@dk/hipp 0.1.30 → 0.1.31
- package/README.md +17 -6
- package/hipp.js +2 -0
- package/package.json +1 -1
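--- a/package/README.md
+++ b/package/README.md
@@ -93,6 +93,17 @@ with their original keys.
 **Multiple publishers**: Each developer can use their own private key. Delete
 `hipp.pub`, run HIPP, and a new keypair will be generated for that revision.
 
+### Why This Works
+
+The public key in `hipp.pub` is committed to git at the specific revision of
+each release. Verification always uses the key from that historical revision,
+not a current one. This means:
+
+- You don't need to retain your private key — once published, past releases are
+verifiable from the git history alone
+- A compromised private key can only sign future releases, not forge past ones
+- Multiple publishers work naturally because each release is self-contained
+
 ### Options
 
 * `-y, --yes`: Skip the confirmation prompt (ideal for CI/CD pipelines).
@@ -242,21 +253,21 @@ PERFORMANCE OF THIS SOFTWARE.
 Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):
 
 ```bash
-npx @dk/hipp verify @dk/hipp@0.1.
+npx @dk/hipp verify @dk/hipp@0.1.31
 ```
 
 ```json
 {
 "origin": "git@github.com:dmytri/hipp.git",
-"tag": "v0.1.
-"revision": "
-"hash": "
-"signature": "
+"tag": "v0.1.31",
+"revision": "270b281d7bf0e908b7c267fb87f9f68e3dc2be86",
+"hash": "1085bdf7d5774cae5d64236a18e95c95c8d2d198ae22e9f8cfa2c10afd0fe57b",
+"signature": "mPj1cIun7czw0TQmsWkq/HEq7O+ZdTUQrMhTRZ8Cm4Z23dYu/G/m/itzyC2x/kBRVW+8h+m399acusrSArCzBA==",
 "name": "Dmytri Kleiner",
 "email": "dev@dmytri.to",
 "npm": "11.12.1",
 "node": "v25.8.2",
 "git": "git version 2.47.3",
-"hipp": "0.1.
+"hipp": "0.1.31"
 }
 ```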
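--- a/package/hipp.js
+++ b/package/hipp.js
@@ -525,6 +525,8 @@ async function runVerify(packageSpec) {
 } else {
 const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
 
+log.info(`🔑 Public key: hipp.pub from git@rev ${revision.slice(0, 12)} at tag ${tag}`);
+
 log.info(`🏗️ Staging git files...`);
 const trackedFiles = getTrackedFilesFromDir(tmpDir);
 copyTrackedFilesFromDir(stageDir, tmpDir, trackedFiles);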
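Review bot: The new log line interpolates `tag` and `revision` straight into terminal output; if these are read from the manifest shipped inside the package being verified (the README's verify output lists `tag` and `revision` as manifest fields, which suggests so), they are publisher-controlled, and a crafted tag containing ANSI escapes or a newline could spoof a "verified" line on screen. Strip control characters before printing, e.g. `const shownTag = String(tag).replace(/[\x00-\x1f\x7f]/g, '?');` and use `shownTag` in the message; the 12-character SHA prefix is only safe if `revision` was already validated as hex, which is not visible here. The message also asserts that the key came from the git checkout at that revision, but `publicKeyPath` is resolved outside the hunk, so that provenance claim should be checked against where the path is built. Logging a SHA-256 fingerprint of `publicKey` alongside it would give users a value they can compare out of band, which the revision prefix alone does not. runVerify begins and ends outside this hunk.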