npm: typed access to dist.attestations and dist.signatures #26
Merged
When a publisher uses trusted publishing, npm exposes two metadata
signals alongside each version: a dist.attestations pointer at the
separately-fetched sigstore bundle, and a dist.signatures array of
ECDSA-P256 signatures over '{name}@{version}:{integrity}'. Both were
silently dropped during JSON decode because distInfo only carried
shasum/tarball/integrity.
Adds typed structs (npm.AttestationRef, npm.Signature) and populates
them through to Version.Metadata under 'npm:attestations' and
'npm:signatures' keys. Top-level registries package exports type
aliases NPMAttestationRef / NPMSignature plus a NPMProvenance helper
so callers can read the typed values without re-casting through
map[string]any.
Callers that want to validate the registry-published signatures or
fetch the sigstore bundle from dist.attestations.url can now do so
without re-parsing the version document themselves.
Summary
npm exposes two metadata signals alongside each published version when the publisher used trusted publishing: a `dist.attestations` pointer at the separately-fetched sigstore bundle, and a `dist.signatures` array of ECDSA-P256 signatures over `{name}@{version}:{integrity}`. Both were silently dropped during JSON decode because `distInfo` only carried `shasum`/`tarball`/`integrity`.
This PR captures and exposes them.
Changes
Tests
`TestFetchVersions_Provenance` asserts both fields round-trip with the expected typed shapes. `TestFetchVersions_NoProvenance` asserts the no-provenance case returns nil / empty without panic.
Why
Consumers that want to verify the registry-published signatures or fetch the sigstore bundle from `dist.attestations.url` can do so without re-parsing the version document themselves.
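The scheme the description above relies on, as an added Go example that is not the project's code: a version document's `dist` block is decoded into typed attestation and signature fields, and each `dist.signatures` entry is checked as an ECDSA-P256 signature (DER-encoded, base64) over `{name}@{version}:{integrity}`. The struct and field names, the keyid string, and every sample value (the throwaway key, package name, integrity and URL) are assumptions constructed here; a real consumer would build the keyring from the registry's published key list rather than generating a key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Typed shapes for the two dist fields the PR surfaces. Field names follow the npm
// packument JSON (assumed here), not the project's own struct definitions.
type AttestationRef struct {
	URL string `json:"url"` // where the sigstore bundle is fetched from
}

type Signature struct {
	KeyID string `json:"keyid"` // matched against the registry's published key list
	Sig   string `json:"sig"`   // base64 of a DER-encoded ECDSA-P256 signature
}

type distInfo struct {
	Integrity    string          `json:"integrity"`
	Attestations *AttestationRef `json:"attestations,omitempty"`
	Signatures   []Signature     `json:"signatures,omitempty"`
}

type versionDoc struct {
	Name    string   `json:"name"`
	Version string   `json:"version"`
	Dist    distInfo `json:"dist"`
}

// ParseVersion decodes a version document. A missing dist.attestations stays nil and a
// missing dist.signatures stays empty, so the no-provenance case needs no special-casing.
func ParseVersion(raw []byte) (versionDoc, error) {
	var doc versionDoc
	err := json.Unmarshal(raw, &doc)
	return doc, err
}

// SignedMessage is the exact string the registry signs: '{name}@{version}:{integrity}'.
func SignedMessage(name, version, integrity string) string {
	return fmt.Sprintf("%s@%s:%s", name, version, integrity)
}

// VerifySignatures checks every dist.signatures entry against a keyring indexed by keyid.
// It returns how many verified and fails closed on the first unknown key, undecodable
// signature, or mismatch; a zero count with nil error means the version carried no signatures.
func VerifySignatures(doc versionDoc, keys map[string]*ecdsa.PublicKey) (int, error) {
	msg := SignedMessage(doc.Name, doc.Version, doc.Dist.Integrity)
	digest := sha256.Sum256([]byte(msg))
	verified := 0
	for _, s := range doc.Dist.Signatures {
		pub, ok := keys[s.KeyID]
		if !ok {
			return verified, fmt.Errorf("keyid %q is not in the trusted key list", s.KeyID)
		}
		der, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			return verified, fmt.Errorf("keyid %q: malformed signature: %w", s.KeyID, err)
		}
		if !ecdsa.VerifyASN1(pub, digest[:], der) {
			return verified, fmt.Errorf("keyid %q: signature does not cover %q", s.KeyID, msg)
		}
		verified++
	}
	return verified, nil
}

// BuildSampleDoc constructs a version document signed with a throwaway P-256 key so the
// flow runs offline. Every value (key, keyid, name, integrity, URL) is made up for the demo.
func BuildSampleDoc() ([]byte, map[string]*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	const kid = "SHA256:constructed-demo-keyid"
	doc := versionDoc{Name: "example-pkg", Version: "1.2.3", Dist: distInfo{
		Integrity:    "sha512-" + base64.StdEncoding.EncodeToString(make([]byte, 64)),
		Attestations: &AttestationRef{URL: "https://registry.example.invalid/-/npm/v1/attestations/example-pkg@1.2.3"},
	}}
	digest := sha256.Sum256([]byte(SignedMessage(doc.Name, doc.Version, doc.Dist.Integrity)))
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, nil, err
	}
	doc.Dist.Signatures = []Signature{{KeyID: kid, Sig: base64.StdEncoding.EncodeToString(der)}}
	raw, err := json.Marshal(doc)
	return raw, map[string]*ecdsa.PublicKey{kid: &priv.PublicKey}, err
}
```

Verification binds the integrity string to the name and version under a key the registry controls, so a verified signature tells a consumer that the registry published this exact tarball hash for this version, nothing more. Who built it, and from what source, is the question the sigstore bundle at `dist.attestations.url` answers, and that bundle has to be fetched and verified separately; a nil `Attestations` and an empty `Signatures` slice is simply the no-provenance case the PR's tests cover, not an error.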