Does npm CLI verify PGP or not? #222
Unanswered
slavafomin asked this question in General
Replies: 1 comment
-
I can see that package fetching and caching is implemented in the pacote package. However, I can't see any PGP-related code there either.
-
Hello!
According to this official blog post ("new pgp machinery"), npm supports PGP signatures by providing them in the `npm-signature` packument field; however, I can't see any references to this in the CLI source code. Does npm CLI actually verify PGP signatures or not?
If not, are you planning to implement this in the near future? Maybe there are some temporary solutions that could be used right now?
I'm writing an article regarding npm security and this information will really help to spread the knowledge. Thank you!