Verifying the PGP registry signature of a package from the npm public registry (deprecated)

Note: PGP based registry signatures will be deprecated on April 25th 2023 in favour of ECDSA registry signatures. This means no new packages will be signed with PGP keys from this date onwards and the public key hosted on Keybase will expire.

To ensure the integrity of a package version you download from the npm public registry, you can manually verify the PGP signature of the package.

Note: Since fully verifying signatures on Keybase requires rechecking proofs (which requires network activity) and is therefore expensive, we recommend only verifying signatures if it is necessary -- for example, when verifying a deploy artifact, or when initially storing a package in your cache.

Prerequisites

  1. Install Keybase from https://keybase.io/download
  2. Create a Keybase account on https://keybase.io
  3. Follow "npmregistry" on Keybase.
  4. Download a local copy of the npm public registry's public PGP key.

Verifying npm signatures for the public registry

Note: The following steps use version 1.4.3 of the light-cycle package as an example.

  1. On the command line, fetch the signature for the package version you want and save it in a file:

    npm view light-cycle@1.4.3 dist.npm-signature > sig-to-check
  2. Get the integrity field for that version (example below includes response):

    npm view light-cycle@1.4.3 dist.integrity

    Example response:

    sha512-sFcuivsDZ99fY0TbvuRC6CDXB8r/ylafjJAMnbSF0y4EMM1/1DtQo40G2WKz1rBbyiz4SLAc3Wa6yZyC4XSGOQ==
  3. Construct the string that ties the unique package name and version to the integrity string (example below includes response):

    keybase pgp verify --signed-by npmregistry -d sig-to-check -m 'light-cycle@1.4.3:sha512-sFcuivsDZ99fY0TbvuRC6CDXB8r/ylafjJAMnbSF0y4EMM1/1DtQo40G2WKz1rBbyiz4SLAc3Wa6yZyC4XSGOQ=='

    Example response:

    ▶ INFO Identifying npmregistry
    ✔ public key fingerprint: 0963 1802 8A2B 58C8 4929 D8E1 3D4D 5B12 0276 566A
    ✔ admin of DNS zone npmjs.org: found TXT entry keybase-site-verification=Ls8jN55i6KesjiX91Ck79bUZ17eA-iohmw2jJFM16xc
    ✔ admin of DNS zone npmjs.com: found TXT entry keybase-site-verification=iK3pjpRBkv-CIJ4PHtWL4TTcFXMpPiwPynatKl3oWO4
    ✔ "npmjs" on twitter: https://twitter.com/npmjs/status/981288548845240320
    Signature verified. Signed by npmregistry 3 years ago (2018-04-13 15:00:37 -0700 MST).
    PGP Fingerprint: 096318028a2b58c84929d8e13d4d5b120276566a.