Public Key Pen
This is a specification and implementation that leverages Public Key Infrastructure to build trust networks for distributed software.
npm install pkp -g
pkp config
pkp sign <package-name>
pkp sign --remote git://github.com/hij1nx/pkp.git
The verify method iterates through the signatures and validates that each one was in fact produced with the private key that corresponds to the public key provided.
pkp verify [version]
A package should contain a pki.json file which includes an object literal with entries corresponding to each signed version of the package. The file should include the following fields.
Extracted from the package.json. This is used to alert the user making the request that a signing has been successful.
The public key of the user making the request.
A sha1 hash of the codebase to be signed.
An array of object literals representing successful signings that can be verified using