pkp

Public Key Pen

Public Key Infrastructure for Packages

This is a specification and implementation that leverages Public Key Infrastructure to build trust networks for distributed software.

npm install pkp -g
pkp config
pkp init
pkp sign <package-name>

or

pkp sign --remote git://github.com/hij1nx/pkp.git

The verify method iterates though the signatures and validates that they were infact signed using the private key that corresponds to the public key provided.

pkp verify [version]

A package should contain a pki.json file which includes an object literal with entries corresponding to each signed version of the package. The file should include the following fields.

Extracted from the package.json. This is used to alter the user making the request that a signing has been successful.

The public key of the user making the request.

A sha1 hash of the codebase to be signed.

An array of object literals representing successful signings that can be verified using pkp.

{
  "0.0.1": {
    "principal": {
      "principal-at": "hij1nx@async.ly",
      "server-at": "10.0.0.1",
      "public-key": "-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAwIB6PV4gYy1X47zQllmke+KGYdXFH1xyrO0q4DZw3OBHr187xZWn81LWI6av\nyIhW+XDeVYuAud1+VqnsvsBASD19qc2xXiZ21cHdSfB1N2nSHBBHB2e+ubhDEN9PbhAcO+BK\ngr8E0/ucGy5thM70KZpVuJGXZJWABzlrin/Q3xyk/46OFQNj5DXjmSfSoWcs76TknAkttz0N\nc4QK3buByERNeWOjJsZjTj5w8StVpwfc2Ut3wUIoks/8w+nwqiAW1tHVoCjcol8fHIvRiiNH\n1bYS+ZkBgb0RUKzQkl+l8o6IfFzhSnvt9g+E5aVOgzJs/O2RdwjpHpVsfwh74pM8qwIDAQAB\n-----END RSA PUBLIC KEY-----\n\n"
    },
    "data": "7330651368657d5f711b5f15481949a9a30221b2",
    "type": "sha1"
    "signatures": [
      {
        "principal": {
          "principal-at": "hij1nx@async.ly",
          "server-at": "10.0.0.1",
          "public-key": "-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAwIB6PV4gYy1X47zQllmke+KGYdXFH1xyrO0q4DZw3OBHr187xZWn81LWI6av\nyIhW+XDeVYuAud1+VqnsvsBASD19qc2xXiZ21cHdSfB1N2nSHBBHB2e+ubhDEN9PbhAcO+BK\ngr8E0/ucGy5thM70KZpVuJGXZJWABzlrin/Q3xyk/46OFQNj5DXjmSfSoWcs76TknAkttz0N\nc4QK3buByERNeWOjJsZjTj5w8StVpwfc2Ut3wUIoks/8w+nwqiAW1tHVoCjcol8fHIvRiiNH\n1bYS+ZkBgb0RUKzQkl+l8o6IfFzhSnvt9g+E5aVOgzJs/O2RdwjpHpVsfwh74pM8qwIDAQAB\n-----END RSA PUBLIC KEY-----\n\n"
        },
        "signature": {
          "data": "RjCojNv/oJMarme4zojP43rUKCoLADt2TQxOF2oOpEuOoSjD3uIGXa8raltUf7UNseTPXUFbktspgOaJ/z45C+uhOgdOrhAOgJudCT+22xsW1IG2LFmbnnEv865R5h6w38DYaFZK3BjddLR5IPrkoDHw+Pk5xr43npc/XU1BHxI7/xmNyi3ydm9DJ44WXwiQo7ypK5PbgNC+k6AN+XSFQm+sK1rH7w1d22J+jR48SHejNaXPyAkMEQDuEGu0v/gnT8GSh+GGPqJZNKg8QVbIXK5hDD7ztvHmU3w5hDlzWvUGMJ9OWUlNPrnc/swTW0PdO6C9OinXw7BjXVoJsjQk3g==",
          "type": "sha1-base64"
        }
      }
    ]
  }
}