How does npm verify packages and how to verify npm/node installation packages between machines?
Where in the npm code does it verify the packages against a checksum? Also, is it possible to verify one machine's installation of node and packages vs another machine? As in, is it possible to generate a bunch of checksums for a machine to compare with whatever's in the registry, and on a separate machine?
In npm, it seems to be using a tree library called the arborist to create a replica of the directory structure. On the other hand, as a user I'd like to be able to validate and generate checksums of the packages for the sake of provenance and verification. How do I go about doing this? And is it built into the package manager?
Where in the npm code does it verify the packages against a checksum?
Here: https://github.com/npm/cli/blob/04eb43f2b2a387987b61a7318908cf18f03d97e0/lib/utils/tar.js#L78-L80
```js
// ssri is the library npm uses to compute Subresource Integrity strings
const ssri = require('ssri')

// `tarball` is the Buffer of the packed .tgz; npm records both a sha1 and a sha512
const integrity = await ssri.fromData(tarball, {
  algorithms: ['sha1', 'sha512'],
})
```
As in, is it possible to generate a bunch of checksums for a machine to compare with whatever's in the registry, and on a separate machine?
I'm not sure of the details of your use case, but I believe it should be possible. Have a look at the `fromData()` and other functions of the `ssri` module that `npm` uses to generate the integrity SHAs.
Note that `npm` generates the SHAs from tarballs (or from git SHAs if you are installing from `git` rather than the `npm` registry). So you'll need to package the modules up as tarballs. The `npm pack` command might come in handy.
Related (but not quite what you're looking for, I don't think) would be the "Verifying the PGP signature of a package from the npm public registry" article in the `npm` docs.