UNPKG

@salesforce/plugin-trust

Version:

validate a digital signature for a npm package

github.com/salesforcecli/plugin-trust

salesforcecli/plugin-trust

126 lines (84 loc) 4.82 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# plugin-trust [![NPM](https://img.shields.io/npm/v/@salesforce/plugin-trust.svg?label=@salesforce/plugin-trust)](https://www.npmjs.com/package/@salesforce/plugin-trust) [![Downloads/week](https://img.shields.io/npm/dw/@salesforce/plugin-trust.svg)](https://npmjs.org/package/@salesforce/plugin-trust) [![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://opensource.org/license/apache-2-0) Verify the authenticity of a plugin being installed with `plugins:install`. This plugin is bundled with the [Salesforce CLI](https://developer.salesforce.com/tools/sfdxcli). For more information on the CLI, read the [getting started guide](https://developer.salesforce.com/docs/atlas.en-us.sfdx_setup.meta/sfdx_setup/sfdx_setup_intro.htm). We always recommend using the latest version of these commands bundled with the CLI, however, you can install a specific version or tag if needed. ### Allowlisting If a plugin needs to be installed in a unattended fashion as is the case with automation. The plugin acceptance prompt can be avoided by placing the plugin name in \$HOME/.config/sf/unsignedPluginAllowList.json ```json [ "@salesforce/npmName", "plugin2", ... ] ``` If a plugin is not signed you then won't get a prompt confirming the installation of an unsigned plugin. Instead you'll get a message stating that the plugin was allowlisted and the installation will proceed as normal. ### Additional Verification Information In addition to signature verification additional checks are in place to help ensure authenticity of plugins. DNS - The public key url and signature urls must have an https scheme and originate from developer.salesforce.com Cert Pinning - The digital fingerprint of developer.salesforce.com's certificate is validated. This helps prevent man in the middle attacks. ## Install ```bash sfdx plugins:install trust@x.y.z ``` ## Issues Please report any issues at <https://github.com/forcedotcom/cli/issues> ## Contributing 1. Please read our [Code of Conduct](CODE_OF_CONDUCT.md) 2. Create a new issue before starting your project so that we can keep track of what you are trying to add/fix. That way, we can also offer suggestions or let you know if there is already an effort in progress. 3. Fork this repository. 4. [Build the plugin locally](#build) 5. Create a _topic_ branch in your fork. Note, this step is recommended but technically not required if contributing using a fork. 6. Edit the code in your fork. 7. Write appropriate tests for your changes. Try to achieve at least 95% code coverage on any new code. No pull request will be accepted without unit tests. 8. Sign CLA (see [CLA](#cla) below). 9. Send us a pull request when you are done. We'll review your code, suggest any needed changes, and merge it in. ### CLA External contributors will be required to sign a Contributor's License Agreement. You can do so by going to <https://cla.salesforce.com/sign-cla>. ### Build To build the plugin locally, make sure to have yarn installed and run the following commands: ```bash # Clone the repository git clone git@github.com:salesforcecli/plugin-trust # Install the dependencies and compile yarn install yarn build ``` To use your plugin, run using the local `./bin/dev` or `./bin/dev.cmd` file. ```bash # Run using local run file. ./bin/dev plugins:trust ``` There should be no differences when running via the Salesforce CLI or using the local run file. However, it can be useful to link the plugin to do some additional testing or run your commands from anywhere on your machine. ```bash # Link your plugin to the sfdx cli sfdx plugins:link . # To verify sfdx plugins ``` ## Commands <!-- commands --> - [`@salesforce/plugin-trust plugins trust verify`](#salesforceplugin-trust-plugins-trust-verify) ## `@salesforce/plugin-trust plugins trust verify` Validate a digital signature. ``` USAGE $ @salesforce/plugin-trust plugins trust verify -n <value> [--json] [--flags-dir <value>] [-r <value>] FLAGS -n, --npm=<value> (required) Specify the npm name. This can include a tag/version. -r, --registry=<value> The registry name. The behavior is the same as npm. GLOBAL FLAGS --flags-dir=<value> Import flag values from a directory. --json Format output as json. DESCRIPTION Validate a digital signature. Verifies the digital signature on an npm package matches the signature and key stored at the expected URLs. EXAMPLES $ @salesforce/plugin-trust plugins trust verify --npm @scope/npmName --registry https://npm.pkg.github.com $ @salesforce/plugin-trust plugins trust verify --npm @scope/npmName ``` _See code: [src/commands/plugins/trust/verify.ts](https://github.com/salesforcecli/plugin-trust/blob/3.7.113/src/commands/plugins/trust/verify.ts)_ <!-- commandsstop -->