symphonyoss / hubot-symphony

Hubot adapter for Symphony
Apache License 2.0

NPM artifact signing for release #4

Open maoo opened 8 years ago

maoo commented 8 years ago

To avoid tampering with NPM artifacts published (and maintained) by the Foundation, it is strongly recommended (if not mandatory, from a Foundation Security standpoint) to sign artifacts in order to prove their authenticity and avoid man-in-the-middle attacks.

The Java (Maven) release already includes such a feature, which is widely endorsed by Maven Central (check https://symphonyoss.atlassian.net/wiki/display/FM/Software+Development+Onboarding#SoftwareDevelopmentOnboarding-MavenReleaseFeatures), but for NPM it's up to the project to enforce it, as it's not mandatory.

Looking for an NPM package that helps with the signing/deployment of GPG-signed artifacts.

maoo commented 8 years ago

After a long investigation I figured out that the NodeJS community is still trying to figure out how to implement npm package signing - https://github.com/node-forward/discussions/issues/29

During my investigation I stumbled on https://s8f.org/salty.html , made by one of the guys involved in the discussion above; it looks like something definitely worth trying.