Starting to implement [RFC: Improve signature verification](npm/rfcs#550)
Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](#3452))
This command will verify registry signatures stored in the packument against a public key on the registry.
It currently supports:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired, compared to the version created date
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- json/human format output
TODO
- [ ] Fix tests and implement test cases
- [ ] Expired public key
- [ ] No public keys
- [ ] Missing signatures with a public key on the registry
- [ ] Missing signatures without a public key on the registry
- [ ] Install with valid signatures
- [ ] Install with invalid signatures
- [ ] Third party registry with signatures and keys
- [ ] Tests for the different formats (json, human)
- [ ] Tests to omit type of dependency (e.g. dev deps)
- [ ] Fetch signatures and integrity from `pacote.manifest`
- [ ] Caching story for public keys? Currently cached for one week, assumes we'll double sign for longer when rotating keys
- [ ] Validate early return conditionals for arb nodes, a lot of cases silently return, e.g. no version, are these correct?
- [ ] What other checks do we want?
- [ ] Strict mode to error if any signatures are missing when a registry does not return public keys?
- [ ] Do we want to explicitly trust keys from third party registries and store in .npmrc?