Function verifyPackageProvenance

Verification.

verifyPackageProvenance(
    options: {
        packageName: string;
        repo: `${string}/${string}`;
        version: `${number}.${number}.${number}${string}`;
    } & FetchOptions & {
        maxJsonResponseBytes?: number;
        maxRekorEntries?: number;
        rekorLagBudgetMs?: number;
        rekorLagDelaysMs?: readonly number[];
        trustMaterial?: TrustMaterial;
        verifier?: BundleVerifier;
    },
): Promise<PackageProvenance>

Verify npm package provenance via sigstore attestations. Checks the certificate chain, the issuer identity, and that the attested source repository matches the expected repo. Returns a PackageProvenance handle whose verifyAddon method checks that a native addon binary (by SHA-256) was produced by the same attested build.

throws

ProvenanceError if the package has no SLSA provenance attestation, the certificate is invalid, or the source repo does not match. This is a definitive verdict: do not retry it and do not fall back to an unverified install.

throws

Error (not a ProvenanceError) on transient failures (network timeout, service unavailable); these are safe to retry with a bounded number of attempts.

example
import {
  verifyPackageProvenance,
  semVerString,
  githubRepo,
  sha256Hex,
} from "node-addon-slsa";

const provenance = await verifyPackageProvenance({
  packageName: "my-native-addon",
  version: semVerString("1.0.0"),
  repo: githubRepo("owner/repo"),
});

// Verify the addon binary was produced by the same workflow run.
// Placeholder digest: in practice, hash the bytes of the built .node file.
const addonHash = sha256Hex("a".repeat(64)); // SHA-256 (hex) of the binary
await provenance.verifyAddon({ sha256: addonHash });