asdf-nodejs/README.md

# asdf-nodejs

Node.js plugin for [asdf](https://github.com/asdf-vm/asdf) version manager

## Requirements

+ _(MacOS)_ [GNU Core Utils](http://www.gnu.org/software/coreutils/coreutils.html˙˚) - `brew install coreutils`

## Install

```
asdf plugin-add nodejs https://github.com/asdf-vm/asdf-nodejs.git
```

## Bootstrap trust for signature validation

The plugin properly valides OpenPGP signatures.
All you have to do is to bootstrap the trust once as follows.

You can either import the OpenPGP public keys in your main OpenPGP keyring or use a dedicated keyring (recommended in order to mitigate https://github.com/nodejs/node/issues/9859).
If you decided to do the later, prepare the dedicated keyring and make it temporarily the default one in your current shell:

```Shell
export GNUPGHOME="$HOME/.asdf/keyrings/nodejs" && mkdir -p "$GNUPGHOME" && chmod 0700 "$GNUPGHOME"
```

Then import the OpenPGP public keys of the [Release Team](https://github.com/nodejs/node/#release-team) as documented on the linked page or run the `import-release-team-keyring` script which is bundled with this plugin.

For more details, refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/).
Note that only versions greater or equal to 0.10.0 are checked. Before that version, signatures for SHA2-256 hashes might not be provided (and can not be installed with the `strict` setting for that reason).

This behavior can be influenced by the `NODEJS_CHECK_SIGNATURES` variable which supports the following options:

`no`: Do not check signatures/checksums.
`yes`: Check signatures/checksums if they should be present (enforced for >= 0.10.0).
`strict` (default): Check signatures/checksums and don’t operate on package versions which did not provide signatures/checksums properly (< 0.10.0).

## Use

Check [asdf](https://github.com/asdf-vm/asdf) readme for instructions on how to install & manage versions of Node.js.

When installing Node.js using `asdf install`, you can pass custom configure options with the following env vars:

* `NODEJS_CONFIGURE_OPTIONS` - use only your configure options
* `NODEJS_EXTRA_CONFIGURE_OPTIONS` - append these configure options along with ones that this plugin already uses
-												Add readme

											
										
										
											2015-05-24 12:27:40 +08:00
+								# asdf-nodejs
-												Update to refer to new organization
											
										
										
											2016-03-16 12:24:18 +08:00
+								Node.js plugin for [asdf](https://github.com/asdf-vm/asdf) version manager
-												Add readme

											
										
										
											2015-05-24 12:27:40 +08:00
-												Document in the ReadMe file that `coreutils` is a requirement for MacOS users

											
										
										
											2017-02-23 06:17:36 +08:00
+								## Requirements
 								+ _(MacOS)_ [GNU Core Utils](http://www.gnu.org/software/coreutils/coreutils.html˙˚) - `brew install coreutils`
-												Add readme

											
										
										
											2015-05-24 12:27:40 +08:00
+								## Install
 								```
-												Update to refer to new organization
											
										
										
											2016-03-16 12:24:18 +08:00
+								asdf plugin-add nodejs https://github.com/asdf-vm/asdf-nodejs.git
-												Add readme

											
										
										
											2015-05-24 12:27:40 +08:00
+								```
-												Check signatures/checksums to ensure authenticity

Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: https://github.com/asdf-vm/asdf/issues/158
Mitigates: https://github.com/nodejs/node/issues/9859
Mitigates: https://github.com/nodejs/node/issues/6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: #15
Closes: #16
Closes: #19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or #16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: https://github.com/creationix/nvm/pull/736
Related to: https://github.com/creationix/nvm/issues/793

											
										
										
											2017-02-13 03:44:21 +08:00
+								## Bootstrap trust for signature validation
-												Update README

											
										
										
											2017-02-14 17:40:46 +08:00
+								The plugin properly valides OpenPGP signatures.
 								All you have to do is to bootstrap the trust once as follows.
-												Check signatures/checksums to ensure authenticity

Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: https://github.com/asdf-vm/asdf/issues/158
Mitigates: https://github.com/nodejs/node/issues/9859
Mitigates: https://github.com/nodejs/node/issues/6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: #15
Closes: #16
Closes: #19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or #16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: https://github.com/creationix/nvm/pull/736
Related to: https://github.com/creationix/nvm/issues/793

											
										
										
											2017-02-13 03:44:21 +08:00
-												Update README

											
										
										
											2017-02-14 17:40:46 +08:00
+								You can either import the OpenPGP public keys in your main OpenPGP keyring or use a dedicated keyring (recommended in order to mitigate https://github.com/nodejs/node/issues/9859).
-												Check signatures/checksums to ensure authenticity

Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: https://github.com/asdf-vm/asdf/issues/158
Mitigates: https://github.com/nodejs/node/issues/9859
Mitigates: https://github.com/nodejs/node/issues/6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: #15
Closes: #16
Closes: #19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or #16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: https://github.com/creationix/nvm/pull/736
Related to: https://github.com/creationix/nvm/issues/793

											
										
										
											2017-02-13 03:44:21 +08:00
+								If you decided to do the later, prepare the dedicated keyring and make it temporarily the default one in your current shell:
 								```Shell
 								export GNUPGHOME="$HOME/.asdf/keyrings/nodejs" && mkdir -p "$GNUPGHOME" && chmod 0700 "$GNUPGHOME"
 								```
-												Fix CI testing of signatures/checksums checking

Fixes: #25

											
										
										
											2017-02-21 02:21:05 +08:00
+								Then import the OpenPGP public keys of the [Release Team](https://github.com/nodejs/node/#release-team) as documented on the linked page or run the `import-release-team-keyring` script which is bundled with this plugin.
-												Check signatures/checksums to ensure authenticity

Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: https://github.com/asdf-vm/asdf/issues/158
Mitigates: https://github.com/nodejs/node/issues/9859
Mitigates: https://github.com/nodejs/node/issues/6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: #15
Closes: #16
Closes: #19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or #16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: https://github.com/creationix/nvm/pull/736
Related to: https://github.com/creationix/nvm/issues/793

											
										
										
											2017-02-13 03:44:21 +08:00
 								For more details, refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/).
-												Update README

											
										
										
											2017-02-14 17:40:46 +08:00
+								Note that only versions greater or equal to 0.10.0 are checked. Before that version, signatures for SHA2-256 hashes might not be provided (and can not be installed with the `strict` setting for that reason).
-												Check signatures/checksums to ensure authenticity

Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: https://github.com/asdf-vm/asdf/issues/158
Mitigates: https://github.com/nodejs/node/issues/9859
Mitigates: https://github.com/nodejs/node/issues/6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: #15
Closes: #16
Closes: #19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or #16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: https://github.com/creationix/nvm/pull/736
Related to: https://github.com/creationix/nvm/issues/793

											
										
										
											2017-02-13 03:44:21 +08:00
 								This behavior can be influenced by the `NODEJS_CHECK_SIGNATURES` variable which supports the following options:
 								`no`: Do not check signatures/checksums.
 								`yes`: Check signatures/checksums if they should be present (enforced for >= 0.10.0).
-												Fix version note in README

											
										
										
											2017-02-13 15:16:28 +08:00
+								`strict` (default): Check signatures/checksums and don’t operate on package versions which did not provide signatures/checksums properly (< 0.10.0).
-												Check signatures/checksums to ensure authenticity

Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: https://github.com/asdf-vm/asdf/issues/158
Mitigates: https://github.com/nodejs/node/issues/9859
Mitigates: https://github.com/nodejs/node/issues/6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PR are
superseded/included in this one:

Closes: #15
Closes: #16
Closes: #19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or #16 which is not merged), binaries where downloaded
over plain legacy HTTP! (those binaries where later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: https://github.com/creationix/nvm/pull/736
Related to: https://github.com/creationix/nvm/issues/793

											
										
										
											2017-02-13 03:44:21 +08:00
-												Add readme

											
										
										
											2015-05-24 12:27:40 +08:00
+								## Use
-												Update to refer to new organization
											
										
										
											2016-03-16 12:24:18 +08:00
+								Check [asdf](https://github.com/asdf-vm/asdf) readme for instructions on how to install & manage versions of Node.js.
-												Add readme

											
										
										
											2015-05-24 12:27:40 +08:00
 								When installing Node.js using `asdf install`, you can pass custom configure options with the following env vars:
 								* `NODEJS_CONFIGURE_OPTIONS` - use only your configure options
 								* `NODEJS_EXTRA_CONFIGURE_OPTIONS` - append these configure options along with ones that this plugin already uses