c213d9c20e
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important.

Related to: https://github.com/asdf-vm/asdf/issues/158
Mitigates: https://github.com/nodejs/node/issues/9859
Mitigates: https://github.com/nodejs/node/issues/6821

Implementing this feature required some rework of the `install` script, which is included in this PR. The following other PRs are superseded/included in this one:

Closes: #15
Closes: #16
Closes: #19

Note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist", meaning that before this PR (or #16, which is not merged), binaries were downloaded over plain legacy HTTP! (Those binaries were later executed by the user.) This is really bad and is fairly easy to exploit!

Related to: https://github.com/creationix/nvm/pull/736
Related to: https://github.com/creationix/nvm/issues/793
asdf-nodejs
Node.js plugin for asdf version manager
Install
asdf plugin-add nodejs https://github.com/asdf-vm/asdf-nodejs.git
Bootstrap trust for signature validation
The plugin properly validates OpenPGP signatures, which is not yet done in any other NodeJS version manager as of 2017-02. All you have to do is to bootstrap the trust once as follows.
You can either import the OpenPGP public keys into your main OpenPGP keyring or use a dedicated keyring (recommended). If you decide to do the latter, prepare the dedicated keyring and make it temporarily the default one in your current shell:
export GNUPGHOME="$HOME/.asdf/keyrings/nodejs" && mkdir -p "$GNUPGHOME" && chmod 0700 "$GNUPGHOME"
Then import the OpenPGP public keys of the Release Team.
For more details, refer to Verifying Node.js Binaries (https://blog.continuation.io/verifying-node-js-binaries/). Note that only versions greater than or equal to 0.10.0 are checked. Before that version, signatures for SHA2-256 hashes might not be provided.
This behavior can be influenced by the NODEJS_CHECK_SIGNATURES variable, which supports the following options:
no
: Do not check signatures/checksums.
yes
: Check signatures/checksums if they should be present (enforced for >= 0.10.0).
strict (default)
: Check signatures/checksums and don’t operate on package versions which did not provide signatures/checksums properly (>= 0.10.0).
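As an added example (not the plugin's own install script), here is the verification policy the README describes, written as stand-alone shell functions. It assumes the nodejs.org/dist layout: the release tarball, a clearsigned SHASUMS256.txt.asc next to it, and the Release Team keys already imported into the GNUPGHOME prepared above; the function names are mine. The three modes are implemented as I read them: "yes" verifies the signature and the checksum whenever the signed list is present (a bad signature or a mismatch is always fatal), and "strict" additionally refuses a release >= 0.10.0 that has no signed list at all.

```shell
#!/usr/bin/env bash
# Added example, not code from asdf-nodejs. Assumes: tarball and clearsigned
# SHASUMS256.txt.asc in one directory, Release Team keys in GNUPGHOME.

# 0 when the release is >= 0.10.0, the first version for which signed
# SHA2-256 checksums are expected.
nodejs_signatures_expected() {
  ver="${1#v}"
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  [ "${major:-0}" -gt 0 ] || [ "${minor:-0}" -ge 10 ]
}

# Verifies the clearsigned list against the keys in GNUPGHOME and writes the
# verified checksum text to <out>. Nothing from the .asc is used until gpg
# has accepted the signature.
nodejs_verify_signature() {
  asc="$1"; out="$2"
  gpg --batch --verify "$asc" >/dev/null 2>&1 || return 1
  gpg --batch --yes --output "$out" --decrypt "$asc" >/dev/null 2>&1
}

# Compares the tarball's SHA-256 with its entry in the verified list.
# Returns 2 when the list has no entry for the file, 1 on mismatch, 0 on match.
nodejs_verify_checksum() {
  tarball="$1"; sums="$2"
  name=$(basename "$tarball")
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
  [ -n "$expected" ] || return 2
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
  else
    actual=$(shasum -a 256 "$tarball" | awk '{ print $1 }')
  fi
  [ "$actual" = "$expected" ]
}

# Applies NODEJS_CHECK_SIGNATURES (no | yes | strict; default strict).
# The mode may also be passed as the 4th argument. Returns 0 when the
# tarball may be installed.
nodejs_check_release() {
  version="$1"; tarball="$2"; asc="$3"
  mode="${4:-${NODEJS_CHECK_SIGNATURES:-strict}}"
  case "$mode" in
    no) return 0 ;;
    yes|strict) ;;
    *) echo "unsupported NODEJS_CHECK_SIGNATURES=$mode" >&2; return 1 ;;
  esac
  if [ ! -f "$asc" ]; then
    # No signed list: fine for pre-0.10.0 releases and in "yes" mode;
    # "strict" refuses a release that should have shipped one.
    if [ "$mode" = strict ] && nodejs_signatures_expected "$version"; then
      echo "node $version should ship a signed SHASUMS256.txt, none found" >&2
      return 1
    fi
    return 0
  fi
  verified="${asc%.asc}.verified"
  if ! nodejs_verify_signature "$asc" "$verified"; then
    echo "OpenPGP signature check failed for $asc" >&2
    return 1
  fi
  if ! nodejs_verify_checksum "$tarball" "$verified"; then
    echo "SHA-256 mismatch or missing entry for $tarball" >&2
    return 1
  fi
  return 0
}

# Stand-alone usage (needs gpg and the prepared GNUPGHOME):
#   nodejs_check_release v6.9.5 node-v6.9.5-linux-x64.tar.gz SHASUMS256.txt.asc
```

The order matters: the checksum list is only read from the output of a successful gpg verification, so a tampered SHASUMS256.txt can never vouch for a tampered tarball. The version gate mirrors the README's 0.10.0 cut-off, and the checksum step distinguishes "no entry for this file" from "entry present but wrong" so an install log can tell the two apart.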
Use
Check asdf readme for instructions on how to install & manage versions of Node.js.
When installing Node.js using asdf install, you can pass custom configure options with the following env vars:
NODEJS_CONFIGURE_OPTIONS
: use only your configure options
NODEJS_EXTRA_CONFIGURE_OPTIONS
: append these configure options along with ones that this plugin already uses