Robin Schneider c213d9c20e
Check signatures/checksums to ensure authenticity
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/)
for why this is important.

Related to: https://github.com/asdf-vm/asdf/issues/158
Mitigates: https://github.com/nodejs/node/issues/9859
Mitigates: https://github.com/nodejs/node/issues/6821

Implementing this feature required some rework of the `install` script
which is included in this PR. The following other PRs are
superseded/included in this one:

Closes: #15
Closes: #16
Closes: #19

Note that this PR also updates the base download URL from
"http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that
before this PR (or #16 which is not merged), binaries were downloaded
over plain legacy HTTP! (those binaries were later executed by the
user). This is really bad and is fairly easy to exploit!

Related to: https://github.com/creationix/nvm/pull/736
Related to: https://github.com/creationix/nvm/issues/793
2017-02-20 06:58:02 +01:00

asdf-nodejs

Node.js plugin for asdf version manager

Install

asdf plugin-add nodejs https://github.com/asdf-vm/asdf-nodejs.git

Bootstrap trust for signature validation

The plugin properly validates OpenPGP signatures, which as of 2017-02 no other Node.js version manager does yet. All you have to do is bootstrap the trust once, as follows.

You can either import the OpenPGP public keys into your main OpenPGP keyring or use a dedicated keyring (recommended). If you decide to do the latter, prepare the dedicated keyring and make it temporarily the default one in your current shell:

export GNUPGHOME="$HOME/.asdf/keyrings/nodejs" && mkdir -p "$GNUPGHOME" && chmod 0700 "$GNUPGHOME"

Then import the OpenPGP public keys of the Release Team.

For more details, refer to Verifying Node.js Binaries. Note that only versions greater than or equal to 0.10.0 are checked. Before that version, signatures for SHA2-256 hashes might not be provided.

This behavior can be influenced by the NODEJS_CHECK_SIGNATURES variable which supports the following options:

  • no: Do not check signatures/checksums.
  • yes: Check signatures/checksums if they should be present (enforced for >= 0.10.0).
  • strict (default): Check signatures/checksums and don't operate on package versions which did not provide signatures/checksums properly (>= 0.10.0).
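As an added example (not code from the plugin), the following POSIX shell models the options above together with the bootstrap steps from the previous section: check_policy decides whether a version must be verified under NODEJS_CHECK_SIGNATURES, and verify_tarball checks a downloaded tarball against the release team's signed checksum list using the dedicated keyring. The function names, and the SHASUMS256.txt.asc file name published beside each release on nodejs.org/dist, are assumptions here.

```shell
#!/bin/sh
# Added example, not the plugin's own code. It models the NODEJS_CHECK_SIGNATURES
# policy from the README and verifies a downloaded tarball against the signed
# SHASUMS256.txt.asc using the dedicated keyring. Function names are assumptions.

# version_key VERSION: print "v6.9.5" as 006009005 so versions compare as integers
version_key() {
  printf '%s\n' "${1#v}" | (
    IFS=. read -r major minor patch rest
    printf '%03d%03d%03d' "${major:-0}" "${minor:-0}" "${patch:-0}"
  )
}

# check_policy VERSION [MODE]: print skip, check or require (MODE defaults to strict)
check_policy() {
  mode=${2:-strict}
  case "$mode" in
    no) echo skip; return 0 ;;
    yes|strict) ;;
    *) echo "unknown NODEJS_CHECK_SIGNATURES value: $mode" >&2; return 2 ;;
  esac
  # SHA2-256 signatures are only expected from 0.10.0 on; older versions are not checked
  if [ "$(version_key "$1")" -lt "$(version_key 0.10.0)" ]; then
    echo skip
  elif [ "$mode" = strict ]; then
    echo require   # a missing or bad signature/checksum aborts the install
  else
    echo check     # verify whatever signature/checksum is present
  fi
}

# verify_tarball TARBALL SHASUMS256.txt.asc: check the signature with the
# dedicated keyring, then check the tarball's SHA-256 against the signed list.
# Needs gpg, grep and sha256sum; the keyring must already hold the release keys.
verify_tarball() {
  tarball=$1; shasums=$2
  GNUPGHOME=${GNUPGHOME:-$HOME/.asdf/keyrings/nodejs}; export GNUPGHOME
  # Only keys deliberately imported into this keyring can make --verify succeed
  gpg --batch --verify "$shasums" || return 1
  # Use only the line for our file from the clear-signed list, as the Node.js
  # verification instructions do, and let sha256sum compare the digest;
  # an absent line makes sha256sum fail, which is the wanted outcome
  ( cd "$(dirname "$tarball")" &&
    grep " $(basename "$tarball")\$" "$shasums" | sha256sum -c - )
}
```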

Use

Check asdf readme for instructions on how to install & manage versions of Node.js.

When installing Node.js using asdf install, you can pass custom configure options with the following env vars:

  • NODEJS_CONFIGURE_OPTIONS - use only your configure options
  • NODEJS_EXTRA_CONFIGURE_OPTIONS - append these configure options along with ones that this plugin already uses