You npm install a package with a prebuilt .node binary. The package
is signed — but how do you know the binary was built from the same
source? You don't, unless both artifacts are verified against the same
CI run.
node-addon-slsa cross-checks sigstore npm provenance with
GitHub Attestations to confirm the package and its
binary were produced by the same GitHub Actions workflow run.
If they were not, installation aborts with a SECURITY error.
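The cross-check above, as an added example that is not node-addon-slsa's own code: two SLSA v1 provenance statements, one that npm provenance issues for the tarball and one that GitHub Attestations issues for the `.node` binary, must each cover the digest of their artifact and must name the same GitHub Actions run (builder id, `invocationId` run URL, workflow repository and source commit). The field layout follows SLSA v1; `sampleStatement` and all digests, commits and run ids are constructed for the example.

```javascript
// Added example, not node-addon-slsa's own code; all sample data is constructed.
const SLSA_V1 = "https://slsa.dev/provenance/v1";
// Fields that identify which GitHub Actions run produced an artifact.
function runIdentity(stmt) {
  const p = stmt.predicate;
  const src = (p.buildDefinition.resolvedDependencies || [])
    .find((d) => d.digest && d.digest.gitCommit);
  return {
    builder: p.runDetails.builder.id,
    invocation: p.runDetails.metadata.invocationId, // the workflow run URL
    repository: p.buildDefinition.externalParameters.workflow.repository,
    commit: src ? src.digest.gitCommit : undefined,
  };
}
// Each statement must cover the digest it is paired with, and both must name
// the same run. Returns { ok: true } or { ok: false, reason }; missing fails.
function crossCheck(pkgStmt, pkgSha256, addonStmt, addonSha256) {
  for (const [stmt, sha] of [[pkgStmt, pkgSha256], [addonStmt, addonSha256]]) {
    if (stmt.predicateType !== SLSA_V1 ||
        !stmt.subject.some((s) => s.digest && s.digest.sha256 === sha)) {
      return { ok: false, reason: "statement does not cover artifact digest" };
    }
  }
  const a = runIdentity(pkgStmt), b = runIdentity(addonStmt);
  for (const key of ["builder", "invocation", "repository", "commit"]) {
    if (!a[key] || a[key] !== b[key]) {
      return { ok: false, reason: `${key} mismatch: ${a[key]} vs ${b[key]}` };
    }
  }
  return { ok: true };
}
// Constructed SLSA v1 statement in the layout npm provenance and GitHub
// Attestations use (digest, commit and run id are made up for the example).
function sampleStatement(sha256, runId) {
  const repo = "https://github.com/owner/repo";
  return {
    _type: "https://in-toto.io/Statement/v1",
    subject: [{ name: "artifact", digest: { sha256 } }],
    predicateType: SLSA_V1,
    predicate: {
      buildDefinition: {
        externalParameters: { workflow: { repository: repo, ref: "refs/tags/v1.0.0" } },
        resolvedDependencies: [{ uri: `git+${repo}@refs/tags/v1.0.0`, digest: { gitCommit: "0".repeat(40) } }],
      },
      runDetails: { builder: { id: "https://github.com/actions/runner/github-hosted" },
                    metadata: { invocationId: `${repo}/actions/runs/${runId}/attempts/1` } },
    },
  };
}
```

A real verifier additionally checks the sigstore signatures and the identity of the signing workflow before trusting either statement's contents; this block only shows the run-identity comparison.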
Install:

```sh
npm install node-addon-slsa
```

Then point the package at its prebuilt binary and wire up the install and pack scripts in `package.json`:

```json
{
  "addon": {
    "path": "./dist/my_addon.node",
    "url": "https://github.com/owner/repo/releases/download/v{version}/my_addon-v{version}-{platform}-{arch}.node.gz"
  },
  "scripts": {
    "postinstall": "slsa wget",
    "pack-addon": "slsa pack"
  }
}
```

Programmatic API:
```ts
import { createHash } from "node:crypto";
import { readFileSync } from "node:fs";
import {
  verifyPackageProvenance,
  semVerString,
  githubRepo,
  sha256Hex,
} from "node-addon-slsa";

// Verify the npm package's sigstore provenance first...
const provenance = await verifyPackageProvenance({
  packageName: "my-native-addon",
  version: semVerString("1.0.0"),
  repo: githubRepo("owner/repo"),
});

// ...then verify that the prebuilt binary on disk is attested by the same
// GitHub Actions run. hexHash is the SHA-256 hex digest of the .node file.
const hexHash = createHash("sha256").update(readFileSync("./dist/my_addon.node")).digest("hex");
await provenance.verifyAddon({ sha256: sha256Hex(hexHash) });
```

Setup guide, threat model, and full API reference: [package/README.md](package/README.md)
The publishable npm package lives in the package/
directory. Source code, tests, and full documentation are there.
See CONTRIBUTING.md.
Apache-2.0 OR MIT — see LICENSE-APACHE.txt and LICENSE-MIT.txt.