
authorPhilip Harrison <philip@mailharrison.com>2022-07-11 20:49:21 +0300
committerGitHub <noreply@github.com>2022-07-11 20:49:21 +0300
commitf032e1c0ada062e2139c8f057b24abb1ce2e4a33 (patch)
treef2082b192509a9abee0f66bc3b1d80b46a5a1378 /tap-snapshots/test/lib
parentef8d2edd7da993f4086c85089952cd45834ac78b (diff)
feat: add npm audit signatures (#4827)
* feat: add npm audit signatures Implements [RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550/) Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](https://github.com/npm/cli/pull/3452)) This command will verify registry signatures stored in the packument against a public key on the registry. Supporting: - Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object - Validates public keys are not expired - Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys` - Errors when encountering invalid signatures - Output: json/human formats
Diffstat (limited to 'tap-snapshots/test/lib')
-rw-r--r--tap-snapshots/test/lib/commands/audit.js.test.cjs227
-rw-r--r--tap-snapshots/test/lib/load-all-commands.js.test.cjs2
-rw-r--r--tap-snapshots/test/lib/npm.js.test.cjs2
3 files changed, 229 insertions, 2 deletions
diff --git a/tap-snapshots/test/lib/commands/audit.js.test.cjs b/tap-snapshots/test/lib/commands/audit.js.test.cjs
index c3680933e..3e7658c14 100644
--- a/tap-snapshots/test/lib/commands/audit.js.test.cjs
+++ b/tap-snapshots/test/lib/commands/audit.js.test.cjs
@@ -41,6 +41,233 @@ added 1 package, and audited 2 packages in xxx
found 0 vulnerabilities
`
+exports[`test/lib/commands/audit.js TAP audit signatures ignores optional dependencies > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures json output with invalid and missing signatures > must match snapshot 1`] = `
+{
+ "invalid": [
+ {
+ "name": "kms-demo",
+ "version": "1.0.0",
+ "location": "node_modules/kms-demo",
+ "resolved": "https://registry.npmjs.org/kms-demo/-/kms-demo-1.0.0.tgz",
+ "integrity": "sha512-QqZ7VJ/8xPkS9s2IWB7Shj3qTJdcRyeXKbPQnsZjsPEwvutGv0EGeVchPcauoiDFJlGbZMFq5GDCurAGNSghJQ==",
+ "signature": "bogus",
+ "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"
+ }
+ ],
+ "missing": [
+ {
+ "name": "async",
+ "version": "1.1.1",
+ "location": "node_modules/async",
+ "resolved": "https://registry.npmjs.org/async/-/async-1.1.1.tgz"
+ }
+ ]
+}
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures json output with invalid signatures > must match snapshot 1`] = `
+{
+ "invalid": [
+ {
+ "name": "kms-demo",
+ "version": "1.0.0",
+ "location": "node_modules/kms-demo",
+ "resolved": "https://registry.npmjs.org/kms-demo/-/kms-demo-1.0.0.tgz",
+ "integrity": "sha512-QqZ7VJ/8xPkS9s2IWB7Shj3qTJdcRyeXKbPQnsZjsPEwvutGv0EGeVchPcauoiDFJlGbZMFq5GDCurAGNSghJQ==",
+ "signature": "bogus",
+ "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"
+ }
+ ],
+ "missing": []
+}
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures json output with valid signatures > must match snapshot 1`] = `
+{
+ "invalid": [],
+ "missing": []
+}
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures multiple registries with keys and signatures > must match snapshot 1`] = `
+audited 2 packages in xxx
+
+2 packages have verified registry signatures
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures omit dev dependencies with missing signature > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures output details about missing signatures > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a missing registry signature but the registry is providing signing keys:
+
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures third-party registry with invalid signatures errors > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has an invalid registry signature:
+
+@npmcli/arborist@1.0.14 (https://verdaccio-clone.org)
+
+Someone might have tampered with this package since it was published on the registry!
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures third-party registry with keys and missing signatures errors > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a missing registry signature but the registry is providing signing keys:
+
+@npmcli/arborist@1.0.14 (https://verdaccio-clone.org)
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures third-party registry with keys and signatures > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with both invalid and missing signatures > must match snapshot 1`] = `
+audited 2 packages in xxx
+
+1 package has a missing registry signature but the registry is providing signing keys:
+
+async@1.1.1 (https://registry.npmjs.org/)
+
+1 package has an invalid registry signature:
+
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+
+Someone might have tampered with this package since it was published on the registry!
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with bundled and peer deps and no signatures > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with invalid signatures > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has an invalid registry signature:
+
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+
+Someone might have tampered with this package since it was published on the registry!
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with invalid signtaures and color output enabled > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has an invalid registry signature:
+
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+
+Someone might have tampered with this package since it was published on the registry!
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with keys but missing signature > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a missing registry signature but the registry is providing signing keys:
+
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with multiple invalid signatures > must match snapshot 1`] = `
+audited 2 packages in xxx
+
+2 packages have invalid registry signatures:
+
+async@1.1.1 (https://registry.npmjs.org/)
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+
+Someone might have tampered with these packages since they where published on the registry!
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with multiple missing signatures > must match snapshot 1`] = `
+audited 2 packages in xxx
+
+2 packages have missing registry signatures but the registry is providing signing keys:
+
+async@1.1.1 (https://registry.npmjs.org/)
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with multiple valid signatures and one invalid > must match snapshot 1`] = `
+audited 3 packages in xxx
+
+2 packages have verified registry signatures
+
+1 package has an invalid registry signature:
+
+node-fetch@1.6.0 (https://registry.npmjs.org/)
+
+Someone might have tampered with this package since it was published on the registry!
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with valid and missing signatures > must match snapshot 1`] = `
+audited 2 packages in xxx
+
+1 package has a verified registry signature
+
+1 package has a missing registry signature but the registry is providing signing keys:
+
+async@1.1.1 (https://registry.npmjs.org/)
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with valid signatures > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with valid signatures using alias > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps and ignores local workspace deps > must match snapshot 1`] = `
+audited 3 packages in xxx
+
+3 packages have verified registry signatures
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps when filtering by workspace name > must match snapshot 1`] = `
+audited 2 packages in xxx
+
+2 packages have verified registry signatures
+
+`
+
exports[`test/lib/commands/audit.js TAP fallback audit > must match snapshot 1`] = `
# npm audit report
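Review bot: The pluralized tamper warning captured in the "with multiple invalid signatures" snapshot reads `Someone might have tampered with these packages since they where published on the registry!` — "where" should be "were"; that string is produced by the `audit signatures` command itself, so the fix belongs in the command's output code with this snapshot regenerated afterwards, e.g. `Someone might have tampered with these packages since they were published on the registry!`. The singular form in the neighbouring snapshots is spelled correctly, so only the plural branch appears affected. The test title `with invalid signtaures and color output enabled` also carries a typo that will persist as a snapshot key until the test name is corrected. Separately, the third-party-registry entries print the registry as `https://verdaccio-clone.org` while npmjs entries print `https://registry.npmjs.org/` with a trailing slash, which suggests the registry URL is echoed as configured rather than normalized — worth confirming if consumers are expected to compare or parse that field.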
diff --git a/tap-snapshots/test/lib/load-all-commands.js.test.cjs b/tap-snapshots/test/lib/load-all-commands.js.test.cjs
index 57dd61266..ef832be1b 100644
--- a/tap-snapshots/test/lib/load-all-commands.js.test.cjs
+++ b/tap-snapshots/test/lib/load-all-commands.js.test.cjs
@@ -44,7 +44,7 @@ exports[`test/lib/load-all-commands.js TAP load each command audit > must match
Run a security audit
Usage:
-npm audit [fix]
+npm audit [fix|signatures]
Options:
[--audit-level <info|low|moderate|high|critical|none>] [--dry-run] [-f|--force]
diff --git a/tap-snapshots/test/lib/npm.js.test.cjs b/tap-snapshots/test/lib/npm.js.test.cjs
index b287e73f7..c87e947fc 100644
--- a/tap-snapshots/test/lib/npm.js.test.cjs
+++ b/tap-snapshots/test/lib/npm.js.test.cjs
@@ -199,7 +199,7 @@ All commands:
audit Run a security audit
Usage:
- npm audit [fix]
+ npm audit [fix|signatures]
Options:
[--audit-level <info|low|moderate|high|critical|none>] [--dry-run] [-f|--force]