WAPM is a new package manager from Wasmer designed to make packaging and distributing WebAssembly simple and easy.

We released wapm about two months ago and have been iterating from all the feedback that we’ve received. In response we quickly released version 0.2.0 with many usability improvements and some new functionality too.

Following up on that, we began development of a package signing system as part of 0.3.0 and 0.3.1, which we will dive into the details of here.

What is Package Signing?

Package signing is a way for the author of the package to allow users of their package to verify that it really came from the author and that it hasn’t been tampered with.

It’s like the modern version of using sealing wax with a difficult to replicate imprint to verify the authenticity and integrity of the letter.

Package signing is a critical ingredient in a Package Manager. Here are a few reasons why:

Prevention of tampering: without package signing, the owner of the package repository, or anyone who may have gained illegitimate access, can make undetectable, malicious changes to packages.

Verification of identity: the maintainer can publish proofs through other trusted channels such as their own website, Keybase, social media, or in person. This allows users to know the origin of the package.

Verification of continuity: even if the package maintainer’s account is compromised, the signing key will remain secret, thus updates signed with the same key can be trusted and updates that are not signed with that key will not be implicitly trusted.

Our implementation uses Minisign (which uses Ed25519) for the public-private key pairs used for package signing. In the future wapm may support other signature schemes for users with additional needs, but Minisign has many desirable properties that make it a fantastic default choice.

Our trust system is a simple TOFU (Trust On First Use) scheme where the package-consuming user is prompted to verify public keys from the package-producing user, if they haven’t seen the key before.

High level control flow of TOFU

Currently all new keys must be validated by the package-consuming user manually. The next improvement to our TOFU system will be to add support for key revocation and chains of trust (using a trusted key to sign a new key).

In addition to our TOFU system, users may import trusted public keys manually with wapm keys import. Through this and future APIs, we may support more sophisticated trust schemes than TOFU.

How to Sign a Package

Here’s what setting up and using it as a package maintainer looks like:

# Create keys directory inside wasmer
mkdir -p ~/.wasmer/keys/
# Generate and register a key pair
wapm keys generate ~/.wasmer/keys/

The same can be done manually by generating a key with the wapm package rsign2 (or any Minisign implementation) and registering it with wapm:

# Install rsign to generate keys
wapm install -g jedisct1/rsign2
# Generate the key pair
wapm run rsign --dir=. -- generate
# Register the keys with wapm
wapm keys register --public rsign.pub --private .rsign/rsign.key

Once the keys are created and registered, we can publish the package as usual:

wapm publish

Signed packages will show a green check icon next to the package name.

Installing a Signed Package

From the package consumer’s perspective, this is what we will see once we try to install a signed package:

# Install a signed package
$ wapm install user/package
[INFO] Installing user/package@0.0.4
New public key encountered: 3F6D278A36843FFE RWT+P4Q2iidtP7bkcLP4fBTYc9YPpuTKNVIquvPPnsFXrGdecaMKpQ+t while installing package@0.0.4.
Would you like to trust this key?
[y/n] y
[INFO] Importing key "3F6D278A36843FFE" for user "user"
[INFO] Signature of package package@0.0.4 verified!
Package installed successfully to wapm_packages!

Additionally, there are key management commands to handle anything else related to package signing. See the wapm reference for more information.