Generating provenance statements

Table of contents

You can generate provenance statements for the packages you publish. This allows you to publicly establish where a package was built and who published a package, which can increase supply-chain security for your packages.

About npm provenance

npm provenance includes two types of attestations:

Provenance attestation
Publish attestation

The provenance attestation is established by publicly providing a link to a package's source code and build instructions from the build environment. This allows developers to verify where and how your package was built before they download it.

Publish attestations are generated by the registry when a package is published by an authorized user. When an npm package is published with provenance, it is signed by Sigstore public good servers and logged in a public transparency ledger, where users can view this information.

About Sigstore

Sigstore is a collection of tools and services aimed at making it easy to use short-lived, ephemeral certificates to sign software. Its three main components are a CLI tool, a certificate authority, and a time-stamping transparency log.

The certificate authority federates with any OIDC provider that includes verifiable build information. It acts as an intermediary between build systems and package registries by verifying the integrity of the OIDC token, issues a signing certificate that contains that build information, and then logging the signing certificate to an immutable ledger.

The transparency log service provides a public, verifiable, tamper-evident ledger of signed attestations. This ensures transparency of the public service, as well as providing a way to detect attempts to tamper with a package if a package registry were to be compromised.

Provenance limitations

To publish a package with provenance, you must build your package with a supported cloud CI/CD provider using a cloud-hosted runner. Today this includes GitHub Actions and GitLab CI/CD.
When a package in the npm registry has established provenance, it does not guarantee the package has no malicious code. Instead, npm provenance provides a verifiable link to the package's source code and build instructions, which developers can then audit and determine whether to trust it or not. For more information, see "Searching for and choosing packages to download."

Prerequisites

Before you can publish your packages with provenance, you must:

Review the Linux Foundation Immutable Record notice, which applies to the public transparency log.
Install the latest version of the npm CLI (ensure you are on 9.5.0+ as older versions don't support npm provenance). For more information, see "Try the latest stable version of npm."
Ensure your package.json is configured with a public repository that matches (case-sensitive) where you are publishing with provenance from.
Set up automation with a supported CI/CD provider to publish your packages to the npm registry. The following providers are supported:
- GitHub Actions. For more information, see "Publishing packages with provenance via GitHub Actions."
- GitLab CI/CD. For more information, see "Publishing packages with provenance via GitLab CI/CD."

Note: If you use trusted publishing, provenance attestations are automatically generated for your packages without requiring the --provenance flag. This provides enhanced security and eliminates the need for access tokens in your CI/CD workflows.

Publishing packages with provenance via GitHub Actions

In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitHub Actions is a supported CI/CD platform that allows you to automate software development tasks. For more information, see GitHub Actions in the GitHub documentation.

To update your GitHub Actions workflow to publish your packages with provenance, you must:

Give permission to mint an ID-token:
```
permissions:
  id-token: write
```
Run on a GitHub-hosted runner:
```
runs-on: ubuntu-latest
```
Add the --provenance flag to your publish command:
```
npm publish --provenance
```
If you are publishing a package for the first time you will also need to explicitly set access to public:
```
npm publish --provenance --access public
```

Example GitHub Actions workflow

This example workflow publishes a package to the npm registry with provenance.

name: Publish Package to npmjs
on:
  release:
    types: [published]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Using third-party package publishing tools

If you publish your packages with tools that do not directly invoke the npm publish command, you can do one of the following in your GitHub Actions workflow to publish your packages with provenance.

Configure environment variables: In your GitHub Actions workflow, you can use an environment variable called NPM_CONFIG_PROVENANCE, and set it to true.
Configure your package.json file: You can add a publishConfig block to your package.json file:
```
"publishConfig": {
  "provenance": true
},
```
Add an .npmrc file: You can add an .npmrc file to your project with the following entry:
```
provenance=true
```

Note: To publish packages with provenance using Yarn, v4.9.0 or greater is required.

Publishing packages with provenance via GitLab CI/CD

In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitLab CI/CD is a supported CI/CD platform that allows you to automate software development tasks. For more information, see Generating provenance in GitLab CI/CD in the GitLab documentation.

Example GitLab CI job

This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don't forget to define the NPM_TOKEN variable in your GitLab project settings.

publish:
  image: 'node:20'
  rules:
    - if: $CI_COMMIT_TAG
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
    - npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
    - npm publish --provenance --access public

Verifying provenance attestations

You can verify the provenance attestations of downloaded packages with the following audit command:

npm audit signatures

Example response showing the count of verified registry signatures and verified attestations for all of the packages in a project:

audited 1267 packages in 6s

1267 packages have verified registry signatures

74 packages have verified attestations

Because provenance attestations are such a new feature, security features may be added to (or changed in) the attestation format over time. To ensure that you're always able to verify attestation signatures check that you're running the latest version of the npm CLI. Please note this often means updating npm beyond the version that ships with Node.js.