Libraries and utilities for SFDX trust.

```
npm install @salesforce/sfdx-trust
```

Overview
========
Use the sfdx_trust commands to digitally sign and verify your plugins.
Two commands are offered:
1) plugins:trust:sign - This produces a packed npm with a digital signature.
The npm gets published to the npm registry and the signature file is published to
the target URL specified in the signature url option. See command details.
2) plugins:trust:verify - This command verifies the digital signature of a published npm.
This verification is the same verification that occurs during sfdx plugins:install.
Allowlisting
============
If a plugin needs to be installed in an unattended fashion, as is the case with automation,
the plugin acceptance prompt can be avoided by placing the plugin name in
$HOME/.config/sfdx/unsignedPluginAllowList.json
```javascript
[
"@salesforce/npmName",
"plugin2",
...
]
```
If a plugin is not signed you then won't get a prompt confirming the installation
of an unsigned plugin. Instead you'll get a message logged stating that the plugin was
allowlisted and the installation will proceed as normal.
Additional Verification Information
===================================
In addition to signature verification, additional checks are in place to
help ensure the authenticity of plugins.
1) DNS - The public key URL and signature URL must have an https scheme
and originate from developer.salesforce.com.
2) Cert Pinning - The digital fingerprint of developer.salesforce.com's certificate is
validated. This helps prevent man-in-the-middle attacks.
Relevant Environment Variables
==============================
Use the following environment variable settings with caution.
- NODE_TLS_REJECT_UNAUTHORIZED: when set to 0, accepts self-signed certificates (TLS certificate validation is no longer enforced).
- SFDX_DEVELOPER_TRUSTED_FINGERPRINT: Allows changing the expected digital fingerprint.
- SFDX_ALLOW_ALL_SALESFORCE_CERTSIG_HOSTING: Enlarges the circle of trust to include any salesforce.com host.
- SFDX_DISABLE_CERT_PINNING: Completely disables the fingerprint check.
Command Details
===============
* `@salesforce/sfdx-trust plugins:trust:sign -s <string> -p <string> -k <string> [--json] [--loglevel trace|debug|info|warn|error|fatal]`
* `@salesforce/sfdx-trust plugins:trust:verify -n <string> [-r <string>] [--json] [--loglevel trace|debug|info|warn|error|fatal]`
pack an npm package and produce a tgz file along with a corresponding digital signature

```
USAGE
  $ @salesforce/sfdx-trust plugins:trust:sign -s <string> -p <string> -k <string> [--json] [--loglevel
  trace|debug|info|warn|error|fatal]

OPTIONS
  -k, --privatekeypath=privatekeypath             (required) the local file path for the private key.
  -p, --publickeyurl=publickeyurl                 (required) the url where the public key/certificate will be hosted.
  -s, --signatureurl=signatureurl                 (required) the url location where the signature will be hosted minus
                                                  the name of the actual signature file.
  --json                                          format output as json
  --loglevel=(trace|debug|info|warn|error|fatal)  [default: warn] logging level for this command invocation

EXAMPLE
  $ sfdx plugins:trust:sign --signature npmName-0.0.1.sig --publicKeyUrl https://developer.salesforce.com/media/salesforce-cli/sfdx.cer --privateKeyPath $HOME/secret.key
```
_See code: dist/commands/plugins/trust/sign.ts_
For an npm package, validate the associated digital signature if it exists.

```
USAGE
  $ @salesforce/sfdx-trust plugins:trust:verify -n <string> [-r <string>] [--json] [--loglevel
  trace|debug|info|warn|error|fatal]

OPTIONS
  -n, --npm=npm                                   (required) Specify the npm name. This can include a tag/version.
  -r, --registry=registry                         The registry name. The behavior is the same as npm.
  --json                                          format output as json
  --loglevel=(trace|debug|info|warn|error|fatal)  [default: warn] logging level for this command invocation

EXAMPLES
  $ sfdx plugins:trust:verifySignature --npm @scope/npmName --registry http://my.repo.org:4874
  $ sfdx plugins:trust:verifySignature --npm @scope/npmName
```
_See code: dist/commands/plugins/trust/verify.ts_