This repository was archived by the owner on Apr 3, 2020. It is now read-only.

Support signing unsigned dependencies of a package #15

@hach-que

Description

We want to allow package developers to "sign on behalf of", that is, signing the code of a dependency which is unsigned and thus indicating that the exact code in that version is to be trusted as part of the main package.

There are a lot of packages in the NPM ecosystem that have not yet adopted pkgsign for signing / trust, so this allows those dependencies to be signed and trusted by consumers, even while they are not signed by the original authors.

Once this is complete, pkgsign should start "signing on behalf of" its own dependencies, such that pkgsign itself can be completely verified by end users.

Labels: enhancement (New feature or request)