Verifying Node.js Binaries
Colin J. Ihrig
The Internet is not a safe place. Sometimes, not even the simple act of downloading a file is what it seems. On February 20th 2016, hackers created a modified Linux Mint ISO containing a backdoor, and linked to it from linuxmint.com. A blog post was issued containing instructions for detecting the compromised ISO.
While this doesn't directly effect Node.js, it could have just as easily been Node that was hacked. Luckily, you can verify the Node.js binaries that you download from nodejs.org.
Start by downloading an official Node.js binary. For the sake of this example, we're going to download Node v5.3.0 for OS X.
curl -SLO "https://nodejs.org/dist/v5.3.0/node-v5.3.0-darwin-x64.tar.gz"
Next, download the SHA checksums corresponding to your binary.
curl -SLO "https://nodejs.org/dist/v5.3.0/SHASUMS256.txt.asc"
Now, you can verify that your binary is authentic using the following command:
grep node-v5.3.0-darwin-x64.tar.gz SHASUMS256.txt.asc | shasum -a 256 -c -
If everything is correct, the output should say that the file is OK. If the binary had been tampered with, you would get a warning about a mismatched computed checksum.
Of course, if attackers were able to provide you with a compromised binary, they could also compromise the checksum file. To mitigate this, you can verify that the files have been signed by a member of the Node.js release team. In order to do this, you must first import the keys of each member of the release team. For example, the command to import my key is:
gpg --keyserver pool.sks-keyservers.net --recv-keys 94AE36675C464D64BAFA68DD7434390BDBE9B9C5
The Node.js README contains a Release Team section listing all members of the release team, their email address, and signing key. It also contains a list of commands needed to import all of the necessary keys.
Once you have all of the requisite keys, verify the checksums you previously downloaded using the following command.
gpg --verify SHASUMS256.txt.asc
Assuming that nothing has been tampered with, you should see a response similar to the following:
gpg: Signature made Wed Dec 16 15:05:05 2015 EST using RSA key ID DBE9B9C5
gpg: Good signature from "Colin Ihrig <cjihrig@gmail.com>" [ultimate]
Looks like we eluded the hackers... this time.