There are language package managers with package signing. At the very least, pinning the key fingerprint on first use with a mechanism for automatically rotating to requiring signatures from additional new keys works well.
I'm not sure that end-user key management actually does work well for a system that operates at the scale that NPM does. Do you know what the largest deployment of such a package manager is?
I don't understand what scale has to do with it. Package signing works fine for many other package managers with a large scale. The basic trust on first use security properties don't require any end user key management or extra work on their part.
This Tweet was deleted by the Tweet author.
I too have direct experience working on many package managers specifically on the problem of package signing, and I would argue for a signing system to be useful, at a minimum every package needs to be signed by a key which is ultimately trusted by the end user
...but then there’s this problem to consider: how to handle key rotation
For package signing, automatic rotation based on the old key signing off on the rotation to a new key works well. Here's an example:
source.android.com/security/apksi
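The rotation sign-off described in the tweet above, as an added example that is not from this thread or from Android's apksigner: a client pins a package's signing key on first use and later accepts a different signer only if the currently pinned key has signed a rotation statement naming it. The types, the "rotate:" message format and the per-package pin store are assumptions for illustration, not any package manager's real format.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)
// Rotation: the outgoing key signs off on NewKey as the signer of future releases.
type Rotation struct {
	NewKey ed25519.PublicKey
	Sig    []byte // by the previous key, over rotationMsg(name, NewKey)
}
// Release: signed payload plus the rotation chain from the client's pinned key to Signer.
type Release struct {
	Payload   []byte
	Signer    ed25519.PublicKey
	Sig       []byte
	Rotations []Rotation
}
// Pins is the client's trust-on-first-use store: package name -> currently pinned key.
type Pins map[string]ed25519.PublicKey
// rotationMsg binds a rotation statement to one package so a proof cannot be replayed elsewhere (assumed format).
func rotationMsg(name string, k ed25519.PublicKey) []byte { return append([]byte("rotate:"+name+":"), k...) }
// verify rejects malformed keys first; ed25519.Verify panics on a wrong-length key.
func verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}
// Verify accepts a release signed by the pinned key or by a key reachable from it through
// a valid rotation chain, then advances the pin; the first release seen pins its signer.
func (p Pins) Verify(name string, r *Release) error {
	if !verify(r.Signer, r.Payload, r.Sig) {
		return errors.New("bad payload signature")
	}
	cur, ok := p[name]
	if !ok { // first use: nothing to check against, so pin this signer
		p[name] = r.Signer
		return nil
	}
	for _, rot := range r.Rotations { // walk old -> new; each step must be signed by its predecessor
		if !verify(cur, rotationMsg(name, rot.NewKey), rot.Sig) {
			return errors.New("rotation not signed by the current key")
		}
		cur = rot.NewKey
	}
	if !cur.Equal(r.Signer) {
		return errors.New("signer not reachable from pinned key")
	}
	p[name] = r.Signer // pin advanced: releases signed only by the old key are now rejected
	return nil
}
```

Once a client has accepted a rotation, a release signed only by the retired key fails the reachability check, which is what limits the damage of a compromised old key.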
I don't understand making this out to be so hard when package signing is used at huge scales surprisingly successfully.
...and sure, it works great if you don’t give a fuck about the practical implications ¯\_(ツ)_/¯
“We let any rando ship binaries, but it’s cool, they’re GPG signed!”