npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@chipkey/cli

v0.5.1

Published

Hardware-backed key management CLI using Secure Enclave (macOS) and TPM 2.0 (Linux/Windows)

Downloads

319

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

jeanregisserjeanregisser

Keywords

Readme

chipkey

Give any machine a hardware-bound signing identity. chipkey is a JSON CLI that creates and signs with non-extractable ECDSA keys stored in your device's security hardware -- Secure Enclave on Mac, TPM 2.0 on Linux and Windows.

Private keys never leave the chip. Not to disk, not to the cloud, not to you. If the device is lost or destroyed, the keys are gone. That's a feature: there is nothing to steal, leak, or subpoena.

Use cases

  • AI agents with their own identity -- Give an agent a hardware-bound key pair. It can sign actions, outputs, or transactions autonomously, but nobody -- not even the operator -- can extract the private key.
  • Device attestation -- Prove a request came from a specific physical machine, not a cloned credential. The key is fused to the hardware and can't be copied.
  • Local-first crypto custody -- No cloud KMS, no HSM service, no API keys to rotate. Any machine with security hardware becomes a non-custodial signer.
  • Artifact signing -- Sign builds, releases, or documents with a key that's physically bound to your machine. Even a full disk compromise can't leak it.

How it works

chipkey is a thin wrapper around sks (Secure Key Store), a Go library from Meta that abstracts Secure Enclave and TPM behind a unified API. chipkey adds a JSON CLI on top, making it callable from any language.

| Platform | Hardware | Notes | |----------|----------|-------| | macOS 11+ | Secure Enclave (Apple Silicon, T2) | Requires a signed .app bundle (see macOS key scoping) | | Linux | TPM 2.0 | | | Windows | TPM 2.0 | |

Keys are ECDSA P-256 (secp256r1). Signatures are returned in the 64-byte raw R||S format used by Ethereum and similar systems. Keys are non-exportable by design -- there is no backup or recovery mechanism, so plan for key rotation.

Installation

Install from npm

npm install -g @chipkey/cli

Then verify the install:

chipkey version

Download a release

Grab the latest archive for your platform from the Releases page.

macOS: download Chipkey_*_macos_app.zip, unzip, and run the binary inside the bundle:

Chipkey.app/Contents/MacOS/chipkey version

Linux / Windows: download the appropriate archive and extract the chipkey binary.

Build from source

git clone https://github.com/jeanregisser/chipkey.git
cd chipkey
make build    # universal macOS binary (requires macOS)
make bundle   # signed .app bundle (requires Developer ID certificate)

For Linux or Windows cross-compilation: make build-linux or make build-windows.

Usage

All commands output JSON to stdout and use exit code 1 on failure.

Create a key

chipkey create --key-id "myapp:some-uuid"
{"keyId":"myapp:some-uuid","ok":true,"publicKey":"0x04..."}

The --key-id is a label:tag pair. If a key with that identity already exists, its public key is returned without creating a duplicate.

Sign a payload

chipkey sign --key-id "myapp:some-uuid" --payload-hex "0xdeadbeef"
{"ok":true,"signature":"0x..."}

By default, the payload is SHA-256 hashed before signing. To pass a pre-hashed 32-byte digest directly:

chipkey sign --key-id "myapp:some-uuid" --payload-hex "0x<64-hex-chars>" --hash none

Check if a key exists

chipkey info --key-id "myapp:some-uuid"
{"curve":"p256","exists":true,"ok":true}

Version

chipkey version
{"commit":"abc1234","date":"2026-02-26T10:30:00Z","ok":true,"version":"1.0.0"}

macOS key scoping

On macOS, sks uses the Data Protection Keychain, which scopes key access by application identifier. The com.apple.application-identifier entitlement (<TeamID>.<BundleID>) in the signed .app bundle determines which keys a binary can see. A binary signed with a different team or bundle identifier cannot access keys created by another -- they live in separate keychain namespaces enforced by the OS.

The pre-built releases are signed with the project's Developer ID. If you build and sign from source with your own certificate, your keys will be in a separate namespace.

Development

Prerequisites

  • Go 1.24+
  • macOS for Secure Enclave builds (CGO required for the sks darwin backend)
  • An Apple Developer ID Application certificate (for signing the .app bundle)

Make targets

| Target | Description | |--------|-------------| | make build | Build universal macOS binary | | make build-linux | Cross-compile Linux amd64/arm64 | | make build-windows | Cross-compile Windows amd64/arm64 | | make bundle | Build, sign, and package the .app bundle | | make test | Run tests | | make lint | Run golangci-lint (installs it first if needed) | | make check-tidy | Verify go.mod/go.sum are tidy | | make tools | Install dev tools into .tools/ | | make clean | Remove build artifacts and tools |

Running tests

make test

Unit and CLI argument-validation tests run on any platform. The end-to-end test (TestE2E_CreateSignInfo) requires a signed binary with Secure Enclave entitlements:

make bundle
CHIPKEY_BINARY=bin/Chipkey.app/Contents/MacOS/chipkey go test -run TestE2E ./...

CI/CD

Pushes to main trigger the full pipeline:

  1. Lint -- golangci-lint, go mod tidy check, goreleaser config validation
  2. Test -- go test on macOS, Linux, and Windows
  3. Version -- Semantic version determined from Conventional Commits
  4. Release -- goreleaser builds Linux/Windows archives, then the signed macOS .app bundle is built and uploaded

To enable macOS code signing in CI, add these repository secrets:

| Secret | Description | |--------|-------------| | APPLE_CERTIFICATE_P12_BASE64 | Base64-encoded .p12 export of your Developer ID Application certificate | | APPLE_CERTIFICATE_PASSWORD | Password used when exporting the .p12 |

The CI checks the certificate's expiry and warns when it's within 30 days of expiring.

Error codes

All errors include a machine-readable code and a human-readable message:

{"error":{"code":"INVALID_KEY_ID","message":"key-id \"bad\" is not valid — must be non-empty label:tag (e.g. chipkey:my-uuid)"},"ok":false}

| Code | Meaning | |------|---------| | INVALID_ARGUMENTS | Missing or malformed flags | | INVALID_COMMAND | Unknown subcommand | | INVALID_KEY_ID | --key-id is not in label:tag format | | INVALID_PAYLOAD | --payload-hex is not valid hex | | INVALID_HASH_MODE | --hash must be sha256 or none | | INVALID_DIGEST_LENGTH | --hash none requires exactly 32 bytes | | KEY_CREATION_FAILED | Hardware key creation failed | | SIGNING_FAILED | Signing operation failed | | PUBLIC_KEY_UNAVAILABLE | Could not retrieve public key after creation | | SIGNATURE_PARSE_FAILED | Internal error parsing DER signature |

Acknowledgments

All the heavy lifting is done by sks from Meta. chipkey just adds a JSON CLI on top.

License

MIT