
@freedomofpress/sigsum

v0.3.7

A Sigsum proof verifier for the browser.

sigsum-ts

Note: this library has not been audited, thus its security has not been independently verified.

sigsum-ts is a small, (runtime) dependency-free TypeScript library for verifying Sigsum proofs in the browser. It is designed to work with the Sigsum policy format and verify inclusion proofs, Signed Tree Heads, and cosignatures according to quorum rules. The implementation is strictly for verification purposes, and any cryptographic or format error will throw an exception, ensuring that failures are always explicit and must be caught by the caller. It uses only the Web Crypto API. The library mirrors the logic of the original Go implementation from the Sigsum repository, and aims to be as close in behavior and structure as possible.

sigsum-ts has complete test coverage. Its primary use case is as part of WEBCAT, a transparency and integrity layer for web-based applications, where client-side verification of cryptographic proofs is required.

For more information on Sigsum, visit sigsum.org or the development repository.

Nominal crypto types

To prevent accidental misuse of cryptographic material, sigsum-ts defines explicit nominal wrapper classes for each crypto type. Although many of them internally wrap a Uint8Array or a string, they are not interchangeable, and TypeScript will refuse to pass a Hash where a Signature is expected.
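An added illustration of the pattern described above, not code from sigsum-ts: the class names mirror the Hash and Signature mentioned in the text, but the fields, the `signatureLength` consumer and the byte lengths (32-byte digest, 64-byte Ed25519 signature) are assumptions made for this example.

```typescript
// Hypothetical nominal wrappers; not the library's actual classes.
// A private member makes each class nominal: TypeScript refuses to treat two
// classes as compatible when each declares its own private property.
class Hash {
  private readonly brand = "Hash";
  readonly bytes: Uint8Array;
  constructor(bytes: Uint8Array) {
    if (bytes.length !== 32) throw new Error(`Hash: expected 32 bytes, got ${bytes.length}`);
    this.bytes = bytes;
  }
  kind(): string { return this.brand; }
}

class Signature {
  private readonly brand = "Signature";
  readonly bytes: Uint8Array;
  constructor(bytes: Uint8Array) {
    if (bytes.length !== 64) throw new Error(`Signature: expected 64 bytes, got ${bytes.length}`);
    this.bytes = bytes;
  }
  kind(): string { return this.brand; }
}

// Hypothetical consumer that must only ever receive a Signature.
function signatureLength(sig: Signature): number {
  // Runtime guard for callers that bypass the type checker (plain JS, `as` casts).
  if (!(sig instanceof Signature)) throw new TypeError("expected a Signature");
  return sig.bytes.length;
}

function demo(): { ok: number; swapped: string; badLength: string } {
  const hash = new Hash(new Uint8Array(32)); // constructed sample values
  const sig = new Signature(new Uint8Array(64));
  const ok = signatureLength(sig);

  let swapped = "accepted";
  try {
    // @ts-expect-error both wrap a Uint8Array, yet Hash is not assignable to Signature
    signatureLength(hash);
  } catch (e) { swapped = (e as Error).message; }

  let badLength = "accepted";
  try { new Hash(new Uint8Array(64)); } catch (e) { badLength = (e as Error).message; }

  return { ok, swapped, badLength };
}
```

With plain `Uint8Array` parameters the swapped call would type-check and fail only later, if at all; here it is rejected at compile time and again at runtime.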

Usage

To verify a Sigsum proof, call the verifyMessage() function with the message, the raw submitter public key, a Sigsum policy, and the proof text.

import { verifyMessage } from "sigsum-ts";

// Throws on any cryptographic or format error, so wrap the call in try/catch.
const isValid = await verifyMessage(
  messageBytes, // Uint8Array
  submitterRawPublicKey, // Uint8Array as RawPublicKey (32 bytes, Ed25519)
  policyText, // string (Sigsum policy format)
  proofText, // string (Sigsum proof format)
);

Sometimes, especially when fetching updates remotely, it is useful to verify a proof for the hash of a file that has not been obtained yet. verifyHash takes the same arguments as verifyMessage, except that the first one is expected to already be a hash.

import { verifyHash } from "sigsum-ts";

// Same contract as verifyMessage, but the first argument is the hash itself.
const isValid = await verifyHash(
  messageHash, // Uint8Array
  submitterRawPublicKey, // Uint8Array as RawPublicKey (32 bytes, Ed25519)
  policyText, // string (Sigsum policy format)
  proofText, // string (Sigsum proof format)
);

Experimental policy compilation & evaluation

This project includes a policy compiler and bytecode-based evaluator adapted from the Sigsum C reference implementation. The goal is to make policy verification compact and efficient, suitable for constrained environments with limited memory and binary size requirements (e.g., embedded devices).

Both the compiled format and the evaluation logic are experimental and unstable; they may change without notice as the Sigsum ecosystem evolves.

References: