Tags: node.js, npm, gitlab

"npm error code CA_CREATE_SIGNING_CERTIFICATE_ERROR" publishing to private registry


I have a private Gitlab server and I'm trying to publish an npm package in a CI pipeline to the project package registry following this guide.

Here's my job:

npm:
  image: node
  id_tokens:
    SIGSTORE_ID_TOKEN:        # OIDC token npm uses for provenance (Sigstore)
      aud: sigstore
  variables:
    npm_config_cafile: $CI_SERVER_TLS_CA_FILE   # custom CA for the GitLab registry
    npm_config_registry: $CI_API_V4_URL/projects/$CI_PROJECT_ID/packages/npm/
  before_script: npm config set -- //$CI_SERVER_HOST/api/v4/projects/$CI_PROJECT_ID/packages/npm/:_authToken=$CI_JOB_TOKEN
  script:
    - npm config set strict-ssl false
    - npm publish

I was originally getting this error:

npm error Provenance generation in GitLab CI requires "SIGSTORE_ID_TOKEN" with "sigstore" audience to be present in "id_tokens". For more info see:

Which was solved by adding the id_tokens: SIGSTORE_ID_TOKEN: aud: sigstore block.

But now I'm getting this error:

npm error code CA_CREATE_SIGNING_CERTIFICATE_ERROR

npm error error creating signing certificate - (400) There was an error processing the identity token

npm error cause (400) There was an error processing the identity token

Since it mentions identity token, it seems like this could be an authentication error due to either SIGSTORE_ID_TOKEN or CI_JOB_TOKEN. But since it mentions CA, CERTIFICATE, and create signing certificate it could also be a certificate/SSL issue.

My Gitlab instance uses a custom CA certificate, which tends to cause issues. So I was hoping setting npm_config_cafile: $CI_SERVER_TLS_CA_FILE or npm config set strict-ssl false would resolve that but so far no luck.

Looking at the debug logs:

notice Publishing to https://my-gitlab.myserver.com/api/v4/projects/1234/packages/npm/ with tag latest and public access

http fetch POST https://fulcio.sigstore.dev/api/v2/signingCert attempt 1 failed with 400

It appears to be failing to set up something related to sigstore, so I assume this is because of the SIGSTORE_ID_TOKEN I added. But without that, I get the error I mentioned above.

What's the right way to accomplish this?


Solution

My publishConfig in package.json was the problem:

    "publishConfig": {
        "access": "public",
        "provenance": true
    },

The original error indicated the provenance was the problem:

    npm error Provenance generation in GitLab CI requires "SIGSTORE_ID_TOKEN" with "sigstore" audience to be present in "id_tokens".

From the documentation, it seems that provenance is a way to link the package back to the CI pipeline. But since I'm using a private Gitlab instance, I think that's why it wasn't working.

Removing "provenance": true from my package.json and then the id_tokens section from the CI job fixed the issue.
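A note on the failure mode, and an added preflight check (example code, not part of the question or answer above): the 400 in the debug log comes from fulcio.sigstore.dev, the public Sigstore certificate authority, not from the GitLab registry, so npm_config_cafile and strict-ssl false cannot affect it. The public Fulcio instance only issues signing certificates for OIDC tokens from issuers it is configured to trust; for GitLab CI that issuer is https://gitlab.com, and a SIGSTORE_ID_TOKEN minted by a self-hosted instance carries that instance's URL as iss, which Fulcio rejects. Removing "provenance": true works, with the caveat that the published package then ships with no provenance attestation. The script below decodes the token's payload (without verifying its signature; Fulcio does that) and reports whether the public Fulcio instance would accept it before npm publish runs, and shows the publishConfig with provenance dropped when it would not. The two sample tokens are constructed for the example; in CI it reads SIGSTORE_ID_TOKEN from the environment.

```javascript
// Added example: preflight check for npm provenance in a GitLab CI job.
// Run with `node check-provenance.js` in the job before `npm publish`.
// Assumption: the public Fulcio instance trusts only https://gitlab.com as the
// GitLab CI issuer (self-hosted instances use their own URL as `iss`).

const TRUSTED_GITLAB_ISSUER = "https://gitlab.com";

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Builds a JWT-shaped string with a fake signature for the constructed samples.
// Real SIGSTORE_ID_TOKENs are RS256-signed by the GitLab instance.
function makeUnsignedJwt(claims) {
  return `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(claims)}.fakesig`;
}

// Decodes the payload only. No signature check: this is a diagnostic, and
// Fulcio verifies the token against the issuer's JWKS on its side.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 dot-separated parts");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns { ok, issuer, problems } describing whether public Fulcio would
// accept this token for npm provenance.
function checkProvenanceToken(jwt, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(jwt);
  const problems = [];
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!auds.includes("sigstore")) {
    problems.push(`aud ${JSON.stringify(claims.aud)} does not include "sigstore"`);
  }
  if (claims.iss !== TRUSTED_GITLAB_ISSUER) {
    problems.push(`issuer ${claims.iss} is not trusted by the public Fulcio instance`);
  }
  if (typeof claims.exp === "number" && claims.exp <= now) {
    problems.push("token is expired");
  }
  return { ok: problems.length === 0, issuer: claims.iss, problems };
}

// Returns a copy of package.json contents with publishConfig.provenance set
// only when the token check passed; otherwise the key is removed so npm does
// not attempt to contact Fulcio at all.
function publishConfigFor(pkg, provenanceOk) {
  const publishConfig = { ...(pkg.publishConfig || {}) };
  if (provenanceOk) publishConfig.provenance = true;
  else delete publishConfig.provenance;
  return { ...pkg, publishConfig };
}

// Constructed sample tokens (hypothetical issuer for the self-hosted case).
const SELF_HOSTED_TOKEN = makeUnsignedJwt({
  iss: "https://my-gitlab.myserver.com",
  aud: "sigstore",
  sub: "project_path:group/app:ref_type:branch:ref:main",
  exp: 4102444800, // year 2100, so the sample never expires
});
const GITLAB_COM_TOKEN = makeUnsignedJwt({
  iss: "https://gitlab.com",
  aud: "sigstore",
  sub: "project_path:group/app:ref_type:branch:ref:main",
  exp: 4102444800,
});

const token = process.env.SIGSTORE_ID_TOKEN || SELF_HOSTED_TOKEN;
const result = checkProvenanceToken(token);
const samplePkg = { name: "@group/app", version: "1.0.0", publishConfig: { access: "public", provenance: true } };
console.log(`issuer: ${result.issuer}`);
console.log(result.ok ? "provenance: supported by public Fulcio" : `provenance: unsupported (${result.problems.join("; ")})`);
console.log(JSON.stringify(publishConfigFor(samplePkg, result.ok).publishConfig));
```

If the check fails, the job can either publish without provenance (drop the key as shown) or point npm at a private Sigstore deployment that trusts the self-hosted issuer; what it cannot do is fix the 400 with TLS settings, because the rejected request never touches the GitLab server's certificate.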