fix: bug to support rotated keys in signature/attestation audit

[feelepxyz]

Context

npm audit signatures performs the registry signature and sigstore attestation bundle verification in pacote.

The current code checks if the public key from the tuf trust root keys target has expires set to in the past:
https://github.com/npm/pacote/blob/main/lib/registry.js#L174-L175

If we decide to rotate signing keys and add expires to a old public key, verification will always fail saying the key for old packages has expired.

This means we can't rotate signing keys for npm at the moment!

Solution

Check public key expiry against either integratedTime for attestations or the publish time for registry signatures.

This allows us to rotate a key, setting expiry to after all packages that where signed with that key where published.

Complication: some really old npm packages don't have time set so we need some kind of cutoff date for these packages.

Having time in the packument also requires the npm/cli to fetch the full manifest, not the minified packument that does not contain time.

This will restrict usage in the npm/cli install loop.

Some other solutions I considered where backfilling packages with a signedAt timestamp in the dist object but this is a pretty big effort.

[wraithgar]

I can't recommend changes outside of your diff so I'll just put it here:

  async manifest () {
    if (this.package) {
      return this.package
    }

    if (this.opts.verifySignatures) {
       this.fullMetadata = true
    }


    const packument = await this.packument()

[feelepxyz]

@wraithgar thanks for review, applied suggestions. I think there might be some unrelated test failures due to changed digests?

[bdehamer]

One question, but looks good otherwise 👍

[wraithgar]

The failing test is most likely a change node made to a compression setting. It affects the cli and probably other tests too.