Working With Remote Repositories
When running npm audit signatures from a remote repository, signing is the responsibility of the upstream registry. The official npm registry already signs packages using ECDSA, so Artifactory provides the signature directly from the remote repository.
Note that if you point to a different remote repository and want to use the audit signatures command, you must verify that the upstream registry signs its packages; otherwise, the audit command will always show you exceptions.
Working With Virtual Repositories
When running npm audit signatures from a virtual repository, make sure to enable ECDSA signing on all of your local repositories nested under the virtual repository, so that all of the packages will be signed.
In addition, verify that all your remote repositories are pointing to registries that are signing the packages.
Avoid mixing signed and unsigned repositories in virtual repositories
If you mix repositories with signed and unsigned packages, the npm audit signatures command will always display an error saying that some packages do not have signatures. This is expected, but it stops the npm client from continuing its usual actions, e.g. proceeding to download packages.
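The sketch below is an added example, not Artifactory or npm source code. It models the check behind npm audit signatures to show why a virtual repository that mixes signed and unsigned sources always reports missing signatures, and why an upstream registry must sign its packages. It assumes the npm registry signature format (an ECDSA P-256 signature over "name@version:integrity", public keys served at /-/npm/v1/keys); the key pair, package names and helper functions are constructed for the demonstration.

```javascript
// Added example: offline, simplified model of the `npm audit signatures` check.
const crypto = require('node:crypto');

// Constructed stand-in for a registry signing key. A signing registry
// publishes its public keys at <registry>/-/npm/v1/keys.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const spki = publicKey.export({ type: 'spki', format: 'der' });
const keyid = 'SHA256:' + crypto.createHash('sha256').update(spki).digest('base64');
const registryKeys = [{ keyid, keytype: 'ecdsa-sha2-nistp256', key: spki.toString('base64') }];

// The signed message is "<name>@<version>:<dist.integrity>".
const message = (p) => `${p.name}@${p.version}:${p.dist.integrity}`;

function sign(p) { // what a signing repository adds to the package metadata
  const sig = crypto.sign('sha256', Buffer.from(message(p)), privateKey).toString('base64');
  return { ...p, dist: { ...p.dist, signatures: [{ keyid, sig }] } };
}

// Classify one package version: 'verified', 'missing' or 'invalid'.
// Simplification: a signature from an unknown key id counts as 'invalid'.
function auditOne(p, keys) {
  const sigs = (p.dist && p.dist.signatures) || [];
  if (sigs.length === 0) return 'missing';
  const ok = sigs.some(({ keyid, sig }) => {
    const k = keys.find((c) => c.keyid === keyid);
    if (!k) return false;
    const pub = crypto.createPublicKey({ key: Buffer.from(k.key, 'base64'), format: 'der', type: 'spki' });
    return crypto.verify('sha256', Buffer.from(message(p)), pub, Buffer.from(sig, 'base64'));
  });
  return ok ? 'verified' : 'invalid';
}

function auditTree(pkgs, keys) {
  const out = { verified: [], missing: [], invalid: [] };
  for (const p of pkgs) out[auditOne(p, keys)].push(`${p.name}@${p.version}`);
  return out;
}

// Constructed packages: one from a signing repository, one from a repository
// without ECDSA signing, one whose integrity no longer matches its signature.
const pkg = (name, version, seed) => ({ name, version,
  dist: { integrity: 'sha512-' + crypto.createHash('sha512').update(seed).digest('base64') } });
const signedLocal = sign(pkg('@acme/ui', '1.0.0', 'a'));
const unsignedLocal = pkg('@acme/legacy', '2.3.1', 'b');
const t = sign(pkg('demo-lib', '1.3.0', 'c'));
const tampered = { ...t, dist: { ...t.dist, integrity: pkg('demo-lib', '1.3.0', 'd').dist.integrity } };
const MIXED = [signedLocal, unsignedLocal, tampered];

console.log(auditTree(MIXED, registryKeys));
```

A single entry under missing is enough for the audit to fail, which is the mixed-repository case described above.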