Skip to content

Commit

Permalink
Merge pull request actions#1701 from actions/bdehamer/attest-v03-bundle
Browse files Browse the repository at this point in the history
(@actions/attest) generate attestations using v0.3 bundle format
  • Loading branch information
bdehamer authored Apr 3, 2024
2 parents 59e9d28 + f8d95a8 commit 9ddf153
Show file tree
Hide file tree
Showing 6 changed files with 48 additions and 43 deletions.
6 changes: 6 additions & 0 deletions packages/attest/RELEASES.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,11 @@
# @actions/attest Releases

### 1.2.0

- Generate attestations using the v0.3 Sigstore bundle format.
- Bump @sigstore/bundle from 2.2.0 to 2.3.0.
- Bump @sigstore/sign from 2.2.3 to 2.3.0.

### 1.1.0

- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement.
Expand Down
12 changes: 4 additions & 8 deletions packages/attest/__tests__/sign.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -64,13 +64,11 @@ describe('signProvenance', () => {

expect(att).toBeDefined()
expect(att.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2'
'application/vnd.dev.sigstore.bundle.v0.3+json'
)

expect(att.content.$case).toEqual('dsseEnvelope')
expect(att.verificationMaterial.content.$case).toEqual(
'x509CertificateChain'
)
expect(att.verificationMaterial.content.$case).toEqual('certificate')
expect(att.verificationMaterial.tlogEntries).toHaveLength(1)
expect(
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
Expand All @@ -89,13 +87,11 @@ describe('signProvenance', () => {

expect(att).toBeDefined()
expect(att.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2'
'application/vnd.dev.sigstore.bundle.v0.3+json'
)

expect(att.content.$case).toEqual('dsseEnvelope')
expect(att.verificationMaterial.content.$case).toEqual(
'x509CertificateChain'
)
expect(att.verificationMaterial.content.$case).toEqual('certificate')
expect(att.verificationMaterial.tlogEntries).toHaveLength(0)
expect(
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
Expand Down
58 changes: 29 additions & 29 deletions packages/attest/package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions packages/attest/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@actions/attest",
"version": "1.1.0",
"version": "1.2.0",
"description": "Actions attestation lib",
"keywords": [
"github",
Expand Down Expand Up @@ -46,8 +46,8 @@
"@actions/core": "^1.10.1",
"@actions/github": "^6.0.0",
"@actions/http-client": "^2.2.1",
"@sigstore/bundle": "^2.2.0",
"@sigstore/sign": "^2.2.3",
"@sigstore/bundle": "^2.3.0",
"@sigstore/sign": "^2.3.0",
"jsonwebtoken": "^9.0.2",
"jwks-rsa": "^3.1.0",
"make-fetch-happen": "^13.0.0"
Expand Down
3 changes: 2 additions & 1 deletion packages/attest/src/attest.ts
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
import {Bundle, bundleToJSON} from '@sigstore/bundle'
import {bundleToJSON} from '@sigstore/bundle'
import {X509Certificate} from 'crypto'
import {SigstoreInstance, signingEndpoints} from './endpoints'
import {buildIntotoStatement} from './intoto'
import {Payload, signPayload} from './sign'
import {writeAttestation} from './store'

import type {Bundle} from '@sigstore/sign'
import type {Attestation, Predicate, Subject} from './shared.types'

const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'
Expand Down
6 changes: 4 additions & 2 deletions packages/attest/src/sign.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import {Bundle} from '@sigstore/bundle'
import {
Bundle,
BundleBuilder,
CIContextProvider,
DSSEBundleBuilder,
Expand Down Expand Up @@ -103,5 +103,7 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
)
}

return new DSSEBundleBuilder({signer, witnesses})
// Build the bundle with the singleCertificate option which will
// trigger the creation of v0.3 DSSE bundles
return new DSSEBundleBuilder({signer, witnesses, singleCertificate: true})
}

0 comments on commit 9ddf153

Please sign in to comment.