Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
  • Loading branch information
wraithgar committed Apr 9, 2024
1 parent fd4153b commit c18a0ad
Show file tree
Hide file tree
Showing 17 changed files with 147 additions and 68 deletions.
28 changes: 20 additions & 8 deletions node_modules/@sigstore/bundle/dist/build.js
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,9 @@ const bundle_1 = require("./bundle");
// Message signature bundle - $case: 'messageSignature'
function toMessageSignatureBundle(options) {
return {
mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE,
mediaType: options.singleCertificate
? bundle_1.BUNDLE_V03_MEDIA_TYPE
: bundle_1.BUNDLE_V02_MEDIA_TYPE,
content: {
$case: 'messageSignature',
messageSignature: {
Expand All @@ -39,7 +41,9 @@ exports.toMessageSignatureBundle = toMessageSignatureBundle;
// DSSE envelope bundle - $case: 'dsseEnvelope'
function toDSSEBundle(options) {
return {
mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE,
mediaType: options.singleCertificate
? bundle_1.BUNDLE_V03_MEDIA_TYPE
: bundle_1.BUNDLE_V02_MEDIA_TYPE,
content: {
$case: 'dsseEnvelope',
dsseEnvelope: toEnvelope(options),
Expand Down Expand Up @@ -71,12 +75,20 @@ function toVerificationMaterial(options) {
}
function toKeyContent(options) {
if (options.certificate) {
return {
$case: 'x509CertificateChain',
x509CertificateChain: {
certificates: [{ rawBytes: options.certificate }],
},
};
if (options.singleCertificate) {
return {
$case: 'certificate',
certificate: { rawBytes: options.certificate },
};
}
else {
return {
$case: 'x509CertificateChain',
x509CertificateChain: {
certificates: [{ rawBytes: options.certificate }],
},
};
}
}
else {
return {
Expand Down
5 changes: 3 additions & 2 deletions node_modules/@sigstore/bundle/dist/bundle.js
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
exports.BUNDLE_V01_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1';
exports.BUNDLE_V02_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.2';
exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3';
exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3';
exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle.v0.3+json';
// Type guards for bundle variants.
function isBundleWithCertificateChain(b) {
return b.verificationMaterial.content.$case === 'x509CertificateChain';
Expand Down
3 changes: 2 additions & 1 deletion node_modules/@sigstore/bundle/dist/index.js
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.isBundleV01 = exports.assertBundleV02 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0;
exports.isBundleV01 = exports.assertBundleV02 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0;
/*
Copyright 2023 The Sigstore Authors.
Expand All @@ -22,6 +22,7 @@ Object.defineProperty(exports, "toMessageSignatureBundle", { enumerable: true, g
var bundle_1 = require("./bundle");
Object.defineProperty(exports, "BUNDLE_V01_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V01_MEDIA_TYPE; } });
Object.defineProperty(exports, "BUNDLE_V02_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V02_MEDIA_TYPE; } });
Object.defineProperty(exports, "BUNDLE_V03_LEGACY_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V03_LEGACY_MEDIA_TYPE; } });
Object.defineProperty(exports, "BUNDLE_V03_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V03_MEDIA_TYPE; } });
Object.defineProperty(exports, "isBundleWithCertificateChain", { enumerable: true, get: function () { return bundle_1.isBundleWithCertificateChain; } });
Object.defineProperty(exports, "isBundleWithDsseEnvelope", { enumerable: true, get: function () { return bundle_1.isBundleWithDsseEnvelope; } });
Expand Down
3 changes: 2 additions & 1 deletion node_modules/@sigstore/bundle/dist/validate.js
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,8 @@ function validateBundleBase(b) {
const invalidValues = [];
// Media type validation
if (b.mediaType === undefined ||
!b.mediaType.startsWith('application/vnd.dev.sigstore.bundle+json;version=')) {
(!b.mediaType.match(/^application\/vnd\.dev\.sigstore\.bundle\+json;version=\d\.\d/) &&
!b.mediaType.match(/^application\/vnd\.dev\.sigstore\.bundle\.v\d\.\d\+json/))) {
invalidValues.push('mediaType');
}
// Content-related validation
Expand Down
4 changes: 2 additions & 2 deletions node_modules/@sigstore/bundle/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@sigstore/bundle",
"version": "2.2.0",
"version": "2.3.1",
"description": "Sigstore bundle type",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand All @@ -27,7 +27,7 @@
"provenance": true
},
"dependencies": {
"@sigstore/protobuf-specs": "^0.3.0"
"@sigstore/protobuf-specs": "^0.3.1"
},
"engines": {
"node": "^16.14.0 || >=18.0.0"
Expand Down
4 changes: 2 additions & 2 deletions node_modules/@sigstore/core/dist/crypto.js
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,12 @@ limitations under the License.
*/
const crypto_1 = __importDefault(require("crypto"));
const SHA256_ALGORITHM = 'sha256';
function createPublicKey(key) {
function createPublicKey(key, type = 'spki') {
if (typeof key === 'string') {
return crypto_1.default.createPublicKey(key);
}
else {
return crypto_1.default.createPublicKey({ key, format: 'der', type: 'spki' });
return crypto_1.default.createPublicKey({ key, format: 'der', type: type });
}
}
exports.createPublicKey = createPublicKey;
Expand Down
2 changes: 1 addition & 1 deletion node_modules/@sigstore/core/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@sigstore/core",
"version": "1.0.0",
"version": "1.1.0",
"description": "Base library for Sigstore",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TrustedRoot = exports.CertificateAuthority = exports.TransparencyLogInstance = void 0;
exports.ClientTrustConfig = exports.SigningConfig = exports.TrustedRoot = exports.CertificateAuthority = exports.TransparencyLogInstance = void 0;
/* eslint-disable */
const sigstore_common_1 = require("./sigstore_common");
function createBaseTransparencyLogInstance() {
Expand Down Expand Up @@ -98,6 +98,58 @@ exports.TrustedRoot = {
return obj;
},
};
function createBaseSigningConfig() {
return { caUrl: "", oidcUrl: "", tlogUrls: [], tsaUrls: [] };
}
exports.SigningConfig = {
fromJSON(object) {
return {
caUrl: isSet(object.caUrl) ? String(object.caUrl) : "",
oidcUrl: isSet(object.oidcUrl) ? String(object.oidcUrl) : "",
tlogUrls: Array.isArray(object?.tlogUrls) ? object.tlogUrls.map((e) => String(e)) : [],
tsaUrls: Array.isArray(object?.tsaUrls) ? object.tsaUrls.map((e) => String(e)) : [],
};
},
toJSON(message) {
const obj = {};
message.caUrl !== undefined && (obj.caUrl = message.caUrl);
message.oidcUrl !== undefined && (obj.oidcUrl = message.oidcUrl);
if (message.tlogUrls) {
obj.tlogUrls = message.tlogUrls.map((e) => e);
}
else {
obj.tlogUrls = [];
}
if (message.tsaUrls) {
obj.tsaUrls = message.tsaUrls.map((e) => e);
}
else {
obj.tsaUrls = [];
}
return obj;
},
};
function createBaseClientTrustConfig() {
return { mediaType: "", trustedRoot: undefined, signingConfig: undefined };
}
exports.ClientTrustConfig = {
fromJSON(object) {
return {
mediaType: isSet(object.mediaType) ? String(object.mediaType) : "",
trustedRoot: isSet(object.trustedRoot) ? exports.TrustedRoot.fromJSON(object.trustedRoot) : undefined,
signingConfig: isSet(object.signingConfig) ? exports.SigningConfig.fromJSON(object.signingConfig) : undefined,
};
},
toJSON(message) {
const obj = {};
message.mediaType !== undefined && (obj.mediaType = message.mediaType);
message.trustedRoot !== undefined &&
(obj.trustedRoot = message.trustedRoot ? exports.TrustedRoot.toJSON(message.trustedRoot) : undefined);
message.signingConfig !== undefined &&
(obj.signingConfig = message.signingConfig ? exports.SigningConfig.toJSON(message.signingConfig) : undefined);
return obj;
},
};
function isSet(value) {
return value !== null && value !== undefined;
}
6 changes: 3 additions & 3 deletions node_modules/@sigstore/protobuf-specs/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@sigstore/protobuf-specs",
"version": "0.3.0",
"version": "0.3.1",
"description": "code-signing for npm packages",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand All @@ -21,11 +21,11 @@
},
"homepage": "https://github.com/sigstore/protobuf-specs#readme",
"devDependencies": {
"@tsconfig/node14": "^1.0.3",
"@tsconfig/node16": "^16.1.1",
"@types/node": "^18.14.0",
"typescript": "^4.9.5"
},
"engines": {
"node": "^14.17.0 || ^16.13.0 || >=18.0.0"
"node": "^16.14.0 || >=18.0.0"
}
}
3 changes: 2 additions & 1 deletion node_modules/@sigstore/sign/dist/bundler/bundle.js
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ function toMessageSignatureBundle(artifact, signature) {
}
exports.toMessageSignatureBundle = toMessageSignatureBundle;
// DSSE envelope bundle - $case: 'dsseEnvelope'
function toDSSEBundle(artifact, signature) {
function toDSSEBundle(artifact, signature, singleCertificate) {
return sigstore.toDSSEBundle({
artifact: artifact.data,
artifactType: artifact.type,
Expand All @@ -65,6 +65,7 @@ function toDSSEBundle(artifact, signature) {
? util_1.pem.toDER(signature.key.certificate)
: undefined,
keyHint: signature.key.$case === 'publicKey' ? signature.key.hint : undefined,
singleCertificate,
});
}
exports.toDSSEBundle = toDSSEBundle;
3 changes: 2 additions & 1 deletion node_modules/@sigstore/sign/dist/bundler/dsse.js
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ const bundle_1 = require("./bundle");
class DSSEBundleBuilder extends base_1.BaseBundleBuilder {
constructor(options) {
super(options);
this.singleCertificate = options.singleCertificate ?? false;
}
// DSSE requires the artifact to be pre-encoded with the payload type
// before the signature is generated.
Expand All @@ -32,7 +33,7 @@ class DSSEBundleBuilder extends base_1.BaseBundleBuilder {
}
// Packages the artifact and signature into a DSSE bundle
async package(artifact, signature) {
return (0, bundle_1.toDSSEBundle)(artifactDefaults(artifact), signature);
return (0, bundle_1.toDSSEBundle)(artifactDefaults(artifact), signature, this.singleCertificate);
}
}
exports.DSSEBundleBuilder = DSSEBundleBuilder;
Expand Down
8 changes: 4 additions & 4 deletions node_modules/@sigstore/sign/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@sigstore/sign",
"version": "2.2.3",
"version": "2.3.0",
"description": "Sigstore signing library",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand All @@ -27,14 +27,14 @@
},
"devDependencies": {
"@sigstore/jest": "^0.0.0",
"@sigstore/mock": "^0.6.5",
"@sigstore/mock": "^0.7.0",
"@sigstore/rekor-types": "^2.0.0",
"@types/make-fetch-happen": "^10.0.4"
},
"dependencies": {
"@sigstore/bundle": "^2.2.0",
"@sigstore/bundle": "^2.3.0",
"@sigstore/core": "^1.0.0",
"@sigstore/protobuf-specs": "^0.3.0",
"@sigstore/protobuf-specs": "^0.3.1",
"make-fetch-happen": "^13.0.0"
},
"engines": {
Expand Down
3 changes: 2 additions & 1 deletion node_modules/@sigstore/verify/dist/tlog/intoto.js
Original file line number Diff line number Diff line change
Expand Up @@ -42,11 +42,12 @@ function verifyIntoto002TLogBody(tlogEntry, content) {
// Signature is double-base64-encoded in the tlog entry
const tlogSig = base64Decode(tlogEntry.spec.content.envelope.signatures[0].sig);
// Ensure that the signature in the bundle's DSSE matches tlog entry
if (!content.compareSignature(Buffer.from(tlogSig, 'base64')))
if (!content.compareSignature(Buffer.from(tlogSig, 'base64'))) {
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: 'tlog entry signature mismatch',
});
}
// Ensure the digest of the bundle's DSSE payload matches the digest in the
// tlog entry
const tlogHash = tlogEntry.spec.content.payloadHash?.value || '';
Expand Down
11 changes: 10 additions & 1 deletion node_modules/@sigstore/verify/dist/trust/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const protobuf_specs_1 = require("@sigstore/protobuf-specs");
const error_1 = require("../error");
const BEGINNING_OF_TIME = new Date(0);
const END_OF_TIME = new Date(8640000000000000);
Expand All @@ -35,9 +36,17 @@ function toTrustMaterial(root, keys) {
}
exports.toTrustMaterial = toTrustMaterial;
function createTLogAuthority(tlogInstance) {
const keyDetails = tlogInstance.publicKey.keyDetails;
const keyType = keyDetails === protobuf_specs_1.PublicKeyDetails.PKCS1_RSA_PKCS1V5 ||
keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V5 ||
keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_2048_SHA256 ||
keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256 ||
keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256
? 'pkcs1'
: 'spki';
return {
logID: tlogInstance.logId.keyId,
publicKey: core_1.crypto.createPublicKey(tlogInstance.publicKey.rawBytes),
publicKey: core_1.crypto.createPublicKey(tlogInstance.publicKey.rawBytes, keyType),
validFor: {
start: tlogInstance.publicKey.validFor?.start || BEGINNING_OF_TIME,
end: tlogInstance.publicKey.validFor?.end || END_OF_TIME,
Expand Down
8 changes: 4 additions & 4 deletions node_modules/@sigstore/verify/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@sigstore/verify",
"version": "1.1.0",
"version": "1.2.0",
"description": "Verification of Sigstore signatures",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand All @@ -26,9 +26,9 @@
"provenance": true
},
"dependencies": {
"@sigstore/protobuf-specs": "^0.3.0",
"@sigstore/bundle": "^2.2.0",
"@sigstore/core": "^1.0.0"
"@sigstore/protobuf-specs": "^0.3.1",
"@sigstore/bundle": "^2.3.1",
"@sigstore/core": "^1.1.0"
},
"engines": {
"node": "^16.14.0 || >=18.0.0"
Expand Down
12 changes: 6 additions & 6 deletions node_modules/sigstore/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "sigstore",
"version": "2.2.2",
"version": "2.3.0",
"description": "code-signing for npm packages",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand Down Expand Up @@ -29,17 +29,17 @@
"devDependencies": {
"@sigstore/rekor-types": "^2.0.0",
"@sigstore/jest": "^0.0.0",
"@sigstore/mock": "^0.6.5",
"@sigstore/mock": "^0.7.0",
"@tufjs/repo-mock": "^2.0.0",
"@types/make-fetch-happen": "^10.0.4"
},
"dependencies": {
"@sigstore/bundle": "^2.2.0",
"@sigstore/bundle": "^2.3.1",
"@sigstore/core": "^1.0.0",
"@sigstore/protobuf-specs": "^0.3.0",
"@sigstore/sign": "^2.2.3",
"@sigstore/protobuf-specs": "^0.3.1",
"@sigstore/sign": "^2.3.0",
"@sigstore/tuf": "^2.3.1",
"@sigstore/verify": "^1.1.0"
"@sigstore/verify": "^1.2.0"
},
"engines": {
"node": "^16.14.0 || >=18.0.0"
Expand Down
Loading

0 comments on commit c18a0ad

Please sign in to comment.