@sigstore/protobuf-specs - npm Package Compare versions

Comparing version 0.1.0 to 0.2.0

4

dist/__generated__/envelope.d.ts

@@ -16,5 +16,5 @@ /// <reference types="node" />

* Signature over:
* PAE(type, body)
* PAE(type, payload)
* Where PAE is defined as:
* PAE(type, body) = "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(body) + SP + body
* PAE(type, payload) = "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload
* + = concatenation

@@ -21,0 +21,0 @@ * SP = ASCII space [0x20]

@@ -32,4 +32,10 @@ import { Envelope } from "./envelope";

/**
* This is the inclusion promise and/or proof, where
* the timestamp is coming from the transparency log.
* This is the inclusion proof, where the timestamp is coming from
* the transparency log.
* Client verification libraries MAY provide an option to support v0.1
* bundles for backwards compatibility, which may contain an inclusion
* promise and not an inclusion proof. In this case, the client MUST
* validate the promise.
* Verifiers SHOULD NOT allow v0.1 bundles if they're used in an
* ecosystem which never produced them.
*/

@@ -43,2 +49,3 @@ tlogEntries: TransparencyLogEntry[];

* MUST be application/vnd.dev.sigstore.bundle+json;version=0.1
* or application/vnd.dev.sigstore.bundle+json;version=0.2
* when encoded as JSON.

@@ -45,0 +52,0 @@ */

@@ -87,4 +87,5 @@ /// <reference types="node" />

* The unique id of the log, represented as the SHA-256 hash
* of the log's public key, computed over the DER encoding.
* <https://www.rfc-editor.org/rfc/rfc6962#section-3.2>
* of the log's public key, calculated over the DER encoding
* of the key represented as SubjectPublicKeyInfo.
* See https://www.rfc-editor.org/rfc/rfc6962#section-3.2
*/

@@ -109,3 +110,3 @@ keyId: Buffer;

keyDetails: PublicKeyDetails;
/** Optional validity period for this key. */
/** Optional validity period for this key, *inclusive* of the endpoints. */
validFor?: TimeRange | undefined;

@@ -163,5 +164,17 @@ }

* The first certificate in the array must be the leaf
* certificate used for signing. Any intermediate certificates
* must be stored as offset 1 to n-1, and the root certificate at
* position n.
* certificate used for signing.
*
* Signers MUST NOT include their root CA certificates in their embedded
* certificate chains, and SHOULD NOT include intermediate CA
* certificates that appear in independent roots of trust.
*
* Verifiers MUST validate the chain carefully to ensure that it chains
* up to a root CA certificate that they trust, regardless of whether
* the chain includes additional intermediate/root CA certificates.
* Verifiers MAY enforce additional constraints, such as requiring that
* all intermediate CA certificates appear in an independent root of
* trust.
*
* Verifiers SHOULD handle old or non-complying bundles that have
* additional intermediate/root CA certificates.
*/

@@ -171,4 +184,4 @@ certificates: X509Certificate[];

/**
* The time range is half-open and does not include the end timestamp,
* i.e [start, end).
* The time range is closed and includes both the start and end times,
* (i.e., [start, end]).
* End is optional to be able to capture a period that has started but

@@ -175,0 +188,0 @@ * has no known end.

@@ -28,3 +28,3 @@ /// <reference types="node" />

* InclusionProof is the proof returned from the transparency log. Can
* be used for on line verification against the log.
* be used for offline or online verification against the log.
*/

@@ -78,3 +78,3 @@ export interface InclusionProof {

* the response from Rekor) is similar to a Signed Certificate Timestamp
* as described here https://www.rfc-editor.org/rfc/rfc9162#name-signed-certificate-timestam.
* as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2.
*/

@@ -94,7 +94,11 @@ export interface TransparencyLogEntry {

integratedTime: string;
/** The inclusion promise/signed entry timestamp from the log. */
/**
* The inclusion promise/signed entry timestamp from the log.
* Required for v0.1 bundles, and MUST be verified.
* Optional for >= v0.2 bundles, and SHOULD be verified when present.
*/
inclusionPromise: InclusionPromise | undefined;
/**
* The inclusion proof can be used for online verification that the
* entry was appended to the log, and that the log has not been
* The inclusion proof can be used for offline or online verification
* that the entry was appended to the log, and that the log has not been
* altered.

@@ -104,4 +108,4 @@ */

/**
* The canonicalized transparency log entry, used to reconstruct
* the Signed Entry Timestamp (SET) during verification.
* Optional. The canonicalized transparency log entry, used to
* reconstruct the Signed Entry Timestamp (SET) during verification.
* The contents of this field are the same as the `body` field in

@@ -114,6 +118,11 @@ * a Rekor response, meaning that it does **not** include the "full"

* is generated over.
* This field is intended to be used in cases where the SET cannot be
* produced determinisitically (e.g. inconsistent JSON field ordering,
* differing whitespace, etc).
*
* Clients MUST verify that the signatured referenced in the
* If set, clients MUST verify that the signature referenced in the
* `canonicalized_body` matches the signature provided in the
* `Bundle.content`.
* If not set, clients are responsible for constructing an equivalent
* payload from other sources to verify the signature.
*/

@@ -120,0 +129,0 @@ canonicalizedBody: Buffer;

@@ -7,4 +7,4 @@ import { DistinguishedName, HashAlgorithm, LogId, PublicKey, TimeRange, X509CertificateChain } from "./sigstore_common";

* for more details.
* The incluced parameters are the minimal set required to identify a log,
* and verify an inclusion promise.
* The included parameters are the minimal set required to identify a log,
* and verify an inclusion proof/promise.
*/

@@ -41,3 +41,7 @@ export interface TransparencyLogInstance {

* longest interval when *all* certificates in the chain were valid,
* but it MAY be shorter.
* but it MAY be shorter. Clients MUST check timestamps against *both*
* the `valid_for` time range *and* the entire certificate chain.
*
* The TimeRange should be considered valid *inclusive* of the
* endpoints.
*/

@@ -55,5 +59,13 @@ validFor: TimeRange | undefined;

* of keys/authorities are expected to be extracted and provided to the
* verification function. This way the set of keys/authorities kan be kept to
* verification function. This way the set of keys/authorities can be kept to
* a minimal set by the policy to gain better control over what signatures
* that are allowed.
*
* The embedded transparency logs, CT logs, CAs and TSAs MUST include any
* previously used instance -- otherwise signatures made in the past cannot
* be verified.
* The currently used instances MUST NOT have their 'end' timestamp set in
* their 'valid_for' attribute for easy identification.
* All the listed instances SHOULD be sorted by the 'valid_for' in ascending
* order, that is, the oldest instance first and the current instance last.
*/

@@ -66,3 +78,3 @@ export interface TrustedRoot {

/**
* A set of trusted certificate authorites (e.g Fulcio), and any
* A set of trusted certificate authorities (e.g Fulcio), and any
* intermediate certificates they provide.

@@ -69,0 +81,0 @@ * If a CA is issuing multiple intermediate certificate, each

{
"name": "@sigstore/protobuf-specs",
"version": "0.1.0",
"version": "0.2.0",
"description": "code-signing for npm packages",

@@ -5,0 +5,0 @@ "main": "dist/index.js",
