
@sigstore/verify - npm Package Compare versions

Comparing version 1.2.1 to 2.0.0

2

dist/bundle/dsse.d.ts

@@ -1,3 +0,1 @@

/// <reference types="node" />
/// <reference types="node" />
import { crypto } from '@sigstore/core';

@@ -4,0 +2,0 @@ import type { Envelope } from '@sigstore/bundle';

2

dist/bundle/dsse.js

@@ -25,3 +25,3 @@ "use strict";

compareDigest(digest) {
return core_1.crypto.bufferEqual(digest, core_1.crypto.hash(this.env.payload));
return core_1.crypto.bufferEqual(digest, core_1.crypto.digest('sha256', this.env.payload));
}

@@ -28,0 +28,0 @@ compareSignature(signature) {
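Review bot: `compareDigest(digest)` gives callers no indication that `digest` must be a SHA-256 digest of the envelope payload. The algorithm is now fixed inside the body by `core_1.crypto.digest('sha256', this.env.payload)`, so a digest produced with any other algorithm will simply compare unequal. I would add a comment on the method such as `// digest must be the SHA-256 of env.payload; a digest from any other algorithm never matches`. The same `'sha256'` literal is repeated in the SCT `issuerId` computation and in `hashChildren`/`hashLeaf` further down this page; a single named constant per module would keep those call sites from drifting apart. The class body starts and ends outside this hunk.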

@@ -1,2 +0,1 @@

/// <reference types="node" />
import { Bundle } from '@sigstore/bundle';

@@ -3,0 +2,0 @@ import type { SignatureContent, SignedEntity } from '../shared.types';

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.signatureContent = exports.toSignedEntity = void 0;
exports.toSignedEntity = toSignedEntity;
exports.signatureContent = signatureContent;
const core_1 = require("@sigstore/core");

@@ -29,3 +30,2 @@ const dsse_1 = require("./dsse");

}
exports.toSignedEntity = toSignedEntity;
function signatureContent(bundle, artifact) {

@@ -39,3 +39,2 @@ switch (bundle.content.$case) {

}
exports.signatureContent = signatureContent;
function key(bundle) {

@@ -42,0 +41,0 @@ switch (bundle.verificationMaterial.content.$case) {

@@ -1,3 +0,1 @@

/// <reference types="node" />
/// <reference types="node" />
import { crypto } from '@sigstore/core';

@@ -4,0 +2,0 @@ import type { MessageSignature } from '@sigstore/bundle';

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.CertificateChainVerifier = exports.verifyCertificateChain = void 0;
exports.CertificateChainVerifier = void 0;
exports.verifyCertificateChain = verifyCertificateChain;
const error_1 = require("../error");

@@ -35,3 +36,2 @@ const trust_1 = require("../trust");

}
exports.verifyCertificateChain = verifyCertificateChain;
class CertificateChainVerifier {

@@ -38,0 +38,0 @@ constructor(opts) {

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyCertificate = exports.verifyPublicKey = void 0;
exports.verifyPublicKey = verifyPublicKey;
exports.verifyCertificate = verifyCertificate;
/*

@@ -37,3 +38,2 @@ Copyright 2023 The Sigstore Authors.

}
exports.verifyPublicKey = verifyPublicKey;
function verifyCertificate(leaf, timestamps, trustMaterial) {

@@ -55,6 +55,6 @@ // Check that leaf certificate chains to a trusted CA

}
exports.verifyCertificate = verifyCertificate;
function getSigner(cert) {
let issuer;
const issuerExtension = cert.extension(OID_FULCIO_ISSUER_V2);
/* istanbul ignore next */
if (issuerExtension) {

@@ -61,0 +61,0 @@ issuer = issuerExtension.valueObj.subs?.[0]?.value.toString('ascii');

@@ -1,2 +0,1 @@

/// <reference types="node" />
import { X509Certificate } from '@sigstore/core';

@@ -3,0 +2,0 @@ import type { TLogAuthority } from '../trust';

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifySCTs = void 0;
exports.verifySCTs = verifySCTs;
/*

@@ -55,3 +55,3 @@ Copyright 2023 The Sigstore Authors.

// Calculate hash of the issuer's public key
const issuerId = core_1.crypto.hash(issuer.publicKey);
const issuerId = core_1.crypto.digest('sha256', issuer.publicKey);
preCert.appendView(issuerId);

@@ -80,2 +80,1 @@ // Re-encodes the certificate to DER after removing the SCT extension

}
exports.verifySCTs = verifySCTs;
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyExtensions = exports.verifySubjectAlternativeName = void 0;
exports.verifySubjectAlternativeName = verifySubjectAlternativeName;
exports.verifyExtensions = verifyExtensions;
const error_1 = require("./error");

@@ -13,3 +14,2 @@ function verifySubjectAlternativeName(policyIdentity, signerIdentity) {

}
exports.verifySubjectAlternativeName = verifySubjectAlternativeName;
function verifyExtensions(policyExtensions, signerExtensions = {}) {

@@ -26,2 +26,1 @@ let key;

}
exports.verifyExtensions = verifyExtensions;

@@ -1,3 +0,1 @@

/// <reference types="node" />
/// <reference types="node" />
import type { TransparencyLogEntry } from '@sigstore/bundle';

@@ -4,0 +2,0 @@ import type { RFC3161Timestamp, X509Certificate, crypto } from '@sigstore/core';

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyCheckpoint = void 0;
exports.verifyCheckpoint = verifyCheckpoint;
/*

@@ -64,3 +64,2 @@ Copyright 2023 The Sigstore Authors.

}
exports.verifyCheckpoint = verifyCheckpoint;
// Verifies the signatures in the SignedNote. For each signature, the

@@ -67,0 +66,0 @@ // corresponding transparency log is looked up by the key hint and the

@@ -1,2 +0,1 @@

/// <reference types="node" />
import { RFC3161Timestamp } from '@sigstore/core';

@@ -3,0 +2,0 @@ import type { TransparencyLogEntry } from '@sigstore/bundle';

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogTimestamp = exports.verifyTSATimestamp = void 0;
exports.verifyTSATimestamp = verifyTSATimestamp;
exports.verifyTLogTimestamp = verifyTLogTimestamp;
const error_1 = require("../error");

@@ -17,3 +18,2 @@ const checkpoint_1 = require("./checkpoint");

}
exports.verifyTSATimestamp = verifyTSATimestamp;
function verifyTLogTimestamp(entry, tlogAuthorities) {

@@ -42,3 +42,2 @@ let inclusionVerified = false;

}
exports.verifyTLogTimestamp = verifyTLogTimestamp;
function isTLogEntryWithInclusionPromise(entry) {

@@ -45,0 +44,0 @@ return entry.inclusionPromise !== undefined;

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyMerkleInclusion = void 0;
exports.verifyMerkleInclusion = verifyMerkleInclusion;
/*

@@ -56,3 +56,2 @@ Copyright 2023 The Sigstore Authors.

}
exports.verifyMerkleInclusion = verifyMerkleInclusion;
// Breaks down inclusion proof for a leaf at the specified index in a tree of

@@ -102,6 +101,6 @@ // the specified size. The split point is where paths to the index leaf and

function hashChildren(left, right) {
return core_1.crypto.hash(RFC6962_NODE_HASH_PREFIX, left, right);
return core_1.crypto.digest('sha256', RFC6962_NODE_HASH_PREFIX, left, right);
}
function hashLeaf(leaf) {
return core_1.crypto.hash(RFC6962_LEAF_HASH_PREFIX, leaf);
return core_1.crypto.digest('sha256', RFC6962_LEAF_HASH_PREFIX, leaf);
}
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogSET = void 0;
exports.verifyTLogSET = verifyTLogSET;
/*

@@ -49,3 +49,2 @@ Copyright 2023 The Sigstore Authors.

}
exports.verifyTLogSET = verifyTLogSET;
// Returns a properly formatted "VerificationPayload" for one of the

@@ -52,0 +51,0 @@ // transaction log entires in the given bundle which can be used for SET

@@ -1,4 +0,3 @@

/// <reference types="node" />
import { RFC3161Timestamp } from '@sigstore/core';
import { CertAuthority } from '../trust';
export declare function verifyRFC3161Timestamp(timestamp: RFC3161Timestamp, data: Buffer, timestampAuthorities: CertAuthority[]): void;
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyRFC3161Timestamp = void 0;
exports.verifyRFC3161Timestamp = verifyRFC3161Timestamp;
const core_1 = require("@sigstore/core");

@@ -38,3 +38,2 @@ const error_1 = require("../error");

}
exports.verifyRFC3161Timestamp = verifyRFC3161Timestamp;
function verifyTimestampForCA(timestamp, data, ca) {

@@ -41,0 +40,0 @@ const [leaf, ...cas] = ca.certChain;

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyDSSETLogBody = void 0;
exports.verifyDSSETLogBody = verifyDSSETLogBody;
/*

@@ -32,3 +32,2 @@ Copyright 2023 The Sigstore Authors.

}
exports.verifyDSSETLogBody = verifyDSSETLogBody;
// Compare the given dsse v0.0.1 tlog entry to the given DSSE envelope.

@@ -35,0 +34,0 @@ function verifyDSSE001TLogBody(tlogEntry, content) {

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyHashedRekordTLogBody = void 0;
exports.verifyHashedRekordTLogBody = verifyHashedRekordTLogBody;
/*

@@ -32,3 +32,2 @@ Copyright 2023 The Sigstore Authors.

}
exports.verifyHashedRekordTLogBody = verifyHashedRekordTLogBody;
// Compare the given hashedrekord v0.0.1 tlog entry to the given message

@@ -35,0 +34,0 @@ // signature

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogBody = void 0;
exports.verifyTLogBody = verifyTLogBody;
/*

@@ -48,2 +48,1 @@ Copyright 2023 The Sigstore Authors.

}
exports.verifyTLogBody = verifyTLogBody;
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyIntotoTLogBody = void 0;
exports.verifyIntotoTLogBody = verifyIntotoTLogBody;
/*

@@ -32,3 +32,2 @@ Copyright 2023 The Sigstore Authors.

}
exports.verifyIntotoTLogBody = verifyIntotoTLogBody;
// Compare the given intoto v0.0.2 tlog entry to the given DSSE envelope.

@@ -35,0 +34,0 @@ function verifyIntoto002TLogBody(tlogEntry, content) {

@@ -1,2 +0,1 @@

/// <reference types="node" />
import type { CertAuthority, TLogAuthority } from './trust.types';

@@ -3,0 +2,0 @@ type CertAuthorityFilterCriteria = {

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.filterTLogAuthorities = exports.filterCertAuthorities = void 0;
exports.filterCertAuthorities = filterCertAuthorities;
exports.filterTLogAuthorities = filterTLogAuthorities;
function filterCertAuthorities(certAuthorities, criteria) {

@@ -9,3 +10,2 @@ return certAuthorities.filter((ca) => {

}
exports.filterCertAuthorities = filterCertAuthorities;
// Filter the list of tlog instances to only those which match the given log

@@ -25,2 +25,1 @@ // ID and have public keys which are valid for the given integrated time.

}
exports.filterTLogAuthorities = filterTLogAuthorities;
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.toTrustMaterial = exports.filterTLogAuthorities = exports.filterCertAuthorities = void 0;
exports.filterTLogAuthorities = exports.filterCertAuthorities = void 0;
exports.toTrustMaterial = toTrustMaterial;
/*

@@ -37,3 +38,2 @@ Copyright 2023 The Sigstore Authors.

}
exports.toTrustMaterial = toTrustMaterial;
function createTLogAuthority(tlogInstance) {

@@ -58,2 +58,3 @@ const keyDetails = tlogInstance.publicKey.keyDetails;

function createCertAuthority(ca) {
/* istanbul ignore next */
return {

@@ -81,2 +82,3 @@ certChain: ca.certChain.certificates.map((cert) => {

validFor: (date) => {
/* istanbul ignore next */
return ((key.validFor?.start || BEGINNING_OF_TIME) <= date &&

@@ -83,0 +85,0 @@ (key.validFor?.end || END_OF_TIME) >= date);
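Review bot: The `/* istanbul ignore next */` above the `validFor` comparison, and the one above `return {` in `createCertAuthority`, take the key and CA validity-window logic out of coverage reporting. Both pragmas appear to be added in this release, judging by the hunk line counts. A regression in the `start`/`end` fallback to `BEGINNING_OF_TIME` / `END_OF_TIME` would then not show up as a coverage drop, and this is the check that decides whether trust material is accepted for a given date. I would keep these branches measured and cover a key with no `start`, one with no `end`, and a date just outside the window; if the pragma only silences an unreachable optional-chaining branch, say so in place, e.g. `/* istanbul ignore next: <reason the unset-validFor branch cannot occur> */`. Both functions start and end outside the visible hunks.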

@@ -1,3 +0,1 @@

/// <reference types="node" />
/// <reference types="node" />
import type { X509Certificate, crypto } from '@sigstore/core';

@@ -4,0 +2,0 @@ export type TLogAuthority = {

{
"name": "@sigstore/verify",
"version": "1.2.1",
"version": "2.0.0",
"description": "Verification of Sigstore signatures",

@@ -30,8 +30,8 @@ "main": "dist/index.js",

"@sigstore/protobuf-specs": "^0.3.2",
"@sigstore/bundle": "^2.3.2",
"@sigstore/core": "^1.1.0"
"@sigstore/bundle": "^3.0.0",
"@sigstore/core": "^2.0.0"
},
"engines": {
"node": "^16.14.0 || >=18.0.0"
"node": "^18.17.0 || >=20.5.0"
}
}
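Review bot: The new `engines` range `^18.17.0 || >=20.5.0` excludes Node 19.x and 20.0–20.4, but the README line changed in the same release says `Node.js version >= 18.17.0`, which reads as if those versions were supported. I would word the README prerequisite as `Node.js version ^18.17.0 || >=20.5.0` so the two agree. The `crypto.digest('sha256', …)` calls elsewhere in this comparison presumably depend on the `@sigstore/core` `^2.0.0` API, so consumers that also depend on `@sigstore/core` directly should check that they resolve to a single major after upgrading.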

@@ -7,4 +7,4 @@ # @sigstore/verify &middot; [![npm version](https://img.shields.io/npm/v/@sigstore/verify.svg?style=flat)](https://www.npmjs.com/package/@sigstore/verify) [![CI Status](https://github.com/sigstore/sigstore-js/workflows/CI/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/ci.yml) [![Smoke Test Status](https://github.com/sigstore/sigstore-js/workflows/smoke-test/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/smoke-test.yml)

- Node.js version >= 16.14.0
- Node.js version >= 18.17.0
[1]: https://www.sigstore.dev