npm
Comparing version 9.8.1 to 9.9.0
@@ -35,2 +35,9 @@ --- | ||
### Package lock | ||
By default npm requires a package-lock or shrinkwrap in order to run the | ||
audit. You can bypass the package lock with `--no-package-lock` but be | ||
aware the results may be different with every run, since npm will | ||
re-build the dependency tree each time. | ||
### Audit Signatures | ||
@@ -325,2 +332,12 @@ | ||
#### `package-lock` | ||
* Default: true | ||
* Type: Boolean | ||
If set to false, then ignore `package-lock.json` files when installing. This | ||
will also prevent _writing_ `package-lock.json` if `save` is true. | ||
#### `omit` | ||
@@ -327,0 +344,0 @@ |
@@ -259,2 +259,22 @@ --- | ||
#### `cpu` | ||
* Default: null | ||
* Type: null or String | ||
Override CPU architecture of native modules to install. Acceptable values | ||
are same as `cpu` field of package.json, which comes from `process.arch`. | ||
#### `os` | ||
* Default: null | ||
* Type: null or String | ||
Override OS of native modules to install. Acceptable values are same as `os` | ||
field of package.json, which comes from `process.platform`. | ||
#### `workspace` | ||
@@ -261,0 +281,0 @@ |
@@ -649,2 +649,22 @@ --- | ||
#### `cpu` | ||
* Default: null | ||
* Type: null or String | ||
Override CPU architecture of native modules to install. Acceptable values | ||
are same as `cpu` field of package.json, which comes from `process.arch`. | ||
#### `os` | ||
* Default: null | ||
* Type: null or String | ||
Override OS of native modules to install. Acceptable values are same as `os` | ||
field of package.json, which comes from `process.platform`. | ||
#### `workspace` | ||
@@ -651,0 +671,0 @@ |
@@ -30,3 +30,3 @@ --- | ||
```bash | ||
npm@9.8.1 /path/to/npm | ||
npm@9.9.0 /path/to/npm | ||
└─┬ init-package-json@0.0.4 | ||
@@ -33,0 +33,0 @@ └── promzard@0.1.5 |
@@ -138,3 +138,16 @@ --- | ||
``` | ||
### Package lock only mode | ||
If package-lock-only is enabled, only the information in the package | ||
lock (or shrinkwrap) is loaded. This means that information from the | ||
package.json files of your dependencies will not be included in the | ||
result set (e.g. description, homepage, engines). | ||
### Package lock only mode | ||
If package-lock-only is enabled, only the information in the package | ||
lock (or shrinkwrap) is loaded. This means that information from the | ||
package.json files of your dependencies will not be included in the | ||
result set (e.g. description, homepage, engines). | ||
### Configuration | ||
@@ -210,2 +223,18 @@ | ||
This value is not exported to the environment for child processes. | ||
#### `package-lock-only` | ||
* Default: false | ||
* Type: Boolean | ||
If set to true, the current operation will only use the `package-lock.json`, | ||
ignoring `node_modules`. | ||
For `update` this means only the `package-lock.json` will be updated, | ||
instead of checking `node_modules` and downloading dependencies. | ||
For `list` this means the output will be based on the tree described by the | ||
`package-lock.json`, rather than the contents of `node_modules`. | ||
## See Also | ||
@@ -212,0 +241,0 @@ |
@@ -17,3 +17,3 @@ --- | ||
9.8.1 | ||
9.9.0 | ||
@@ -20,0 +20,0 @@ ### Description |
@@ -348,2 +348,12 @@ --- | ||
#### `cpu` | ||
* Default: null | ||
* Type: null or String | ||
Override CPU architecture of native modules to install. Acceptable values | ||
are same as `cpu` field of package.json, which comes from `process.arch`. | ||
#### `depth` | ||
@@ -1042,2 +1052,12 @@ | ||
#### `os` | ||
* Default: null | ||
* Type: null or String | ||
Override OS of native modules to install. Acceptable values are same as `os` | ||
field of package.json, which comes from `process.platform`. | ||
#### `otp` | ||
@@ -1343,2 +1363,22 @@ | ||
#### `sbom-format` | ||
* Default: null | ||
* Type: "cyclonedx" or "spdx" | ||
SBOM format to use when generating SBOMs. | ||
#### `sbom-type` | ||
* Default: "library" | ||
* Type: "library", "application", or "framework" | ||
The type of package described by the generated SBOM. For SPDX, this is the | ||
value for the `primaryPackagePurpose` field. For CycloneDX, this is the | ||
value for the `type` field. | ||
#### `scope` | ||
@@ -1345,0 +1385,0 @@ |
@@ -105,3 +105,3 @@ --- | ||
``` | ||
npm install abbrev -w a | ||
npm install abbrev -w packages/a | ||
``` | ||
@@ -108,0 +108,0 @@ |
@@ -407,2 +407,3 @@ const npmAuditReport = require('npm-audit-report') | ||
'package-lock-only', | ||
'package-lock', | ||
'omit', | ||
@@ -443,2 +444,6 @@ 'foreground-scripts', | ||
async auditAdvisories (args) { | ||
const fix = args[0] === 'fix' | ||
if (this.npm.config.get('package-lock') === false && fix) { | ||
throw this.usageError('fix can not be used without a package-lock') | ||
} | ||
const reporter = this.npm.config.get('json') ? 'json' : 'detail' | ||
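Review bot: The new guard only covers `fix`; a plain `npm audit` with `--no-package-lock` still runs, and nothing here records that it then audits a freshly resolved ideal tree rather than the installed `node_modules`, so the report can differ from run to run and from what is actually on disk — which matters when `npm audit` is used as a CI gate. I would put that caveat above the check, e.g. `// without a package-lock the audit is done on a freshly built ideal tree: results may change between runs and need not match node_modules; fix needs the lock to write the result back`. While here, the message reads better as `'fix cannot be used without a package-lock'`. `auditAdvisories` continues past the end of this hunk.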
@@ -455,3 +460,2 @@ const Arborist = require('@npmcli/arborist') | ||
const arb = new Arborist(opts) | ||
const fix = args[0] === 'fix' | ||
await arb.audit({ fix }) | ||
@@ -458,0 +462,0 @@ if (fix) { |
@@ -18,3 +18,3 @@ const fetch = require('npm-registry-fetch') | ||
static ignoreImplicitWorkspace = false | ||
static ignoreImplicitWorkspace = true | ||
@@ -21,0 +21,0 @@ static async completion (opts, npm) { |
@@ -37,2 +37,4 @@ /* eslint-disable camelcase */ | ||
'dry-run', | ||
'cpu', | ||
'os', | ||
...super.params, | ||
@@ -39,0 +41,0 @@ ] |
@@ -5,2 +5,3 @@ 'use strict' | ||
const BaseCommand = require('../base-command.js') | ||
const log = require('../utils/log-shim.js') | ||
@@ -52,2 +53,3 @@ class QuerySelectorItem { | ||
'include-workspace-root', | ||
'package-lock-only', | ||
] | ||
@@ -69,3 +71,14 @@ | ||
const arb = new Arborist(opts) | ||
const tree = await arb.loadActual(opts) | ||
let tree | ||
if (this.npm.config.get('package-lock-only')) { | ||
try { | ||
tree = await arb.loadVirtual() | ||
} catch (err) { | ||
log.verbose('loadVirtual', err.stack) | ||
/* eslint-disable-next-line max-len */ | ||
throw this.usageError('A package lock or shrinkwrap file is required in package-lock-only mode') | ||
} | ||
} else { | ||
tree = await arb.loadActual(opts) | ||
} | ||
const items = await tree.querySelectorAll(args[0], this.npm.flatOptions) | ||
@@ -72,0 +85,0 @@ this.buildResponse(items) |
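Review bot: The `catch` at L154 turns every failure of `loadVirtual()` into "A package lock or shrinkwrap file is required", with the real error demoted to a verbose log line; if `loadVirtual` can also fail on a malformed or unreadable lockfile (I cannot see its implementation from here), the user is told the file is missing when it is not. Either narrow the catch to the missing-file case or carry the cause along, e.g. `throw this.usageError(\`A package lock or shrinkwrap file is required in package-lock-only mode (${err.message})\`)`. Note also that `loadActual(opts)` receives `opts` while `loadVirtual()` is called bare — presumably intentional, but worth a one-line comment if so.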
@@ -55,2 +55,3 @@ const abbrev = require('abbrev') | ||
'run-script', | ||
'sbom', | ||
'search', | ||
@@ -57,0 +58,0 @@ 'set', |
@@ -146,3 +146,3 @@ const { Minipass } = require('minipass') | ||
name: ansiTrim(data.name), | ||
description: ansiTrim(data.description), | ||
description: ansiTrim(data.description ?? ''), | ||
author: data.maintainers.map((m) => `=${ansiTrim(m.username)}`).join(' '), | ||
@@ -149,0 +149,0 @@ keywords: Array.isArray(data.keywords) |
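Review bot: The `?? ''` fix is applied to `description` only, while `data.maintainers.map(...)` on the very next line has the same shape of exposure and will throw on a result with no `maintainers` array. If the registry's search endpoint can return such entries (I am inferring this from the `description` fix, not from visible data), the same guard belongs there: `author: (data.maintainers ?? []).map((m) => \`=${ansiTrim(m.username)}\`).join(' '),`. The enclosing function starts and ends outside this hunk.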
@@ -25,3 +25,11 @@ // mixin implementing the audit method | ||
process.emit('time', 'audit') | ||
const tree = await this.loadVirtual() | ||
let tree | ||
if (options.packageLock === false) { | ||
// build ideal tree | ||
await this.loadActual(options) | ||
await this.buildIdealTree() | ||
tree = this.idealTree | ||
} else { | ||
tree = await this.loadVirtual() | ||
} | ||
if (this[_workspaces] && this[_workspaces].length) { | ||
@@ -28,0 +36,0 @@ options.filterSet = this.workspaceDependencySet( |
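Review bot: The `// build ideal tree` comment at L180 understates what this branch changes: when `packageLock === false` the audit is run against `this.idealTree`, a tree resolved from `package.json` at this moment, so the report describes what would be installed now rather than what is installed, and a later run may resolve differently. I would replace the comment with `// no lockfile: audit the ideal tree resolved from package.json right now — this is not the installed tree and may differ between runs`. `loadActual` is given `options` but `buildIdealTree()` is called without them; if that is deliberate a word saying so would help, since it is what decides which options shape the audited tree. The audit method begins before this hunk.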
@@ -631,3 +631,3 @@ // mixin implementing the reify method | ||
const { npmVersion, nodeVersion } = this.options | ||
const { npmVersion, nodeVersion, cpu, os } = this.options | ||
const p = Promise.resolve().then(async () => { | ||
@@ -642,3 +642,3 @@ // when we reify an optional node, check the engine and platform | ||
checkEngine(node.package, npmVersion, nodeVersion, false) | ||
checkPlatform(node.package, false) | ||
checkPlatform(node.package, false, { cpu, os }) | ||
} | ||
@@ -645,0 +645,0 @@ await this[_checkBins](node) |
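Review bot: Passing `{ cpu, os }` at L196 means the optional-dependency platform check now answers for the configured `cpu`/`os` rather than the machine running npm, which is the intent of the new options but is not visible at the call site. A short comment would save the next reader a trip to `npm-install-checks`: `// cpu/os may be overridden by config so a tree for another platform can be reified; the check then no longer reflects the host`. Note that `checkEngine` on the line above still uses the host-derived `npmVersion`/`nodeVersion`, so the two checks are no longer answering about the same environment — presumably fine, but worth stating. The surrounding callback continues outside the hunk.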
@@ -722,3 +722,6 @@ 'use strict' | ||
if (node.isTop && node.resolveParent) { | ||
return hasAscendant(node.resolveParent, compareNodes) | ||
/* istanbul ignore if - investigate if linksIn check obviates need for this */ | ||
if (hasAscendant(node.resolveParent, compareNodes)) { | ||
return true | ||
} | ||
} | ||
@@ -735,2 +738,7 @@ for (const edge of node.edgesIn) { | ||
} | ||
for (const linkNode of node.linksIn) { | ||
if (hasAscendant(linkNode, compareNodes, seen)) { | ||
return true | ||
} | ||
} | ||
return false | ||
@@ -737,0 +745,0 @@ } |
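Review bot: The new `linksIn` loop at L209 forwards `seen` to the recursive call, but the `resolveParent` recursion kept at L203 still does not, so that path has no cycle guard while the other two do; I cannot tell from the hunk whether `resolveParent` chains can cycle, but if `seen` is the mechanism relied on elsewhere it should be passed here too: `if (hasAscendant(node.resolveParent, compareNodes, seen)) {`. The `istanbul ignore if - investigate ...` comment records an open question without an owner; a `// TODO(owner):` form keeps it from being forgotten. `hasAscendant` begins before this hunk.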
{ | ||
"name": "@npmcli/arborist", | ||
"version": "6.3.0", | ||
"version": "6.5.0", | ||
"description": "Manage node_modules trees", | ||
@@ -24,3 +24,3 @@ "dependencies": { | ||
"nopt": "^7.0.0", | ||
"npm-install-checks": "^6.0.0", | ||
"npm-install-checks": "^6.2.0", | ||
"npm-package-arg": "^10.1.0", | ||
@@ -43,3 +43,3 @@ "npm-pick-manifest": "^8.0.1", | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"benchmark": "^2.1.4", | ||
@@ -96,5 +96,5 @@ "minify-registry-metadata": "^3.0.0", | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
} | ||
} |
{ | ||
"name": "@npmcli/config", | ||
"version": "6.2.1", | ||
"version": "6.4.0", | ||
"files": [ | ||
@@ -35,3 +35,3 @@ "bin/", | ||
"@npmcli/mock-globals": "^1.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"tap": "^16.3.4" | ||
@@ -54,4 +54,5 @@ }, | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0" | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
} | ||
} |
@@ -47,3 +47,3 @@ "use strict"; | ||
}; | ||
var globalThis = (() => { | ||
var tsProtoGlobalThis = (() => { | ||
if (typeof globalThis !== "undefined") { | ||
@@ -64,7 +64,7 @@ return globalThis; | ||
function bytesFromBase64(b64) { | ||
if (globalThis.Buffer) { | ||
return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return Uint8Array.from(tsProtoGlobalThis.Buffer.from(b64, "base64")); | ||
} | ||
else { | ||
const bin = globalThis.atob(b64); | ||
const bin = tsProtoGlobalThis.atob(b64); | ||
const arr = new Uint8Array(bin.length); | ||
@@ -78,4 +78,4 @@ for (let i = 0; i < bin.length; ++i) { | ||
function base64FromBytes(arr) { | ||
if (globalThis.Buffer) { | ||
return globalThis.Buffer.from(arr).toString("base64"); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return tsProtoGlobalThis.Buffer.from(arr).toString("base64"); | ||
} | ||
@@ -87,3 +87,3 @@ else { | ||
}); | ||
return globalThis.btoa(bin.join("")); | ||
return tsProtoGlobalThis.btoa(bin.join("")); | ||
} | ||
@@ -90,0 +90,0 @@ } |
@@ -80,3 +80,3 @@ "use strict"; | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldBehavior"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldBehavior"); | ||
} | ||
@@ -102,7 +102,7 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldBehavior"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldBehavior"); | ||
} | ||
} | ||
exports.fieldBehaviorToJSON = fieldBehaviorToJSON; | ||
var globalThis = (() => { | ||
var tsProtoGlobalThis = (() => { | ||
if (typeof globalThis !== "undefined") { | ||
@@ -109,0 +109,0 @@ return globalThis; |
@@ -105,3 +105,3 @@ "use strict"; | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldDescriptorProto_Type"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldDescriptorProto_Type"); | ||
} | ||
@@ -149,3 +149,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldDescriptorProto_Type"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldDescriptorProto_Type"); | ||
} | ||
@@ -173,3 +173,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldDescriptorProto_Label"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldDescriptorProto_Label"); | ||
} | ||
@@ -187,3 +187,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldDescriptorProto_Label"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldDescriptorProto_Label"); | ||
} | ||
@@ -214,3 +214,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FileOptions_OptimizeMode"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FileOptions_OptimizeMode"); | ||
} | ||
@@ -228,3 +228,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FileOptions_OptimizeMode"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FileOptions_OptimizeMode"); | ||
} | ||
@@ -252,3 +252,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldOptions_CType"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldOptions_CType"); | ||
} | ||
@@ -266,3 +266,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldOptions_CType"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldOptions_CType"); | ||
} | ||
@@ -292,3 +292,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldOptions_JSType"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldOptions_JSType"); | ||
} | ||
@@ -306,3 +306,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FieldOptions_JSType"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum FieldOptions_JSType"); | ||
} | ||
@@ -336,3 +336,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum MethodOptions_IdempotencyLevel"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum MethodOptions_IdempotencyLevel"); | ||
} | ||
@@ -350,3 +350,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum MethodOptions_IdempotencyLevel"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum MethodOptions_IdempotencyLevel"); | ||
} | ||
@@ -1278,3 +1278,3 @@ } | ||
}; | ||
var globalThis = (() => { | ||
var tsProtoGlobalThis = (() => { | ||
if (typeof globalThis !== "undefined") { | ||
@@ -1295,7 +1295,7 @@ return globalThis; | ||
function bytesFromBase64(b64) { | ||
if (globalThis.Buffer) { | ||
return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return Uint8Array.from(tsProtoGlobalThis.Buffer.from(b64, "base64")); | ||
} | ||
else { | ||
const bin = globalThis.atob(b64); | ||
const bin = tsProtoGlobalThis.atob(b64); | ||
const arr = new Uint8Array(bin.length); | ||
@@ -1309,4 +1309,4 @@ for (let i = 0; i < bin.length; ++i) { | ||
function base64FromBytes(arr) { | ||
if (globalThis.Buffer) { | ||
return globalThis.Buffer.from(arr).toString("base64"); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return tsProtoGlobalThis.Buffer.from(arr).toString("base64"); | ||
} | ||
@@ -1318,3 +1318,3 @@ else { | ||
}); | ||
return globalThis.btoa(bin.join("")); | ||
return tsProtoGlobalThis.btoa(bin.join("")); | ||
} | ||
@@ -1321,0 +1321,0 @@ } |
@@ -29,3 +29,3 @@ "use strict"; | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum HashAlgorithm"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum HashAlgorithm"); | ||
} | ||
@@ -41,3 +41,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum HashAlgorithm"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum HashAlgorithm"); | ||
} | ||
@@ -97,3 +97,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum PublicKeyDetails"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum PublicKeyDetails"); | ||
} | ||
@@ -121,3 +121,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum PublicKeyDetails"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum PublicKeyDetails"); | ||
} | ||
@@ -153,3 +153,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum SubjectAlternativeNameType"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum SubjectAlternativeNameType"); | ||
} | ||
@@ -169,3 +169,3 @@ } | ||
default: | ||
throw new globalThis.Error("Unrecognized enum value " + object + " for enum SubjectAlternativeNameType"); | ||
throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum SubjectAlternativeNameType"); | ||
} | ||
@@ -405,3 +405,3 @@ } | ||
}; | ||
var globalThis = (() => { | ||
var tsProtoGlobalThis = (() => { | ||
if (typeof globalThis !== "undefined") { | ||
@@ -422,7 +422,7 @@ return globalThis; | ||
function bytesFromBase64(b64) { | ||
if (globalThis.Buffer) { | ||
return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return Uint8Array.from(tsProtoGlobalThis.Buffer.from(b64, "base64")); | ||
} | ||
else { | ||
const bin = globalThis.atob(b64); | ||
const bin = tsProtoGlobalThis.atob(b64); | ||
const arr = new Uint8Array(bin.length); | ||
@@ -436,4 +436,4 @@ for (let i = 0; i < bin.length; ++i) { | ||
function base64FromBytes(arr) { | ||
if (globalThis.Buffer) { | ||
return globalThis.Buffer.from(arr).toString("base64"); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return tsProtoGlobalThis.Buffer.from(arr).toString("base64"); | ||
} | ||
@@ -445,3 +445,3 @@ else { | ||
}); | ||
return globalThis.btoa(bin.join("")); | ||
return tsProtoGlobalThis.btoa(bin.join("")); | ||
} | ||
@@ -448,0 +448,0 @@ } |
@@ -125,3 +125,3 @@ "use strict"; | ||
}; | ||
var globalThis = (() => { | ||
var tsProtoGlobalThis = (() => { | ||
if (typeof globalThis !== "undefined") { | ||
@@ -142,7 +142,7 @@ return globalThis; | ||
function bytesFromBase64(b64) { | ||
if (globalThis.Buffer) { | ||
return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return Uint8Array.from(tsProtoGlobalThis.Buffer.from(b64, "base64")); | ||
} | ||
else { | ||
const bin = globalThis.atob(b64); | ||
const bin = tsProtoGlobalThis.atob(b64); | ||
const arr = new Uint8Array(bin.length); | ||
@@ -156,4 +156,4 @@ for (let i = 0; i < bin.length; ++i) { | ||
function base64FromBytes(arr) { | ||
if (globalThis.Buffer) { | ||
return globalThis.Buffer.from(arr).toString("base64"); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return tsProtoGlobalThis.Buffer.from(arr).toString("base64"); | ||
} | ||
@@ -165,3 +165,3 @@ else { | ||
}); | ||
return globalThis.btoa(bin.join("")); | ||
return tsProtoGlobalThis.btoa(bin.join("")); | ||
} | ||
@@ -168,0 +168,0 @@ } |
@@ -231,3 +231,3 @@ "use strict"; | ||
}; | ||
var globalThis = (() => { | ||
var tsProtoGlobalThis = (() => { | ||
if (typeof globalThis !== "undefined") { | ||
@@ -248,7 +248,7 @@ return globalThis; | ||
function bytesFromBase64(b64) { | ||
if (globalThis.Buffer) { | ||
return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return Uint8Array.from(tsProtoGlobalThis.Buffer.from(b64, "base64")); | ||
} | ||
else { | ||
const bin = globalThis.atob(b64); | ||
const bin = tsProtoGlobalThis.atob(b64); | ||
const arr = new Uint8Array(bin.length); | ||
@@ -262,4 +262,4 @@ for (let i = 0; i < bin.length; ++i) { | ||
function base64FromBytes(arr) { | ||
if (globalThis.Buffer) { | ||
return globalThis.Buffer.from(arr).toString("base64"); | ||
if (tsProtoGlobalThis.Buffer) { | ||
return tsProtoGlobalThis.Buffer.from(arr).toString("base64"); | ||
} | ||
@@ -271,3 +271,3 @@ else { | ||
}); | ||
return globalThis.btoa(bin.join("")); | ||
return tsProtoGlobalThis.btoa(bin.join("")); | ||
} | ||
@@ -274,0 +274,0 @@ } |
{ | ||
"name": "@sigstore/protobuf-specs", | ||
"version": "0.1.0", | ||
"version": "0.2.1", | ||
"description": "code-signing for npm packages", | ||
@@ -5,0 +5,0 @@ "main": "dist/index.js", |
{ | ||
"name": "@sigstore/tuf", | ||
"version": "1.0.2", | ||
"version": "1.0.3", | ||
"description": "Client for the Sigstore TUF repository", | ||
@@ -35,3 +35,3 @@ "main": "dist/index.js", | ||
"dependencies": { | ||
"@sigstore/protobuf-specs": "^0.1.0", | ||
"@sigstore/protobuf-specs": "^0.2.0", | ||
"tuf-js": "^1.1.7" | ||
@@ -38,0 +38,0 @@ }, |
@@ -20,3 +20,3 @@ { | ||
"@npmcli/mock-registry": "^1.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"nock": "^13.3.0", | ||
@@ -45,3 +45,3 @@ "tap": "^16.3.4" | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
@@ -48,0 +48,0 @@ }, |
{ | ||
"name": "libnpmdiff", | ||
"version": "5.0.19", | ||
"version": "5.0.20", | ||
"description": "The registry diff", | ||
@@ -45,7 +45,7 @@ "repository": { | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"tap": "^16.3.4" | ||
}, | ||
"dependencies": { | ||
"@npmcli/arborist": "^6.3.0", | ||
"@npmcli/arborist": "^6.5.0", | ||
"@npmcli/disparity-colors": "^3.0.0", | ||
@@ -62,3 +62,3 @@ "@npmcli/installed-package-contents": "^2.0.2", | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
@@ -65,0 +65,0 @@ }, |
{ | ||
"name": "libnpmexec", | ||
"version": "6.0.3", | ||
"version": "6.0.4", | ||
"files": [ | ||
@@ -54,3 +54,3 @@ "bin/", | ||
"@npmcli/mock-registry": "^1.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"bin-links": "^4.0.1", | ||
@@ -63,3 +63,3 @@ "chalk": "^5.2.0", | ||
"dependencies": { | ||
"@npmcli/arborist": "^6.3.0", | ||
"@npmcli/arborist": "^6.5.0", | ||
"@npmcli/run-script": "^6.0.0", | ||
@@ -78,5 +78,5 @@ "ci-info": "^3.7.1", | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
} | ||
} |
{ | ||
"name": "libnpmfund", | ||
"version": "4.0.19", | ||
"version": "4.2.1", | ||
"main": "lib/index.js", | ||
@@ -44,7 +44,7 @@ "files": [ | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"tap": "^16.3.4" | ||
}, | ||
"dependencies": { | ||
"@npmcli/arborist": "^6.3.0" | ||
"@npmcli/arborist": "^6.5.0" | ||
}, | ||
@@ -56,3 +56,3 @@ "engines": { | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
@@ -59,0 +59,0 @@ }, |
@@ -38,3 +38,3 @@ { | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"nock": "^13.3.0", | ||
@@ -48,3 +48,3 @@ "tap": "^16.3.4" | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
@@ -51,0 +51,0 @@ }, |
@@ -31,3 +31,3 @@ { | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"minipass": "^5.0.0", | ||
@@ -53,3 +53,3 @@ "nock": "^13.3.0", | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
@@ -56,0 +56,0 @@ }, |
{ | ||
"name": "libnpmpack", | ||
"version": "5.0.19", | ||
"version": "5.0.20", | ||
"description": "Programmatic API for the bits behind npm pack", | ||
@@ -26,3 +26,3 @@ "author": "GitHub Inc.", | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"nock": "^13.3.0", | ||
@@ -40,3 +40,3 @@ "spawk": "^1.7.1", | ||
"dependencies": { | ||
"@npmcli/arborist": "^6.3.0", | ||
"@npmcli/arborist": "^6.5.0", | ||
"@npmcli/run-script": "^6.0.0", | ||
@@ -51,3 +51,3 @@ "npm-package-arg": "^10.1.0", | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
@@ -54,0 +54,0 @@ }, |
@@ -29,3 +29,3 @@ { | ||
"@npmcli/mock-registry": "^1.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"lodash.clonedeep": "^4.5.0", | ||
@@ -57,3 +57,3 @@ "nock": "^13.3.0", | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
@@ -60,0 +60,0 @@ }, |
@@ -29,3 +29,3 @@ { | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"nock": "^13.3.0", | ||
@@ -49,3 +49,3 @@ "tap": "^16.3.4" | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
@@ -52,0 +52,0 @@ }, |
@@ -19,3 +19,3 @@ { | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"nock": "^13.3.0", | ||
@@ -43,3 +43,3 @@ "tap": "^16.3.4" | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
@@ -46,0 +46,0 @@ }, |
@@ -35,3 +35,3 @@ { | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"require-inject": "^1.4.4", | ||
@@ -52,5 +52,5 @@ "tap": "^16.3.4" | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "../../scripts/template-oss/index.js" | ||
} | ||
} |
@@ -25,3 +25,3 @@ const semver = require('semver') | ||
const checkPlatform = (target, force = false) => { | ||
const checkPlatform = (target, force = false, environment = {}) => { | ||
if (force) { | ||
@@ -31,4 +31,4 @@ return | ||
const platform = process.platform | ||
const arch = process.arch | ||
const platform = environment.os || process.platform | ||
const arch = environment.cpu || process.arch | ||
const osOk = target.os ? checkList(platform, target.os) : true | ||
@@ -35,0 +35,0 @@ const cpuOk = target.cpu ? checkList(arch, target.cpu) : true |
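Review bot: The new `environment` parameter is undocumented, and its effect is security-relevant: whoever supplies `os`/`cpu` decides the answer of the platform check, so a caller can make a package for another platform pass. I would document it above the function, e.g. `// environment.os / environment.cpu, when set, replace process.platform / process.arch for this check, so the result describes the requested target rather than the host` — and note in the same comment that `||` at L693-L694 treats an empty string as "not set". `checkPlatform` continues past the end of this hunk.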
{ | ||
"name": "npm-install-checks", | ||
"version": "6.1.1", | ||
"version": "6.2.0", | ||
"description": "Check the engines and platform fields in package.json", | ||
@@ -11,3 +11,3 @@ "main": "lib/index.js", | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.13.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"tap": "^16.0.1" | ||
@@ -43,3 +43,3 @@ }, | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.13.0", | ||
"version": "4.18.0", | ||
"publish": "true" | ||
@@ -46,0 +46,0 @@ }, |
@@ -213,3 +213,3 @@ 'use strict' | ||
wanted, | ||
versions: Object.keys(packument.versions), | ||
versions: Object.keys(packument.versions ?? {}), | ||
name, | ||
@@ -216,0 +216,0 @@ distTags: packument['dist-tags'], |
{ | ||
"name": "npm-pick-manifest", | ||
"version": "8.0.1", | ||
"version": "8.0.2", | ||
"description": "Resolves a matching manifest from a package metadata document according to standard npm semver resolution rules.", | ||
@@ -39,3 +39,3 @@ "main": "./lib", | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.6.1", | ||
"@npmcli/template-oss": "4.18.0", | ||
"tap": "^16.0.1" | ||
@@ -55,4 +55,5 @@ }, | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.6.1" | ||
"version": "4.18.0", | ||
"publish": true | ||
} | ||
} |
import * as sigstore from '../../types/sigstore'; | ||
import { x509Certificate } from '../../x509/cert'; | ||
export declare function verifyChain(certificate: sigstore.X509Certificate, certificateAuthorities: sigstore.CertificateAuthority[]): x509Certificate[]; | ||
import type { X509Certificate } from '@sigstore/bundle'; | ||
export declare function verifyChain(certificate: X509Certificate, certificateAuthorities: sigstore.CertificateAuthority[]): x509Certificate[]; |
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifySigningCertificate(bundle: sigstore.BundleWithCertificateChain, trustedRoot: sigstore.TrustedRoot, options: sigstore.CAArtifactVerificationOptions): void; | ||
import type { BundleWithCertificateChain } from '@sigstore/bundle'; | ||
export declare function verifySigningCertificate(bundle: BundleWithCertificateChain, trustedRoot: sigstore.TrustedRoot, options: sigstore.CAArtifactVerificationOptions): void; |
@@ -1,18 +0,14 @@ | ||
import { CA } from './ca'; | ||
import { Provider } from './identity'; | ||
import { TLog } from './tlog'; | ||
import { TSA } from './tsa'; | ||
import { DSSEBundleBuilder, IdentityProvider, MessageSignatureBundleBuilder } from '@sigstore/sign'; | ||
import { SignerFunc } from './types/signature'; | ||
import * as sigstore from './types/sigstore'; | ||
import type { FetchOptions, Retry } from './types/fetch'; | ||
import type { KeySelector } from './verify'; | ||
interface CAOptions { | ||
export type TUFOptions = { | ||
tufMirrorURL?: string; | ||
tufRootPath?: string; | ||
tufCachePath?: string; | ||
} & FetchOptions; | ||
export type SignOptions = { | ||
fulcioURL?: string; | ||
} | ||
interface TLogOptions { | ||
rekorURL?: string; | ||
} | ||
interface TSAOptions { | ||
tsaServerURL?: string; | ||
} | ||
export interface IdentityProviderOptions { | ||
identityProvider?: IdentityProvider; | ||
identityToken?: string; | ||
@@ -23,12 +19,7 @@ oidcIssuer?: string; | ||
oidcRedirectURL?: string; | ||
} | ||
export type TUFOptions = { | ||
tufMirrorURL?: string; | ||
tufRootPath?: string; | ||
tufCachePath?: string; | ||
rekorURL?: string; | ||
signer?: SignerFunc; | ||
tlogUpload?: boolean; | ||
tsaServerURL?: string; | ||
} & FetchOptions; | ||
export type SignOptions = { | ||
identityProvider?: Provider; | ||
tlogUpload?: boolean; | ||
} & CAOptions & TLogOptions & TSAOptions & FetchOptions & IdentityProviderOptions; | ||
export type VerifyOptions = { | ||
@@ -42,3 +33,4 @@ ctLogThreshold?: number; | ||
keySelector?: KeySelector; | ||
} & TLogOptions & TUFOptions; | ||
rekorURL?: string; | ||
} & TUFOptions; | ||
export type CreateVerifierOptions = { | ||
@@ -51,7 +43,5 @@ keySelector?: KeySelector; | ||
export declare const DEFAULT_TIMEOUT = 5000; | ||
export declare function createCAClient(options: CAOptions & FetchOptions): CA; | ||
export declare function createTLogClient(options: TLogOptions & FetchOptions): TLog; | ||
export declare function createTSAClient(options: TSAOptions & FetchOptions): TSA | undefined; | ||
export type BundleType = 'messageSignature' | 'dsseEnvelope'; | ||
export declare function createBundleBuilder(bundleType: 'messageSignature', options: SignOptions): MessageSignatureBundleBuilder; | ||
export declare function createBundleBuilder(bundleType: 'dsseEnvelope', options: SignOptions): DSSEBundleBuilder; | ||
export declare function artifactVerificationOptions(options: VerifyOptions): sigstore.RequiredArtifactVerificationOptions; | ||
export declare function identityProviders(options: IdentityProviderOptions): Provider[]; | ||
export {}; |
@@ -29,3 +29,3 @@ "use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.identityProviders = exports.artifactVerificationOptions = exports.createTSAClient = exports.createTLogClient = exports.createCAClient = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0; | ||
exports.artifactVerificationOptions = exports.createBundleBuilder = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0; | ||
/* | ||
@@ -46,6 +46,5 @@ Copyright 2023 The Sigstore Authors. | ||
*/ | ||
const ca_1 = require("./ca"); | ||
const sign_1 = require("@sigstore/sign"); | ||
const identity_1 = __importDefault(require("./identity")); | ||
const tlog_1 = require("./tlog"); | ||
const tsa_1 = require("./tsa"); | ||
const signature_1 = require("./types/signature"); | ||
const sigstore = __importStar(require("./types/sigstore")); | ||
@@ -56,28 +55,84 @@ exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev'; | ||
exports.DEFAULT_TIMEOUT = 5000; | ||
function createCAClient(options) { | ||
return new ca_1.CAClient({ | ||
fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL, | ||
retry: options.retry ?? exports.DEFAULT_RETRY, | ||
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, | ||
}); | ||
function createBundleBuilder(bundleType, options) { | ||
const bundlerOptions = { | ||
signer: initSigner(options), | ||
witnesses: initWitnesses(options), | ||
}; | ||
switch (bundleType) { | ||
case 'messageSignature': | ||
return new sign_1.MessageSignatureBundleBuilder(bundlerOptions); | ||
case 'dsseEnvelope': | ||
return new sign_1.DSSEBundleBuilder(bundlerOptions); | ||
} | ||
} | ||
exports.createCAClient = createCAClient; | ||
function createTLogClient(options) { | ||
return new tlog_1.TLogClient({ | ||
rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL, | ||
retry: options.retry ?? exports.DEFAULT_RETRY, | ||
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, | ||
}); | ||
exports.createBundleBuilder = createBundleBuilder; | ||
// Instantiate a signer based on the supplied options. If a signer function is | ||
// provided, use that. Otherwise, if a Fulcio URL is provided, use the Fulcio | ||
// signer. Otherwise, throw an error. | ||
function initSigner(options) { | ||
if (isCallbackSignerEnabled(options)) { | ||
return new signature_1.CallbackSigner(options); | ||
} | ||
else { | ||
return new sign_1.FulcioSigner({ | ||
fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL, | ||
identityProvider: options.identityProvider || initIdentityProvider(options), | ||
retry: options.retry ?? exports.DEFAULT_RETRY, | ||
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, | ||
}); | ||
} | ||
} | ||
exports.createTLogClient = createTLogClient; | ||
function createTSAClient(options) { | ||
return options.tsaServerURL | ||
? new tsa_1.TSAClient({ | ||
// Instantiate an identity provider based on the supplied options. If an | ||
// explicit identity token is provided, use that. Otherwise, if an OIDC issuer | ||
// and client ID are provided, use the OIDC provider. Otherwise, use the CI | ||
// context provider. | ||
function initIdentityProvider(options) { | ||
const token = options.identityToken; | ||
if (token) { | ||
return { getToken: () => Promise.resolve(token) }; | ||
} | ||
else if (options.oidcIssuer && options.oidcClientID) { | ||
return identity_1.default.oauthProvider({ | ||
issuer: options.oidcIssuer, | ||
clientID: options.oidcClientID, | ||
clientSecret: options.oidcClientSecret, | ||
redirectURL: options.oidcRedirectURL, | ||
}); | ||
} | ||
else { | ||
return new sign_1.CIContextProvider('sigstore'); | ||
} | ||
} | ||
// Instantiate a collection of witnesses based on the supplied options. | ||
function initWitnesses(options) { | ||
const witnesses = []; | ||
if (isRekorEnabled(options)) { | ||
witnesses.push(new sign_1.RekorWitness({ | ||
rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL, | ||
fetchOnConflict: false, | ||
retry: options.retry ?? exports.DEFAULT_RETRY, | ||
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, | ||
})); | ||
} | ||
if (isTSAEnabled(options)) { | ||
witnesses.push(new sign_1.TSAWitness({ | ||
tsaBaseURL: options.tsaServerURL, | ||
retry: options.retry ?? exports.DEFAULT_RETRY, | ||
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, | ||
}) | ||
: undefined; | ||
})); | ||
} | ||
return witnesses; | ||
} | ||
exports.createTSAClient = createTSAClient; | ||
// Type assertion to ensure that the signer is enabled | ||
function isCallbackSignerEnabled(options) { | ||
return options.signer !== undefined; | ||
} | ||
// Type assertion to ensure that Rekor is enabled | ||
function isRekorEnabled(options) { | ||
return options.tlogUpload !== false; | ||
} | ||
// Type assertion to ensure that TSA is enabled | ||
function isTSAEnabled(options) { | ||
return options.tsaServerURL !== undefined; | ||
} | ||
// Assembles the AtifactVerificationOptions from the supplied VerifyOptions. | ||
@@ -108,3 +163,3 @@ function artifactVerificationOptions(options) { | ||
} | ||
const oids = Object.entries(options.certificateOIDs || {}).map(([oid, value]) => ({ | ||
const oids = Object.entries(options.certificateOIDs || /* istanbul ignore next */ {}).map(([oid, value]) => ({ | ||
oid: { id: oid.split('.').map((s) => parseInt(s, 10)) }, | ||
@@ -129,9 +184,9 @@ value: Buffer.from(value), | ||
ctlogOptions: { | ||
disable: false, | ||
threshold: options.ctLogThreshold || 1, | ||
disable: options.ctLogThreshold === 0, | ||
threshold: options.ctLogThreshold ?? 1, | ||
detachedSct: false, | ||
}, | ||
tlogOptions: { | ||
disable: false, | ||
threshold: options.tlogThreshold || 1, | ||
disable: options.tlogThreshold === 0, | ||
threshold: options.tlogThreshold ?? 1, | ||
performOnlineVerification: false, | ||
@@ -143,26 +198,1 @@ }, | ||
exports.artifactVerificationOptions = artifactVerificationOptions; | ||
// Translates the IdenityProviderOptions into a list of Providers which | ||
// should be queried to retrieve an identity token. | ||
function identityProviders(options) { | ||
const idps = []; | ||
const token = options.identityToken; | ||
// If an explicit identity token is provided, use that. Setup a dummy | ||
// provider that just returns the token. Otherwise, setup the CI context | ||
// provider and (optionally) the OAuth provider. | ||
if (token) { | ||
idps.push({ getToken: () => Promise.resolve(token) }); | ||
} | ||
else { | ||
idps.push(identity_1.default.ciContextProvider()); | ||
if (options.oidcIssuer && options.oidcClientID) { | ||
idps.push(identity_1.default.oauthProvider({ | ||
issuer: options.oidcIssuer, | ||
clientID: options.oidcClientID, | ||
clientSecret: options.oidcClientSecret, | ||
redirectURL: options.oidcRedirectURL, | ||
})); | ||
} | ||
} | ||
return idps; | ||
} | ||
exports.identityProviders = identityProviders; |
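Review bot: The `ctlogOptions`/`tlogOptions` hunk (`disable: options.ctLogThreshold === 0`, `threshold: options.ctLogThreshold ?? 1`) gives a threshold of `0` a new meaning: it used to be coerced to 1 by `|| 1`, and it now switches the check off entirely, so a caller that passed 0 as an "unset" value silently loses CT or tlog verification. That deserves a comment on both blocks, e.g. `// A threshold of 0 disables this check entirely; undefined keeps the default of 1.`, and ideally a line in the package changelog. Separately, the `switch` in `createBundleBuilder` has no `default`, so a plain-JS caller passing an unrecognised `bundleType` gets `undefined` back and fails later with an unhelpful TypeError on `bundler.create`; `default: throw new Error('unsupported bundle type: ' + bundleType);` would fail at the call site instead. `artifactVerificationOptions` starts outside its hunk, and since this is compiled output the change belongs in the TypeScript source.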
@@ -5,13 +5,6 @@ declare class BaseError extends Error { | ||
} | ||
export declare class VerificationError extends BaseError { | ||
} | ||
export declare class ValidationError extends BaseError { | ||
} | ||
export declare class PolicyError extends BaseError { | ||
} | ||
type InternalErrorCode = 'TLOG_FETCH_ENTRY_ERROR' | 'TLOG_CREATE_ENTRY_ERROR' | 'CA_CREATE_SIGNING_CERTIFICATE_ERROR' | 'TSA_CREATE_TIMESTAMP_ERROR' | 'TUF_FIND_TARGET_ERROR' | 'TUF_REFRESH_METADATA_ERROR' | 'TUF_DOWNLOAD_TARGET_ERROR' | 'TUF_READ_TARGET_ERROR'; | ||
export declare class InternalError extends BaseError { | ||
code: InternalErrorCode; | ||
declare class ErrorWithCode<T extends string> extends BaseError { | ||
code: T; | ||
constructor({ code, message, cause, }: { | ||
code: InternalErrorCode; | ||
code: T; | ||
message: string; | ||
@@ -21,2 +14,12 @@ cause?: any; | ||
} | ||
export declare class VerificationError extends BaseError { | ||
} | ||
export declare class PolicyError extends BaseError { | ||
} | ||
type InternalErrorCode = 'TUF_FIND_TARGET_ERROR' | 'TUF_REFRESH_METADATA_ERROR' | 'TUF_DOWNLOAD_TARGET_ERROR' | 'TUF_READ_TARGET_ERROR'; | ||
export declare class InternalError extends ErrorWithCode<InternalErrorCode> { | ||
} | ||
type SignatureErrorCode = 'MISSING_SIGNATURE_ERROR' | 'MISSING_PUBLIC_KEY_ERROR'; | ||
export declare class SignatureError extends ErrorWithCode<SignatureErrorCode> { | ||
} | ||
export {}; |
"use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.InternalError = exports.PolicyError = exports.ValidationError = exports.VerificationError = void 0; | ||
exports.SignatureError = exports.InternalError = exports.PolicyError = exports.VerificationError = void 0; | ||
/* | ||
@@ -27,17 +27,20 @@ Copyright 2023 The Sigstore Authors. | ||
} | ||
class ErrorWithCode extends BaseError { | ||
constructor({ code, message, cause, }) { | ||
super(message, cause); | ||
this.code = code; | ||
this.name = this.constructor.name; | ||
} | ||
} | ||
class VerificationError extends BaseError { | ||
} | ||
exports.VerificationError = VerificationError; | ||
class ValidationError extends BaseError { | ||
} | ||
exports.ValidationError = ValidationError; | ||
class PolicyError extends BaseError { | ||
} | ||
exports.PolicyError = PolicyError; | ||
class InternalError extends BaseError { | ||
constructor({ code, message, cause, }) { | ||
super(message, cause); | ||
this.code = code; | ||
} | ||
class InternalError extends ErrorWithCode { | ||
} | ||
exports.InternalError = InternalError; | ||
class SignatureError extends ErrorWithCode { | ||
} | ||
exports.SignatureError = SignatureError; |
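Review bot: `ErrorWithCode` sets `this.name = this.constructor.name`, which yields `InternalError`/`SignatureError` only while the class identifiers survive; under a minifier the name collapses to a mangled identifier, and any consumer that branches on `err.name` (common for a published error type) breaks silently. Assigning the name explicitly in each leaf class, e.g. `this.name = 'InternalError';`, or keeping it here but documenting that subclasses must not be renamed, removes that dependency. `super(message, cause)` passes `cause` positionally to `BaseError`, whose constructor is outside this hunk, so I assume it wraps it into the standard `{ cause }` option.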
@@ -1,2 +0,2 @@ | ||
import { Provider } from './provider'; | ||
import { IdentityProvider } from '@sigstore/sign'; | ||
/** | ||
@@ -9,3 +9,3 @@ * oauthProvider returns a new Provider instance which attempts to retrieve | ||
* @param clientSecret Client secret for the issuer (optional) | ||
* @returns {Provider} | ||
* @returns {IdentityProvider} | ||
*/ | ||
@@ -17,16 +17,6 @@ declare function oauthProvider(options: { | ||
redirectURL?: string; | ||
}): Provider; | ||
/** | ||
* ciContextProvider returns a new Provider instance which attempts to retrieve | ||
* an identity token from the CI context. | ||
* | ||
* @param audience audience claim for the generated token | ||
* @returns {Provider} | ||
*/ | ||
declare function ciContextProvider(audience?: string): Provider; | ||
}): IdentityProvider; | ||
declare const _default: { | ||
ciContextProvider: typeof ciContextProvider; | ||
oauthProvider: typeof oauthProvider; | ||
}; | ||
export default _default; | ||
export { Provider } from './provider'; |
"use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
/* | ||
Copyright 2022 The Sigstore Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
const ci_1 = require("./ci"); | ||
const issuer_1 = require("./issuer"); | ||
@@ -28,3 +12,3 @@ const oauth_1 = require("./oauth"); | ||
* @param clientSecret Client secret for the issuer (optional) | ||
* @returns {Provider} | ||
* @returns {IdentityProvider} | ||
*/ | ||
@@ -39,15 +23,4 @@ function oauthProvider(options) { | ||
} | ||
/** | ||
* ciContextProvider returns a new Provider instance which attempts to retrieve | ||
* an identity token from the CI context. | ||
* | ||
* @param audience audience claim for the generated token | ||
* @returns {Provider} | ||
*/ | ||
function ciContextProvider(audience = 'sigstore') { | ||
return new ci_1.CIContextProvider(audience); | ||
} | ||
exports.default = { | ||
ciContextProvider, | ||
oauthProvider, | ||
}; |
import { Issuer } from './issuer'; | ||
import { Provider } from './provider'; | ||
import type { IdentityProvider } from '@sigstore/sign'; | ||
interface OAuthProviderOptions { | ||
@@ -9,3 +9,3 @@ issuer: Issuer; | ||
} | ||
export declare class OAuthProvider implements Provider { | ||
export declare class OAuthProvider implements IdentityProvider { | ||
private clientID; | ||
@@ -12,0 +12,0 @@ private clientSecret; |
@@ -1,2 +0,2 @@ | ||
export type { Provider as IdentityProvider } from './identity'; | ||
export type { IdentityProvider } from '@sigstore/sign'; | ||
export * as sigstore from './sigstore'; |
/// <reference types="node" /> | ||
import { SerializedBundle, SerializedEnvelope } from '@sigstore/bundle'; | ||
import { SignOptions } from './config'; | ||
import { SignerFunc } from './types/signature'; | ||
import * as sigstore from './types/sigstore'; | ||
export declare function createDSSEEnvelope(payload: Buffer, payloadType: string, options: { | ||
signer: SignerFunc; | ||
}): Promise<sigstore.SerializedEnvelope>; | ||
export declare function createRekorEntry(dsseEnvelope: sigstore.SerializedEnvelope, publicKey: string, options?: SignOptions): Promise<sigstore.SerializedBundle>; | ||
}): Promise<SerializedEnvelope>; | ||
export declare function createRekorEntry(dsseEnvelope: SerializedEnvelope, publicKey: string, options?: SignOptions): Promise<SerializedBundle>; |
"use strict"; | ||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { | ||
if (k2 === undefined) k2 = k; | ||
var desc = Object.getOwnPropertyDescriptor(m, k); | ||
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { | ||
desc = { enumerable: true, get: function() { return m[k]; } }; | ||
} | ||
Object.defineProperty(o, k2, desc); | ||
}) : (function(o, m, k, k2) { | ||
if (k2 === undefined) k2 = k; | ||
o[k2] = m[k]; | ||
})); | ||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { | ||
Object.defineProperty(o, "default", { enumerable: true, value: v }); | ||
}) : function(o, v) { | ||
o["default"] = v; | ||
}); | ||
var __importStar = (this && this.__importStar) || function (mod) { | ||
if (mod && mod.__esModule) return mod; | ||
var result = {}; | ||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); | ||
__setModuleDefault(result, mod); | ||
return result; | ||
}; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
@@ -42,22 +19,12 @@ exports.createRekorEntry = exports.createDSSEEnvelope = void 0; | ||
*/ | ||
const bundle_1 = require("@sigstore/bundle"); | ||
const sign_1 = require("@sigstore/sign"); | ||
const config_1 = require("./config"); | ||
const signature_1 = require("./types/signature"); | ||
const sigstore = __importStar(require("./types/sigstore")); | ||
const util_1 = require("./util"); | ||
async function createDSSEEnvelope(payload, payloadType, options) { | ||
// Pre-authentication encoding to be signed | ||
const paeBuffer = util_1.dsse.preAuthEncoding(payloadType, payload); | ||
// Get signature and verification material for pae | ||
const sigMaterial = await options.signer(paeBuffer); | ||
const envelope = { | ||
payloadType, | ||
payload, | ||
signatures: [ | ||
{ | ||
keyid: sigMaterial.key?.id || '', | ||
sig: sigMaterial.signature, | ||
}, | ||
], | ||
}; | ||
return sigstore.Envelope.toJSON(envelope); | ||
const bundler = (0, config_1.createBundleBuilder)('dsseEnvelope', { | ||
signer: options.signer, | ||
tlogUpload: false, | ||
}); | ||
const bundle = await bundler.create({ data: payload, type: payloadType }); | ||
return (0, bundle_1.envelopeToJSON)(bundle.content.dsseEnvelope); | ||
} | ||
@@ -67,16 +34,24 @@ exports.createDSSEEnvelope = createDSSEEnvelope; | ||
// transparency log. Returns a Sigstore bundle suitable for offline verification. | ||
async function createRekorEntry(dsseEnvelope, publicKey, options = {}) { | ||
const envelope = sigstore.Envelope.fromJSON(dsseEnvelope); | ||
const tlog = (0, config_1.createTLogClient)(options); | ||
const sigMaterial = (0, signature_1.extractSignatureMaterial)(envelope, publicKey); | ||
const entry = await tlog.createDSSEEntry(envelope, sigMaterial, { | ||
async function createRekorEntry(dsseEnvelope, publicKey, | ||
/* istanbul ignore next */ | ||
options = {}) { | ||
const envelope = (0, bundle_1.envelopeFromJSON)(dsseEnvelope); | ||
const bundle = (0, bundle_1.toDSSEBundle)({ | ||
artifact: envelope.payload, | ||
artifactType: envelope.payloadType, | ||
signature: envelope.signatures[0].sig, | ||
keyHint: envelope.signatures[0].keyid, | ||
}); | ||
const tlog = new sign_1.RekorWitness({ | ||
rekorBaseURL: options.rekorURL || /* istanbul ignore next */ config_1.DEFAULT_REKOR_URL, | ||
fetchOnConflict: true, | ||
retry: options.retry ?? config_1.DEFAULT_RETRY, | ||
timeout: options.timeout ?? config_1.DEFAULT_TIMEOUT, | ||
}); | ||
const bundle = sigstore.toDSSEBundle({ | ||
envelope, | ||
signature: sigMaterial, | ||
tlogEntry: entry, | ||
}); | ||
return sigstore.bundleToJSON(bundle); | ||
// Add entry to transparency log | ||
const vm = await tlog.testify(bundle.content, publicKey); | ||
// Add transparency log entries to bundle | ||
bundle.verificationMaterial.tlogEntries = [...vm.tlogEntries]; | ||
return (0, bundle_1.bundleToJSON)(bundle); | ||
} | ||
exports.createRekorEntry = createRekorEntry; |
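Review bot: `createRekorEntry` reads `envelope.signatures[0].sig` and `envelope.signatures[0].keyid` without checking that the envelope carries exactly one signature; an envelope with an empty `signatures` array fails with a TypeError while building the `toDSSEBundle` argument rather than a clear error, and any additional signatures are silently dropped from the bundle that gets logged. A guard before the `toDSSEBundle` call, `if (envelope.signatures.length !== 1) { throw new Error('DSSE envelope must contain exactly one signature'); }`, makes the precondition explicit (the removed `extractSignatureMaterial` had the same gap, so this is not a regression). If multiple signatures are meant to be supported, the choice of index 0 should at least be documented on that line.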
/// <reference types="node" /> | ||
import { SerializedBundle } from '@sigstore/bundle'; | ||
import * as tuf from '@sigstore/tuf'; | ||
import * as config from './config'; | ||
import * as sigstore from './types/sigstore'; | ||
export declare function sign(payload: Buffer, options?: config.SignOptions): Promise<sigstore.SerializedBundle>; | ||
export declare function attest(payload: Buffer, payloadType: string, options?: config.SignOptions): Promise<sigstore.SerializedBundle>; | ||
export declare function verify(bundle: sigstore.SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>; | ||
export declare function sign(payload: Buffer, options?: config.SignOptions): Promise<SerializedBundle>; | ||
export declare function attest(payload: Buffer, payloadType: string, options?: config.SignOptions): Promise<SerializedBundle>; | ||
export declare function verify(bundle: SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>; | ||
export interface BundleVerifier { | ||
verify(bundle: sigstore.SerializedBundle): void; | ||
verify(bundle: SerializedBundle): void; | ||
} | ||
@@ -16,9 +16,10 @@ export declare function createVerifier(options: config.CreateVerifierOptions): Promise<BundleVerifier>; | ||
}; | ||
export { ValidationError } from '@sigstore/bundle'; | ||
export type { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from '@sigstore/bundle'; | ||
export type { TUF } from '@sigstore/tuf'; | ||
export type { SignOptions, VerifyOptions } from './config'; | ||
export { InternalError, PolicyError, ValidationError, VerificationError, } from './error'; | ||
export { InternalError, PolicyError, VerificationError } from './error'; | ||
export * as utils from './sigstore-utils'; | ||
export type { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from './types/sigstore'; | ||
export { tufUtils as tuf }; | ||
export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev"; | ||
export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev"; |
@@ -26,3 +26,3 @@ "use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0; | ||
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.PolicyError = exports.InternalError = exports.ValidationError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0; | ||
/* | ||
@@ -43,39 +43,16 @@ Copyright 2023 The Sigstore Authors. | ||
*/ | ||
const bundle_1 = require("@sigstore/bundle"); | ||
const tuf = __importStar(require("@sigstore/tuf")); | ||
const config = __importStar(require("./config")); | ||
const sign_1 = require("./sign"); | ||
const sigstore = __importStar(require("./types/sigstore")); | ||
const verify_1 = require("./verify"); | ||
async function sign(payload, options = {}) { | ||
const ca = config.createCAClient(options); | ||
const tlog = config.createTLogClient(options); | ||
const idps = config.identityProviders(options); | ||
const signer = new sign_1.Signer({ | ||
ca, | ||
tlog, | ||
identityProviders: options.identityProvider | ||
? [options.identityProvider] | ||
: idps, | ||
tlogUpload: options.tlogUpload, | ||
}); | ||
const bundle = await signer.signBlob(payload); | ||
return sigstore.bundleToJSON(bundle); | ||
const bundler = config.createBundleBuilder('messageSignature', options); | ||
const bundle = await bundler.create({ data: payload }); | ||
return (0, bundle_1.bundleToJSON)(bundle); | ||
} | ||
exports.sign = sign; | ||
async function attest(payload, payloadType, options = {}) { | ||
const ca = config.createCAClient(options); | ||
const tlog = config.createTLogClient(options); | ||
const tsa = config.createTSAClient(options); | ||
const idps = config.identityProviders(options); | ||
const signer = new sign_1.Signer({ | ||
ca, | ||
tlog, | ||
tsa, | ||
identityProviders: options.identityProvider | ||
? [options.identityProvider] | ||
: idps, | ||
tlogUpload: options.tlogUpload, | ||
}); | ||
const bundle = await signer.signAttestation(payload, payloadType); | ||
return sigstore.bundleToJSON(bundle); | ||
const bundler = config.createBundleBuilder('dsseEnvelope', options); | ||
const bundle = await bundler.create({ data: payload, type: payloadType }); | ||
return (0, bundle_1.bundleToJSON)(bundle); | ||
} | ||
@@ -92,3 +69,3 @@ exports.attest = attest; | ||
const verifier = new verify_1.Verifier(trustedRoot, options.keySelector); | ||
const deserializedBundle = sigstore.bundleFromJSON(bundle); | ||
const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle); | ||
const opts = config.artifactVerificationOptions(options); | ||
@@ -110,3 +87,3 @@ return verifier.verify(deserializedBundle, opts, payload); | ||
verify: (bundle) => { | ||
const deserializedBundle = sigstore.bundleFromJSON(bundle); | ||
const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle); | ||
return verifier.verify(deserializedBundle, verifyOpts); | ||
@@ -143,6 +120,7 @@ }, | ||
exports.tuf = tufUtils; | ||
var bundle_2 = require("@sigstore/bundle"); | ||
Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return bundle_2.ValidationError; } }); | ||
var error_1 = require("./error"); | ||
Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return error_1.InternalError; } }); | ||
Object.defineProperty(exports, "PolicyError", { enumerable: true, get: function () { return error_1.PolicyError; } }); | ||
Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return error_1.ValidationError; } }); | ||
Object.defineProperty(exports, "VerificationError", { enumerable: true, get: function () { return error_1.VerificationError; } }); | ||
@@ -149,0 +127,0 @@ exports.utils = __importStar(require("./sigstore-utils")); |
@@ -1,2 +0,2 @@ | ||
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifyTLogBody(entry: sigstore.VerifiableTransparencyLogEntry, bundleContent: sigstore.Bundle['content']): boolean; | ||
import type { Bundle, TransparencyLogEntry } from '@sigstore/bundle'; | ||
export declare function verifyTLogBody(entry: TransparencyLogEntry, bundleContent: Bundle['content']): boolean; |
@@ -0,2 +1,3 @@ | ||
import { Bundle } from '@sigstore/bundle'; | ||
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifyTLogEntries(bundle: sigstore.Bundle, trustedRoot: sigstore.TrustedRoot, options: sigstore.ArtifactVerificationOptions_TlogOptions): void; | ||
export declare function verifyTLogEntries(bundle: Bundle, trustedRoot: sigstore.TrustedRoot, options: sigstore.ArtifactVerificationOptions_TlogOptions): void; |
"use strict"; | ||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { | ||
if (k2 === undefined) k2 = k; | ||
var desc = Object.getOwnPropertyDescriptor(m, k); | ||
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { | ||
desc = { enumerable: true, get: function() { return m[k]; } }; | ||
} | ||
Object.defineProperty(o, k2, desc); | ||
}) : (function(o, m, k, k2) { | ||
if (k2 === undefined) k2 = k; | ||
o[k2] = m[k]; | ||
})); | ||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { | ||
Object.defineProperty(o, "default", { enumerable: true, value: v }); | ||
}) : function(o, v) { | ||
o["default"] = v; | ||
}); | ||
var __importStar = (this && this.__importStar) || function (mod) { | ||
if (mod && mod.__esModule) return mod; | ||
var result = {}; | ||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); | ||
__setModuleDefault(result, mod); | ||
return result; | ||
}; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
@@ -42,6 +19,8 @@ exports.verifyTLogEntries = void 0; | ||
*/ | ||
const bundle_1 = require("@sigstore/bundle"); | ||
const error_1 = require("../../error"); | ||
const sigstore = __importStar(require("../../types/sigstore")); | ||
const cert_1 = require("../../x509/cert"); | ||
const body_1 = require("./body"); | ||
const checkpoint_1 = require("./checkpoint"); | ||
const merkle_1 = require("./merkle"); | ||
const set_1 = require("./set"); | ||
@@ -51,2 +30,13 @@ // Verifies that the number of tlog entries that pass offline verification | ||
function verifyTLogEntries(bundle, trustedRoot, options) { | ||
if (bundle.mediaType === bundle_1.BUNDLE_V01_MEDIA_TYPE) { | ||
(0, bundle_1.assertBundleV01)(bundle); | ||
verifyTLogEntriesForBundleV01(bundle, trustedRoot, options); | ||
} | ||
else { | ||
(0, bundle_1.assertBundleLatest)(bundle); | ||
verifyTLogEntriesForBundleLatest(bundle, trustedRoot, options); | ||
} | ||
} | ||
exports.verifyTLogEntries = verifyTLogEntries; | ||
function verifyTLogEntriesForBundleV01(bundle, trustedRoot, options) { | ||
if (options.performOnlineVerification) { | ||
@@ -58,3 +48,3 @@ throw new error_1.VerificationError('Online verification not implemented'); | ||
// Iterate over the tlog entries and verify each one | ||
const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryOffline(entry, bundle.content, trustedRoot.tlogs, signingCert)); | ||
const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryWithInclusionPromise(entry, bundle.content, trustedRoot.tlogs, signingCert)); | ||
if (verifiedEntries.length < options.threshold) { | ||
@@ -64,8 +54,15 @@ throw new error_1.VerificationError('tlog verification failed'); | ||
} | ||
exports.verifyTLogEntries = verifyTLogEntries; | ||
function verifyTLogEntryOffline(entry, bundleContent, tlogs, signingCert) { | ||
// Check that the TLog entry has the fields necessary for verification | ||
if (!sigstore.isVerifiableTransparencyLogEntry(entry)) { | ||
return false; | ||
function verifyTLogEntriesForBundleLatest(bundle, trustedRoot, options) { | ||
if (options.performOnlineVerification) { | ||
throw new error_1.VerificationError('Online verification not implemented'); | ||
} | ||
// Extract the signing cert, if available | ||
const signingCert = signingCertificate(bundle); | ||
// Iterate over the tlog entries and verify each one | ||
const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryWithInclusionProof(entry, bundle.content, trustedRoot.tlogs, signingCert)); | ||
if (verifiedEntries.length < options.threshold) { | ||
throw new error_1.VerificationError('tlog verification failed'); | ||
} | ||
} | ||
function verifyTLogEntryWithInclusionPromise(entry, bundleContent, tlogs, signingCert) { | ||
// If there is a signing certificate availble, check that the tlog integrated | ||
@@ -81,4 +78,16 @@ // time is within the certificate's validity period; otherwise, skip this | ||
} | ||
function verifyTLogEntryWithInclusionProof(entry, bundleContent, tlogs, signingCert) { | ||
// If there is a signing certificate availble, check that the tlog integrated | ||
// time is within the certificate's validity period; otherwise, skip this | ||
// check. | ||
const verifyTLogIntegrationTime = signingCert | ||
? () => signingCert.validForDate(new Date(Number(entry.integratedTime) * 1000)) | ||
: () => true; | ||
return ((0, body_1.verifyTLogBody)(entry, bundleContent) && | ||
(0, merkle_1.verifyMerkleInclusion)(entry) && | ||
(0, checkpoint_1.verifyCheckpoint)(entry, tlogs) && | ||
verifyTLogIntegrationTime()); | ||
} | ||
function signingCertificate(bundle) { | ||
if (!sigstore.isBundleWithCertificateChain(bundle)) { | ||
if (!(0, bundle_1.isBundleWithCertificateChain)(bundle)) { | ||
return undefined; | ||
@@ -85,0 +94,0 @@ } |
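Review bot: `verifyTLogEntriesForBundleV01` and `verifyTLogEntriesForBundleLatest` are identical apart from the per-entry predicate, so the online-verification guard, signing-cert extraction and threshold comparison are now maintained twice; passing the predicate into one shared helper keeps the threshold logic in a single place. Note also that for a latest bundle `verifyTLogEntryWithInclusionProof` checks body, Merkle inclusion, checkpoint and integration time but never looks at an `inclusionPromise` if the entry also carries one — that may be intentional, but a comment saying the SET is deliberately ignored for v0.2+ bundles would save the next reader a question. `verifyTLogEntriesForBundleV01` begins in the `@@ -51` hunk and continues through the `@@ -58` hunk, and `signingCertificate` runs past the last hunk. This is compiled output, so the change belongs in the TypeScript source.
```javascript
function verifyTLogEntries(bundle, trustedRoot, options) {
    if (bundle.mediaType === bundle_1.BUNDLE_V01_MEDIA_TYPE) {
        (0, bundle_1.assertBundleV01)(bundle);
        verifyEntriesWith(verifyTLogEntryWithInclusionPromise, bundle, trustedRoot, options);
    }
    else {
        (0, bundle_1.assertBundleLatest)(bundle);
        verifyEntriesWith(verifyTLogEntryWithInclusionProof, bundle, trustedRoot, options);
    }
}
exports.verifyTLogEntries = verifyTLogEntries;
// Shared threshold check; `verifyEntry` decides how a single entry is validated.
function verifyEntriesWith(verifyEntry, bundle, trustedRoot, options) {
    if (options.performOnlineVerification) {
        throw new error_1.VerificationError('Online verification not implemented');
    }
    // Extract the signing cert, if available
    const signingCert = signingCertificate(bundle);
    const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyEntry(entry, bundle.content, trustedRoot.tlogs, signingCert));
    if (verifiedEntries.length < options.threshold) {
        throw new error_1.VerificationError('tlog verification failed');
    }
}
// … unchanged: verifyTLogEntryWithInclusionPromise, verifyTLogEntryWithInclusionProof, signingCertificate …
```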
@@ -1,2 +0,2 @@ | ||
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifyMerkleInclusion(entry: sigstore.TransparencyLogEntry): boolean; | ||
import type { TLogEntryWithInclusionProof } from '@sigstore/bundle'; | ||
export declare function verifyMerkleInclusion(entry: TLogEntryWithInclusionProof): boolean; |
@@ -28,5 +28,2 @@ "use strict"; | ||
const inclusionProof = entry.inclusionProof; | ||
if (!inclusionProof) { | ||
throw new error_1.VerificationError('tlog entry has no inclusion proof'); | ||
} | ||
const logIndex = BigInt(inclusionProof.logIndex); | ||
@@ -80,3 +77,3 @@ const treeSize = BigInt(inclusionProof.treeSize); | ||
function innerProofSize(index, size) { | ||
return (index ^ (size - BigInt(1))).toString(2).length; | ||
return bitLength(index ^ (size - BigInt(1))); | ||
} | ||
@@ -88,2 +85,9 @@ // Counts the number of ones in the binary representation of the given number. | ||
} | ||
// Returns the number of bits necessary to represent an integer in binary. | ||
function bitLength(n) { | ||
if (n === 0n) { | ||
return 0; | ||
} | ||
return n.toString(2).length; | ||
} | ||
// Hashing logic according to RFC6962. | ||
@@ -90,0 +94,0 @@ // https://datatracker.ietf.org/doc/html/rfc6962#section-2 |
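Review bot: The `if (!inclusionProof) throw` guard removed in the `@@ -28` hunk now rests entirely on the `TLogEntryWithInclusionProof` type, which at runtime is only as strong as whatever bundle assertion runs before the entry reaches `verifyMerkleInclusion`; an entry that slips through without a proof would surface as a TypeError on `inclusionProof.logIndex` instead of a `VerificationError`. A one-line comment on the assignment, `// inclusionProof presence is guaranteed by the bundle assertion upstream`, documents the precondition; keeping the guard would cost nothing and fail closed. The enclosing function starts before the `@@ -28` hunk.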
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifyTLogSET(entry: sigstore.VerifiableTransparencyLogEntry, tlogs: sigstore.TransparencyLogInstance[]): boolean; | ||
import type { TLogEntryWithInclusionPromise } from '@sigstore/bundle'; | ||
export declare function verifyTLogSET(entry: TLogEntryWithInclusionPromise, tlogs: sigstore.TransparencyLogInstance[]): boolean; |
@@ -14,5 +14,2 @@ "use strict"; | ||
return validTLogs.some((tlog) => { | ||
if (!tlog.publicKey?.rawBytes) { | ||
return false; | ||
} | ||
const publicKey = util_1.crypto.createPublicKey(tlog.publicKey.rawBytes); | ||
@@ -64,3 +61,3 @@ // Re-create the original Rekor verification payload | ||
// Check that the integrated time is within the validFor range | ||
return (publicKey.validFor.start && | ||
return (publicKey.validFor.start !== undefined && | ||
publicKey.validFor.start <= targetDate && | ||
@@ -67,0 +64,0 @@ (!publicKey.validFor.end || targetDate <= publicKey.validFor.end)); |
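Review bot: The new `publicKey.validFor.start !== undefined` check accepts `null`, and `null <= targetDate` then evaluates to true because `null` coerces to `0`, so a key whose `start` is `null` now passes where the old truthiness test rejected it; if the trusted-root types can carry `null` there (presumably not when parsed from protobuf JSON, but worth confirming), `publicKey.validFor.start != null &&` covers both cases without reintroducing the truthiness problem. The first hunk removes the `tlog.publicKey?.rawBytes` guard, so `createPublicKey` is now called on whatever the trusted root supplies, and an absent `rawBytes` becomes an exception thrown from inside `some` rather than a `false` result; fine if the type now guarantees the field, but a short comment to that effect would help. The enclosing function starts before and ends after the hunks.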
/// <reference types="node" /> | ||
import { Envelope } from './sigstore'; | ||
import { Signature, Signer } from '@sigstore/sign'; | ||
import { OneOf } from './utility'; | ||
@@ -15,3 +15,10 @@ interface VerificationMaterial { | ||
export type SignerFunc = (payload: Buffer) => Promise<SignatureMaterial>; | ||
export declare function extractSignatureMaterial(dsseEnvelope: Envelope, publicKey: string): SignatureMaterial; | ||
type CallbackSignerOptions = { | ||
signer: SignerFunc; | ||
}; | ||
export declare class CallbackSigner implements Signer { | ||
private signer; | ||
constructor(options: CallbackSignerOptions); | ||
sign(data: Buffer): Promise<Signature>; | ||
} | ||
export {}; |
"use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.extractSignatureMaterial = void 0; | ||
function extractSignatureMaterial(dsseEnvelope, publicKey) { | ||
const signature = dsseEnvelope.signatures[0]; | ||
return { | ||
signature: signature.sig, | ||
key: { | ||
id: signature.keyid, | ||
value: publicKey, | ||
}, | ||
certificates: undefined, | ||
}; | ||
exports.CallbackSigner = void 0; | ||
const error_1 = require("../error"); | ||
// Adapter to allow the legacy SignerFunc callback to be used as a new Signer | ||
// interface. | ||
class CallbackSigner { | ||
constructor(options) { | ||
this.signer = options.signer; | ||
} | ||
async sign(data) { | ||
const sigMaterial = await this.signer(data); | ||
// Since we're getting data from an external source, we need to validate | ||
// that it's well-formed and complete. | ||
if (!sigMaterial.signature) { | ||
throw new error_1.SignatureError({ | ||
code: 'MISSING_SIGNATURE_ERROR', | ||
message: 'no signature returned from signer', | ||
}); | ||
} | ||
if (!sigMaterial.key?.value) { | ||
throw new error_1.SignatureError({ | ||
code: 'MISSING_PUBLIC_KEY_ERROR', | ||
message: 'no key returned from signer', | ||
}); | ||
} | ||
return { | ||
signature: sigMaterial.signature, | ||
key: { | ||
$case: 'publicKey', | ||
hint: sigMaterial.key.id, | ||
publicKey: sigMaterial.key.value, | ||
}, | ||
}; | ||
} | ||
} | ||
exports.extractSignatureMaterial = extractSignatureMaterial; | ||
exports.CallbackSigner = CallbackSigner; |
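Review bot: `CallbackSigner.sign` always maps the legacy result to `$case: 'publicKey'`, so any `certificates` a legacy callback returns (the removed `extractSignatureMaterial` shows that field on the legacy material) are silently dropped; if certificate-bearing results are not meant to be supported by the adapter, rejecting them explicitly with a `SignatureError` when `sigMaterial.certificates` is set is clearer than losing verification material without a trace. The comment says the result is validated as "well-formed", but only truthiness is tested; `Buffer.isBuffer(sigMaterial.signature)` would match that claim, and `hint: sigMaterial.key.id` is passed through unchecked, which is presumably fine only if the hint is optional downstream. Consider a JSDoc header on the class stating which fields of the legacy `SignatureMaterial` are honoured and which are ignored.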
/// <reference types="node" /> | ||
/// <reference types="node" /> | ||
/// <reference types="node" /> | ||
import { BinaryLike, KeyLike, KeyPairKeyObjectResult } from 'crypto'; | ||
export declare function generateKeyPair(): KeyPairKeyObjectResult; | ||
import { BinaryLike, KeyLike } from 'crypto'; | ||
export declare function createPublicKey(key: string | Buffer): KeyLike; | ||
export declare function signBlob(data: NodeJS.ArrayBufferView, privateKey: KeyLike): Buffer; | ||
export declare function verifyBlob(data: Buffer, key: KeyLike, signature: Buffer, algorithm?: string): boolean; | ||
export declare function hash(data: BinaryLike): Buffer; | ||
export declare function randomBytes(count: number): Buffer; | ||
export declare function bufferEqual(a: Buffer, b: Buffer): boolean; |
@@ -6,3 +6,3 @@ "use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.randomBytes = exports.hash = exports.verifyBlob = exports.signBlob = exports.createPublicKey = exports.generateKeyPair = void 0; | ||
exports.bufferEqual = exports.randomBytes = exports.hash = exports.verifyBlob = exports.createPublicKey = void 0; | ||
/* | ||
@@ -24,11 +24,3 @@ Copyright 2022 The Sigstore Authors. | ||
const crypto_1 = __importDefault(require("crypto")); | ||
const EC_KEYPAIR_TYPE = 'ec'; | ||
const P256_CURVE = 'P-256'; | ||
const SHA256_ALGORITHM = 'sha256'; | ||
function generateKeyPair() { | ||
return crypto_1.default.generateKeyPairSync(EC_KEYPAIR_TYPE, { | ||
namedCurve: P256_CURVE, | ||
}); | ||
} | ||
exports.generateKeyPair = generateKeyPair; | ||
function createPublicKey(key) { | ||
@@ -43,6 +35,2 @@ if (typeof key === 'string') { | ||
exports.createPublicKey = createPublicKey; | ||
function signBlob(data, privateKey) { | ||
return crypto_1.default.sign(null, data, privateKey); | ||
} | ||
exports.signBlob = signBlob; | ||
function verifyBlob(data, key, signature, algorithm) { | ||
@@ -55,2 +43,3 @@ // The try/catch is to work around an issue in Node 14.x where verify throws | ||
catch (e) { | ||
/* istanbul ignore next */ | ||
return false; | ||
@@ -69,1 +58,11 @@ } | ||
exports.randomBytes = randomBytes; | ||
function bufferEqual(a, b) { | ||
try { | ||
return crypto_1.default.timingSafeEqual(a, b); | ||
} | ||
catch { | ||
/* istanbul ignore next */ | ||
return false; | ||
} | ||
} | ||
exports.bufferEqual = bufferEqual; |
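Review bot: `bufferEqual`'s bare `catch` turns every exception from `timingSafeEqual` into `false`, which is the intended outcome for buffers of different length but also hides the `TypeError` raised when an argument is not a `Buffer`/`TypedArray`, converting a caller bug into a silent mismatch. Either narrow the catch to the length case (`if (a.length !== b.length) return false;` before the call, letting other errors propagate) or document the contract above the function: `// Constant-time comparison. Returns false instead of throwing when lengths differ; length itself is not concealed.`. The `/* istanbul ignore next */` on the `return false` line marks the branch as untested, yet differing lengths are the normal use of that branch, so a small unit test would be cheap; the same marker is added to `verifyBlob`'s catch in the previous hunk.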
@@ -6,5 +6,2 @@ export * as asn1 from './asn1'; | ||
export * as json from './json'; | ||
export * as oidc from './oidc'; | ||
export * as pem from './pem'; | ||
export * as promise from './promise'; | ||
export * as ua from './ua'; |
@@ -26,3 +26,3 @@ "use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.ua = exports.promise = exports.pem = exports.oidc = exports.json = exports.encoding = exports.dsse = exports.crypto = exports.asn1 = void 0; | ||
exports.pem = exports.json = exports.encoding = exports.dsse = exports.crypto = exports.asn1 = void 0; | ||
/* | ||
@@ -48,5 +48,2 @@ Copyright 2022 The Sigstore Authors. | ||
exports.json = __importStar(require("./json")); | ||
exports.oidc = __importStar(require("./oidc")); | ||
exports.pem = __importStar(require("./pem")); | ||
exports.promise = __importStar(require("./promise")); | ||
exports.ua = __importStar(require("./ua")); |
/// <reference types="node" /> | ||
import { Bundle } from '@sigstore/bundle'; | ||
import * as sigstore from './types/sigstore'; | ||
@@ -8,3 +9,3 @@ export type KeySelector = (hint: string) => string | Buffer | undefined; | ||
constructor(trustedRoot: sigstore.TrustedRoot, keySelector?: KeySelector); | ||
verify(bundle: sigstore.Bundle, options: sigstore.RequiredArtifactVerificationOptions, data?: Buffer): void; | ||
verify(bundle: Bundle, options: sigstore.RequiredArtifactVerificationOptions, data?: Buffer): void; | ||
private verifyArtifactSignature; | ||
@@ -11,0 +12,0 @@ private verifySigningCertificate; |
@@ -27,2 +27,18 @@ "use strict"; | ||
exports.Verifier = void 0; | ||
/* | ||
Copyright 2023 The Sigstore Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
const bundle_1 = require("@sigstore/bundle"); | ||
const ca = __importStar(require("./ca/verify")); | ||
@@ -42,3 +58,3 @@ const error_1 = require("./error"); | ||
this.verifyArtifactSignature(bundle, data); | ||
if (sigstore.isBundleWithCertificateChain(bundle)) { | ||
if ((0, bundle_1.isBundleWithCertificateChain)(bundle)) { | ||
this.verifySigningCertificate(bundle, options); | ||
@@ -45,0 +61,0 @@ } |
{ | ||
"name": "sigstore", | ||
"version": "1.7.0", | ||
"version": "1.9.0", | ||
"description": "code-signing for npm packages", | ||
@@ -35,2 +35,3 @@ "main": "dist/index.js", | ||
"@sigstore/jest": "^0.0.0", | ||
"@sigstore/mock": "^0.2.0", | ||
"@tufjs/repo-mock": "^1.1.0", | ||
@@ -40,4 +41,6 @@ "@types/make-fetch-happen": "^10.0.0" | ||
"dependencies": { | ||
"@sigstore/protobuf-specs": "^0.1.0", | ||
"@sigstore/tuf": "^1.0.1", | ||
"@sigstore/bundle": "^1.1.0", | ||
"@sigstore/protobuf-specs": "^0.2.0", | ||
"@sigstore/sign": "^1.0.0", | ||
"@sigstore/tuf": "^1.0.3", | ||
"make-fetch-happen": "^11.0.1" | ||
@@ -44,0 +47,0 @@ }, |
@@ -23,2 +23,119 @@ # sigstore · [![npm version](https://img.shields.io/npm/v/sigstore.svg?style=flat)](https://www.npmjs.com/package/sigstore) [![CI Status](https://github.com/sigstore/sigstore-js/workflows/CI/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/ci.yml) [![Smoke Test Status](https://github.com/sigstore/sigstore-js/workflows/smoke-test/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/smoke-test.yml) | ||
## Compatibility | ||
The following table documents which combinations of Sigstore bundle versions | ||
and Rekor types can be verified by different versions of the `sigstore` | ||
library. It also lists which `sigstore` versions were shipped with different | ||
`npm` CLI versions. | ||
<table> | ||
<thead> | ||
<tr> | ||
<th colspan=2><code>sigstore</code></th> | ||
<th>1.0</th> | ||
<th>1.1</th> | ||
<th>1.2</th> | ||
<th>1.3</th> | ||
<th>1.4</th> | ||
<th>1.5</th> | ||
<th>1.6</th> | ||
<th>1.7</th> | ||
<th>1.8</th> | ||
</tr> | ||
<tr> | ||
<th colspan=2><code>npm</code></th> | ||
<th>9.5.0</th> | ||
<th>9.6.2</th> | ||
<th>9.6.3</th> | ||
<th>9.6.5</th> | ||
<th>9.6.6</th> | ||
<th>9.6.7</th> | ||
<th>9.7.2</th> | ||
<th>9.8.0</th> | ||
<th></th> | ||
</tr> | ||
<tr> | ||
<th>Bundle Version</th> | ||
<th>Rekor Type</th> | ||
<th colspan=9></th> | ||
</tr> | ||
</thead> | ||
<tbody> | ||
<tr> | ||
<td rowspan=3>0.1</td> | ||
<td>hashedrekord</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
</tr> | ||
<tr> | ||
<td>intoto</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
</tr> | ||
<tr> | ||
<td>dsse</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
</tr> | ||
<tr> | ||
<td rowspan=3>0.2</td> | ||
<td>hashedrekord</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
</tr> | ||
<tr> | ||
<td>intoto</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
</tr> | ||
<tr> | ||
<td>dsse</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:x:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
<td>:white_check_mark:</td> | ||
</tr> | ||
</tbody> | ||
</table> | ||
## Usage | ||
@@ -25,0 +142,0 @@ |
{ | ||
"version": "9.8.1", | ||
"version": "9.9.0", | ||
"name": "npm", | ||
@@ -55,4 +55,4 @@ "description": "a package manager for JavaScript", | ||
"@isaacs/string-locale-compare": "^1.1.0", | ||
"@npmcli/arborist": "^6.3.0", | ||
"@npmcli/config": "^6.2.1", | ||
"@npmcli/arborist": "^6.5.0", | ||
"@npmcli/config": "^6.4.0", | ||
"@npmcli/fs": "^3.1.0", | ||
@@ -81,8 +81,8 @@ "@npmcli/map-workspaces": "^3.0.4", | ||
"libnpmaccess": "^7.0.2", | ||
"libnpmdiff": "^5.0.19", | ||
"libnpmexec": "^6.0.3", | ||
"libnpmfund": "^4.0.19", | ||
"libnpmdiff": "^5.0.20", | ||
"libnpmexec": "^6.0.4", | ||
"libnpmfund": "^4.2.1", | ||
"libnpmhook": "^9.0.3", | ||
"libnpmorg": "^5.0.4", | ||
"libnpmpack": "^5.0.19", | ||
"libnpmpack": "^5.0.20", | ||
"libnpmpublish": "^7.5.0", | ||
@@ -99,6 +99,7 @@ "libnpmsearch": "^6.0.2", | ||
"nopt": "^7.2.0", | ||
"normalize-package-data": "^5.0.0", | ||
"npm-audit-report": "^5.0.0", | ||
"npm-install-checks": "^6.1.1", | ||
"npm-install-checks": "^6.2.0", | ||
"npm-package-arg": "^10.1.0", | ||
"npm-pick-manifest": "^8.0.1", | ||
"npm-pick-manifest": "^8.0.2", | ||
"npm-profile": "^7.0.1", | ||
@@ -115,3 +116,4 @@ "npm-registry-fetch": "^14.0.5", | ||
"semver": "^7.5.4", | ||
"sigstore": "^1.7.0", | ||
"sigstore": "^1.9.0", | ||
"spdx-expression-parse": "^3.0.1", | ||
"ssri": "^10.0.4", | ||
@@ -171,2 +173,3 @@ "supports-color": "^9.4.0", | ||
"nopt", | ||
"normalize-package-data", | ||
"npm-audit-report", | ||
@@ -188,2 +191,3 @@ "npm-install-checks", | ||
"sigstore", | ||
"spdx-expression-parse", | ||
"ssri", | ||
@@ -205,4 +209,7 @@ "supports-color", | ||
"@npmcli/mock-registry": "^1.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"@npmcli/template-oss": "4.19.0", | ||
"@tufjs/repo-mock": "^1.3.1", | ||
"ajv": "^8.12.0", | ||
"ajv-formats": "^2.1.1", | ||
"ajv-formats-draft2019": "^1.6.1", | ||
"diff": "^5.1.0", | ||
@@ -259,3 +266,3 @@ "licensee": "^10.0.0", | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"version": "4.19.0", | ||
"content": "./scripts/template-oss/root.js" | ||
@@ -262,0 +269,0 @@ }, |
+ Addedspdx-expression-parse@^3.0.1
Updated@npmcli/arborist@^6.5.0
Updated@npmcli/config@^6.4.0
Updatedlibnpmdiff@^5.0.20
Updatedlibnpmexec@^6.0.4
Updatedlibnpmfund@^4.2.1
Updatedlibnpmpack@^5.0.20
Updatednpm-install-checks@^6.2.0
Updatednpm-pick-manifest@^8.0.2
Updatedsigstore@^1.9.0