sigstore - npm Package Compare versions

Comparing version 1.2.0 to 1.3.0

dist/config.d.ts

2

dist/ca/format.d.ts
/// <reference types="node" />
/// <reference types="node" />
import { KeyObject } from 'crypto';
import { SigningCertificateRequest } from '../client/fulcio';
import type { SigningCertificateRequest } from '../external/fulcio';
export declare function toCertificateRequest(identityToken: string, publicKey: KeyObject, challenge: Buffer): SigningCertificateRequest;
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.CAClient = void 0;
const client_1 = require("../client");
const error_1 = require("../error");
const external_1 = require("../external");
const format_1 = require("./format");
class CAClient {
constructor(options) {
this.fulcio = new client_1.Fulcio({ baseURL: options.fulcioBaseURL });
this.fulcio = new external_1.Fulcio({ baseURL: options.fulcioBaseURL });
}

@@ -11,0 +11,0 @@ async createSigningCertificate(identityToken, publicKey, challenge) {

@@ -129,4 +129,16 @@ "use strict";

const extension = cert.extension(oid);
return extension?.value.equals(expectedExtension.value);
// If the extension is not present, or there is no value, return false
const valueObj = extension?.valueObj;
if (!valueObj) {
return false;
}
// Check to see if this is a newer style extension with an embedded
// UTF8String, or an older style extension with a raw string
if (valueObj.subs.length > 0) {
return valueObj.subs[0].value.equals(expectedExtension.value);
}
else {
return valueObj.value.equals(expectedExtension.value);
}
});
}
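Review bot: The wrapped-value branch at `valueObj.subs[0].value.equals(...)` compares bytes without checking what was parsed, so any DER structure whose first child happens to carry the expected bytes is accepted and any further children are ignored; only the comment says the wrapper is a single UTF8String. If ASN1Obj exposes the parsed tag, guard the branch with `valueObj.subs.length === 1` and a UTF8String tag check before comparing, otherwise at least state the accepted shapes in the comment: `// Accepts either a raw-value extension or one whose value is a wrapper holding exactly one child (expected to be a UTF8String); extra children are not rejected here`. The enclosing callback begins before this hunk, so how `expectedExtension` is built is not visible.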

@@ -25,3 +25,3 @@ "use strict";

// Collection of all the CI-specific providers we have implemented
const providers = [getGHAToken];
const providers = [getGHAToken, getEnv];
/**

@@ -67,1 +67,11 @@ * CIContextProvider is a composite identity provider which will iterate

}
/**
* getEnv can retrieve an OIDC token from an environment variable.
* This matches the behavior of https://github.com/sigstore/cosign/tree/main/pkg/providers/envvar
*/
async function getEnv() {
if (!process.env.SIGSTORE_ID_TOKEN) {
return Promise.reject('no token available');
}
return process.env.SIGSTORE_ID_TOKEN;
}
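Review bot: `getEnv` rejects with a bare string, so a caller that logs `err.message` or tests `instanceof Error` gets nothing useful; the function is already `async`, so `throw new Error('no token available');` yields the same rejection with a proper Error. The variable is forwarded without any shape check, which matches the referenced cosign provider, but the doc comment should say so explicitly: `// The token is sent to Fulcio as-is; format, audience and expiry are not checked locally.` Given the provider order `[getGHAToken, getEnv]`, the env-var token appears to be consulted only after the GitHub Actions provider, which the README's Credential Sources section does not mention.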
/// <reference types="node" />
import { Bundle, Envelope, SignOptions } from './sigstore';
import { SignOptions } from './config';
import { SignerFunc } from './types/signature';
import * as sigstore from './types/sigstore';
export declare function createDSSEEnvelope(payload: Buffer, payloadType: string, options: {
signer: SignerFunc;
}): Promise<Envelope>;
export declare function createRekorEntry(dsseEnvelope: Envelope, publicKey: string, options?: SignOptions): Promise<Bundle>;
}): Promise<sigstore.SerializedEnvelope>;
export declare function createRekorEntry(dsseEnvelope: sigstore.SerializedEnvelope, publicKey: string, options?: SignOptions): Promise<sigstore.SerializedBundle>;
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });

@@ -19,12 +42,6 @@ exports.createRekorEntry = exports.createDSSEEnvelope = void 0;

*/
const sigstore_1 = require("./sigstore");
const tlog_1 = require("./tlog");
const config_1 = require("./config");
const signature_1 = require("./types/signature");
const sigstore_2 = require("./types/sigstore");
const sigstore = __importStar(require("./types/sigstore"));
const util_1 = require("./util");
function createTLogClient(options) {
return new tlog_1.TLogClient({
rekorBaseURL: options.rekorURL || sigstore_1.DEFAULT_REKOR_URL,
});
}
async function createDSSEEnvelope(payload, payloadType, options) {

@@ -45,3 +62,3 @@ // Pre-authentication encoding to be signed

};
return (0, sigstore_2.envelopeToJSON)(envelope);
return sigstore.Envelope.toJSON(envelope);
}

@@ -52,4 +69,4 @@ exports.createDSSEEnvelope = createDSSEEnvelope;

async function createRekorEntry(dsseEnvelope, publicKey, options = {}) {
const envelope = (0, sigstore_2.envelopeFromJSON)(dsseEnvelope);
const tlog = createTLogClient(options);
const envelope = sigstore.Envelope.fromJSON(dsseEnvelope);
const tlog = (0, config_1.createTLogClient)(options);
const sigMaterial = (0, signature_1.extractSignatureMaterial)(envelope, publicKey);

@@ -59,4 +76,4 @@ const bundle = await tlog.createDSSEEntry(envelope, sigMaterial, {

});
return (0, sigstore_2.bundleToJSON)(bundle);
return sigstore.Bundle.toJSON(bundle);
}
exports.createRekorEntry = createRekorEntry;
/// <reference types="node" />
import * as config from './config';
import * as sigstore from './types/sigstore';
import { KeySelector } from './verify';
export declare function sign(payload: Buffer, options?: config.SignOptions): Promise<sigstore.SerializedBundle>;
export declare function attest(payload: Buffer, payloadType: string, options?: config.SignOptions): Promise<sigstore.SerializedBundle>;
export declare function verify(bundle: sigstore.SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>;
declare const tufUtils: {
getTarget: (path: string, options?: config.TUFOptions) => Promise<string>;
};
export type { SignOptions, VerifyOptions } from './config';
export * as utils from './sigstore-utils';
export { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from './types/sigstore';
export type { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from './types/sigstore';
export { tufUtils as tuf };
export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev";
export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev";
interface TLogOptions {
rekorURL?: string;
}
interface TUFOptions {
tufMirrorURL?: string;
tufRootPath?: string;
}
export type SignOptions = {
fulcioURL?: string;
identityToken?: string;
oidcIssuer?: string;
oidcClientID?: string;
oidcClientSecret?: string;
oidcRedirectURL?: string;
} & TLogOptions;
export type VerifyOptions = {
ctLogThreshold?: number;
tlogThreshold?: number;
certificateIssuer?: string;
certificateIdentityEmail?: string;
certificateIdentityURI?: string;
certificateOIDs?: Record<string, string>;
keySelector?: KeySelector;
} & TLogOptions & TUFOptions;
type Bundle = sigstore.SerializedBundle;
export declare function sign(payload: Buffer, options?: SignOptions): Promise<Bundle>;
export declare function attest(payload: Buffer, payloadType: string, options?: SignOptions): Promise<Bundle>;
export declare function verify(bundle: Bundle, payload?: Buffer, options?: VerifyOptions): Promise<void>;

@@ -25,7 +25,4 @@ "use strict";

};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.verify = exports.attest = exports.sign = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.utils = void 0;
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.verify = exports.attest = exports.sign = void 0;
/*

@@ -46,28 +43,11 @@ Copyright 2023 The Sigstore Authors.

*/
const ca_1 = require("./ca");
const identity_1 = __importDefault(require("./identity"));
const config = __importStar(require("./config"));
const sign_1 = require("./sign");
const tlog_1 = require("./tlog");
const tuf = __importStar(require("./tuf"));
const sigstore = __importStar(require("./types/sigstore"));
const util_1 = require("./util");
const verify_1 = require("./verify");
exports.utils = __importStar(require("./sigstore-utils"));
exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';
exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev';
function createCAClient(options) {
return new ca_1.CAClient({
fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL,
});
}
function createTLogClient(options) {
return new tlog_1.TLogClient({
rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL,
});
}
const tufCacheDir = util_1.appdata.appDataPath('sigstore-js');
async function sign(payload, options = {}) {
const ca = createCAClient(options);
const tlog = createTLogClient(options);
const idps = configureIdentityProviders(options);
const ca = config.createCAClient(options);
const tlog = config.createTLogClient(options);
const idps = config.identityProviders(options);
const signer = new sign_1.Signer({

@@ -83,5 +63,5 @@ ca,

async function attest(payload, payloadType, options = {}) {
const ca = createCAClient(options);
const tlog = createTLogClient(options);
const idps = configureIdentityProviders(options);
const ca = config.createCAClient(options);
const tlog = config.createTLogClient(options);
const idps = config.identityProviders(options);
const signer = new sign_1.Signer({

@@ -97,92 +77,25 @@ ca,

async function verify(bundle, payload, options = {}) {
const trustedRoot = await tuf.getTrustedRoot(tufCacheDir, {
const trustedRoot = await tuf.getTrustedRoot({
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
});
const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
const deserializedBundle = sigstore.bundleFromJSON(bundle);
const opts = collectArtifactVerificationOptions(options);
const opts = config.artifactVerificationOptions(options);
return verifier.verify(deserializedBundle, opts, payload);
}
exports.verify = verify;
// Translates the IdenityProviderOptions into a list of Providers which
// should be queried to retrieve an identity token.
function configureIdentityProviders(options) {
const idps = [];
const token = options.identityToken;
// If an explicit identity token is provided, use that. Setup a dummy
// provider that just returns the token. Otherwise, setup the CI context
// provider and (optionally) the OAuth provider.
if (token) {
idps.push({ getToken: () => Promise.resolve(token) });
}
else {
idps.push(identity_1.default.ciContextProvider());
if (options.oidcIssuer && options.oidcClientID) {
idps.push(identity_1.default.oauthProvider({
issuer: options.oidcIssuer,
clientID: options.oidcClientID,
clientSecret: options.oidcClientSecret,
redirectURL: options.oidcRedirectURL,
}));
}
}
return idps;
}
// Assembles the AtifactVerificationOptions from the supplied VerifyOptions.
function collectArtifactVerificationOptions(options) {
// The trusted signers are only used if the options contain a certificate
// issuer
let signers;
if (options.certificateIssuer) {
let san = undefined;
if (options.certificateIdentityEmail) {
san = {
type: sigstore.SubjectAlternativeNameType.EMAIL,
identity: {
$case: 'value',
value: options.certificateIdentityEmail,
},
};
}
else if (options.certificateIdentityURI) {
san = {
type: sigstore.SubjectAlternativeNameType.URI,
identity: {
$case: 'value',
value: options.certificateIdentityURI,
},
};
}
const oids = Object.entries(options.certificateOIDs || {}).map(([oid, value]) => ({
oid: { id: oid.split('.').map((s) => parseInt(s, 10)) },
value: Buffer.from(value),
}));
signers = {
$case: 'certificateIdentities',
certificateIdentities: {
identities: [
{
issuer: options.certificateIssuer,
san: san,
oids: oids,
},
],
},
};
}
// Construct the artifact verification options w/ defaults
return {
ctlogOptions: {
disable: false,
threshold: options.ctLogThreshold || 1,
detachedSct: false,
},
tlogOptions: {
disable: false,
threshold: options.tlogThreshold || 1,
performOnlineVerification: false,
},
signers,
};
}
const tufUtils = {
getTarget: (path, options = {}) => {
return tuf.getTarget(path, {
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
});
},
};
exports.tuf = tufUtils;
exports.utils = __importStar(require("./sigstore-utils"));
exports.DEFAULT_FULCIO_URL = config.DEFAULT_FULCIO_URL;
exports.DEFAULT_REKOR_URL = config.DEFAULT_REKOR_URL;
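Review bot: The new `tufUtils.getTarget` and the reworked `verify` let callers pass `tufRootPath`, which replaces the embedded public-good root as the trust anchor, whereas `tufMirrorURL` and `tufCachePath` only change where metadata is fetched and stored; neither function carries a comment saying so. Suggest above `const tufUtils`: `// Fetches and returns a TUF target verified against the root at options.tufRootPath (the embedded public-good root when unset); tufMirrorURL and tufCachePath only select download and cache locations, they do not change the trust anchor.` The same sentence belongs on `verify`, which passes the identical three options through to `tuf.getTrustedRoot`.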

@@ -19,5 +19,4 @@ "use strict";

*/
const client_1 = require("../client");
const error_1 = require("../client/error");
const error_2 = require("../error");
const error_1 = require("../error");
const external_1 = require("../external");
const sigstore_1 = require("../types/sigstore");

@@ -27,3 +26,3 @@ const format_1 = require("./format");

constructor(options) {
this.rekor = new client_1.Rekor({ baseURL: options.rekorBaseURL });
this.rekor = new external_1.Rekor({ baseURL: options.rekorBaseURL });
}

@@ -54,7 +53,7 @@ async createMessageSignatureEntry(digest, sigMaterial, options = {}) {

catch (err) {
throw new error_2.InternalError('error fetching tlog entry', err);
throw new error_1.InternalError('error fetching tlog entry', err);
}
}
else {
throw new error_2.InternalError('error creating tlog entry', err);
throw new error_1.InternalError('error creating tlog entry', err);
}

@@ -67,5 +66,5 @@ }

function entryExistsError(value) {
return (value instanceof error_1.HTTPError &&
return (value instanceof external_1.HTTPError &&
value.statusCode === 409 &&
value.location !== undefined);
}
import * as sigstore from '../types/sigstore';
export interface TUFOptions {
cachePath?: string;
mirrorURL?: string;
rootPath?: string;
}
export declare function getTrustedRoot(cachePath: string, options?: TUFOptions): Promise<sigstore.TrustedRoot>;
export declare function getTrustedRoot(options?: TUFOptions): Promise<sigstore.TrustedRoot>;
export declare function getTarget(targetName: string, options?: TUFOptions): Promise<string>;

@@ -29,3 +29,3 @@ "use strict";

Object.defineProperty(exports, "__esModule", { value: true });
exports.getTrustedRoot = void 0;
exports.getTarget = exports.getTrustedRoot = void 0;
/*

@@ -50,7 +50,15 @@ Copyright 2023 The Sigstore Authors.

const sigstore = __importStar(require("../types/sigstore"));
const util_1 = require("../util");
const target_1 = require("./target");
const TRUSTED_ROOT_TARGET = 'trusted_root.json';
const DEFAULT_MIRROR_URL = 'https://sigstore-tuf-root.storage.googleapis.com';
const DEFAULT_CACHE_DIR = util_1.appdata.appDataPath('sigstore-js');
const DEFAULT_MIRROR_URL = 'https://tuf-repo-cdn.sigstore.dev';
const DEFAULT_TUF_ROOT_PATH = '../../store/public-good-instance-root.json';
async function getTrustedRoot(cachePath, options = {}) {
async function getTrustedRoot(options = {}) {
const trustedRoot = await getTarget(TRUSTED_ROOT_TARGET, options);
return sigstore.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
}
exports.getTrustedRoot = getTrustedRoot;
async function getTarget(targetName, options = {}) {
const cachePath = options.cachePath || DEFAULT_CACHE_DIR;
const tufRootPath = options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH);

@@ -61,6 +69,5 @@ const mirrorURL = options.mirrorURL || DEFAULT_MIRROR_URL;

const repoClient = initClient(cachePath, remote);
const trustedRoot = await (0, target_1.getTarget)(repoClient, TRUSTED_ROOT_TARGET);
return sigstore.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
return (0, target_1.readTarget)(repoClient, targetName);
}
exports.getTrustedRoot = getTrustedRoot;
exports.getTarget = getTarget;
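Review bot: `getTrustedRoot` feeds the fetched target straight into `JSON.parse` and `TrustedRoot.fromJSON`, so a malformed `trusted_root.json` surfaces as a raw SyntaxError rather than the `InternalError` the read path in target.js throws; wrap the two calls in a try/catch that rethrows `new error_1.InternalError('error parsing trusted root', err)` (the two-argument form is used in tlog/index.js; this file's imports are only partly visible, so confirm the error module is in scope). `getTarget` spans both hunks and the construction of `remote` between them is not shown. Its doc comment should also record that `options.rootPath` replaces the embedded root as the trust anchor while `mirrorURL` and `cachePath` only change fetch and cache locations, and whether a supplied root overrides a `root.json` already present in `cachePath` depends on `initClient`, whose body lies outside the hunk.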
// Initializes the TUF cache directory structure including the initial

@@ -67,0 +74,0 @@ // root.json file. If the cache directory does not exist, it will be

import { Updater } from 'tuf-js';
export declare function getTarget(tuf: Updater, targetPath: string): Promise<string>;
export declare function readTarget(tuf: Updater, targetPath: string): Promise<string>;

@@ -6,3 +6,3 @@ "use strict";

Object.defineProperty(exports, "__esModule", { value: true });
exports.getTarget = void 0;
exports.readTarget = void 0;
/*

@@ -25,15 +25,20 @@ Copyright 2023 The Sigstore Authors.

const error_1 = require("../error");
// Downloads and returns the specified target from the provided TUF Updater.
async function readTarget(tuf, targetPath) {
const path = await getTargetPath(tuf, targetPath);
return new Promise((resolve, reject) => {
fs_1.default.readFile(path, 'utf-8', (err, data) => {
if (err) {
reject(new error_1.InternalError(`error reading target: ${err}`));
}
else {
resolve(data);
}
});
});
}
exports.readTarget = readTarget;
// Returns the local path to the specified target. If the target is not yet
// cached locally, the provided TUF Updater will be used to download and
// cache the target.
async function getTarget(tuf, targetPath) {
const path = await getTargetPath(tuf, targetPath);
try {
return fs_1.default.readFileSync(path, 'utf-8');
}
catch (err) {
throw new error_1.InternalError(`error reading trusted root: ${err}`);
}
}
exports.getTarget = getTarget;
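Review bot: `readTarget` hand-wraps callback `fs.readFile` in `new Promise`, which is unnecessary when `fs.promises` is available (Node 10+, and `fs_1.default` here is the `fs` module judging by the `fs_1.default.readFile` call); an `await` inside try/catch reads more plainly and keeps the same `InternalError`. The message interpolates `${err}` and drops the cause; if `InternalError` accepts a second cause argument as it does in tlog/index.js (`new InternalError('error fetching tlog entry', err)`), pass `err` there instead. The comment above should also state the contract: `// Throws InternalError if the cached target file cannot be read; errors from getTargetPath propagate unchanged.`
```javascript
async function readTarget(tuf, targetPath) {
    const path = await getTargetPath(tuf, targetPath);
    try {
        return await fs_1.default.promises.readFile(path, 'utf-8');
    }
    catch (err) {
        throw new error_1.InternalError(`error reading target: ${err}`);
    }
}
```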
async function getTargetPath(tuf, target) {

@@ -40,0 +45,0 @@ let targetInfo;

@@ -11,6 +11,3 @@ /// <reference types="node" />

export * from './validate';
export declare const bundleToJSON: (message: Bundle) => unknown;
export declare const bundleFromJSON: (obj: any) => ValidBundle;
export declare const envelopeToJSON: (message: Envelope) => unknown;
export declare const envelopeFromJSON: (object: any) => Envelope;
export type BundleWithVerificationMaterial = WithRequired<Bundle, 'verificationMaterial'>;

@@ -17,0 +14,0 @@ export declare function isBundleWithVerificationMaterial(bundle: Bundle): bundle is BundleWithVerificationMaterial;

@@ -17,3 +17,3 @@ "use strict";

Object.defineProperty(exports, "__esModule", { value: true });
exports.signingCertificate = exports.bundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.envelopeFromJSON = exports.envelopeToJSON = exports.bundleFromJSON = exports.bundleToJSON = void 0;
exports.signingCertificate = exports.bundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.bundleFromJSON = void 0;
/*

@@ -41,3 +41,2 @@ Copyright 2023 The Sigstore Authors.

__exportStar(require("./validate"), exports);
exports.bundleToJSON = protobuf_specs_1.Bundle.toJSON;
// eslint-disable-next-line @typescript-eslint/no-explicit-any

@@ -50,4 +49,2 @@ const bundleFromJSON = (obj) => {

exports.bundleFromJSON = bundleFromJSON;
exports.envelopeToJSON = protobuf_specs_1.Envelope.toJSON;
exports.envelopeFromJSON = protobuf_specs_1.Envelope.fromJSON;
const BUNDLE_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1';

@@ -54,0 +51,0 @@ // Type guard for narrowing a Bundle to a BundleWithVerificationMaterial

@@ -10,2 +10,3 @@ /// <reference types="node" />

get value(): Buffer;
get valueObj(): ASN1Obj;
protected get extnValueObj(): ASN1Obj;

@@ -12,0 +13,0 @@ }

@@ -37,2 +37,5 @@ "use strict";

}
get valueObj() {
return this.extnValueObj;
}
get extnValueObj() {

@@ -39,0 +42,0 @@ // The extnValue field will be the last element of the extension sequence

{
"name": "sigstore",
"version": "1.2.0",
"version": "1.3.0",
"description": "code-signing for npm packages",

@@ -41,2 +41,3 @@ "main": "dist/index.js",

"@tsconfig/node14": "^1.0.3",
"@tufjs/repo-mock": "^1.1.0",
"@types/jest": "^29.4.0",

@@ -60,3 +61,3 @@ "@types/make-fetch-happen": "^10.0.0",

"make-fetch-happen": "^11.0.1",
"tuf-js": "^1.0.0"
"tuf-js": "^1.1.3"
},

@@ -63,0 +64,0 @@ "engines": {

@@ -75,3 +75,17 @@ # sigstore-js &middot; [![npm version](https://img.shields.io/npm/v/sigstore.svg?style=flat)](https://www.npmjs.com/package/sigstore) [![CI Status](https://github.com/sigstore/sigstore-js/workflows/CI/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/ci.yml) [![Smoke Test Status](https://github.com/sigstore/sigstore-js/workflows/smoke-test/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/smoke-test.yml)

### tuf
The `tuf` object contains utility function for working with the Sigstore TUF repository.
#### getTarget(path[, options])
Returns the contents of the target at the specified path in the Sigstore TUF repository.
* `path` `<string>`: The [path-relative-url string](https://url.spec.whatwg.org/#path-relative-url-string) that uniquely identifies the target within the Sigstore TUF repository.
* `options` `<Object>`
* `tufMirrorURL` `<string>`: Base URL for the Sigstore TUF repository. Defaults to `'https://tuf-repo-cdn.sigstore.dev'`
* `tufRootPath` `<string>`: Path to the initial trusted root for the TUF repository. Defaults to the embedded root.
* `tufCachePath` `<string>`: Absolute path to the directory to be used for caching downloaded TUF metadata and targets. Defaults to a directory named "sigstore-js" within the platform-specific application data directory.
### utils

@@ -103,2 +117,24 @@

## Credential Sources
### GitHub Actions
If sigstore-js detects that it is being executed on GitHub Actions, it will use `ACTIONS_ID_TOKEN_REQUEST_URL`
and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variables to request an OIDC token with the correct scope.
Note: the `id_token: write` permission must be granted to the GitHub Action Job.
See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
for more details.
### Environment Variables
If the `SIGSTORE_ID_TOKEN` environment variable is set, it will use this to authenticate to Fulcio.
It is the callers responsibility to make sure that this token has the correct scopes.
### Interactive Flow
If sigstore-js cannot detect ambient credentials, then it will prompt the user to go through the
interactive flow.
## Development

@@ -105,0 +141,0 @@
