Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
sigstore - npm Package Compare versions
Comparing version 1.6.0 to 1.7.0
@@ -42,2 +42,5 @@ import { CA } from './ca'; | ||
| } & TLogOptions & TUFOptions; | ||
| export type CreateVerifierOptions = { | ||
| keySelector?: KeySelector; | ||
| } & TUFOptions; | ||
| export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev"; | ||
@@ -44,0 +47,0 @@ export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev"; |
@@ -1,4 +0,4 @@ | ||
| import type { LogEntry, ProposedEntry, ProposedDSSEEntry, ProposedHashedRekordEntry, ProposedIntotoEntry, SearchIndex, SearchLogQuery } from '@sigstore/rekor-types'; | ||
| import type { LogEntry, ProposedDSSEEntry, ProposedEntry, ProposedHashedRekordEntry, ProposedIntotoEntry, InclusionProof as RekorInclusionProof, SearchIndex, SearchLogQuery } from '@sigstore/rekor-types'; | ||
| import type { FetchOptions } from '../types/fetch'; | ||
| export type { ProposedEntry, SearchIndex, SearchLogQuery, ProposedDSSEEntry, ProposedHashedRekordEntry, ProposedIntotoEntry, }; | ||
| export type { ProposedDSSEEntry, ProposedEntry, ProposedHashedRekordEntry, ProposedIntotoEntry, RekorInclusionProof, SearchIndex, SearchLogQuery, }; | ||
| export type Entry = { | ||
@@ -5,0 +5,0 @@ uuid: string; |
@@ -78,4 +78,4 @@ "use strict"; | ||
| }); | ||
| return sigstore.Bundle.toJSON(bundle); | ||
| return sigstore.bundleToJSON(bundle); | ||
| } | ||
| exports.createRekorEntry = createRekorEntry; |
@@ -8,2 +8,6 @@ /// <reference types="node" /> | ||
| export declare function verify(bundle: sigstore.SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>; | ||
| export interface BundleVerifier { | ||
| verify(bundle: sigstore.SerializedBundle): void; | ||
| } | ||
| export declare function createVerifier(options: config.CreateVerifierOptions): Promise<BundleVerifier>; | ||
| declare const tufUtils: { | ||
@@ -10,0 +14,0 @@ client: (options?: config.TUFOptions) => Promise<tuf.TUF>; |
@@ -26,3 +26,3 @@ "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.verify = exports.attest = exports.sign = void 0; | ||
| exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0; | ||
| /* | ||
@@ -61,3 +61,3 @@ Copyright 2023 The Sigstore Authors. | ||
| const bundle = await signer.signBlob(payload); | ||
| return sigstore.Bundle.toJSON(bundle); | ||
| return sigstore.bundleToJSON(bundle); | ||
| } | ||
@@ -80,3 +80,3 @@ exports.sign = sign; | ||
| const bundle = await signer.signAttestation(payload, payloadType); | ||
| return sigstore.Bundle.toJSON(bundle); | ||
| return sigstore.bundleToJSON(bundle); | ||
| } | ||
@@ -98,2 +98,20 @@ exports.attest = attest; | ||
| exports.verify = verify; | ||
| async function createVerifier(options) { | ||
| const trustedRoot = await tuf.getTrustedRoot({ | ||
| mirrorURL: options.tufMirrorURL, | ||
| rootPath: options.tufRootPath, | ||
| cachePath: options.tufCachePath, | ||
| retry: options.retry ?? config.DEFAULT_RETRY, | ||
| timeout: options.timeout ?? config.DEFAULT_TIMEOUT, | ||
| }); | ||
| const verifier = new verify_1.Verifier(trustedRoot, options.keySelector); | ||
| const verifyOpts = config.artifactVerificationOptions(options); | ||
| return { | ||
| verify: (bundle) => { | ||
| const deserializedBundle = sigstore.bundleFromJSON(bundle); | ||
| return verifier.verify(deserializedBundle, verifyOpts); | ||
| }, | ||
| }; | ||
| } | ||
| exports.createVerifier = createVerifier; | ||
| const tufUtils = { | ||
@@ -100,0 +118,0 @@ client: (options = {}) => { |
| import * as sigstore from '../../types/sigstore'; | ||
| export declare function verifyTLogEntries(bundle: sigstore.BundleWithVerificationMaterial, trustedRoot: sigstore.TrustedRoot, options: sigstore.ArtifactVerificationOptions_TlogOptions): void; | ||
| export declare function verifyTLogEntries(bundle: sigstore.Bundle, trustedRoot: sigstore.TrustedRoot, options: sigstore.ArtifactVerificationOptions_TlogOptions): void; |
@@ -44,2 +44,3 @@ "use strict"; | ||
| const sigstore = __importStar(require("../../types/sigstore")); | ||
| const cert_1 = require("../../x509/cert"); | ||
| const body_1 = require("./body"); | ||
@@ -54,3 +55,3 @@ const set_1 = require("./set"); | ||
| // Extract the signing cert, if available | ||
| const signingCert = sigstore.signingCertificate(bundle); | ||
| const signingCert = signingCertificate(bundle); | ||
| // Iterate over the tlog entries and verify each one | ||
@@ -78,1 +79,8 @@ const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryOffline(entry, bundle.content, trustedRoot.tlogs, signingCert)); | ||
| } | ||
| function signingCertificate(bundle) { | ||
| if (!sigstore.isBundleWithCertificateChain(bundle)) { | ||
| return undefined; | ||
| } | ||
| const signingCert = bundle.verificationMaterial.content.x509CertificateChain.certificates[0]; | ||
| return cert_1.x509Certificate.parse(signingCert.rawBytes); | ||
| } |
| /// <reference types="node" /> | ||
| import { ArtifactVerificationOptions, Bundle, Envelope, TransparencyLogEntry, VerificationMaterial } from '@sigstore/protobuf-specs'; | ||
| import { x509Certificate } from '../../x509/cert'; | ||
| import { WithRequired } from '../utility'; | ||
| import { SignatureMaterial } from '../signature'; | ||
| import { ValidBundle } from './validate'; | ||
| import type { ArtifactVerificationOptions, Envelope, TransparencyLogEntry, VerificationMaterial } from '@sigstore/protobuf-specs'; | ||
| import type { Entry } from '../../external/rekor'; | ||
| import type { SignatureMaterial } from '../signature'; | ||
| export * from '@sigstore/protobuf-specs'; | ||
| export * from './serialized'; | ||
| export * from './validate'; | ||
| import type { WithRequired } from '../utility'; | ||
| import type { SerializedBundle } from './serialized'; | ||
| export { Envelope, HashAlgorithm, PublicKeyDetails, SubjectAlternativeNameType, } from '@sigstore/protobuf-specs'; | ||
| export type { ArtifactVerificationOptions, ArtifactVerificationOptions_CtlogOptions, ArtifactVerificationOptions_TlogOptions, CertificateAuthority, CertificateIdentities, CertificateIdentity, MessageSignature, ObjectIdentifierValuePair, PublicKey, PublicKeyIdentifier, RFC3161SignedTimestamp, Signature, SubjectAlternativeName, TimestampVerificationData, TransparencyLogEntry, TransparencyLogInstance, TrustedRoot, X509Certificate, X509CertificateChain, } from '@sigstore/protobuf-specs'; | ||
| export type { SerializedBundle, SerializedEnvelope } from './serialized'; | ||
| export type { ValidBundle as Bundle }; | ||
| export declare const bundleFromJSON: (obj: any) => ValidBundle; | ||
| export type BundleWithVerificationMaterial = WithRequired<Bundle, 'verificationMaterial'>; | ||
| export declare function isBundleWithVerificationMaterial(bundle: Bundle): bundle is BundleWithVerificationMaterial; | ||
| export type BundleWithCertificateChain = Bundle & { | ||
| export declare const bundleToJSON: (bundle: ValidBundle) => SerializedBundle; | ||
| export type BundleWithCertificateChain = ValidBundle & { | ||
| verificationMaterial: VerificationMaterial & { | ||
@@ -21,3 +21,3 @@ content: Extract<VerificationMaterial['content'], { | ||
| }; | ||
| export declare function isBundleWithCertificateChain(bundle: Bundle): bundle is BundleWithCertificateChain; | ||
| export declare function isBundleWithCertificateChain(bundle: ValidBundle): bundle is BundleWithCertificateChain; | ||
| export type RequiredArtifactVerificationOptions = WithRequired<ArtifactVerificationOptions, 'ctlogOptions' | 'tlogOptions'>; | ||
@@ -37,3 +37,3 @@ export type CAArtifactVerificationOptions = WithRequired<ArtifactVerificationOptions, 'ctlogOptions'> & { | ||
| timestamp?: Buffer; | ||
| }): Bundle; | ||
| }): ValidBundle; | ||
| export declare function toMessageSignatureBundle({ digest, signature, tlogEntry, timestamp, }: { | ||
@@ -44,3 +44,2 @@ digest: Buffer; | ||
| timestamp?: Buffer; | ||
| }): Bundle; | ||
| export declare function signingCertificate(bundle: Bundle): x509Certificate | undefined; | ||
| }): ValidBundle; |
| "use strict"; | ||
| var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { | ||
| if (k2 === undefined) k2 = k; | ||
| var desc = Object.getOwnPropertyDescriptor(m, k); | ||
| if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { | ||
| desc = { enumerable: true, get: function() { return m[k]; } }; | ||
| } | ||
| Object.defineProperty(o, k2, desc); | ||
| }) : (function(o, m, k, k2) { | ||
| if (k2 === undefined) k2 = k; | ||
| o[k2] = m[k]; | ||
| })); | ||
| var __exportStar = (this && this.__exportStar) || function(m, exports) { | ||
| for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p); | ||
| }; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.signingCertificate = exports.toMessageSignatureBundle = exports.toDSSEBundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.bundleFromJSON = void 0; | ||
| exports.toMessageSignatureBundle = exports.toDSSEBundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.bundleToJSON = exports.bundleFromJSON = exports.SubjectAlternativeNameType = exports.PublicKeyDetails = exports.HashAlgorithm = exports.Envelope = void 0; | ||
| /* | ||
@@ -35,7 +21,10 @@ Copyright 2023 The Sigstore Authors. | ||
| const util_1 = require("../../util"); | ||
| const cert_1 = require("../../x509/cert"); | ||
| const validate_1 = require("./validate"); | ||
| __exportStar(require("@sigstore/protobuf-specs"), exports); | ||
| __exportStar(require("./serialized"), exports); | ||
| __exportStar(require("./validate"), exports); | ||
| // Enums from protobuf-specs | ||
| // TODO: Move Envelope to "type" export once @sigstore/sign is a thing | ||
| var protobuf_specs_2 = require("@sigstore/protobuf-specs"); | ||
| Object.defineProperty(exports, "Envelope", { enumerable: true, get: function () { return protobuf_specs_2.Envelope; } }); | ||
| Object.defineProperty(exports, "HashAlgorithm", { enumerable: true, get: function () { return protobuf_specs_2.HashAlgorithm; } }); | ||
| Object.defineProperty(exports, "PublicKeyDetails", { enumerable: true, get: function () { return protobuf_specs_2.PublicKeyDetails; } }); | ||
| Object.defineProperty(exports, "SubjectAlternativeNameType", { enumerable: true, get: function () { return protobuf_specs_2.SubjectAlternativeNameType; } }); | ||
| // eslint-disable-next-line @typescript-eslint/no-explicit-any | ||
@@ -48,12 +37,11 @@ const bundleFromJSON = (obj) => { | ||
| exports.bundleFromJSON = bundleFromJSON; | ||
| // eslint-disable-next-line @typescript-eslint/no-explicit-any | ||
| const bundleToJSON = (bundle) => { | ||
| return protobuf_specs_1.Bundle.toJSON(bundle); | ||
| }; | ||
| exports.bundleToJSON = bundleToJSON; | ||
| const BUNDLE_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1'; | ||
| // Type guard for narrowing a Bundle to a BundleWithVerificationMaterial | ||
| function isBundleWithVerificationMaterial(bundle) { | ||
| return bundle.verificationMaterial !== undefined; | ||
| } | ||
| exports.isBundleWithVerificationMaterial = isBundleWithVerificationMaterial; | ||
| // Type guard for narrowing a Bundle to a BundleWithCertificateChain | ||
| function isBundleWithCertificateChain(bundle) { | ||
| return (isBundleWithVerificationMaterial(bundle) && | ||
| bundle.verificationMaterial.content !== undefined && | ||
| return (bundle.verificationMaterial.content !== undefined && | ||
| bundle.verificationMaterial.content.$case === 'x509CertificateChain'); | ||
@@ -74,2 +62,5 @@ } | ||
| exports.isVerifiableTransparencyLogEntry = isVerifiableTransparencyLogEntry; | ||
| // All of the following functions are used to construct a ValidBundle | ||
| // from various types of input. When this code moves into the | ||
| // @sigstore/sign package, these functions will be exported from there. | ||
| function toDSSEBundle({ envelope, signature, tlogEntry, timestamp, }) { | ||
@@ -112,2 +103,5 @@ return { | ||
| const logID = Buffer.from(entry.logID, 'hex'); | ||
| const proof = entry.verification?.inclusionProof | ||
| ? toInclusionProof(entry.verification.inclusionProof) | ||
| : undefined; | ||
| // Parse entry body so we can extract the kind and version. | ||
@@ -129,6 +123,17 @@ const bodyJSON = util_1.encoding.base64Decode(entry.body); | ||
| }, | ||
| inclusionProof: undefined, | ||
| inclusionProof: proof, | ||
| canonicalizedBody: Buffer.from(entry.body, 'base64'), | ||
| }; | ||
| } | ||
| function toInclusionProof(proof) { | ||
| return { | ||
| logIndex: proof.logIndex.toString(), | ||
| rootHash: Buffer.from(proof.rootHash, 'hex'), | ||
| treeSize: proof.treeSize.toString(), | ||
| checkpoint: { | ||
| envelope: proof.checkpoint, | ||
| }, | ||
| hashes: proof.hashes.map((h) => Buffer.from(h, 'hex')), | ||
| }; | ||
| } | ||
| function toVerificationMaterial({ signature, tlogEntry, timestamp, }) { | ||
@@ -163,9 +168,1 @@ return { | ||
| } | ||
| function signingCertificate(bundle) { | ||
| if (!isBundleWithCertificateChain(bundle)) { | ||
| return undefined; | ||
| } | ||
| const signingCert = bundle.verificationMaterial.content.x509CertificateChain.certificates[0]; | ||
| return cert_1.x509Certificate.parse(signingCert.rawBytes); | ||
| } | ||
| exports.signingCertificate = signingCertificate; |
@@ -46,2 +46,3 @@ import { OneOf } from '../utility'; | ||
| }; | ||
| export type { SerializedDSSEEnvelope as SerializedEnvelope }; | ||
| export type SerializedBundle = { | ||
@@ -66,11 +67,1 @@ mediaType: string; | ||
| }>; | ||
| interface SerializedSignature { | ||
| sig: string; | ||
| keyid: string; | ||
| } | ||
| export type SerializedEnvelope = { | ||
| payload: string; | ||
| payloadType: string; | ||
| signatures: SerializedSignature[]; | ||
| }; | ||
| export {}; |
@@ -1,3 +0,3 @@ | ||
| import { Bundle, MessageSignature, VerificationMaterial } from '@sigstore/protobuf-specs'; | ||
| import { WithRequired } from '../utility'; | ||
| import type { Bundle, MessageSignature, VerificationMaterial } from '@sigstore/protobuf-specs'; | ||
| export type ValidBundle = Bundle & { | ||
@@ -4,0 +4,0 @@ verificationMaterial: VerificationMaterial & { |
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.assertValidBundle = void 0; | ||
| /* | ||
| Copyright 2023 The Sigstore Authors. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
| const error_1 = require("../../error"); | ||
@@ -5,0 +20,0 @@ // Performs basic validation of a Sigstore bundle to ensure that all required |
@@ -8,3 +8,3 @@ /// <reference types="node" /> | ||
| constructor(trustedRoot: sigstore.TrustedRoot, keySelector?: KeySelector); | ||
| verify(bundle: sigstore.ValidBundle, options: sigstore.RequiredArtifactVerificationOptions, data?: Buffer): void; | ||
| verify(bundle: sigstore.Bundle, options: sigstore.RequiredArtifactVerificationOptions, data?: Buffer): void; | ||
| private verifyArtifactSignature; | ||
@@ -11,0 +11,0 @@ private verifySigningCertificate; |
| { | ||
| "name": "sigstore", | ||
| "version": "1.6.0", | ||
| "version": "1.7.0", | ||
| "description": "code-signing for npm packages", | ||
@@ -34,17 +34,10 @@ "main": "dist/index.js", | ||
| "@sigstore/rekor-types": "^1.0.0", | ||
| "@total-typescript/shoehorn": "^0.1.0", | ||
| "@sigstore/jest": "^0.0.0", | ||
| "@tufjs/repo-mock": "^1.1.0", | ||
| "@types/make-fetch-happen": "^10.0.0", | ||
| "@types/sigstore-jest-extended": "^0.0.0", | ||
| "@types/node": "^20.2.5", | ||
| "json-schema-to-typescript": "^13.0.0", | ||
| "nock": "^13.2.4", | ||
| "shx": "^0.3.3", | ||
| "typescript": "^5.1.3" | ||
| "@types/make-fetch-happen": "^10.0.0" | ||
| }, | ||
| "dependencies": { | ||
| "@sigstore/protobuf-specs": "^0.1.0", | ||
| "@sigstore/tuf": "^1.0.0", | ||
| "make-fetch-happen": "^11.0.1", | ||
| "tuf-js": "^1.1.3" | ||
| "@sigstore/tuf": "^1.0.1", | ||
| "make-fetch-happen": "^11.0.1" | ||
| }, | ||
@@ -51,0 +44,0 @@ "engines": { |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Dependency count
- decreased by-25%
3
- Dev dependency count
- decreased by-60%
4
Worsened metrics
- Total package byte prevSize
- decreased by-1.9%
234372
- Number of package files
- decreased by-4%
120
- Lines of code
- decreased by-0.57%
5226
Dependency changes
- Removedtuf-js@^1.1.3
Updated@sigstore/tuf@^1.0.1