sigstore - npm Package Compare versions

Comparing version 1.7.0 to 1.8.0

dist/ca/verify/chain.d.ts

 import * as sigstore from '../../types/sigstore';
 import { x509Certificate } from '../../x509/cert';
-export declare function verifyChain(certificate: sigstore.X509Certificate, certificateAuthorities: sigstore.CertificateAuthority[]): x509Certificate[];
+import type { X509Certificate } from '@sigstore/bundle';
+export declare function verifyChain(certificate: X509Certificate, certificateAuthorities: sigstore.CertificateAuthority[]): x509Certificate[];

dist/ca/verify/index.d.ts

 import * as sigstore from '../../types/sigstore';
-export declare function verifySigningCertificate(bundle: sigstore.BundleWithCertificateChain, trustedRoot: sigstore.TrustedRoot, options: sigstore.CAArtifactVerificationOptions): void;
+import type { BundleWithCertificateChain } from '@sigstore/bundle';
+export declare function verifySigningCertificate(bundle: BundleWithCertificateChain, trustedRoot: sigstore.TrustedRoot, options: sigstore.CAArtifactVerificationOptions): void;

dist/config.js

@@ -125,9 +125,9 @@ "use strict";
         ctlogOptions: {
-            disable: false,
-            threshold: options.ctLogThreshold || 1,
+            disable: options.ctLogThreshold === 0,
+            threshold: options.ctLogThreshold ?? 1,
             detachedSct: false,
         },
         tlogOptions: {
-            disable: false,
-            threshold: options.tlogThreshold || 1,
+            disable: options.tlogThreshold === 0,
+            threshold: options.tlogThreshold ?? 1,
             performOnlineVerification: false,
@@ -134,0 +134,0 @@ },

dist/error.d.ts

@@ -7,4 +7,2 @@ declare class BaseError extends Error {
 }
-export declare class ValidationError extends BaseError {
-}
 export declare class PolicyError extends BaseError {
@@ -11,0 +9,0 @@ }

dist/error.js

 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.InternalError = exports.PolicyError = exports.ValidationError = exports.VerificationError = void 0;
+exports.InternalError = exports.PolicyError = exports.VerificationError = void 0;
 /*
@@ -30,5 +30,2 @@ Copyright 2023 The Sigstore Authors.
 exports.VerificationError = VerificationError;
-class ValidationError extends BaseError {
-}
-exports.ValidationError = ValidationError;
 class PolicyError extends BaseError {
@@ -35,0 +32,0 @@ }

dist/sign.d.ts

 /// <reference types="node" />
 import { SignerFunc } from './types/signature';
-import * as sigstore from './types/sigstore';
+import type { Bundle } from '@sigstore/bundle';
 import type { CA } from './ca';
@@ -24,6 +24,6 @@ import type { Provider } from './identity';
     constructor(options: SignOptions);
-    signBlob(payload: Buffer): Promise<sigstore.Bundle>;
-    signAttestation(payload: Buffer, payloadType: string): Promise<sigstore.Bundle>;
+    signBlob(payload: Buffer): Promise<Bundle>;
+    signAttestation(payload: Buffer, payloadType: string): Promise<Bundle>;
     private signWithEphemeralKey;
     private getIdentityToken;
 }

dist/sigstore-utils.d.ts

 /// <reference types="node" />
+import { SerializedBundle, SerializedEnvelope } from '@sigstore/bundle';
 import { SignOptions } from './config';
 import { SignerFunc } from './types/signature';
-import * as sigstore from './types/sigstore';
 export declare function createDSSEEnvelope(payload: Buffer, payloadType: string, options: {
     signer: SignerFunc;
-}): Promise<sigstore.SerializedEnvelope>;
-export declare function createRekorEntry(dsseEnvelope: sigstore.SerializedEnvelope, publicKey: string, options?: SignOptions): Promise<sigstore.SerializedBundle>;
+}): Promise<SerializedEnvelope>;
+export declare function createRekorEntry(dsseEnvelope: SerializedEnvelope, publicKey: string, options?: SignOptions): Promise<SerializedBundle>;

dist/sigstore-utils.js

@@ -42,2 +42,3 @@ "use strict";
 */
+const bundle_1 = require("@sigstore/bundle");
 const config_1 = require("./config");
@@ -79,4 +80,4 @@ const signature_1 = require("./types/signature");
     });
-    return sigstore.bundleToJSON(bundle);
+    return (0, bundle_1.bundleToJSON)(bundle);
 }
 exports.createRekorEntry = createRekorEntry;

dist/sigstore.d.ts

 /// <reference types="node" />
+import { SerializedBundle } from '@sigstore/bundle';
 import * as tuf from '@sigstore/tuf';
 import * as config from './config';
-import * as sigstore from './types/sigstore';
-export declare function sign(payload: Buffer, options?: config.SignOptions): Promise<sigstore.SerializedBundle>;
-export declare function attest(payload: Buffer, payloadType: string, options?: config.SignOptions): Promise<sigstore.SerializedBundle>;
-export declare function verify(bundle: sigstore.SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>;
+export declare function sign(payload: Buffer, options?: config.SignOptions): Promise<SerializedBundle>;
+export declare function attest(payload: Buffer, payloadType: string, options?: config.SignOptions): Promise<SerializedBundle>;
+export declare function verify(bundle: SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>;
 export interface BundleVerifier {
-    verify(bundle: sigstore.SerializedBundle): void;
+    verify(bundle: SerializedBundle): void;
 }
@@ -16,9 +16,10 @@ export declare function createVerifier(options: config.CreateVerifierOptions): Promise<BundleVerifier>;
 };
+export { ValidationError } from '@sigstore/bundle';
+export type { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from '@sigstore/bundle';
 export type { TUF } from '@sigstore/tuf';
 export type { SignOptions, VerifyOptions } from './config';
-export { InternalError, PolicyError, ValidationError, VerificationError, } from './error';
+export { InternalError, PolicyError, VerificationError } from './error';
 export * as utils from './sigstore-utils';
-export type { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from './types/sigstore';
 export { tufUtils as tuf };
 export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev";
 export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev";

dist/sigstore.js

@@ -26,3 +26,3 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0;
+exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.PolicyError = exports.InternalError = exports.ValidationError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0;
 /*
@@ -43,6 +43,6 @@ Copyright 2023 The Sigstore Authors.
 */
+const bundle_1 = require("@sigstore/bundle");
 const tuf = __importStar(require("@sigstore/tuf"));
 const config = __importStar(require("./config"));
 const sign_1 = require("./sign");
-const sigstore = __importStar(require("./types/sigstore"));
 const verify_1 = require("./verify");
@@ -62,3 +62,3 @@ async function sign(payload, options = {}) {
     const bundle = await signer.signBlob(payload);
-    return sigstore.bundleToJSON(bundle);
+    return (0, bundle_1.bundleToJSON)(bundle);
 }
@@ -81,3 +81,3 @@ exports.sign = sign;
     const bundle = await signer.signAttestation(payload, payloadType);
-    return sigstore.bundleToJSON(bundle);
+    return (0, bundle_1.bundleToJSON)(bundle);
 }
@@ -94,3 +94,3 @@ exports.attest = attest;
     const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
-    const deserializedBundle = sigstore.bundleFromJSON(bundle);
+    const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle);
     const opts = config.artifactVerificationOptions(options);
@@ -112,3 +112,3 @@ return verifier.verify(deserializedBundle, opts, payload);
         verify: (bundle) => {
-            const deserializedBundle = sigstore.bundleFromJSON(bundle);
+            const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle);
             return verifier.verify(deserializedBundle, verifyOpts);
@@ -145,6 +145,7 @@ },
 exports.tuf = tufUtils;
+var bundle_2 = require("@sigstore/bundle");
+Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return bundle_2.ValidationError; } });
 var error_1 = require("./error");
 Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return error_1.InternalError; } });
 Object.defineProperty(exports, "PolicyError", { enumerable: true, get: function () { return error_1.PolicyError; } });
-Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return error_1.ValidationError; } });
 Object.defineProperty(exports, "VerificationError", { enumerable: true, get: function () { return error_1.VerificationError; } });
@@ -151,0 +152,0 @@ exports.utils = __importStar(require("./sigstore-utils"));

dist/tlog/verify/body.d.ts

@@ -1,2 +0,2 @@
-import * as sigstore from '../../types/sigstore';
-export declare function verifyTLogBody(entry: sigstore.VerifiableTransparencyLogEntry, bundleContent: sigstore.Bundle['content']): boolean;
+import type { Bundle, TransparencyLogEntry } from '@sigstore/bundle';
+export declare function verifyTLogBody(entry: TransparencyLogEntry, bundleContent: Bundle['content']): boolean;

dist/tlog/verify/index.d.ts

@@ -0,2 +1,3 @@
+import { Bundle } from '@sigstore/bundle';
 import * as sigstore from '../../types/sigstore';
-export declare function verifyTLogEntries(bundle: sigstore.Bundle, trustedRoot: sigstore.TrustedRoot, options: sigstore.ArtifactVerificationOptions_TlogOptions): void;
+export declare function verifyTLogEntries(bundle: Bundle, trustedRoot: sigstore.TrustedRoot, options: sigstore.ArtifactVerificationOptions_TlogOptions): void;

dist/tlog/verify/index.js

 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
 Object.defineProperty(exports, "__esModule", { value: true });
@@ -42,6 +19,8 @@ exports.verifyTLogEntries = void 0;
 */
+const bundle_1 = require("@sigstore/bundle");
 const error_1 = require("../../error");
-const sigstore = __importStar(require("../../types/sigstore"));
 const cert_1 = require("../../x509/cert");
 const body_1 = require("./body");
+const checkpoint_1 = require("./checkpoint");
+const merkle_1 = require("./merkle");
 const set_1 = require("./set");
@@ -51,2 +30,13 @@ // Verifies that the number of tlog entries that pass offline verification
 function verifyTLogEntries(bundle, trustedRoot, options) {
+    if (bundle.mediaType === bundle_1.BUNDLE_V01_MEDIA_TYPE) {
+        (0, bundle_1.assertBundleV01)(bundle);
+        verifyTLogEntriesForBundleV01(bundle, trustedRoot, options);
+    }
+    else {
+        (0, bundle_1.assertBundleLatest)(bundle);
+        verifyTLogEntriesForBundleLatest(bundle, trustedRoot, options);
+    }
+}
+exports.verifyTLogEntries = verifyTLogEntries;
+function verifyTLogEntriesForBundleV01(bundle, trustedRoot, options) {
     if (options.performOnlineVerification) {
@@ -58,3 +48,3 @@ throw new error_1.VerificationError('Online verification not implemented');
     // Iterate over the tlog entries and verify each one
-    const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryOffline(entry, bundle.content, trustedRoot.tlogs, signingCert));
+    const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryWithInclusionPromise(entry, bundle.content, trustedRoot.tlogs, signingCert));
     if (verifiedEntries.length < options.threshold) {
@@ -64,8 +54,15 @@ throw new error_1.VerificationError('tlog verification failed');
 }
-exports.verifyTLogEntries = verifyTLogEntries;
-function verifyTLogEntryOffline(entry, bundleContent, tlogs, signingCert) {
-    // Check that the TLog entry has the fields necessary for verification
-    if (!sigstore.isVerifiableTransparencyLogEntry(entry)) {
-        return false;
+function verifyTLogEntriesForBundleLatest(bundle, trustedRoot, options) {
+    if (options.performOnlineVerification) {
+        throw new error_1.VerificationError('Online verification not implemented');
     }
+    // Extract the signing cert, if available
+    const signingCert = signingCertificate(bundle);
+    // Iterate over the tlog entries and verify each one
+    const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryWithInclusionProof(entry, bundle.content, trustedRoot.tlogs, signingCert));
+    if (verifiedEntries.length < options.threshold) {
+        throw new error_1.VerificationError('tlog verification failed');
+    }
+}
+function verifyTLogEntryWithInclusionPromise(entry, bundleContent, tlogs, signingCert) {
     // If there is a signing certificate availble, check that the tlog integrated
@@ -81,4 +78,16 @@ // time is within the certificate's validity period; otherwise, skip this
 }
+function verifyTLogEntryWithInclusionProof(entry, bundleContent, tlogs, signingCert) {
+    // If there is a signing certificate availble, check that the tlog integrated
+    // time is within the certificate's validity period; otherwise, skip this
+    // check.
+    const verifyTLogIntegrationTime = signingCert
+        ? () => signingCert.validForDate(new Date(Number(entry.integratedTime) * 1000))
+        : () => true;
+    return ((0, body_1.verifyTLogBody)(entry, bundleContent) &&
+        (0, merkle_1.verifyMerkleInclusion)(entry) &&
+        (0, checkpoint_1.verifyCheckpoint)(entry, tlogs) &&
+        verifyTLogIntegrationTime());
+}
 function signingCertificate(bundle) {
-    if (!sigstore.isBundleWithCertificateChain(bundle)) {
+    if (!(0, bundle_1.isBundleWithCertificateChain)(bundle)) {
         return undefined;
@@ -85,0 +94,0 @@ }

dist/tlog/verify/merkle.d.ts

@@ -1,2 +0,2 @@
-import * as sigstore from '../../types/sigstore';
-export declare function verifyMerkleInclusion(entry: sigstore.TransparencyLogEntry): boolean;
+import type { TLogEntryWithInclusionProof } from '@sigstore/bundle';
+export declare function verifyMerkleInclusion(entry: TLogEntryWithInclusionProof): boolean;

dist/tlog/verify/merkle.js

@@ -28,5 +28,2 @@ "use strict";
     const inclusionProof = entry.inclusionProof;
-    if (!inclusionProof) {
-        throw new error_1.VerificationError('tlog entry has no inclusion proof');
-    }
     const logIndex = BigInt(inclusionProof.logIndex);
@@ -33,0 +30,0 @@ const treeSize = BigInt(inclusionProof.treeSize);

dist/tlog/verify/set.d.ts

 import * as sigstore from '../../types/sigstore';
-export declare function verifyTLogSET(entry: sigstore.VerifiableTransparencyLogEntry, tlogs: sigstore.TransparencyLogInstance[]): boolean;
+import type { TLogEntryWithInclusionPromise } from '@sigstore/bundle';
+export declare function verifyTLogSET(entry: TLogEntryWithInclusionPromise, tlogs: sigstore.TransparencyLogInstance[]): boolean;

dist/tlog/verify/set.js

@@ -14,5 +14,2 @@ "use strict";
     return validTLogs.some((tlog) => {
-        if (!tlog.publicKey?.rawBytes) {
-            return false;
-        }
         const publicKey = util_1.crypto.createPublicKey(tlog.publicKey.rawBytes);
@@ -64,3 +61,3 @@ // Re-create the original Rekor verification payload
         // Check that the integrated time is within the validFor range
-        return (publicKey.validFor.start &&
+        return (publicKey.validFor.start !== undefined &&
             publicKey.validFor.start <= targetDate &&
@@ -67,0 +64,0 @@ (!publicKey.validFor.end || targetDate <= publicKey.validFor.end));

dist/util/crypto.d.ts

@@ -11,1 +11,2 @@ /// <reference types="node" />
 export declare function randomBytes(count: number): Buffer;
+export declare function bufferEqual(a: Buffer, b: Buffer): boolean;

dist/util/crypto.js

@@ -6,3 +6,3 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.randomBytes = exports.hash = exports.verifyBlob = exports.signBlob = exports.createPublicKey = exports.generateKeyPair = void 0;
+exports.bufferEqual = exports.randomBytes = exports.hash = exports.verifyBlob = exports.signBlob = exports.createPublicKey = exports.generateKeyPair = void 0;
 /*
@@ -66,1 +66,11 @@ Copyright 2022 The Sigstore Authors.
 exports.randomBytes = randomBytes;
+function bufferEqual(a, b) {
+    try {
+        return crypto_1.default.timingSafeEqual(a, b);
+    }
+    catch {
+        /* istanbul ignore next */
+        return false;
+    }
+}
+exports.bufferEqual = bufferEqual;

dist/verify.d.ts

 /// <reference types="node" />
+import { Bundle } from '@sigstore/bundle';
 import * as sigstore from './types/sigstore';
@@ -8,3 +9,3 @@ export type KeySelector = (hint: string) => string | Buffer | undefined;
     constructor(trustedRoot: sigstore.TrustedRoot, keySelector?: KeySelector);
-    verify(bundle: sigstore.Bundle, options: sigstore.RequiredArtifactVerificationOptions, data?: Buffer): void;
+    verify(bundle: Bundle, options: sigstore.RequiredArtifactVerificationOptions, data?: Buffer): void;
     private verifyArtifactSignature;
@@ -11,0 +12,0 @@ private verifySigningCertificate;

dist/verify.js

@@ -27,2 +27,18 @@ "use strict";
 exports.Verifier = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const bundle_1 = require("@sigstore/bundle");
 const ca = __importStar(require("./ca/verify"));
@@ -42,3 +58,3 @@ const error_1 = require("./error");
         this.verifyArtifactSignature(bundle, data);
-        if (sigstore.isBundleWithCertificateChain(bundle)) {
+        if ((0, bundle_1.isBundleWithCertificateChain)(bundle)) {
             this.verifySigningCertificate(bundle, options);
@@ -45,0 +61,0 @@ }

package.json

 {
   "name": "sigstore",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "description": "code-signing for npm packages",
@@ -39,4 +39,5 @@ "main": "dist/index.js",
   "dependencies": {
-    "@sigstore/protobuf-specs": "^0.1.0",
-    "@sigstore/tuf": "^1.0.1",
+    "@sigstore/bundle": "^1.0.0",
+    "@sigstore/protobuf-specs": "^0.2.0",
+    "@sigstore/tuf": "^1.0.3",
     "make-fetch-happen": "^11.0.1"
@@ -43,0 +44,0 @@ },

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

234998

increased by0.27%

Worsened metrics

Dependency count

4

increased by33.33%

Number of package files

118

decreased by-1.67%

Lines of code

5204

decreased by-0.42%

Dependency changes

• + Added@sigstore/bundle@^1.0.0

• + Added@sigstore/bundle@1.1.0(transitive)

• - Removed@sigstore/protobuf-specs@0.1.0(transitive)

• Updated@sigstore/protobuf-specs@^0.2.0

• Updated@sigstore/tuf@^1.0.3