Comparing version 1.7.0 to 1.8.0
import * as sigstore from '../../types/sigstore'; | ||
import { x509Certificate } from '../../x509/cert'; | ||
export declare function verifyChain(certificate: sigstore.X509Certificate, certificateAuthorities: sigstore.CertificateAuthority[]): x509Certificate[]; | ||
import type { X509Certificate } from '@sigstore/bundle'; | ||
export declare function verifyChain(certificate: X509Certificate, certificateAuthorities: sigstore.CertificateAuthority[]): x509Certificate[]; |
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifySigningCertificate(bundle: sigstore.BundleWithCertificateChain, trustedRoot: sigstore.TrustedRoot, options: sigstore.CAArtifactVerificationOptions): void; | ||
import type { BundleWithCertificateChain } from '@sigstore/bundle'; | ||
export declare function verifySigningCertificate(bundle: BundleWithCertificateChain, trustedRoot: sigstore.TrustedRoot, options: sigstore.CAArtifactVerificationOptions): void; |
@@ -125,9 +125,9 @@ "use strict"; | ||
ctlogOptions: { | ||
disable: false, | ||
threshold: options.ctLogThreshold || 1, | ||
disable: options.ctLogThreshold === 0, | ||
threshold: options.ctLogThreshold ?? 1, | ||
detachedSct: false, | ||
}, | ||
tlogOptions: { | ||
disable: false, | ||
threshold: options.tlogThreshold || 1, | ||
disable: options.tlogThreshold === 0, | ||
threshold: options.tlogThreshold ?? 1, | ||
performOnlineVerification: false, | ||
@@ -134,0 +134,0 @@ }, |
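Review bot: With `disable: options.ctLogThreshold === 0` (and the matching `tlogThreshold` line) an explicit threshold of 0 now switches that log check off entirely, whereas the old `|| 1` silently raised 0 to 1; a caller that fills numeric options from a config file whose default for unset numbers is 0 would now skip CT-log and transparency-log verification without any signal. Since the threshold value is the only opt-out path, it should be documented where the option is declared, e.g. `/** Number of CT-log SCTs required; 0 disables CT-log verification entirely. */` and the same for the tlog option, and it is worth considering a separate explicit disable flag so opting out of log verification is deliberate. The enclosing function starts and ends outside the hunk.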
@@ -7,4 +7,2 @@ declare class BaseError extends Error { | ||
} | ||
export declare class ValidationError extends BaseError { | ||
} | ||
export declare class PolicyError extends BaseError { | ||
@@ -11,0 +9,0 @@ } |
"use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.InternalError = exports.PolicyError = exports.ValidationError = exports.VerificationError = void 0; | ||
exports.InternalError = exports.PolicyError = exports.VerificationError = void 0; | ||
/* | ||
@@ -30,5 +30,2 @@ Copyright 2023 The Sigstore Authors. | ||
exports.VerificationError = VerificationError; | ||
class ValidationError extends BaseError { | ||
} | ||
exports.ValidationError = ValidationError; | ||
class PolicyError extends BaseError { | ||
@@ -35,0 +32,0 @@ } |
/// <reference types="node" /> | ||
import { SignerFunc } from './types/signature'; | ||
import * as sigstore from './types/sigstore'; | ||
import type { Bundle } from '@sigstore/bundle'; | ||
import type { CA } from './ca'; | ||
@@ -24,6 +24,6 @@ import type { Provider } from './identity'; | ||
constructor(options: SignOptions); | ||
signBlob(payload: Buffer): Promise<sigstore.Bundle>; | ||
signAttestation(payload: Buffer, payloadType: string): Promise<sigstore.Bundle>; | ||
signBlob(payload: Buffer): Promise<Bundle>; | ||
signAttestation(payload: Buffer, payloadType: string): Promise<Bundle>; | ||
private signWithEphemeralKey; | ||
private getIdentityToken; | ||
} |
/// <reference types="node" /> | ||
import { SerializedBundle, SerializedEnvelope } from '@sigstore/bundle'; | ||
import { SignOptions } from './config'; | ||
import { SignerFunc } from './types/signature'; | ||
import * as sigstore from './types/sigstore'; | ||
export declare function createDSSEEnvelope(payload: Buffer, payloadType: string, options: { | ||
signer: SignerFunc; | ||
}): Promise<sigstore.SerializedEnvelope>; | ||
export declare function createRekorEntry(dsseEnvelope: sigstore.SerializedEnvelope, publicKey: string, options?: SignOptions): Promise<sigstore.SerializedBundle>; | ||
}): Promise<SerializedEnvelope>; | ||
export declare function createRekorEntry(dsseEnvelope: SerializedEnvelope, publicKey: string, options?: SignOptions): Promise<SerializedBundle>; |
@@ -42,2 +42,3 @@ "use strict"; | ||
*/ | ||
const bundle_1 = require("@sigstore/bundle"); | ||
const config_1 = require("./config"); | ||
@@ -79,4 +80,4 @@ const signature_1 = require("./types/signature"); | ||
}); | ||
return sigstore.bundleToJSON(bundle); | ||
return (0, bundle_1.bundleToJSON)(bundle); | ||
} | ||
exports.createRekorEntry = createRekorEntry; |
/// <reference types="node" /> | ||
import { SerializedBundle } from '@sigstore/bundle'; | ||
import * as tuf from '@sigstore/tuf'; | ||
import * as config from './config'; | ||
import * as sigstore from './types/sigstore'; | ||
export declare function sign(payload: Buffer, options?: config.SignOptions): Promise<sigstore.SerializedBundle>; | ||
export declare function attest(payload: Buffer, payloadType: string, options?: config.SignOptions): Promise<sigstore.SerializedBundle>; | ||
export declare function verify(bundle: sigstore.SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>; | ||
export declare function sign(payload: Buffer, options?: config.SignOptions): Promise<SerializedBundle>; | ||
export declare function attest(payload: Buffer, payloadType: string, options?: config.SignOptions): Promise<SerializedBundle>; | ||
export declare function verify(bundle: SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>; | ||
export interface BundleVerifier { | ||
verify(bundle: sigstore.SerializedBundle): void; | ||
verify(bundle: SerializedBundle): void; | ||
} | ||
@@ -16,9 +16,10 @@ export declare function createVerifier(options: config.CreateVerifierOptions): Promise<BundleVerifier>; | ||
}; | ||
export { ValidationError } from '@sigstore/bundle'; | ||
export type { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from '@sigstore/bundle'; | ||
export type { TUF } from '@sigstore/tuf'; | ||
export type { SignOptions, VerifyOptions } from './config'; | ||
export { InternalError, PolicyError, ValidationError, VerificationError, } from './error'; | ||
export { InternalError, PolicyError, VerificationError } from './error'; | ||
export * as utils from './sigstore-utils'; | ||
export type { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from './types/sigstore'; | ||
export { tufUtils as tuf }; | ||
export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev"; | ||
export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev"; |
@@ -26,3 +26,3 @@ "use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0; | ||
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.PolicyError = exports.InternalError = exports.ValidationError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0; | ||
/* | ||
@@ -43,6 +43,6 @@ Copyright 2023 The Sigstore Authors. | ||
*/ | ||
const bundle_1 = require("@sigstore/bundle"); | ||
const tuf = __importStar(require("@sigstore/tuf")); | ||
const config = __importStar(require("./config")); | ||
const sign_1 = require("./sign"); | ||
const sigstore = __importStar(require("./types/sigstore")); | ||
const verify_1 = require("./verify"); | ||
@@ -62,3 +62,3 @@ async function sign(payload, options = {}) { | ||
const bundle = await signer.signBlob(payload); | ||
return sigstore.bundleToJSON(bundle); | ||
return (0, bundle_1.bundleToJSON)(bundle); | ||
} | ||
@@ -81,3 +81,3 @@ exports.sign = sign; | ||
const bundle = await signer.signAttestation(payload, payloadType); | ||
return sigstore.bundleToJSON(bundle); | ||
return (0, bundle_1.bundleToJSON)(bundle); | ||
} | ||
@@ -94,3 +94,3 @@ exports.attest = attest; | ||
const verifier = new verify_1.Verifier(trustedRoot, options.keySelector); | ||
const deserializedBundle = sigstore.bundleFromJSON(bundle); | ||
const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle); | ||
const opts = config.artifactVerificationOptions(options); | ||
@@ -112,3 +112,3 @@ return verifier.verify(deserializedBundle, opts, payload); | ||
verify: (bundle) => { | ||
const deserializedBundle = sigstore.bundleFromJSON(bundle); | ||
const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle); | ||
return verifier.verify(deserializedBundle, verifyOpts); | ||
@@ -145,6 +145,7 @@ }, | ||
exports.tuf = tufUtils; | ||
var bundle_2 = require("@sigstore/bundle"); | ||
Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return bundle_2.ValidationError; } }); | ||
var error_1 = require("./error"); | ||
Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return error_1.InternalError; } }); | ||
Object.defineProperty(exports, "PolicyError", { enumerable: true, get: function () { return error_1.PolicyError; } }); | ||
Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return error_1.ValidationError; } }); | ||
Object.defineProperty(exports, "VerificationError", { enumerable: true, get: function () { return error_1.VerificationError; } }); | ||
@@ -151,0 +152,0 @@ exports.utils = __importStar(require("./sigstore-utils")); |
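Review bot: `ValidationError` is now re-exported from `@sigstore/bundle` (the `bundle_2.ValidationError` getter) while `VerificationError`, `PolicyError` and `InternalError` still come from `./error`, so an `err instanceof sigstore.ValidationError` check in a consumer now depends on exactly one copy of `@sigstore/bundle` being resolved in the dependency tree; with a duplicated or nested copy the check silently fails and a bad bundle may be handled as an unexpected error. I would call this out in the changelog or in a comment next to the re-export, e.g. `// ValidationError is the @sigstore/bundle class; instanceof checks require a single resolved copy of that package`, and consumers that cannot guarantee deduplication can match on `err.name` instead. This is inferred from the re-export alone; the error class definition itself is not in view.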
@@ -1,2 +0,2 @@ | ||
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifyTLogBody(entry: sigstore.VerifiableTransparencyLogEntry, bundleContent: sigstore.Bundle['content']): boolean; | ||
import type { Bundle, TransparencyLogEntry } from '@sigstore/bundle'; | ||
export declare function verifyTLogBody(entry: TransparencyLogEntry, bundleContent: Bundle['content']): boolean; |
@@ -0,2 +1,3 @@ | ||
import { Bundle } from '@sigstore/bundle'; | ||
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifyTLogEntries(bundle: sigstore.Bundle, trustedRoot: sigstore.TrustedRoot, options: sigstore.ArtifactVerificationOptions_TlogOptions): void; | ||
export declare function verifyTLogEntries(bundle: Bundle, trustedRoot: sigstore.TrustedRoot, options: sigstore.ArtifactVerificationOptions_TlogOptions): void; |
"use strict"; | ||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { | ||
if (k2 === undefined) k2 = k; | ||
var desc = Object.getOwnPropertyDescriptor(m, k); | ||
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { | ||
desc = { enumerable: true, get: function() { return m[k]; } }; | ||
} | ||
Object.defineProperty(o, k2, desc); | ||
}) : (function(o, m, k, k2) { | ||
if (k2 === undefined) k2 = k; | ||
o[k2] = m[k]; | ||
})); | ||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { | ||
Object.defineProperty(o, "default", { enumerable: true, value: v }); | ||
}) : function(o, v) { | ||
o["default"] = v; | ||
}); | ||
var __importStar = (this && this.__importStar) || function (mod) { | ||
if (mod && mod.__esModule) return mod; | ||
var result = {}; | ||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); | ||
__setModuleDefault(result, mod); | ||
return result; | ||
}; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
@@ -42,6 +19,8 @@ exports.verifyTLogEntries = void 0; | ||
*/ | ||
const bundle_1 = require("@sigstore/bundle"); | ||
const error_1 = require("../../error"); | ||
const sigstore = __importStar(require("../../types/sigstore")); | ||
const cert_1 = require("../../x509/cert"); | ||
const body_1 = require("./body"); | ||
const checkpoint_1 = require("./checkpoint"); | ||
const merkle_1 = require("./merkle"); | ||
const set_1 = require("./set"); | ||
@@ -51,2 +30,13 @@ // Verifies that the number of tlog entries that pass offline verification | ||
function verifyTLogEntries(bundle, trustedRoot, options) { | ||
if (bundle.mediaType === bundle_1.BUNDLE_V01_MEDIA_TYPE) { | ||
(0, bundle_1.assertBundleV01)(bundle); | ||
verifyTLogEntriesForBundleV01(bundle, trustedRoot, options); | ||
} | ||
else { | ||
(0, bundle_1.assertBundleLatest)(bundle); | ||
verifyTLogEntriesForBundleLatest(bundle, trustedRoot, options); | ||
} | ||
} | ||
exports.verifyTLogEntries = verifyTLogEntries; | ||
function verifyTLogEntriesForBundleV01(bundle, trustedRoot, options) { | ||
if (options.performOnlineVerification) { | ||
@@ -58,3 +48,3 @@ throw new error_1.VerificationError('Online verification not implemented'); | ||
// Iterate over the tlog entries and verify each one | ||
const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryOffline(entry, bundle.content, trustedRoot.tlogs, signingCert)); | ||
const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryWithInclusionPromise(entry, bundle.content, trustedRoot.tlogs, signingCert)); | ||
if (verifiedEntries.length < options.threshold) { | ||
@@ -64,8 +54,15 @@ throw new error_1.VerificationError('tlog verification failed'); | ||
} | ||
exports.verifyTLogEntries = verifyTLogEntries; | ||
function verifyTLogEntryOffline(entry, bundleContent, tlogs, signingCert) { | ||
// Check that the TLog entry has the fields necessary for verification | ||
if (!sigstore.isVerifiableTransparencyLogEntry(entry)) { | ||
return false; | ||
function verifyTLogEntriesForBundleLatest(bundle, trustedRoot, options) { | ||
if (options.performOnlineVerification) { | ||
throw new error_1.VerificationError('Online verification not implemented'); | ||
} | ||
// Extract the signing cert, if available | ||
const signingCert = signingCertificate(bundle); | ||
// Iterate over the tlog entries and verify each one | ||
const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryWithInclusionProof(entry, bundle.content, trustedRoot.tlogs, signingCert)); | ||
if (verifiedEntries.length < options.threshold) { | ||
throw new error_1.VerificationError('tlog verification failed'); | ||
} | ||
} | ||
function verifyTLogEntryWithInclusionPromise(entry, bundleContent, tlogs, signingCert) { | ||
// If there is a signing certificate availble, check that the tlog integrated | ||
@@ -81,4 +78,16 @@ // time is within the certificate's validity period; otherwise, skip this | ||
} | ||
function verifyTLogEntryWithInclusionProof(entry, bundleContent, tlogs, signingCert) { | ||
// If there is a signing certificate availble, check that the tlog integrated | ||
// time is within the certificate's validity period; otherwise, skip this | ||
// check. | ||
const verifyTLogIntegrationTime = signingCert | ||
? () => signingCert.validForDate(new Date(Number(entry.integratedTime) * 1000)) | ||
: () => true; | ||
return ((0, body_1.verifyTLogBody)(entry, bundleContent) && | ||
(0, merkle_1.verifyMerkleInclusion)(entry) && | ||
(0, checkpoint_1.verifyCheckpoint)(entry, tlogs) && | ||
verifyTLogIntegrationTime()); | ||
} | ||
function signingCertificate(bundle) { | ||
if (!sigstore.isBundleWithCertificateChain(bundle)) { | ||
if (!(0, bundle_1.isBundleWithCertificateChain)(bundle)) { | ||
return undefined; | ||
@@ -85,0 +94,0 @@ } |
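Review bot: In `verifyTLogEntryWithInclusionProof` the signing certificate's validity window is checked against `entry.integratedTime`, but nothing visible in this path binds that timestamp to the log: `verifyMerkleInclusion` and `verifyCheckpoint` authenticate the leaf and the tree head, and unless the leaf hash computed in `verifyTLogBody` (not in view) covers the integrated time, the value is taken unauthenticated from the bundle and could be chosen to fall inside the certificate's validity period. The inclusion-promise path presumably has the SET sign over the integrated time (set.js re-creates the Rekor verification payload), so for the inclusion-proof path consider also verifying the SET when `entry.inclusionPromise` is present, or at least record the weaker guarantee with a comment such as `// NOTE: integratedTime is not covered by the inclusion proof; the validity-window check here is best-effort`. The body of `verifyTLogEntryWithInclusionPromise` is cut by the hunk, so the two checks cannot be compared fully from here.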
@@ -1,2 +0,2 @@ | ||
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifyMerkleInclusion(entry: sigstore.TransparencyLogEntry): boolean; | ||
import type { TLogEntryWithInclusionProof } from '@sigstore/bundle'; | ||
export declare function verifyMerkleInclusion(entry: TLogEntryWithInclusionProof): boolean; |
@@ -28,5 +28,2 @@ "use strict"; | ||
const inclusionProof = entry.inclusionProof; | ||
if (!inclusionProof) { | ||
throw new error_1.VerificationError('tlog entry has no inclusion proof'); | ||
} | ||
const logIndex = BigInt(inclusionProof.logIndex); | ||
@@ -33,0 +30,0 @@ const treeSize = BigInt(inclusionProof.treeSize); |
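Review bot: Dropping the `if (!inclusionProof) throw new error_1.VerificationError(...)` guard relies on the `TLogEntryWithInclusionProof` type, but bundles reach this code via `bundleFromJSON`, so the type is only a real guarantee if `assertBundleLatest` rejects entries without an inclusion proof at runtime, which is not visible here. If it does not, `inclusionProof.logIndex` on the following line throws a TypeError rather than a VerificationError, and the failure is no longer reported as a verification failure. A cheap runtime guard is worth keeping: `if (!inclusionProof) { throw new error_1.VerificationError('tlog entry has no inclusion proof'); }`. The enclosing function starts and ends outside the hunk.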
import * as sigstore from '../../types/sigstore'; | ||
export declare function verifyTLogSET(entry: sigstore.VerifiableTransparencyLogEntry, tlogs: sigstore.TransparencyLogInstance[]): boolean; | ||
import type { TLogEntryWithInclusionPromise } from '@sigstore/bundle'; | ||
export declare function verifyTLogSET(entry: TLogEntryWithInclusionPromise, tlogs: sigstore.TransparencyLogInstance[]): boolean; |
@@ -14,5 +14,2 @@ "use strict"; | ||
return validTLogs.some((tlog) => { | ||
if (!tlog.publicKey?.rawBytes) { | ||
return false; | ||
} | ||
const publicKey = util_1.crypto.createPublicKey(tlog.publicKey.rawBytes); | ||
@@ -64,3 +61,3 @@ // Re-create the original Rekor verification payload | ||
// Check that the integrated time is within the validFor range | ||
return (publicKey.validFor.start && | ||
return (publicKey.validFor.start !== undefined && | ||
publicKey.validFor.start <= targetDate && | ||
@@ -67,0 +64,0 @@ (!publicKey.validFor.end || targetDate <= publicKey.validFor.end)); |
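Review bot: Removing `if (!tlog.publicKey?.rawBytes) return false;` changes how a malformed transparency-log instance in the trusted root is handled: previously such a log was skipped and simply did not count toward the threshold, whereas now `createPublicKey(tlog.publicKey.rawBytes)` is called with `undefined` and throws out of `some`, so one bad entry in the TUF-delivered trusted root aborts verification of every entry instead of one log being ignored. If the updated protobuf-specs types make `rawBytes` mandatory at runtime this is fine; otherwise I would keep the guard, or make the failure explicit with `throw new VerificationError('tlog instance has no public key')` so the cause is not a bare TypeError. The enclosing callback starts and ends outside the hunk.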
@@ -11,1 +11,2 @@ /// <reference types="node" /> | ||
export declare function randomBytes(count: number): Buffer; | ||
export declare function bufferEqual(a: Buffer, b: Buffer): boolean; |
@@ -6,3 +6,3 @@ "use strict"; | ||
Object.defineProperty(exports, "__esModule", { value: true }); | ||
exports.randomBytes = exports.hash = exports.verifyBlob = exports.signBlob = exports.createPublicKey = exports.generateKeyPair = void 0; | ||
exports.bufferEqual = exports.randomBytes = exports.hash = exports.verifyBlob = exports.signBlob = exports.createPublicKey = exports.generateKeyPair = void 0; | ||
/* | ||
@@ -66,1 +66,11 @@ Copyright 2022 The Sigstore Authors. | ||
exports.randomBytes = randomBytes; | ||
function bufferEqual(a, b) { | ||
try { | ||
return crypto_1.default.timingSafeEqual(a, b); | ||
} | ||
catch { | ||
/* istanbul ignore next */ | ||
return false; | ||
} | ||
} | ||
exports.bufferEqual = bufferEqual; |
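Review bot: `bufferEqual` is exported without documentation, and its contract has a subtlety worth writing down: `crypto.timingSafeEqual` throws when the two buffers differ in length, so the catch turns a length mismatch (and any non-Buffer argument) into `false`; the comparison is constant-time only for equal-length inputs, and the length itself remains observable through timing. I would add a JSDoc above the function: `/** Constant-time comparison of two buffers. Returns false on a length mismatch or non-Buffer input (timingSafeEqual throws in both cases); only equal-length inputs are compared in constant time. */`. Since the blanket catch also hides programming errors such as passing a string, consider checking `a.length !== b.length` explicitly before the call and letting other exceptions propagate.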
/// <reference types="node" /> | ||
import { Bundle } from '@sigstore/bundle'; | ||
import * as sigstore from './types/sigstore'; | ||
@@ -8,3 +9,3 @@ export type KeySelector = (hint: string) => string | Buffer | undefined; | ||
constructor(trustedRoot: sigstore.TrustedRoot, keySelector?: KeySelector); | ||
verify(bundle: sigstore.Bundle, options: sigstore.RequiredArtifactVerificationOptions, data?: Buffer): void; | ||
verify(bundle: Bundle, options: sigstore.RequiredArtifactVerificationOptions, data?: Buffer): void; | ||
private verifyArtifactSignature; | ||
@@ -11,0 +12,0 @@ private verifySigningCertificate; |
@@ -27,2 +27,18 @@ "use strict"; | ||
exports.Verifier = void 0; | ||
/* | ||
Copyright 2023 The Sigstore Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
const bundle_1 = require("@sigstore/bundle"); | ||
const ca = __importStar(require("./ca/verify")); | ||
@@ -42,3 +58,3 @@ const error_1 = require("./error"); | ||
this.verifyArtifactSignature(bundle, data); | ||
if (sigstore.isBundleWithCertificateChain(bundle)) { | ||
if ((0, bundle_1.isBundleWithCertificateChain)(bundle)) { | ||
this.verifySigningCertificate(bundle, options); | ||
@@ -45,0 +61,0 @@ } |
{ | ||
"name": "sigstore", | ||
"version": "1.7.0", | ||
"version": "1.8.0", | ||
"description": "code-signing for npm packages", | ||
@@ -39,4 +39,5 @@ "main": "dist/index.js", | ||
"dependencies": { | ||
"@sigstore/protobuf-specs": "^0.1.0", | ||
"@sigstore/tuf": "^1.0.1", | ||
"@sigstore/bundle": "^1.0.0", | ||
"@sigstore/protobuf-specs": "^0.2.0", | ||
"@sigstore/tuf": "^1.0.3", | ||
"make-fetch-happen": "^11.0.1" | ||
@@ -43,0 +44,0 @@ }, |
+ Added@sigstore/bundle@^1.0.0
+ Added@sigstore/bundle@1.1.0(transitive)
- Removed@sigstore/protobuf-specs@0.1.0(transitive)
Updated@sigstore/tuf@^1.0.3