
sigstore - npm Package Compare versions

Comparing version 1.9.0 to 2.0.0


dist/ca/verify/signer.js

@@ -57,3 +57,6 @@ "use strict";

if (!signerVerified) {
throw new error_1.PolicyError('Certificate issued to untrusted signer');
throw new error_1.PolicyError({
code: 'UNTRUSTED_SIGNER_ERROR',
message: 'Certificate issued to untrusted signer',
});
}

@@ -60,0 +63,0 @@ }

import { DSSEBundleBuilder, IdentityProvider, MessageSignatureBundleBuilder } from '@sigstore/sign';
import { SignerFunc } from './types/signature';
import * as sigstore from './types/sigstore';
import type { FetchOptions, Retry } from './types/fetch';
import type { KeySelector } from './verify';
export type TUFOptions = {
tufMirrorURL?: string;
tufRootPath?: string;
tufCachePath?: string;
} & FetchOptions;
export type SignOptions = {

@@ -15,8 +9,3 @@ fulcioURL?: string;

identityToken?: string;
oidcIssuer?: string;
oidcClientID?: string;
oidcClientSecret?: string;
oidcRedirectURL?: string;
rekorURL?: string;
signer?: SignerFunc;
tlogUpload?: boolean;

@@ -33,7 +22,6 @@ tsaServerURL?: string;

keySelector?: KeySelector;
rekorURL?: string;
} & TUFOptions;
export type CreateVerifierOptions = {
keySelector?: KeySelector;
} & TUFOptions;
tufMirrorURL?: string;
tufRootPath?: string;
tufCachePath?: string;
} & FetchOptions;
export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev";

@@ -40,0 +28,0 @@ export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev";


dist/config.js

@@ -25,5 +25,2 @@ "use strict";

};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });

@@ -47,4 +44,2 @@ exports.artifactVerificationOptions = exports.createBundleBuilder = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0;

const sign_1 = require("@sigstore/sign");
const identity_1 = __importDefault(require("./identity"));
const signature_1 = require("./types/signature");
const sigstore = __importStar(require("./types/sigstore"));

@@ -68,21 +63,13 @@ exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';

exports.createBundleBuilder = createBundleBuilder;
// Instantiate a signer based on the supplied options. If a signer function is
// provided, use that. Otherwise, if a Fulcio URL is provided, use the Fulcio
// signer. Otherwise, throw an error.
// Instantiate the FulcioSigner based on the supplied options.
function initSigner(options) {
if (isCallbackSignerEnabled(options)) {
return new signature_1.CallbackSigner(options);
}
else {
return new sign_1.FulcioSigner({
fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL,
identityProvider: options.identityProvider || initIdentityProvider(options),
retry: options.retry ?? exports.DEFAULT_RETRY,
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
});
}
return new sign_1.FulcioSigner({
fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL,
identityProvider: options.identityProvider || initIdentityProvider(options),
retry: options.retry ?? exports.DEFAULT_RETRY,
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
});
}
// Instantiate an identity provider based on the supplied options. If an
// explicit identity token is provided, use that. Otherwise, if an OIDC issuer
// and client ID are provided, use the OIDC provider. Otherwise, use the CI
// explicit identity token is provided, use that. Otherwise, use the CI
// context provider.

@@ -94,10 +81,2 @@ function initIdentityProvider(options) {

}
else if (options.oidcIssuer && options.oidcClientID) {
return identity_1.default.oauthProvider({
issuer: options.oidcIssuer,
clientID: options.oidcClientID,
clientSecret: options.oidcClientSecret,
redirectURL: options.oidcRedirectURL,
});
}
else {

@@ -127,6 +106,2 @@ return new sign_1.CIContextProvider('sigstore');

}
// Type assertion to ensure that the signer is enabled
function isCallbackSignerEnabled(options) {
return options.signer !== undefined;
}
// Type assertion to ensure that Rekor is enabled

@@ -133,0 +108,0 @@ function isRekorEnabled(options) {
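Review bot: The rewritten `initSigner` silently prefers `options.identityProvider` over `options.identityToken` when both are supplied (`identityProvider: options.identityProvider || initIdentityProvider(options)`), while the README shipped in this same version documents the two as mutually exclusive; a caller who sets both signs under an identity they did not choose and gets no error. Add an explicit guard before the `FulcioSigner` is constructed: `if (options.identityProvider && options.identityToken) { throw new Error('identityToken and identityProvider cannot be used together'); }`. This assumes `initIdentityProvider` is what consumes `identityToken`, as its leading comment says; the branch that does so lies outside the visible hunk, so the exact conflict check should be placed wherever that token is read.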

@@ -1,7 +0,4 @@

declare class BaseError extends Error {
declare class BaseError<T extends string> extends Error {
code: T;
cause: any | undefined;
constructor(message: string, cause?: any);
}
declare class ErrorWithCode<T extends string> extends BaseError {
code: T;
constructor({ code, message, cause, }: {

@@ -13,12 +10,9 @@ code: T;

}
export declare class VerificationError extends BaseError {
type VerificationErrorCode = 'VERIFICATION_ERROR';
export declare class VerificationError extends BaseError<VerificationErrorCode> {
constructor(message: string);
}
export declare class PolicyError extends BaseError {
type PolicyErrorCode = 'UNTRUSTED_SIGNER_ERROR';
export declare class PolicyError extends BaseError<PolicyErrorCode> {
}
type InternalErrorCode = 'TUF_FIND_TARGET_ERROR' | 'TUF_REFRESH_METADATA_ERROR' | 'TUF_DOWNLOAD_TARGET_ERROR' | 'TUF_READ_TARGET_ERROR';
export declare class InternalError extends ErrorWithCode<InternalErrorCode> {
}
type SignatureErrorCode = 'MISSING_SIGNATURE_ERROR' | 'MISSING_PUBLIC_KEY_ERROR';
export declare class SignatureError extends ErrorWithCode<SignatureErrorCode> {
}
export {};
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.SignatureError = exports.InternalError = exports.PolicyError = exports.VerificationError = void 0;
/*

@@ -19,19 +17,17 @@ Copyright 2023 The Sigstore Authors.

*/
/* eslint-disable @typescript-eslint/no-explicit-any */
Object.defineProperty(exports, "__esModule", { value: true });
exports.PolicyError = exports.VerificationError = void 0;
class BaseError extends Error {
constructor(message, cause) {
constructor({ code, message, cause, }) {
super(message);
this.name = this.constructor.name;
this.code = code;
this.cause = cause;
}
}
class ErrorWithCode extends BaseError {
constructor({ code, message, cause, }) {
super(message, cause);
this.code = code;
this.name = this.constructor.name;
class VerificationError extends BaseError {
constructor(message) {
super({ code: 'VERIFICATION_ERROR', message });
}
}
class VerificationError extends BaseError {
}
exports.VerificationError = VerificationError;

@@ -41,7 +37,1 @@ class PolicyError extends BaseError {

exports.PolicyError = PolicyError;
class InternalError extends ErrorWithCode {
}
exports.InternalError = InternalError;
class SignatureError extends ErrorWithCode {
}
exports.SignatureError = SignatureError;
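Review bot: The reworked `BaseError` keeps `cause` typed as `any | undefined` in the declaration and accepts it untyped in its `{ code, message, cause }` constructor, which leaks `any` to every consumer that inspects `err.cause`; `unknown` is the honest type for an arbitrary wrapped value, i.e. `cause: unknown;` on the class and in the constructor's option type, and callers then narrow with `instanceof`. Because this release raises the engine floor to Node >= 16.14 (package.json hunk), the native `Error` `cause` option is available, so `super(message, { cause })` would record it in the standard slot instead of assigning afterwards; that only compiles if the TypeScript lib target includes ES2022, which is not visible on this page. The `PolicyError` and `VerificationError` bodies straddle hunk boundaries, so this note is limited to `BaseError`.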

@@ -0,2 +1,10 @@

export { ValidationError } from '@sigstore/bundle';
export { InternalError } from '@sigstore/sign';
export { TUFError } from '@sigstore/tuf';
export { DEFAULT_FULCIO_URL, DEFAULT_REKOR_URL } from './config';
export { PolicyError, VerificationError } from './error';
export { attest, createVerifier, sign, verify } from './sigstore';
export type { SerializedBundle as Bundle } from '@sigstore/bundle';
export type { IdentityProvider } from '@sigstore/sign';
export * as sigstore from './sigstore';
export type { SignOptions, VerifyOptions } from './config';
export type { BundleVerifier } from './sigstore';
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.sigstore = void 0;
exports.sigstore = __importStar(require("./sigstore"));
exports.verify = exports.sign = exports.createVerifier = exports.attest = exports.VerificationError = exports.PolicyError = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.TUFError = exports.InternalError = exports.ValidationError = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
var bundle_1 = require("@sigstore/bundle");
Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return bundle_1.ValidationError; } });
var sign_1 = require("@sigstore/sign");
Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return sign_1.InternalError; } });
var tuf_1 = require("@sigstore/tuf");
Object.defineProperty(exports, "TUFError", { enumerable: true, get: function () { return tuf_1.TUFError; } });
var config_1 = require("./config");
Object.defineProperty(exports, "DEFAULT_FULCIO_URL", { enumerable: true, get: function () { return config_1.DEFAULT_FULCIO_URL; } });
Object.defineProperty(exports, "DEFAULT_REKOR_URL", { enumerable: true, get: function () { return config_1.DEFAULT_REKOR_URL; } });
var error_1 = require("./error");
Object.defineProperty(exports, "PolicyError", { enumerable: true, get: function () { return error_1.PolicyError; } });
Object.defineProperty(exports, "VerificationError", { enumerable: true, get: function () { return error_1.VerificationError; } });
var sigstore_1 = require("./sigstore");
Object.defineProperty(exports, "attest", { enumerable: true, get: function () { return sigstore_1.attest; } });
Object.defineProperty(exports, "createVerifier", { enumerable: true, get: function () { return sigstore_1.createVerifier; } });
Object.defineProperty(exports, "sign", { enumerable: true, get: function () { return sigstore_1.sign; } });
Object.defineProperty(exports, "verify", { enumerable: true, get: function () { return sigstore_1.verify; } });
/// <reference types="node" />
import { SerializedBundle } from '@sigstore/bundle';
import * as tuf from '@sigstore/tuf';
import * as config from './config';
export declare function sign(payload: Buffer, options?: config.SignOptions): Promise<SerializedBundle>;
export declare function attest(payload: Buffer, payloadType: string, options?: config.SignOptions): Promise<SerializedBundle>;
export declare function verify(bundle: SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>;
export declare function verify(bundle: SerializedBundle, options?: config.VerifyOptions): Promise<void>;
export declare function verify(bundle: SerializedBundle, data: Buffer, options?: config.VerifyOptions): Promise<void>;
export interface BundleVerifier {
verify(bundle: SerializedBundle): void;
verify(bundle: SerializedBundle, data?: Buffer): void;
}
export declare function createVerifier(options: config.CreateVerifierOptions): Promise<BundleVerifier>;
declare const tufUtils: {
client: (options?: config.TUFOptions) => Promise<tuf.TUF>;
getTarget: (path: string, options?: config.TUFOptions) => Promise<string>;
};
export { ValidationError } from '@sigstore/bundle';
export type { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from '@sigstore/bundle';
export type { TUF } from '@sigstore/tuf';
export type { SignOptions, VerifyOptions } from './config';
export { InternalError, PolicyError, VerificationError } from './error';
export * as utils from './sigstore-utils';
export { tufUtils as tuf };
export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev";
export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev";
export declare function createVerifier(options?: config.VerifyOptions): Promise<BundleVerifier>;

@@ -26,3 +26,3 @@ "use strict";

Object.defineProperty(exports, "__esModule", { value: true });
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.PolicyError = exports.InternalError = exports.ValidationError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0;
exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0;
/*

@@ -47,3 +47,5 @@ Copyright 2023 The Sigstore Authors.

const verify_1 = require("./verify");
async function sign(payload, options = {}) {
async function sign(payload,
/* istanbul ignore next */
options = {}) {
const bundler = config.createBundleBuilder('messageSignature', options);

@@ -54,3 +56,5 @@ const bundle = await bundler.create({ data: payload });

exports.sign = sign;
async function attest(payload, payloadType, options = {}) {
async function attest(payload, payloadType,
/* istanbul ignore next */
options = {}) {
const bundler = config.createBundleBuilder('dsseEnvelope', options);

@@ -61,17 +65,16 @@ const bundle = await bundler.create({ data: payload, type: payloadType });

exports.attest = attest;
async function verify(bundle, payload, options = {}) {
const trustedRoot = await tuf.getTrustedRoot({
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
retry: options.retry ?? config.DEFAULT_RETRY,
timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
});
const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle);
const opts = config.artifactVerificationOptions(options);
return verifier.verify(deserializedBundle, opts, payload);
async function verify(bundle, dataOrOptions, options) {
let data;
if (Buffer.isBuffer(dataOrOptions)) {
data = dataOrOptions;
}
else {
options = dataOrOptions;
}
return createVerifier(options).then((verifier) => verifier.verify(bundle, data));
}
exports.verify = verify;
async function createVerifier(options) {
async function createVerifier(
/* istanbul ignore next */
options = {}) {
const trustedRoot = await tuf.getTrustedRoot({

@@ -87,5 +90,5 @@ mirrorURL: options.tufMirrorURL,

return {
verify: (bundle) => {
verify: (bundle, payload) => {
const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle);
return verifier.verify(deserializedBundle, verifyOpts);
return verifier.verify(deserializedBundle, verifyOpts, payload);
},

@@ -95,36 +98,1 @@ };

exports.createVerifier = createVerifier;
const tufUtils = {
client: (options = {}) => {
return tuf.initTUF({
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
retry: options.retry,
timeout: options.timeout,
});
},
/*
* @deprecated Use tufUtils.client instead.
*/
getTarget: (path, options = {}) => {
return tuf
.initTUF({
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
retry: options.retry,
timeout: options.timeout,
})
.then((t) => t.getTarget(path));
},
};
exports.tuf = tufUtils;
var bundle_2 = require("@sigstore/bundle");
Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return bundle_2.ValidationError; } });
var error_1 = require("./error");
Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return error_1.InternalError; } });
Object.defineProperty(exports, "PolicyError", { enumerable: true, get: function () { return error_1.PolicyError; } });
Object.defineProperty(exports, "VerificationError", { enumerable: true, get: function () { return error_1.VerificationError; } });
exports.utils = __importStar(require("./sigstore-utils"));
exports.DEFAULT_FULCIO_URL = config.DEFAULT_FULCIO_URL;
exports.DEFAULT_REKOR_URL = config.DEFAULT_REKOR_URL;
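Review bot: The new `verify(bundle, dataOrOptions, options)` argument resolver (hunk `@@ -61,17 +65,16 @@`) discards explicitly supplied options whenever the middle argument is not a Buffer: a caller still on the previous three-argument signature who writes `verify(bundle, undefined, { certificateIssuer, certificateIdentityEmail })` has `options` overwritten with `undefined` in the `else` branch, `createVerifier` then falls back to its `{}` default, and the issuer/identity policy is silently not enforced, which is a verification bypass rather than a usability nit. Only let a real options object win: `else if (dataOrOptions !== undefined) { options = dataOrOptions; }`, and consider throwing when both `dataOrOptions` is a non-Buffer object and `options` is also set, since that call is ambiguous. The overloads declared for `verify` in the d.ts hunk do not admit an `undefined` middle argument, but nothing at runtime checks that, and plain-JavaScript callers see no types at all.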

@@ -1,14 +0,3 @@

type ValueOf<Obj> = Obj[keyof Obj];
type OneOnly<Obj, K extends keyof Obj> = {
[key in Exclude<keyof Obj, K>]: undefined;
} & {
[key in K]: Obj[K];
};
type OneOfByKey<Obj> = {
[key in keyof Obj]: OneOnly<Obj, key>;
};
export type OneOf<T> = ValueOf<OneOfByKey<T>>;
export type WithRequired<T, K extends keyof T> = T & {
[P in K]-?: NonNullable<T[P]>;
};
export {};

@@ -17,3 +17,2 @@ "use strict";

*/
// https://dev.to/maxime1992/implement-a-generic-oneof-type-with-typescript-22em
Object.defineProperty(exports, "__esModule", { value: true });
{
"name": "sigstore",
"version": "1.9.0",
"version": "2.0.0",
"description": "code-signing for npm packages",

@@ -12,5 +12,2 @@ "main": "dist/index.js",

},
"bin": {
"sigstore": "bin/sigstore.js"
},
"files": [

@@ -34,18 +31,17 @@ "dist",

"devDependencies": {
"@sigstore/rekor-types": "^1.0.0",
"@sigstore/rekor-types": "^2.0.0",
"@sigstore/jest": "^0.0.0",
"@sigstore/mock": "^0.2.0",
"@tufjs/repo-mock": "^1.1.0",
"@sigstore/mock": "^0.3.0",
"@tufjs/repo-mock": "^2.0.0",
"@types/make-fetch-happen": "^10.0.0"
},
"dependencies": {
"@sigstore/bundle": "^1.1.0",
"@sigstore/protobuf-specs": "^0.2.0",
"@sigstore/sign": "^1.0.0",
"@sigstore/tuf": "^1.0.3",
"make-fetch-happen": "^11.0.1"
"@sigstore/bundle": "^2.0.0",
"@sigstore/protobuf-specs": "^0.2.1",
"@sigstore/sign": "^2.0.0",
"@sigstore/tuf": "^2.0.0"
},
"engines": {
"node": "^14.17.0 || ^16.13.0 || >=18.0.0"
"node": "^16.14.0 || >=18.0.0"
}
}

@@ -9,9 +9,9 @@ # sigstore &middot; [![npm version](https://img.shields.io/npm/v/sigstore.svg?style=flat)](https://www.npmjs.com/package/sigstore) [![CI Status](https://github.com/sigstore/sigstore-js/workflows/CI/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/ci.yml) [![Smoke Test Status](https://github.com/sigstore/sigstore-js/workflows/smoke-test/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/smoke-test.yml)

* Support for signing using an OpenID Connect identity
* Support for publishing signatures to a [Rekor][1] instance
* Support for verifying Sigstore bundles
- Support for signing using an OpenID Connect identity
- Support for publishing signatures to a [Rekor][1] instance
- Support for verifying Sigstore bundles
## Prerequisites
- Node.js version >= 14.17.0
- Node.js version >= 16.14.0

@@ -144,7 +144,7 @@ ## Installation

```javascript
const { sigstore } = require('sigstore')
const { attest, verify } = require('sigstore');
```
```javascript
import { sigstore } from 'sigstore'
import { attest, verify } from 'sigstore';
```

@@ -158,10 +158,10 @@

* `payload` `<Buffer>`: The bytes of the artifact to be signed.
* `options` `<Object>`
* `fulcioURL` `<string>`: The base URL of the Fulcio instance to use for retrieving the signing certificate. Defaults to `'https://fulcio.sigstore.dev'`.
* `rekorURL` `<string>`: The base URL of the Rekor instance to use when adding the signature to the transparency log. Defaults to `'https://rekor.sigstore.dev'`.
* `tsaServerURL` `<string>`: The base URL of the Timestamp Authority instance to use when requesting a signed timestamp. If omitted, no timestamp will be requested.
* `tlogUpload` `<boolean>`: Flag indicating whether or not the signature should be recorded on the Rekor transparency log. Defaults to `true`.
* `identityToken` `<string>`: The OIDC token identifying the signer. If no explicit token is supplied, an attempt will be made to retrieve one from the environment. This config cannot be used with `identityProvider`.
* `identityProvider` `<IdentityProvider>`: Object which implements `getToken: () => Promise<string>`. The supplied provider will be used to retrieve an OIDC token. If no provider is supplied, an attempt will be made to retrieve an OIDC token from the environment. This config cannot be used with `identityToken`.
- `payload` `<Buffer>`: The bytes of the artifact to be signed.
- `options` `<Object>`
- `fulcioURL` `<string>`: The base URL of the Fulcio instance to use for retrieving the signing certificate. Defaults to `'https://fulcio.sigstore.dev'`.
- `rekorURL` `<string>`: The base URL of the Rekor instance to use when adding the signature to the transparency log. Defaults to `'https://rekor.sigstore.dev'`.
- `tsaServerURL` `<string>`: The base URL of the Timestamp Authority instance to use when requesting a signed timestamp. If omitted, no timestamp will be requested.
- `tlogUpload` `<boolean>`: Flag indicating whether or not the signature should be recorded on the Rekor transparency log. Defaults to `true`.
- `identityToken` `<string>`: The OIDC token identifying the signer. If no explicit token is supplied, an attempt will be made to retrieve one from the environment. This config cannot be used with `identityProvider`.
- `identityProvider` `<IdentityProvider>`: Object which implements `getToken: () => Promise<string>`. The supplied provider will be used to retrieve an OIDC token. If no provider is supplied, an attempt will be made to retrieve an OIDC token from the environment. This config cannot be used with `identityToken`.

@@ -174,13 +174,12 @@ ### attest(payload, payloadType[, options])

* `payload` `<Buffer>`: The bytes of the statement to be signed.
* `payloadType` `<string>`: MIME or content type describing the statement to be signed.
* `options` `<Object>`
* `fulcioURL` `<string>`: The base URL of the Fulcio instance to use for retrieving the signing certificate. Defaults to `'https://fulcio.sigstore.dev'`.
* `rekorURL` `<string>`: The base URL of the Rekor instance to use when adding the signature to the transparency log. Defaults to `'https://rekor.sigstore.dev'`.
* `tsaServerURL` `<string>`: The base URL of the Timestamp Authority instance to use when requesting a signed timestamp. If omitted, no timestamp will be requested.
* `tlogUpload` `<boolean>`: Flag indicating whether or not the signed statement should be recorded on the Rekor transparency log. Defaults to `true`.
* `identityToken` `<string>`: The OIDC token identifying the signer. If no explicit token is supplied, an attempt will be made to retrieve one from the environment. This config cannot be used with `identityProvider`.
* `identityProvider` `<IdentityProvider>`: Object which implements `getToken: () => Promise<string>`. The supplied provider will be used to retrieve an OIDC token. If no provider is supplied, an attempt will be made to retrieve an OIDC token from the environment. This config cannot be used with `identityToken`.
- `payload` `<Buffer>`: The bytes of the statement to be signed.
- `payloadType` `<string>`: MIME or content type describing the statement to be signed.
- `options` `<Object>`
- `fulcioURL` `<string>`: The base URL of the Fulcio instance to use for retrieving the signing certificate. Defaults to `'https://fulcio.sigstore.dev'`.
- `rekorURL` `<string>`: The base URL of the Rekor instance to use when adding the signature to the transparency log. Defaults to `'https://rekor.sigstore.dev'`.
- `tsaServerURL` `<string>`: The base URL of the Timestamp Authority instance to use when requesting a signed timestamp. If omitted, no timestamp will be requested.
- `tlogUpload` `<boolean>`: Flag indicating whether or not the signed statement should be recorded on the Rekor transparency log. Defaults to `true`.
- `identityToken` `<string>`: The OIDC token identifying the signer. If no explicit token is supplied, an attempt will be made to retrieve one from the environment. This config cannot be used with `identityProvider`.
- `identityProvider` `<IdentityProvider>`: Object which implements `getToken: () => Promise<string>`. The supplied provider will be used to retrieve an OIDC token. If no provider is supplied, an attempt will be made to retrieve an OIDC token from the environment. This config cannot be used with `identityToken`.
### verify(bundle[, payload][, options])

@@ -190,71 +189,14 @@

* `bundle` `<Bundle>`: The Sigstore bundle containing the signature to be verified and the verification material necessary to verify the signature.
* `payload` `<Buffer>`: The bytes of the artifact over which the signature was created. Only necessary when the `sign` function was used to generate the signature since the Bundle does not contain any information about the artifact which was signed. Not required when the `attest` function was used to generate the Bundle.
* `options` `<Object>`
* `ctLogThreshold` `<number>`: The number of certificate transparency logs on which the signing certificate must appear. Defaults to `1`.
* `tlogThreshold` `<number>`: The number of transparency logs on which the signature must appear. Defaults to `1`.
* `certificateIssuer` `<string>`: Value that must appear in the signing certificate's issuer extension (OID 1.3.6.1.4.1.57264.1.1). Not verified if no value is supplied.
* `certificateIdentityEmail` `<string>`: Email address which must appear in the signing certificate's Subject Alternative Name (SAN) extension. Must be specified in conjunction with the `certificateIssuer` option. Takes precedence over the `certificateIdentityURI` option. Not verified if no value is supplied.
* `certificateIdentityURI` `<string>`: URI which must appear in the signing certificate's Subject Alternative Name (SAN) extension. Must be specified in conjunction with the `certificateIssuer` option. Ignored if the `certificateIdentityEmail` option is set. Not verified if no value is supplied.
* `certificateOIDs` `<Object>`: A collection of OID/value pairs which must be present in the certificate's extension list. Not verified if no value is supplied.
* `keySelector` `<Function>`: Callback invoked to retrieve the public key (as either `string` or `Buffer`) necessary to verify the bundle signature. Not used when the signature was generated from a Fulcio-issued signing certificate.
* `hint` `<String>`: The hint from the bundle used to identify the the signing key.
- `bundle` `<Bundle>`: The Sigstore bundle containing the signature to be verified and the verification material necessary to verify the signature.
- `payload` `<Buffer>`: The bytes of the artifact over which the signature was created. Only necessary when the `sign` function was used to generate the signature since the Bundle does not contain any information about the artifact which was signed. Not required when the `attest` function was used to generate the Bundle.
- `options` `<Object>`
- `ctLogThreshold` `<number>`: The number of certificate transparency logs on which the signing certificate must appear. Defaults to `1`.
- `tlogThreshold` `<number>`: The number of transparency logs on which the signature must appear. Defaults to `1`.
- `certificateIssuer` `<string>`: Value that must appear in the signing certificate's issuer extension (OID 1.3.6.1.4.1.57264.1.1). Not verified if no value is supplied.
- `certificateIdentityEmail` `<string>`: Email address which must appear in the signing certificate's Subject Alternative Name (SAN) extension. Must be specified in conjunction with the `certificateIssuer` option. Takes precedence over the `certificateIdentityURI` option. Not verified if no value is supplied.
- `certificateIdentityURI` `<string>`: URI which must appear in the signing certificate's Subject Alternative Name (SAN) extension. Must be specified in conjunction with the `certificateIssuer` option. Ignored if the `certificateIdentityEmail` option is set. Not verified if no value is supplied.
- `certificateOIDs` `<Object>`: A collection of OID/value pairs which must be present in the certificate's extension list. Not verified if no value is supplied.
- `keySelector` `<Function>`: Callback invoked to retrieve the public key (as either `string` or `Buffer`) necessary to verify the bundle signature. Not used when the signature was generated from a Fulcio-issued signing certificate.
- `hint` `<String>`: The hint from the bundle used to identify the the signing key.
### tuf
The `tuf` object contains utility function for working with the Sigstore TUF repository.
#### client([options])
Returns a TUF client which can be used to retrieve targets from the Sigstore TUF repository.
* `options` `<Object>`
* `tufMirrorURL` `<string>`: Base URL for the Sigstore TUF repository. Defaults to `'https://tuf-repo-cdn.sigstore.dev'`
* `tufRootPath` `<string>`: Path to the initial trusted root for the TUF repository. Defaults to the embedded root.
* `tufCachePath` `<string>`: Absolute path to the directory to be used for caching downloaded TUF metadata and targets. Defaults to a directory named "sigstore-js" within the platform-specific application data directory.
The returned object exposes a `getTarget(path)` function which returns the
contents of the target at the specified path in the Sigstore TUF repository.
#### getTarget(path[, options]) (deprecated)
Returns the contents of the target at the specified path in the Sigstore TUF repository.
This method has been deprecated and will be removed in the next major version.
You should use the TUF `client` function to retrieve a stateful TUF client and
then call `getTarget` against that object. This will avoid re-initializing the
internal TUF state between requests.
* `path` `<string>`: The [path-relative-url string](https://url.spec.whatwg.org/#path-relative-url-string) that uniquely identifies the target within the Sigstore TUF repository.
* `options` `<Object>`
* `tufMirrorURL` `<string>`: Base URL for the Sigstore TUF repository. Defaults to `'https://tuf-repo-cdn.sigstore.dev'`
* `tufRootPath` `<string>`: Path to the initial trusted root for the TUF repository. Defaults to the embedded root.
* `tufCachePath` `<string>`: Absolute path to the directory to be used for caching downloaded TUF metadata and targets. Defaults to a directory named "sigstore-js" within the platform-specific application data directory.
### utils
The `utils` object contains a few internal utility functions. These are exposed
to support the needs of specific `sigstore-js` consumers but should **NOT** be
considered part of the stable public interface.
## CLI
The `sigstore-js` library comes packaged with a basic command line interface
for testing and demo purposes. However, the CLI should **NOT** be considered
part of the stable interface of the library. If you require a production-ready
Sigstore CLI, we recommend you use [`cosign`][4].
```shell
$ npx sigstore help
sigstore <command> <artifact>
Usage:
sigstore sign sign an artifact
sigstore attest sign an artifact using dsse (Dead Simple Signing Envelope)
sigstore verify verify an artifact
sigstore version print version information
sigstore help print help information
```
## Credential Sources

@@ -277,9 +219,2 @@

### Interactive Flow
If sigstore-js cannot detect ambient credentials, then it will prompt the user to go through the
interactive flow.
[1]: https://github.com/sigstore/rekor

@@ -286,0 +221,0 @@ [2]: https://github.com/sigstore/protobuf-specs/blob/9b722b68a717778ba4f11543afa4ef93205ab502/protos/sigstore_bundle.proto#L63-L84
