diff --git a/DEPENDENCIES.md b/DEPENDENCIES.md
index d14469bdc56ff..95ef9a66dffaa 100644
--- a/DEPENDENCIES.md
+++ b/DEPENDENCIES.md
@@ -770,7 +770,11 @@ graph LR;
 shebang-command-->shebang-regex;
 sigstore-->make-fetch-happen;
 sigstore-->sigstore-protobuf-specs["@sigstore/protobuf-specs"];
+ sigstore-->sigstore-tuf["@sigstore/tuf"];
 sigstore-->tuf-js;
+ sigstore-tuf-->make-fetch-happen;
+ sigstore-tuf-->sigstore-protobuf-specs["@sigstore/protobuf-specs"];
+ sigstore-tuf-->tuf-js;
 socks-->ip;
 socks-->smart-buffer;
 socks-proxy-agent-->agent-base;
diff --git a/node_modules/.gitignore b/node_modules/.gitignore
index a96ea88cb87dd..a32136b521357 100644
--- a/node_modules/.gitignore
+++ b/node_modules/.gitignore
@@ -38,6 +38,7 @@
 !/@sigstore/
 /@sigstore/*
 !/@sigstore/protobuf-specs
+!/@sigstore/tuf
 !/@tootallnate/
 /@tootallnate/*
 !/@tootallnate/once
diff --git a/node_modules/@sigstore/tuf/LICENSE b/node_modules/@sigstore/tuf/LICENSE
new file mode 100644
index 0000000000000..e9e7c1679a09d
--- /dev/null
+++ b/node_modules/@sigstore/tuf/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2023 The Sigstore Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/node_modules/sigstore/dist/util/appdata.js b/node_modules/@sigstore/tuf/dist/appdata.js similarity index 61% rename from node_modules/sigstore/dist/util/appdata.js rename to node_modules/@sigstore/tuf/dist/appdata.js index d0c7f6f079e50..c9a8ee92b531e 100644 --- a/node_modules/sigstore/dist/util/appdata.js +++ b/node_modules/@sigstore/tuf/dist/appdata.js 
@@ -4,19 +4,37 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.appDataPath = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
 const os_1 = __importDefault(require("os"));
 const path_1 = __importDefault(require("path"));
 function appDataPath(name) {
 const homedir = os_1.default.homedir();
 switch (process.platform) {
+ /* istanbul ignore next */
 case 'darwin': {
 const appSupport = path_1.default.join(homedir, 'Library', 'Application Support');
 return path_1.default.join(appSupport, name);
 }
+ /* istanbul ignore next */
 case 'win32': {
 const localAppData = process.env.LOCALAPPDATA || path_1.default.join(homedir, 'AppData', 'Local');
 return path_1.default.join(localAppData, name, 'Data');
 }
+ /* istanbul ignore next */
 default: {
 const localData = process.env.XDG_DATA_HOME || path_1.default.join(homedir, '.local', 'share');
 return path_1.default.join(localData, name);
diff --git a/node_modules/sigstore/dist/tuf/index.js b/node_modules/@sigstore/tuf/dist/client.js
similarity index 63%
rename from node_modules/sigstore/dist/tuf/index.js
rename to node_modules/@sigstore/tuf/dist/client.js
index 86a081de9f3af..08d6b61840909
--- a/node_modules/sigstore/dist/tuf/index.js
+++ b/node_modules/@sigstore/tuf/dist/client.js
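Review bot: In the `default` branch `process.env.XDG_DATA_HOME` is used as-is, so a relative value (say `XDG_DATA_HOME=data`) makes `appDataPath` return a path relative to the process's current working directory; the XDG Base Directory spec says a relative value must be treated as unset. This matters more than usual here because the package's index module uses `appDataPath` as the default `cachePath`, i.e. the directory where TUF metadata and the trusted root are persisted, so the trust cache would land wherever the caller happened to be running. I would apply the spec's rule: `const xdg = process.env.XDG_DATA_HOME;` / `const localData = xdg && path_1.default.isAbsolute(xdg) ? xdg : path_1.default.join(homedir, '.local', 'share');`, and consider the same `isAbsolute` check for `LOCALAPPDATA` in the `win32` branch. The commit itself only adds coverage pragmas, so this is pre-existing; `appDataPath` closes outside the hunk.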
@@ -1,32 +1,9 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
- if (k2 === undefined) k2 = k;
- var desc = Object.getOwnPropertyDescriptor(m, k);
- if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
- desc = { enumerable: true, get: function() { return m[k]; } };
- }
- Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
- if (k2 === undefined) k2 = k;
- o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
- Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
- o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
- if (mod && mod.__esModule) return mod;
- var result = {};
- if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
- __setModuleDefault(result, mod);
- return result;
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
 return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TUFClient = exports.getTrustedRoot = void 0;
+exports.TUFClient = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -45,27 +22,12 @@ limitations under the License.
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const tuf_js_1 = require("tuf-js");
-const sigstore = __importStar(require("../types/sigstore"));
-const util_1 = require("../util");
 const target_1 = require("./target");
-const TRUSTED_ROOT_TARGET = 'trusted_root.json';
-const DEFAULT_CACHE_DIR = util_1.appdata.appDataPath('sigstore-js');
-const DEFAULT_MIRROR_URL = 'https://tuf-repo-cdn.sigstore.dev';
-const DEFAULT_TUF_ROOT_PATH = '../../store/public-good-instance-root.json';
-async function getTrustedRoot(options = {}) {
- const client = new TUFClient(options);
- const trustedRoot = await client.getTarget(TRUSTED_ROOT_TARGET);
- return sigstore.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
-}
-exports.getTrustedRoot = getTrustedRoot;
 class TUFClient {
 constructor(options) {
- const cachePath = options.cachePath || DEFAULT_CACHE_DIR;
- const tufRootPath = options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH);
- const mirrorURL = options.mirrorURL || DEFAULT_MIRROR_URL;
- initTufCache(cachePath, tufRootPath);
- const remote = initRemoteConfig(cachePath, mirrorURL);
- this.updater = initClient(cachePath, remote, options);
+ initTufCache(options.cachePath, options.rootPath);
+ const remote = initRemoteConfig(options.cachePath, options.mirrorURL);
+ this.updater = initClient(options.cachePath, remote, options);
 }
 async refresh() {
 return this.updater.refresh();
@@ -117,6 +79,7 @@ function initClient(cachePath, remote, options) {
 };
 // tuf-js only supports a number for fetchRetries so we have to
 // convert the boolean and object options to a number.
+ /* istanbul ignore if */
 if (typeof options.retry !== 'undefined') {
 if (typeof options.retry === 'number') {
 config.fetchRetries = options.retry;
diff --git a/node_modules/@sigstore/tuf/dist/error.js b/node_modules/@sigstore/tuf/dist/error.js
new file mode 100644
index 0000000000000..e13971b289ff2
--- /dev/null
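Review bot: The rewritten `constructor(options)` drops the defaults but adds no validation, so `options.cachePath`, `options.rootPath` and `options.mirrorURL` flow straight into `initTufCache` and `initRemoteConfig` (both defined outside this hunk) even when a caller leaves them undefined; `TUFClient` is still exported, so anyone constructing it directly with a partial options object will get whatever `fs`/`path` throw on `undefined`, or, depending on what those helpers do with it, a cache created somewhere unintended. Since `rootPath` is the trust anchor and `mirrorURL` the metadata source, a clear failure is better than a surprising default: `if (!options.cachePath || !options.rootPath || !options.mirrorURL) {` / `throw new Error('TUFClient requires cachePath, rootPath and mirrorURL');` / `}` at the top of the constructor. Moving the defaults into the package index is fine, but the class should not assume that is the only way it is instantiated.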
+++ b/node_modules/@sigstore/tuf/dist/error.js
@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TUFError = void 0;
+class TUFError extends Error {
+ constructor({ code, message, cause, }) {
+ super(message);
+ this.code = code;
+ this.cause = cause;
+ this.name = this.constructor.name;
+ }
+}
+exports.TUFError = TUFError;
diff --git a/node_modules/@sigstore/tuf/dist/index.js b/node_modules/@sigstore/tuf/dist/index.js
new file mode 100644
index 0000000000000..0d201c356dffc
--- /dev/null
+++ b/node_modules/@sigstore/tuf/dist/index.js
@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TUFError = exports.initTUF = exports.getTrustedRoot = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const protobuf_specs_1 = require("@sigstore/protobuf-specs");
+const appdata_1 = require("./appdata");
+const client_1 = require("./client");
+const DEFAULT_CACHE_DIR = 'sigstore-js';
+const DEFAULT_MIRROR_URL = 'https://tuf-repo-cdn.sigstore.dev';
+const DEFAULT_TUF_ROOT_PATH = '../store/public-good-instance-root.json';
+const DEFAULT_RETRY = { retries: 2 };
+const DEFAULT_TIMEOUT = 5000;
+const TRUSTED_ROOT_TARGET = 'trusted_root.json';
+async function getTrustedRoot(
+/* istanbul ignore next */
+options = {}) {
+ const client = createClient(options);
+ const trustedRoot = await client.getTarget(TRUSTED_ROOT_TARGET);
+ return protobuf_specs_1.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
+}
+exports.getTrustedRoot = getTrustedRoot;
+async function initTUF(
+/* istanbul ignore next */
+options = {}) {
+ const client = createClient(options);
+ return client.refresh().then(() => client);
+}
+exports.initTUF = initTUF;
+// Create a TUF client with default options
+function createClient(options) {
+ /* istanbul ignore next */
+ return new client_1.TUFClient({
+ cachePath: options.cachePath || (0, appdata_1.appDataPath)(DEFAULT_CACHE_DIR),
+ rootPath: options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH),
+ mirrorURL: options.mirrorURL || DEFAULT_MIRROR_URL,
+ retry: options.retry ?? DEFAULT_RETRY,
+ timeout: options.timeout ?? DEFAULT_TIMEOUT,
+ });
+}
+var error_1 = require("./error");
+Object.defineProperty(exports, "TUFError", { enumerable: true, get: function () { return error_1.TUFError; } });
diff --git a/node_modules/sigstore/dist/tuf/target.js b/node_modules/@sigstore/tuf/dist/target.js
similarity index 92%
rename from node_modules/sigstore/dist/tuf/target.js
rename to node_modules/@sigstore/tuf/dist/target.js
index d7df61e5a4076..29eaf99a7e721
--- a/node_modules/sigstore/dist/tuf/target.js
+++ b/node_modules/@sigstore/tuf/dist/target.js
@@ -20,14 +20,14 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 const fs_1 = __importDefault(require("fs"));
-const error_1 = require("../error");
+const error_1 = require("./error");
 // Downloads and returns the specified target from the provided TUF Updater.
 async function readTarget(tuf, targetPath) {
 const path = await getTargetPath(tuf, targetPath);
 return new Promise((resolve, reject) => {
 fs_1.default.readFile(path, 'utf-8', (err, data) => {
 if (err) {
- reject(new error_1.InternalError({
+ reject(new error_1.TUFError({
 code: 'TUF_READ_TARGET_ERROR',
 message: `error reading target ${path}`,
 cause: err,
@@ -49,14 +49,14 @@ async function getTargetPath(tuf, target) {
 targetInfo = await tuf.getTargetInfo(target);
 }
 catch (err) {
- throw new error_1.InternalError({
+ throw new error_1.TUFError({
 code: 'TUF_REFRESH_METADATA_ERROR',
 message: 'error refreshing TUF metadata',
 cause: err,
 });
 }
 if (!targetInfo) {
- throw new error_1.TUFError({
+ throw new error_1.TUFError({
 code: 'TUF_FIND_TARGET_ERROR',
 message: `target ${target} not found`,
 });
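Review bot: `getTrustedRoot` and `initTUF` are this package's public surface yet carry no documentation, and in `createClient` the one option that changes the security model, `rootPath`, reads exactly like tuning knobs such as `timeout`. A caller-supplied `rootPath` replaces the bundled `public-good-instance-root.json` as the trust anchor for everything the client subsequently verifies, and `mirrorURL` is only safe to point elsewhere because every download is checked against that root; none of that is visible from the code. I would add above `createClient`: `// rootPath is the trust anchor: a caller-supplied value REPLACES the bundled` / `// public-good root, so treat it as a trust decision, not a tunable; mirrorURL` / `// may be redirected only because TUF verifies all metadata against that root.` and a one-line JSDoc on each exported function (`getTrustedRoot` returns the TUF-verified `trusted_root.json` parsed as a `TrustedRoot`; `initTUF` returns a client whose metadata has been refreshed). Note also that `cachePath` defaults to a per-user data directory, so the persisted cache inherits whatever permissions that directory has.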
@@ -69,7 +69,7 @@ async function getTargetPath(tuf, target) {
 path = await tuf.downloadTarget(targetInfo);
 }
 catch (err) {
- throw new error_1.InternalError({
+ throw new error_1.TUFError({
 code: 'TUF_DOWNLOAD_TARGET_ERROR',
 message: `error downloading target ${path}`,
 cause: err,
diff --git a/node_modules/@sigstore/tuf/package.json b/node_modules/@sigstore/tuf/package.json
new file mode 100644
index 0000000000000..241dc32b3c8a9
--- /dev/null
+++ b/node_modules/@sigstore/tuf/package.json
@@ -0,0 +1,45 @@
+{
+ "name": "@sigstore/tuf",
+ "version": "1.0.0",
+ "description": "Client for the Sigstore TUF repository",
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts",
+ "scripts": {
+ "clean": "shx rm -rf dist *.tsbuildinfo",
+ "build": "tsc --build",
+ "test": "jest"
+ },
+ "files": [
+ "dist",
+ "store"
+ ],
+ "author": "bdehamer@github.com",
+ "license": "Apache-2.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/sigstore/sigstore-js.git"
+ },
+ "bugs": {
+ "url": "https://github.com/sigstore/sigstore-js/issues"
+ },
+ "homepage": "https://github.com/sigstore/sigstore-js/tree/main/packages/tuf#readme",
+ "publishConfig": {
+ "provenance": true
+ },
+ "devDependencies": {
+ "@total-typescript/shoehorn": "^0.1.0",
+ "@tufjs/repo-mock": "^1.1.0",
+ "@types/node": "^20.2.5",
+ "nock": "^13.2.4",
+ "shx": "^0.3.3",
+ "typescript": "^5.1.3"
+ },
+ "dependencies": {
+ "@sigstore/protobuf-specs": "^0.1.0",
+ "tuf-js": "^1.1.3",
+ "make-fetch-happen": "^11.0.1"
+ },
+ "engines": {
+ "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+ }
+}
diff --git a/node_modules/@sigstore/tuf/store/public-good-instance-root.json b/node_modules/@sigstore/tuf/store/public-good-instance-root.json
new file mode 100644
index 0000000000000..e95c7e88cdf09
--- /dev/null
+++ b/node_modules/@sigstore/tuf/store/public-good-instance-root.json
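Review bot: The download error message interpolates `${path}`, but inside this `catch` the assignment `path = await tuf.downloadTarget(targetInfo)` has just thrown, so `path` still holds whatever `getTargetPath` assigned before the hunk (presumably a cache miss, i.e. nothing useful) and the error reads `error downloading target undefined`. The sibling `TUF_FIND_TARGET_ERROR` message in the previous hunk uses the target name; this one should too: `message: \`error downloading target ${target}\`,`. This is pre-existing, the commit only renames `InternalError` to `TUFError`, and `getTargetPath` starts and ends outside the hunk.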
@@ -0,0 +1 @@ +{"signed":{"_type":"root","spec_version":"1.0","version":7,"expires":"2023-10-04T13:08:11Z","keys":{"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n"}},"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n"}},"45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n"}},"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n"}},"e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END 
PUBLIC KEY-----\n"}},"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n"}},"ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n"}}},"roles":{"root":{"keyids":["ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c","25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99","f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f","7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b","2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"],"threshold":3},"snapshot":{"keyids":["45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b"],"threshold":1},"targets":{"keyids":["ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c","25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99","f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f","7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b","2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"],"threshold":3},"timestamp":{"keyids":["e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99","sig":"3046022100c0610c0055ce5c4a52d054d7322e7b514d55baf44423d63aa4daa077cc60fd1f022100a097f2803f090fb66c42ead915a2c46ebe7db53a32bf18f21
88275cc936f8bdd"},{"keyid":"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f","sig":"304502203134f0468810299d5493a867c40630b341296b92e59c29821311d353343bb3a4022100e667ae3d304e7e3da0894c7425f6b9ecd917106841280e5cf6f3496ad5f8f68e"},{"keyid":"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b","sig":"3045022037fe5f45426f21eaaf4730d2136f2b1611d6379688f79b9d1e3f61719997135c022100b63b022d7b79d4694b96f416d88aa4d7b1a3bff8a01f4fb51e0f42137c7d2d06"},{"keyid":"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de","sig":"3044022007cc8fcc4940809f2751ad5b535f4c5f53f5b4952f5b5696b09668e743306ac1022006dfcdf94e94c92163eeb1b47796db62cedaa730aa13aa61b573fe23714730f2"}]} diff --git a/node_modules/sigstore/dist/external/rekor.js b/node_modules/sigstore/dist/external/rekor.js index 80650ce02ff9b..b6bbeb6f20793 100644 --- a/node_modules/sigstore/dist/external/rekor.js +++ b/node_modules/sigstore/dist/external/rekor.js @@ -39,7 +39,7 @@ class Rekor { } /** * Create a new entry in the Rekor log. - * @param propsedEntry {EntryKind} Data to create a new entry + * @param propsedEntry {ProposedEntry} Data to create a new entry * @returns {Promise} The created entry */ async createEntry(propsedEntry) { @@ -107,7 +107,7 @@ function entryFromResponse(data) { throw new Error('Received multiple entries in Rekor response'); } // Grab UUID and entry data from the response - const [uuid, entry] = Object.entries(data)[0]; + const [uuid, entry] = entries[0]; return { ...entry, uuid, diff --git a/node_modules/sigstore/dist/index.js b/node_modules/sigstore/dist/index.js index 502155e4d5f3f..126fce58e45bd 100644 --- a/node_modules/sigstore/dist/index.js +++ b/node_modules/sigstore/dist/index.js 
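Review bot: The bundled trust anchor is pinned at `"version":7` with `"expires":"2023-10-04T13:08:11Z"`, and nothing in this package checks that date, so the root shipped with a release will silently age out. A standard TUF client should chain from this root to newer root versions on the mirror, so expiry alone need not break verification once online, but a stale anchor is still a supply-chain smell; I would add a build- or release-time check that asserts the bundled root's `expires` is in the future so a forgotten refresh is caught at publish time rather than by users. The `root` and `targets` roles share the same five keyids with `"threshold":3`, while `snapshot` and `timestamp` are single-key roles; recording that layout in a short README beside the file would make a future root swap get reviewed as a trust change, not a data update.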
@@ -24,19 +24,4 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.sigstore = void 0;
-/*
-Copyright 2022 The Sigstore Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
 exports.sigstore = __importStar(require("./sigstore"));
diff --git a/node_modules/sigstore/dist/sigstore.js b/node_modules/sigstore/dist/sigstore.js
index 8d245e17b2a0c..a14c5957954d8 100644
--- a/node_modules/sigstore/dist/sigstore.js
+++ b/node_modules/sigstore/dist/sigstore.js
@@ -39,9 +39,9 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+const tuf = __importStar(require("@sigstore/tuf"));
 const config = __importStar(require("./config"));
 const sign_1 = require("./sign");
-const tuf = __importStar(require("./tuf"));
 const sigstore = __importStar(require("./types/sigstore"));
 const verify_1 = require("./verify");
 async function sign(payload, options = {}) {
@@ -51,7 +51,9 @@ async function sign(payload, options = {}) {
 const signer = new sign_1.Signer({
 ca,
 tlog,
- identityProviders: idps,
+ identityProviders: options.identityProvider
+ ? [options.identityProvider]
+ : idps,
 tlogUpload: options.tlogUpload,
 });
 const bundle = await signer.signBlob(payload);
@@ -67,7 +69,9 @@ async function attest(payload, payloadType, options = {}) {
 ca,
 tlog,
 tsa,
- identityProviders: idps,
+ identityProviders: options.identityProvider
+ ? [options.identityProvider]
+ : idps,
 tlogUpload: options.tlogUpload,
 });
 const bundle = await signer.signAttestation(payload, payloadType);
@@ -90,20 +94,27 @@ async function verify(bundle, payload, options = {}) {
 exports.verify = verify;
 const tufUtils = {
 client: (options = {}) => {
- const t = new tuf.TUFClient({
+ return tuf.initTUF({
 mirrorURL: options.tufMirrorURL,
 rootPath: options.tufRootPath,
 cachePath: options.tufCachePath,
- retry: options.retry ?? config.DEFAULT_RETRY,
- timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
+ retry: options.retry,
+ timeout: options.timeout,
 });
- return t.refresh().then(() => t);
 },
 /*
 * @deprecated Use tufUtils.client instead.
 */
 getTarget: (path, options = {}) => {
- return tufUtils.client(options).then((t) => t.getTarget(path));
+ return tuf
+ .initTUF({
+ mirrorURL: options.tufMirrorURL,
+ rootPath: options.tufRootPath,
+ cachePath: options.tufCachePath,
+ retry: options.retry,
+ timeout: options.timeout,
+ })
+ .then((t) => t.getTarget(path));
 },
 };
 exports.tuf = tufUtils;
diff --git a/node_modules/sigstore/dist/tlog/format.js b/node_modules/sigstore/dist/tlog/format.js
index 67077090455a1..b0eae95098af0 100644
--- a/node_modules/sigstore/dist/tlog/format.js
+++ b/node_modules/sigstore/dist/tlog/format.js
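Review bot: In the `tufUtils` hunk, the deprecated `getTarget` now re-implements the `tufMirrorURL`/`tufRootPath`/`tufCachePath`/`retry`/`timeout` mapping that `client` performs a few lines above, where the removed line simply delegated; two copies of an option map that includes the trust-root path will drift the first time a TUF option is added to only one of them. The wrapper can stay a one-liner: `return tufUtils.client(options).then((t) => t.getTarget(path));`. The same copy-paste shows up in the `identityProviders` ternary, which now appears verbatim in both `sign` and `attest`; a small helper such as `resolveIdentityProviders(options, idps)` would keep the two signing paths from diverging.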
@@ -1,10 +1,22 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.toProposedIntotoEntry = exports.toProposedHashedRekordEntry = void 0;
+exports.toProposedIntotoEntry = exports.toProposedHashedRekordEntry = exports.toProposedDSSEEntry = void 0;
+const sigstore_1 = require("../types/sigstore");
 const util_1 = require("../util");
-const types_1 = require("./types");
+const DEFAULT_DSSE_API_VERSION = '0.0.1';
 const DEFAULT_HASHEDREKORD_API_VERSION = '0.0.1';
 const DEFAULT_INTOTO_API_VERSION = '0.0.2';
+// Returns a properly formatted Rekor "dsse" entry for the given DSSE
+// envelope and signature
+function toProposedDSSEEntry(envelope, signature, apiVersion = DEFAULT_DSSE_API_VERSION) {
+ switch (apiVersion) {
+ case '0.0.1':
+ return toProposedDSSEV001Entry(envelope, signature);
+ default:
+ throw new Error(`Unsupported dsse kind API version: ${apiVersion}`);
+ }
+}
+exports.toProposedDSSEEntry = toProposedDSSEEntry;
 // Returns a properly formatted Rekor "hashedrekord" entry for the given digest
 // and signature
 function toProposedHashedRekordEntry(digest, signature) {
@@ -13,7 +25,7 @@ function toProposedHashedRekordEntry(digest, signature) {
 const b64Key = util_1.encoding.base64Encode(toPublicKey(signature));
 return {
 apiVersion: DEFAULT_HASHEDREKORD_API_VERSION,
- kind: types_1.HASHEDREKORD_KIND,
+ kind: 'hashedrekord',
 spec: {
 data: {
 hash: {
@@ -42,11 +54,23 @@ function toProposedIntotoEntry(envelope, signature, apiVersion = DEFAULT_INTOTO_
 }
 }
 exports.toProposedIntotoEntry = toProposedIntotoEntry;
+function toProposedDSSEV001Entry(envelope, signature) {
+ return {
+ apiVersion: '0.0.1',
+ kind: 'dsse',
+ spec: {
+ proposedContent: {
+ envelope: JSON.stringify(sigstore_1.Envelope.toJSON(envelope)),
+ verifiers: [util_1.encoding.base64Encode(toPublicKey(signature))],
+ },
+ },
+ };
+}
 function toProposedIntotoV002Entry(envelope, signature) {
 // Calculate the value for the payloadHash field in the Rekor entry
 const payloadHash = util_1.crypto.hash(envelope.payload).toString('hex');
 // Calculate the value for the hash field in the Rekor entry
- const envelopeHash = calculateDSSEHash(envelope);
+ const envelopeHash = calculateDSSEHash(envelope, signature);
 // Collect values for re-creating the DSSE envelope.
 // Double-encode payload and signature cause that's what Rekor expects
 const payload = util_1.encoding.base64Encode(envelope.payload.toString('base64'));
@@ -56,7 +80,7 @@ function toProposedIntotoV002Entry(envelope, signature) {
 // Create the envelope portion of the entry. Note the inclusion of the
 // publicKey in the signature struct is not a standard part of a DSSE
 // envelope, but is required by Rekor.
- const dsse = {
+ const dsseEnv = {
 payloadType: envelope.payloadType,
 payload: payload,
 signatures: [{ sig, publicKey }],
@@ -65,14 +89,14 @@ function toProposedIntotoV002Entry(envelope, signature) {
 // need to do the same here so that we can properly recreate the entry for
 // verification.
 if (keyid.length > 0) {
- dsse.signatures[0].keyid = keyid;
+ dsseEnv.signatures[0].keyid = keyid;
 }
 return {
 apiVersion: '0.0.2',
- kind: types_1.INTOTO_KIND,
+ kind: 'intoto',
 spec: {
 content: {
- envelope: dsse,
+ envelope: dsseEnv,
 hash: { algorithm: 'sha256', value: envelopeHash },
 payloadHash: { algorithm: 'sha256', value: payloadHash },
 },
@@ -86,17 +110,22 @@ function toProposedIntotoV002Entry(envelope, signature) {
 // * signature is base64 encoded (only the first signature is used)
 // * keyid is included ONLY if it is NOT an empty string
 // * The resulting JSON is canonicalized and hashed to a hex string
-function calculateDSSEHash(envelope) {
- const dsse = {
+function calculateDSSEHash(envelope, signature) {
+ const dsseEnv = {
 payloadType: envelope.payloadType,
 payload: envelope.payload.toString('base64'),
- signatures: [{ sig: envelope.signatures[0].sig.toString('base64') }],
+ signatures: [
+ {
+ sig: envelope.signatures[0].sig.toString('base64'),
+ publicKey: toPublicKey(signature),
+ },
+ ],
 };
 // If the keyid is an empty string, Rekor seems to remove it altogether.
 if (envelope.signatures[0].keyid.length > 0) {
- dsse.signatures[0].keyid = envelope.signatures[0].keyid;
+ dsseEnv.signatures[0].keyid = envelope.signatures[0].keyid;
 }
- return util_1.crypto.hash(util_1.json.canonicalize(dsse)).toString('hex');
+ return util_1.crypto.hash(util_1.json.canonicalize(dsseEnv)).toString('hex');
 }
 function toPublicKey(signature) {
 return signature.certificates
diff --git a/node_modules/sigstore/dist/tlog/types/__generated__/hashedrekord.js b/node_modules/sigstore/dist/tlog/types/__generated__/hashedrekord.js
deleted file mode 100644
index 61923a61cd8de..0000000000000
--- a/node_modules/sigstore/dist/tlog/types/__generated__/hashedrekord.js
+++ /dev/null
@@ -1,8 +0,0 @@
-"use strict";
-/* eslint-disable */
-/**
- * This file was automatically generated by json-schema-to-typescript.
- * DO NOT MODIFY IT BY HAND. Instead, modify the source JSONSchema file,
- * and run json-schema-to-typescript to regenerate this file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
diff --git a/node_modules/sigstore/dist/tlog/types/__generated__/intoto.js b/node_modules/sigstore/dist/tlog/types/__generated__/intoto.js
deleted file mode 100644
index 61923a61cd8de..0000000000000
--- a/node_modules/sigstore/dist/tlog/types/__generated__/intoto.js
+++ /dev/null
@@ -1,8 +0,0 @@
-"use strict";
-/* eslint-disable */
-/**
- * This file was automatically generated by json-schema-to-typescript.
- * DO NOT MODIFY IT BY HAND. Instead, modify the source JSONSchema file,
- * and run json-schema-to-typescript to regenerate this file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
diff --git a/node_modules/sigstore/dist/tlog/types/index.js b/node_modules/sigstore/dist/tlog/types/index.js
deleted file mode 100644
index d6394a95c8397..0000000000000
--- a/node_modules/sigstore/dist/tlog/types/index.js
+++ /dev/null
@@ -1,5 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.HASHEDREKORD_KIND = exports.INTOTO_KIND = void 0;
-exports.INTOTO_KIND = 'intoto';
-exports.HASHEDREKORD_KIND = 'hashedrekord';
diff --git a/node_modules/sigstore/dist/tlog/verify/body.js b/node_modules/sigstore/dist/tlog/verify/body.js
index 086e068a30dcb..5a265e5190c12 100644
--- a/node_modules/sigstore/dist/tlog/verify/body.js
+++ b/node_modules/sigstore/dist/tlog/verify/body.js
@@ -28,6 +28,9 @@ function verifyTLogBody(entry, bundleContent) {
 throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
 }
 switch (body.kind) {
+ case 'dsse':
+ verifyDSSETLogBody(body, bundleContent);
+ break;
 case 'intoto':
 verifyIntotoTLogBody(body, bundleContent);
 break;
@@ -45,6 +48,20 @@ function verifyTLogBody(entry, bundleContent) {
 }
 exports.verifyTLogBody = verifyTLogBody;
 // Compare the given intoto tlog entry to the given bundle
+function verifyDSSETLogBody(tlogEntry, content) {
+ if (content?.$case !== 'dsseEnvelope') {
+ throw new error_1.VerificationError(`unsupported bundle content: ${content?.$case || 'unknown'}`);
+ }
+ const dsse = content.dsseEnvelope;
+ switch (tlogEntry.apiVersion) {
+ case '0.0.1':
+ verifyDSSE001TLogBody(tlogEntry, dsse);
+ break;
+ default:
+ throw new error_1.VerificationError(`unsupported dsse version: ${tlogEntry.apiVersion}`);
+ }
+}
+// Compare the given intoto tlog entry to the given bundle
 function verifyIntotoTLogBody(tlogEntry, content) {
 if (content?.$case !== 'dsseEnvelope') {
 throw new error_1.VerificationError(`unsupported bundle content: ${content?.$case || 'unknown'}`);
@@ -72,6 +89,28 @@ function verifyHashedRekordTLogBody(tlogEntry, content) {
 throw new error_1.VerificationError(`unsupported hashedrekord version: ${tlogEntry.apiVersion}`);
 }
 }
+// Compare the given dsse v0.0.1 tlog entry to the given DSSE envelope.
+function verifyDSSE001TLogBody(tlogEntry, dsse) {
+ // Collect all of the signatures from the DSSE envelope
+ // Turns them into base64-encoded strings for comparison
+ const dsseSigs = dsse.signatures.map((signature) => signature.sig.toString('base64'));
+ // Collect all of the signatures from the tlog entry
+ const tlogSigs = tlogEntry.spec.signatures?.map((signature) => signature.signature);
+ // Ensure the bundle's DSSE and the tlog entry contain the same number of signatures
+ if (dsseSigs.length !== tlogSigs?.length) {
+ throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
+ }
+ // Ensure that every signature in the bundle's DSSE is present in the tlog entry
+ if (!dsseSigs.every((dsseSig) => tlogSigs.includes(dsseSig))) {
+ throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
+ }
+ // Ensure the digest of the bundle's DSSE payload matches the digest in the
+ // tlog entry
+ const dssePayloadHash = util_1.crypto.hash(dsse.payload).toString('hex');
+ if (dssePayloadHash !== tlogEntry.spec.payloadHash?.value) {
+ throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
+ }
+}
 // Compare the given intoto v0.0.2 tlog entry to the given DSSE envelope.
 function verifyIntoto002TLogBody(tlogEntry, dsse) {
 // Collect all of the signatures from the DSSE envelope
diff --git a/node_modules/sigstore/dist/types/sigstore/index.js b/node_modules/sigstore/dist/types/sigstore/index.js
index 544db63b002bf..4d9f6003744da 100644
--- a/node_modules/sigstore/dist/types/sigstore/index.js
+++ b/node_modules/sigstore/dist/types/sigstore/index.js
@@ -103,7 +103,8 @@ function toMessageSignatureBundle({ digest, signature, tlogEntry, timestamp, })
 }
 exports.toMessageSignatureBundle = toMessageSignatureBundle;
 function toTransparencyLogEntry(entry) {
- const set = Buffer.from(entry.verification.signedEntryTimestamp, 'base64');
+ const b64SET = entry.verification?.signedEntryTimestamp || '';
+ const set = Buffer.from(b64SET, 'base64');
 const logID = Buffer.from(entry.logID, 'hex');
 // Parse entry body so we can extract the kind and version.
 const bodyJSON = util_1.encoding.base64Decode(entry.body);
diff --git a/node_modules/sigstore/dist/x509/asn1/dump.js b/node_modules/sigstore/dist/util/asn1/dump.js
similarity index 100%
rename from node_modules/sigstore/dist/x509/asn1/dump.js
rename to node_modules/sigstore/dist/util/asn1/dump.js
diff --git a/node_modules/sigstore/dist/x509/asn1/error.js b/node_modules/sigstore/dist/util/asn1/error.js
similarity index 100%
rename from node_modules/sigstore/dist/x509/asn1/error.js
rename to node_modules/sigstore/dist/util/asn1/error.js
diff --git a/node_modules/sigstore/dist/util/asn1/index.js b/node_modules/sigstore/dist/util/asn1/index.js
new file mode 100644
index 0000000000000..348b2ea4022e5
--- /dev/null
+++ b/node_modules/sigstore/dist/util/asn1/index.js
@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ASN1Obj = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+var obj_1 = require("./obj");
+Object.defineProperty(exports, "ASN1Obj", { enumerable: true, get: function () { return obj_1.ASN1Obj; } });
diff --git a/node_modules/sigstore/dist/x509/asn1/length.js b/node_modules/sigstore/dist/util/asn1/length.js
similarity index 100%
rename from node_modules/sigstore/dist/x509/asn1/length.js
rename to node_modules/sigstore/dist/util/asn1/length.js
diff --git a/node_modules/sigstore/dist/x509/asn1/obj.js b/node_modules/sigstore/dist/util/asn1/obj.js
similarity index 95%
rename from node_modules/sigstore/dist/x509/asn1/obj.js
rename to node_modules/sigstore/dist/util/asn1/obj.js
index 712acf105adfc..5f9ac9cdbc493 100644
--- a/node_modules/sigstore/dist/x509/asn1/obj.js
+++ b/node_modules/sigstore/dist/util/asn1/obj.js
@@ -16,7 +16,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-const stream_1 = require("../../util/stream");
+const stream_1 = require("../stream");
 const error_1 = require("./error");
 const length_1 = require("./length");
 const parse_1 = require("./parse");
@@ -132,7 +132,10 @@ function parseStream(stream) {
 function collectSubs(stream, len) {
 // Calculate end of object content
 const end = stream.position + len;
- // Make sure there are enough bytes left in the stream
+ // Make sure there are enough bytes left in the stream. This should never
+ // happen, cause it'll get caught when the stream is sliced in parseStream.
+ // Leaving as an extra check just in case.
+ /* istanbul ignore if */
 if (end > stream.length) {
 throw new error_1.ASN1ParseError('invalid length');
 }
diff --git a/node_modules/sigstore/dist/x509/asn1/parse.js b/node_modules/sigstore/dist/util/asn1/parse.js
similarity index 100%
rename from node_modules/sigstore/dist/x509/asn1/parse.js
rename to node_modules/sigstore/dist/util/asn1/parse.js
diff --git a/node_modules/sigstore/dist/x509/asn1/tag.js b/node_modules/sigstore/dist/util/asn1/tag.js
similarity index 100%
rename from node_modules/sigstore/dist/x509/asn1/tag.js
rename to node_modules/sigstore/dist/util/asn1/tag.js
diff --git a/node_modules/sigstore/dist/util/index.js b/node_modules/sigstore/dist/util/index.js
index 74ef9c0b1121b..b7d6ce21aafd3 100644
--- a/node_modules/sigstore/dist/util/index.js
+++ b/node_modules/sigstore/dist/util/index.js
@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ua = exports.promise = exports.pem = exports.oidc = exports.json = exports.encoding = exports.dsse = exports.crypto = exports.appdata = void 0;
+exports.ua = exports.promise = exports.pem = exports.oidc = exports.json = exports.encoding = exports.dsse = exports.crypto = exports.asn1 = void 0;
 /*
 Copyright 2022 The Sigstore Authors.
@@ -39,7 +39,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-exports.appdata = __importStar(require("./appdata"));
+exports.asn1 = __importStar(require("./asn1"));
 exports.crypto = __importStar(require("./crypto"));
 exports.dsse = __importStar(require("./dsse"));
 exports.encoding = __importStar(require("./encoding"));
diff --git a/node_modules/sigstore/dist/util/stream.js b/node_modules/sigstore/dist/util/stream.js
index d5c8236123cdf..b5c881bb388d4 100644
--- a/node_modules/sigstore/dist/util/stream.js
+++ b/node_modules/sigstore/dist/util/stream.js
@@ -112,5 +112,5 @@ class ByteStream {
 this.view = newView;
 }
 }
-ByteStream.BLOCK_SIZE = 1024;
 exports.ByteStream = ByteStream;
+ByteStream.BLOCK_SIZE = 1024;
diff --git a/node_modules/sigstore/dist/x509/cert.js b/node_modules/sigstore/dist/x509/cert.js
index 0b8ab54740a06..ec14b5f47369d 100644
--- a/node_modules/sigstore/dist/x509/cert.js
+++ b/node_modules/sigstore/dist/x509/cert.js
@@ -2,8 +2,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.x509Certificate = void 0;
 const util_1 = require("../util");
+const asn1_1 = require("../util/asn1");
 const stream_1 = require("../util/stream");
-const obj_1 = require("./asn1/obj");
 const ext_1 = require("./ext");
 const EXTENSION_OID_SUBJECT_KEY_ID = '2.5.29.14';
 const EXTENSION_OID_KEY_USAGE = '2.5.29.15';
@@ -33,7 +33,7 @@ class x509Certificate {
 }
 static parse(cert) {
 const der = typeof cert === 'string' ? util_1.pem.toDER(cert) : cert;
- const asn1 = obj_1.ASN1Obj.parseBuffer(der);
+ const asn1 = asn1_1.ASN1Obj.parseBuffer(der);
 return new x509Certificate(asn1);
 }
 get tbsCertificate() {
diff --git a/node_modules/sigstore/dist/x509/ext.js b/node_modules/sigstore/dist/x509/ext.js
index c1743dce5556d..246aeb095802f 100644
--- a/node_modules/sigstore/dist/x509/ext.js
+++ b/node_modules/sigstore/dist/x509/ext.js
@@ -1,21 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.x509SCTExtension = exports.x509SubjectKeyIDExtension = exports.x509AuthorityKeyIDExtension = exports.x509SubjectAlternativeNameExtension = exports.x509KeyUsageExtension = exports.x509BasicConstraintsExtension = exports.x509Extension = void 0;
-/*
-Copyright 2023 The Sigstore Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
 const stream_1 = require("../util/stream");
 const sct_1 = require("./sct");
 // https://www.rfc-editor.org/rfc/rfc5280#section-4.1
diff --git a/node_modules/sigstore/package.json b/node_modules/sigstore/package.json
index 2ca34e2a445ad..b7dc6e30f0dcd 100644
--- a/node_modules/sigstore/package.json
+++ b/node_modules/sigstore/package.json
@@ -1,10 +1,11 @@
 {
 "name": "sigstore",
- "version": "1.5.2",
+ "version": "1.6.0",
 "description": "code-signing for npm packages",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
 "scripts": {
+ "clean": "shx rm -rf dist *.tsbuildinfo",
 "build": "tsc --build",
 "test": "jest"
 },
@@ -29,16 +30,20 @@
 "provenance": true
 },
 "devDependencies": {
+ "@sigstore/rekor-types": "^1.0.0",
 "@total-typescript/shoehorn": "^0.1.0",
 "@tufjs/repo-mock": "^1.1.0",
 "@types/make-fetch-happen": "^10.0.0",
- "@types/node": "^20.0.0",
+ "@types/sigstore-jest-extended": "^0.0.0",
+ "@types/node": "^20.2.5",
 "json-schema-to-typescript": "^13.0.0",
 "nock": "^13.2.4",
- "typescript": "^5.0.2"
+ "shx": "^0.3.3",
+ "typescript": "^5.1.3"
 },
 "dependencies": {
 "@sigstore/protobuf-specs": "^0.1.0",
+ "@sigstore/tuf": "^1.0.0",
 "make-fetch-happen": "^11.0.1",
 "tuf-js": "^1.1.3"
 },
diff --git a/package-lock.json b/package-lock.json
index 94a29d5db33f8..47b54422e6ff1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -140,7 +140,7 @@
 "qrcode-terminal": "^0.12.0",
 "read": "^2.1.0",
 "semver": "^7.5.2",
- "sigstore": "^1.5.0",
+ "sigstore": "^1.6.0",
 "ssri": "^10.0.4",
 "supports-color": "^9.3.1",
 "tar": "^6.1.14",
@@ -2704,6 +2704,20 @@
 "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
 }
 },
+ "node_modules/@sigstore/tuf": {
+ "version": "1.0.0",
+ "resolved": "https://registry.npmjs.org/@sigstore/tuf/-/tuf-1.0.0.tgz",
+ "integrity": "sha512-bLzi9GeZgMCvjJeLUIfs8LJYCxrPRA8IXQkzUtaFKKVPTz0mucRyqFcV2U20yg9K+kYAD0YSitzGfRZCFLjdHQ==",
+ "inBundle": true,
+ "dependencies": {
+ "@sigstore/protobuf-specs": "^0.1.0",
+ "make-fetch-happen": "^11.0.1",
+ "tuf-js": "^1.1.3"
+ },
+ "engines": {
+ "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+ }
+ },
 "node_modules/@tootallnate/once": {
 "version": "2.0.0",
 "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.0.tgz",
@@ -11447,12 +11461,13 @@
 }
 },
 "node_modules/sigstore": {
- "version": "1.5.2",
- "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.5.2.tgz",
- "integrity": "sha512-X95v6xAAooVpn7PaB94TDmFeSO5SBfCtB1R23fvzr36WTfjtkiiyOeei979nbTjc8nzh6FSLeltQZuODsm1EjQ==",
+ "version": "1.6.0",
+ "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.6.0.tgz",
+ "integrity": "sha512-QODKff/qW/TXOZI6V/Clqu74xnInAS6it05mufj4/fSewexLtfEntgLZZcBtUK44CDQyUE5TUXYy1ARYzlfG9g==",
 "inBundle": true,
 "dependencies": {
 "@sigstore/protobuf-specs": "^0.1.0",
+ "@sigstore/tuf": "^1.0.0",
 "make-fetch-happen": "^11.0.1",
 "tuf-js": "^1.1.3"
 },
diff --git a/package.json b/package.json
index fd2ef9c34e7c4..66698231fbd25 100644
--- a/package.json
+++ b/package.json
@@ -107,7 +107,7 @@
 "qrcode-terminal": "^0.12.0",
 "read": "^2.1.0",
 "semver": "^7.5.2",
- "sigstore": "^1.5.0",
+ "sigstore": "^1.6.0",
 "ssri": "^10.0.4",
 "supports-color": "^9.3.1",
 "tar": "^6.1.14",