diff --git a/DEPENDENCIES.md b/DEPENDENCIES.md
index 9fbe72ea56391..c6c01b9595a8d 100644
--- a/DEPENDENCIES.md
+++ b/DEPENDENCIES.md
@@ -742,6 +742,7 @@ graph LR;
   rimraf-->glob;
   semver-->lru-cache;
   sigstore-->make-fetch-happen;
+  sigstore-->sigstore-protobuf-specs["@sigstore/protobuf-specs"];
   sigstore-->tuf-js;
   socks-->ip;
   socks-->smart-buffer;
diff --git a/node_modules/.gitignore b/node_modules/.gitignore
index 4de626fa8c6c4..4358e2de8073a 100644
--- a/node_modules/.gitignore
+++ b/node_modules/.gitignore
@@ -29,6 +29,9 @@
 !/@npmcli/promise-spawn
 !/@npmcli/query
 !/@npmcli/run-script
+!/@sigstore/
+/@sigstore/*
+!/@sigstore/protobuf-specs
 !/@tootallnate/
 /@tootallnate/*
 !/@tootallnate/once
diff --git a/node_modules/@sigstore/protobuf-specs/LICENSE b/node_modules/@sigstore/protobuf-specs/LICENSE
new file mode 100644
index 0000000000000..e9e7c1679a09d
--- /dev/null
+++ b/node_modules/@sigstore/protobuf-specs/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2023 The Sigstore Authors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/envelope.d.ts b/node_modules/@sigstore/protobuf-specs/dist/__generated__/envelope.d.ts
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/envelope.d.ts
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/envelope.d.ts
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/envelope.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/envelope.js
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/envelope.js
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/envelope.js
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/google/api/field_behavior.d.ts b/node_modules/@sigstore/protobuf-specs/dist/__generated__/google/api/field_behavior.d.ts
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/google/api/field_behavior.d.ts
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/google/api/field_behavior.d.ts
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/google/api/field_behavior.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/google/api/field_behavior.js
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/google/api/field_behavior.js
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/google/api/field_behavior.js
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/google/protobuf/descriptor.d.ts b/node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/descriptor.d.ts
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/google/protobuf/descriptor.d.ts
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/descriptor.d.ts
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/google/protobuf/descriptor.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/descriptor.js
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/google/protobuf/descriptor.js
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/descriptor.js
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/google/protobuf/timestamp.d.ts b/node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/timestamp.d.ts
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/google/protobuf/timestamp.d.ts
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/timestamp.d.ts
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/google/protobuf/timestamp.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/timestamp.js
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/google/protobuf/timestamp.js
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/google/protobuf/timestamp.js
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_bundle.d.ts b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_bundle.d.ts
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_bundle.d.ts
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_bundle.d.ts
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_bundle.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_bundle.js
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_bundle.js
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_bundle.js
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_common.d.ts b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_common.d.ts
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_common.d.ts
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_common.d.ts
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_common.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_common.js
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_common.js
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_common.js
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_rekor.d.ts b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_rekor.d.ts
similarity index 87%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_rekor.d.ts
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_rekor.d.ts
index 9e33bb80e2a86..74eb82513ddb1 100644
--- a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_rekor.d.ts
+++ b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_rekor.d.ts
@@ -98,12 +98,19 @@ export interface TransparencyLogEntry {
      */
     inclusionProof: InclusionProof | undefined;
     /**
-     * The canonicalized Rekor entry body, used for SET verification. This
-     * is the same as the body returned by Rekor. It's included here for
-     * cases where the client cannot deterministically reconstruct the
-     * bundle from the other fields. Clients MUST verify that the signature
-     * referenced in the canonicalized_body matches the signature provided
-     * in the bundle content.
+     * The canonicalized transparency log entry, used to reconstruct
+     * the Signed Entry Timestamp (SET) during verification.
+     * The contents of this field are the same as the `body` field in
+     * a Rekor response, meaning that it does **not** include the "full"
+     * canonicalized form (of log index, ID, etc.) which are
+     * exposed as separate fields. The verifier is responsible for
+     * combining the `canonicalized_body`, `log_index`, `log_id`,
+     * and `integrated_time` into the payload that the SET's signature
+     * is generated over.
+     *
+     * Clients MUST verify that the signatured referenced in the
+     * `canonicalized_body` matches the signature provided in the
+     * `Bundle.content`.
      */
     canonicalizedBody: Buffer;
 }
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_rekor.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_rekor.js
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_rekor.js
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_rekor.js
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_trustroot.d.ts b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.d.ts
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_trustroot.d.ts
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.d.ts
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_trustroot.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.js
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_trustroot.js
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.js
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_verification.d.ts b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_verification.d.ts
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_verification.d.ts
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_verification.d.ts
diff --git a/node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_verification.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_verification.js
similarity index 100%
rename from node_modules/sigstore/dist/types/sigstore/__generated__/sigstore_verification.js
rename to node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_verification.js
diff --git a/node_modules/@sigstore/protobuf-specs/dist/index.d.ts b/node_modules/@sigstore/protobuf-specs/dist/index.d.ts
new file mode 100644
index 0000000000000..f87f0aba29ab6
--- /dev/null
+++ b/node_modules/@sigstore/protobuf-specs/dist/index.d.ts
@@ -0,0 +1,6 @@
+export * from './__generated__/envelope';
+export * from './__generated__/sigstore_bundle';
+export * from './__generated__/sigstore_common';
+export * from './__generated__/sigstore_rekor';
+export * from './__generated__/sigstore_trustroot';
+export * from './__generated__/sigstore_verification';
diff --git a/node_modules/@sigstore/protobuf-specs/dist/index.js b/node_modules/@sigstore/protobuf-specs/dist/index.js
new file mode 100644
index 0000000000000..eafb768c48fca
--- /dev/null
+++ b/node_modules/@sigstore/protobuf-specs/dist/index.js
@@ -0,0 +1,37 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+__exportStar(require("./__generated__/envelope"), exports);
+__exportStar(require("./__generated__/sigstore_bundle"), exports);
+__exportStar(require("./__generated__/sigstore_common"), exports);
+__exportStar(require("./__generated__/sigstore_rekor"), exports);
+__exportStar(require("./__generated__/sigstore_trustroot"), exports);
+__exportStar(require("./__generated__/sigstore_verification"), exports);
diff --git a/node_modules/@sigstore/protobuf-specs/package.json b/node_modules/@sigstore/protobuf-specs/package.json
new file mode 100644
index 0000000000000..7cb4aa9c5364f
--- /dev/null
+++ b/node_modules/@sigstore/protobuf-specs/package.json
@@ -0,0 +1,31 @@
+{
+  "name": "@sigstore/protobuf-specs",
+  "version": "0.1.0",
+  "description": "code-signing for npm packages",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sigstore/protobuf-specs.git"
+  },
+  "files": [
+    "dist"
+  ],
+  "author": "bdehamer@github.com",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/sigstore/protobuf-specs/issues"
+  },
+  "homepage": "https://github.com/sigstore/protobuf-specs#readme",
+  "devDependencies": {
+    "@tsconfig/node14": "^1.0.3",
+    "@types/node": "^18.14.0",
+    "typescript": "^4.9.5"
+  },
+  "engines": {
+    "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+  }
+}
diff --git a/node_modules/sigstore/LICENSE b/node_modules/sigstore/LICENSE
index d645695673349..e9e7c1679a09d 100644
--- a/node_modules/sigstore/LICENSE
+++ b/node_modules/sigstore/LICENSE
@@ -187,7 +187,7 @@
 same "printed page" as the copyright notice for easier
 identification within third-party archives.
- Copyright [yyyy] [name of copyright owner]
+ Copyright 2023 The Sigstore Authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/node_modules/sigstore/dist/sigstore.d.ts b/node_modules/sigstore/dist/sigstore.d.ts
index bb3034383e695..22c5d2a45f87b 100644
--- a/node_modules/sigstore/dist/sigstore.d.ts
+++ b/node_modules/sigstore/dist/sigstore.d.ts
@@ -8,6 +8,10 @@ export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev";
 interface TLogOptions {
     rekorURL?: string;
 }
+interface TUFOptions {
+    tufMirrorURL?: string;
+    tufRootPath?: string;
+}
 export type SignOptions = {
     fulcioURL?: string;
     identityToken?: string;
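Review bot: The new `TUFOptions` fields `tufMirrorURL` and `tufRootPath` in sigstore.d.ts carry no doc comment, although they replace the repository `verify()` fetches the trusted root from and the root.json that anchors that fetch, which a caller should not have to infer from the field names. Suggested comments: `/** Base URL of the TUF repository mirror to fetch the trusted root from; defaults to the public Sigstore mirror. */` above `tufMirrorURL`, and `/** Path to an initial TUF root.json; supplying it changes the trust anchor that every verification result depends on. */` above `tufRootPath`. The same undocumented `mirrorURL`/`rootPath` pair is exported from tuf/index.d.ts further down this diff and would take the same two comments.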
@@ -23,7 +27,7 @@ export type VerifyOptions = {
     certificateIdentityURI?: string;
     certificateOIDs?: Record;
     keySelector?: KeySelector;
-} & TLogOptions;
+} & TLogOptions & TUFOptions;
 type Bundle = sigstore.SerializedBundle;
 export declare function sign(payload: Buffer, options?: SignOptions): Promise;
 export declare function attest(payload: Buffer, payloadType: string, options?: SignOptions): Promise;
diff --git a/node_modules/sigstore/dist/sigstore.js b/node_modules/sigstore/dist/sigstore.js
index ef8fb2058a47e..34b269aadd7d3 100644
--- a/node_modules/sigstore/dist/sigstore.js
+++ b/node_modules/sigstore/dist/sigstore.js
@@ -42,15 +42,13 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-const fs_1 = __importDefault(require("fs"));
-const os_1 = __importDefault(require("os"));
-const path_1 = __importDefault(require("path"));
 const ca_1 = require("./ca");
 const identity_1 = __importDefault(require("./identity"));
 const sign_1 = require("./sign");
 const tlog_1 = require("./tlog");
 const tuf = __importStar(require("./tuf"));
 const sigstore = __importStar(require("./types/sigstore"));
+const util_1 = require("./util");
 const verify_1 = require("./verify");
 exports.utils = __importStar(require("./sigstore-utils"));
 exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';
@@ -65,6 +63,7 @@ function createTLogClient(options) {
         rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL,
     });
 }
+const tufCacheDir = util_1.appdata.appDataPath('sigstore-js');
 async function sign(payload, options = {}) {
     const ca = createCAClient(options);
     const tlog = createTLogClient(options);
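Review bot: `tufCacheDir` is evaluated once at module load from `util_1.appdata.appDataPath('sigstore-js')` with no readability/writability check, whereas the `defaultCacheDir` it replaces probed the home directory and fell back to `os.tmpdir()`, so an unwritable app-data location will now surface only as a failure inside the cache setup during `verify()`. Dropping the temp-directory fallback is arguably the safer choice, since the cached root.json is a trust anchor that should not live in a world-shared directory, but it is a deliberate behaviour change worth stating at the declaration, e.g. `// Process-wide TUF cache; no tmpdir fallback on purpose — the cached root.json is a trust anchor and must not sit in a directory other local users can write.` Whether `appDataPath` guarantees a per-user location is not visible in this diff and should be confirmed.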
@@ -92,8 +91,10 @@ async function attest(payload, payloadType, options = {}) {
 }
 exports.attest = attest;
 async function verify(bundle, payload, options = {}) {
-    const cacheDir = defaultCacheDir();
-    const trustedRoot = await tuf.getTrustedRoot(cacheDir);
+    const trustedRoot = await tuf.getTrustedRoot(tufCacheDir, {
+        mirrorURL: options.tufMirrorURL,
+        rootPath: options.tufRootPath,
+    });
     const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
     const deserializedBundle = sigstore.bundleFromJSON(bundle);
     const opts = collectArtifactVerificationOptions(options);
@@ -119,16 +120,6 @@ function configureIdentityProviders(options) {
     }
     return idps;
 }
-function defaultCacheDir() {
-    let cacheRootDir = os_1.default.homedir();
-    try {
-        fs_1.default.accessSync(os_1.default.homedir(), fs_1.default.constants.W_OK | fs_1.default.constants.R_OK);
-    }
-    catch (e) {
-        cacheRootDir = os_1.default.tmpdir();
-    }
-    return path_1.default.join(cacheRootDir, '.sigstore', 'js-root');
-}
 // Assembles the AtifactVerificationOptions from the supplied VerifyOptions.
 function collectArtifactVerificationOptions(options) {
     // The trusted signers are only used if the options contain a certificate
diff --git a/node_modules/sigstore/dist/tlog/types/__generated__/hashedrekord.js b/node_modules/sigstore/dist/tlog/types/__generated__/hashedrekord.js
index 5383a370094cd..61923a61cd8de 100644
--- a/node_modules/sigstore/dist/tlog/types/__generated__/hashedrekord.js
+++ b/node_modules/sigstore/dist/tlog/types/__generated__/hashedrekord.js
@@ -1,5 +1,5 @@
 "use strict";
-/* tslint:disable */
+/* eslint-disable */
 /**
  * This file was automatically generated by json-schema-to-typescript.
  * DO NOT MODIFY IT BY HAND. Instead, modify the source JSONSchema file,
diff --git a/node_modules/sigstore/dist/tlog/types/__generated__/intoto.js b/node_modules/sigstore/dist/tlog/types/__generated__/intoto.js
index 5383a370094cd..61923a61cd8de 100644
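Review bot: `verify()` passes the caller's `tufMirrorURL`/`tufRootPath` to `tuf.getTrustedRoot` but always keys the cache on the fixed `tufCacheDir`, so a verification against a custom mirror and root shares one `root.json` and one `targets` directory with the public-good default. In the `tuf/index.js` hunk later on this page, `initTufCache` copies the supplied root only when `root.json` is absent, which means a custom `tufRootPath` is silently ignored once an earlier call has populated the cache, and metadata fetched from one mirror becomes the cached state for another. Keying the cache directory on the mirror URL (or on the supplied root) would keep the two trust anchors apart; failing that, the call site needs a comment such as `// NOTE: the TUF cache is shared across mirrors/roots; the first root.json written to it wins.` Whether `initRemoteConfig` likewise prefers an existing `remote.json` over the passed `mirrorURL` is only suggested by its comment at the end of this page and would need confirming in the rest of that function.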
--- a/node_modules/sigstore/dist/tlog/types/__generated__/intoto.js
+++ b/node_modules/sigstore/dist/tlog/types/__generated__/intoto.js
@@ -1,5 +1,5 @@
 "use strict";
-/* tslint:disable */
+/* eslint-disable */
 /**
  * This file was automatically generated by json-schema-to-typescript.
  * DO NOT MODIFY IT BY HAND. Instead, modify the source JSONSchema file,
diff --git a/node_modules/sigstore/dist/tuf/index.d.ts b/node_modules/sigstore/dist/tuf/index.d.ts
index 349ff08b3be4b..455fc6af06c54 100644
--- a/node_modules/sigstore/dist/tuf/index.d.ts
+++ b/node_modules/sigstore/dist/tuf/index.d.ts
@@ -1,2 +1,6 @@
 import * as sigstore from '../types/sigstore';
-export declare function getTrustedRoot(cacheDir: string): Promise;
+export interface TUFOptions {
+    mirrorURL?: string;
+    rootPath?: string;
+}
+export declare function getTrustedRoot(cachePath: string, options?: TUFOptions): Promise;
diff --git a/node_modules/sigstore/dist/tuf/index.js b/node_modules/sigstore/dist/tuf/index.js
index 1aea238ef32ff..824bce9105ed8 100644
--- a/node_modules/sigstore/dist/tuf/index.js
+++ b/node_modules/sigstore/dist/tuf/index.js
@@ -1,4 +1,27 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -22,55 +45,62 @@ limitations under the License.
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const tuf_js_1 = require("tuf-js");
-const trustroot_1 = require("./trustroot");
-async function getTrustedRoot(cacheDir) {
- initTufCache(cacheDir);
- const repoMap = initRepoMap(cacheDir);
- const repoClients = Object.entries(repoMap.repositories).map(([name, urls]) => initClient(name, urls[0], cacheDir));
- // TODO: Add support for multiple repositories. For now, we just use the first
- // one (the production Sigstore TUF repository).
- const fetcher = new trustroot_1.TrustedRootFetcher(repoClients[0]);
- return fetcher.getTrustedRoot();
+const sigstore = __importStar(require("../types/sigstore"));
+const target_1 = require("./target");
+const TRUSTED_ROOT_TARGET = 'trusted_root.json';
+const DEFAULT_MIRROR_URL = 'https://sigstore-tuf-root.storage.googleapis.com';
+const DEFAULT_TUF_ROOT_PATH = '../../store/public-good-instance-root.json';
+async function getTrustedRoot(cachePath, options = {}) {
+ const tufRootPath = options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH);
+ const mirrorURL = options.mirrorURL || DEFAULT_MIRROR_URL;
+ initTufCache(cachePath, tufRootPath);
+ const remote = initRemoteConfig(cachePath, mirrorURL);
+ const repoClient = initClient(cachePath, remote);
+ const trustedRoot = await (0, target_1.getTarget)(repoClient, TRUSTED_ROOT_TARGET);
+ return sigstore.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
 }
 exports.getTrustedRoot = getTrustedRoot;
-// Initializes the root TUF cache directory
-function initTufCache(cacheDir) {
- if (!fs_1.default.existsSync(cacheDir)) {
- fs_1.default.mkdirSync(cacheDir, { recursive: true });
+// Initializes the TUF cache directory structure including the initial
+// root.json file. If the cache directory does not exist, it will be
+// created. If the targets directory does not exist, it will be created.
+// If the root.json file does not exist, it will be copied from the
+// rootPath argument.
+function initTufCache(cachePath, tufRootPath) {
+ const targetsPath = path_1.default.join(cachePath, 'targets');
+ const cachedRootPath = path_1.default.join(cachePath, 'root.json');
+ if (!fs_1.default.existsSync(cachePath)) {
+ fs_1.default.mkdirSync(cachePath, { recursive: true });
 }
-}
-// Initializes the repo map (copying it to the cache root dir) and returns the
-// content of the repository map.
-function initRepoMap(rootDir) {
- const mapDest = path_1.default.join(rootDir, 'map.json');
- if (!fs_1.default.existsSync(mapDest)) {
- const mapSrc = require.resolve('../../store/map.json');
- fs_1.default.copyFileSync(mapSrc, mapDest);
+ if (!fs_1.default.existsSync(targetsPath)) {
+ fs_1.default.mkdirSync(targetsPath);
 }
- const buf = fs_1.default.readFileSync(mapDest);
- return JSON.parse(buf.toString('utf-8'));
+ if (!fs_1.default.existsSync(cachedRootPath)) {
+ fs_1.default.copyFileSync(tufRootPath, cachedRootPath);
+ }
+ return cachePath;
 }
-function initClient(name, url, rootDir) {
- const repoCachePath = path_1.default.join(rootDir, name);
- const targetCachePath = path_1.default.join(repoCachePath, 'targets');
- const tufRootDest = path_1.default.join(repoCachePath, 'root.json');
- // Only copy the TUF trusted root if it doesn't already exist. It's possible
- // that the cached root has already been updated, so we don't want to roll it
- // back.
- if (!fs_1.default.existsSync(tufRootDest)) {
- const tufRootSrc = require.resolve(`../../store/${name}-root.json`);
- fs_1.default.mkdirSync(repoCachePath);
- fs_1.default.copyFileSync(tufRootSrc, tufRootDest);
+// Initializes the remote.json file, which contains the URL of the TUF
+// repository. If the file does not exist, it will be created. If the file
+// exists, it will be parsed and returned.
+function initRemoteConfig(rootDir, mirrorURL) {
+ let remoteConfig;
+ const remoteConfigPath = path_1.default.join(rootDir, 'remote.json');
+ if (fs_1.default.existsSync(remoteConfigPath)) {
+ const data = fs_1.default.readFileSync(remoteConfigPath, 'utf-8');
+ remoteConfig = JSON.parse(data);
 }
- if (!fs_1.default.existsSync(targetCachePath)) {
- fs_1.default.mkdirSync(targetCachePath);
+ if (!remoteConfig) {
+ remoteConfig = { mirror: mirrorURL };
+ fs_1.default.writeFileSync(remoteConfigPath, JSON.stringify(remoteConfig));
 }
- // TODO: Is there some better way to derive the base URL for the targets?
- // Hard-coding for now based on current Sigstore TUF repo layout.
+ return remoteConfig;
+}
+function initClient(cachePath, remote) {
+ const baseURL = remote.mirror;
 return new tuf_js_1.Updater({
- metadataBaseUrl: url,
- targetBaseUrl: `${url}/targets`,
- metadataDir: repoCachePath,
- targetDir: targetCachePath,
+ metadataBaseUrl: baseURL,
+ targetBaseUrl: `${baseURL}/targets`,
+ metadataDir: cachePath,
+ targetDir: path_1.default.join(cachePath, 'targets'),
 });
 }
diff --git a/node_modules/sigstore/dist/tuf/target.d.ts b/node_modules/sigstore/dist/tuf/target.d.ts
new file mode 100644
index 0000000000000..aed81654f3be0
--- /dev/null
+++ b/node_modules/sigstore/dist/tuf/target.d.ts
@@ -0,0 +1,2 @@
+import { Updater } from 'tuf-js';
+export declare function getTarget(tuf: Updater, targetPath: string): Promise;
diff --git a/node_modules/sigstore/dist/tuf/target.js b/node_modules/sigstore/dist/tuf/target.js
new file mode 100644
index 0000000000000..ac708cdbcf1ce
--- /dev/null
+++ b/node_modules/sigstore/dist/tuf/target.js
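Review bot: In `initRemoteConfig`, once a `remote.json` exists in the cache its `mirror` value wins unconditionally, so a caller's `options.mirrorURL` is silently ignored on every run after the first, and a file with a missing or non-string `mirror` reaches `initClient` as `metadataBaseUrl: undefined` instead of failing early. I would validate what was read before trusting it, e.g. `if (remoteConfig && typeof remoteConfig.mirror !== 'string') { throw new Error(`invalid mirror in ${remoteConfigPath}`); }`, and state in the `getTrustedRoot` comment that `mirrorURL` only takes effect when the cache is first initialised. Separately, the old `initClient` comment explaining why the cached `root.json` is never overwritten was dropped and `initTufCache`'s new comment says what happens but not why; I'd restore the rationale above the `existsSync(cachedRootPath)` check as `// Do not overwrite an existing root.json: the TUF client may already have updated it past the bundled copy, and copying again would roll that back.`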
@@ -0,0 +1,60 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+ return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getTarget = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const fs_1 = __importDefault(require("fs"));
+const error_1 = require("../error");
+// Returns the local path to the specified target. If the target is not yet
+// cached locally, the provided TUF Updater will be used to download and
+// cache the target.
+async function getTarget(tuf, targetPath) {
+ const path = await getTargetPath(tuf, targetPath);
+ try {
+ return fs_1.default.readFileSync(path, 'utf-8');
+ }
+ catch (err) {
+ throw new error_1.InternalError(`error reading trusted root: ${err}`);
+ }
+}
+exports.getTarget = getTarget;
+async function getTargetPath(tuf, target) {
+ let targetInfo;
+ try {
+ targetInfo = await tuf.refresh().then(() => tuf.getTargetInfo(target));
+ }
+ catch (err) {
+ throw new error_1.InternalError(`error refreshing TUF metadata: ${err}`);
+ }
+ if (!targetInfo) {
+ throw new error_1.InternalError(`target ${target} not found`);
+ }
+ let path = await tuf.findCachedTarget(targetInfo);
+ // An empty path here means the target has not been cached locally, or is
+ // out of date. In either case, we need to download it.
+ if (!path) {
+ try {
+ path = await tuf.downloadTarget(targetInfo);
+ }
+ catch (err) {
+ throw new error_1.InternalError(`error downloading target: ${err}`);
+ }
+ }
+ return path;
+}
diff --git a/node_modules/sigstore/dist/tuf/trustroot.d.ts b/node_modules/sigstore/dist/tuf/trustroot.d.ts
deleted file mode 100644
index 615fffae62a80..0000000000000
--- a/node_modules/sigstore/dist/tuf/trustroot.d.ts
+++ /dev/null
@@ -1,11 +0,0 @@
-import { Updater } from 'tuf-js';
-import * as sigstore from '../types/sigstore';
-export declare class TrustedRootFetcher {
- private tuf;
- constructor(tuf: Updater);
- getTrustedRoot(): Promise;
- private allTargets;
- private getTLogKeys;
- private getCAKeys;
- private readTargetBytes;
-}
diff --git a/node_modules/sigstore/dist/tuf/trustroot.js b/node_modules/sigstore/dist/tuf/trustroot.js
deleted file mode 100644
index dcf491cdaefe8..0000000000000
--- a/node_modules/sigstore/dist/tuf/trustroot.js
+++ /dev/null
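Review bot: The catch block in `getTarget` labels every read failure `error reading trusted root`, but the function is generic over `targetPath` and `getTrustedRoot` is only one caller, so the message misattributes failures for any other target; `throw new error_1.InternalError(`error reading target ${targetPath}: ${err}`);` keeps it accurate. In `getTargetPath`, `await tuf.refresh().then(() => tuf.getTargetInfo(target))` mixes `await` with a `.then` chain inside the `try`; two plain awaits, `await tuf.refresh();` followed by `targetInfo = await tuf.getTargetInfo(target);`, read more clearly with the same error handling. Interpolating `${err}` into the message also discards the original error's stack, which matters when distinguishing a TUF verification failure from a network one; if `InternalError` accepts an options object, passing the original as `cause` would preserve it.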
@@ -1,163 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
- if (k2 === undefined) k2 = k;
- var desc = Object.getOwnPropertyDescriptor(m, k);
- if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
- desc = { enumerable: true, get: function() { return m[k]; } };
- }
- Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
- if (k2 === undefined) k2 = k;
- o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
- Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
- o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
- if (mod && mod.__esModule) return mod;
- var result = {};
- if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
- __setModuleDefault(result, mod);
- return result;
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
- return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TrustedRootFetcher = void 0;
-/*
-Copyright 2023 The Sigstore Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-const fs_1 = __importDefault(require("fs"));
-const error_1 = require("../error");
-const sigstore = __importStar(require("../types/sigstore"));
-const util_1 = require("../util");
-const TRUSTED_ROOT_MEDIA_TYPE = 'application/vnd.dev.sigstore.trustedroot+json;version=0.1';
-// Type guard for SigstoreTargetMetadata
-function isTargetMetadata(m) {
- return (m !== undefined &&
- m !== null &&
- typeof m === 'object' &&
- 'status' in m &&
- 'usage' in m &&
- 'uri' in m);
-}
-class TrustedRootFetcher {
- constructor(tuf) {
- this.tuf = tuf;
- }
- // Assembles a TrustedRoot from the targets in the TUF repo
- async getTrustedRoot() {
- // Get all available targets
- const targets = await this.allTargets();
- const cas = await this.getCAKeys(targets, 'Fulcio');
- const ctlogs = await this.getTLogKeys(targets, 'CTFE');
- const tlogs = await this.getTLogKeys(targets, 'Rekor');
- return {
- mediaType: TRUSTED_ROOT_MEDIA_TYPE,
- certificateAuthorities: cas,
- ctlogs: ctlogs,
- tlogs: tlogs,
- timestampAuthorities: [],
- };
- }
- // Retrieves the list of TUF targets.
- // NOTE: This is a HACK to get around the fact that the TUF library doesn't
- // expose the list of targets. This is a temporary solution until TUF comes up
- // with a story for target discovery.
- // https://docs.google.com/document/d/1rWHAM2qCUtnjWD4lOrGWE2EIDLoA7eSy4-jB66Wgh0o
- async allTargets() {
- try {
- await this.tuf.refresh();
- }
- catch (e) {
- throw new error_1.InternalError('error refreshing trust metadata');
- }
- return Object.values(
- // eslint-disable-next-line @typescript-eslint/no-explicit-any
- this.tuf.trustedSet.targets?.signed.targets || {});
- }
- // Filters the supplied list of targets to those with the specified usage
- // and returns a new TransparencyLogInstance for each with the associated
- // public key populated.
- async getTLogKeys(targets, usage) {
- const filteredTargets = filterByUsage(targets, usage);
- return Promise.all(filteredTargets.map(async (target) => {
- const keyBytes = await this.readTargetBytes(target);
- const uri = isTargetMetadata(target.custom.sigstore)
- ? target.custom.sigstore.uri
- : '';
- // The log ID is not present in the Sigstore target metadata, but
- // can be derived by hashing the contents of the public key.
- return {
- baseUrl: uri,
- hashAlgorithm: sigstore.HashAlgorithm.SHA2_256,
- logId: { keyId: util_1.crypto.hash(keyBytes) },
- publicKey: {
- keyDetails: sigstore.PublicKeyDetails.PKIX_ECDSA_P256_SHA_256,
- rawBytes: keyBytes,
- },
- };
- }));
- }
- // Filters the supplied list of targets to those with the specified usage
- // and returns a new CertificateAuthority populated with all of the associated
- // certificates.
- // NOTE: The Sigstore target metadata does NOT provide any mechanism to link
- // related certificates (e.g. a root and intermediate). As a result, we
- // assume that all certificates located here are part of the same chain.
- // This works out OK since our certificate chain verification code tries all
- // possible permutations of the certificates until it finds one that results
- // in a valid, trusted chain.
- async getCAKeys(targets, usage) {
- const filteredTargets = filterByUsage(targets, usage);
- const certs = await Promise.all(filteredTargets.map(async (target) => await this.readTargetBytes(target)));
- return [
- {
- uri: '',
- subject: undefined,
- validFor: { start: new Date(0) },
- certChain: {
- certificates: certs.map((cert) => ({ rawBytes: cert })),
- },
- },
- ];
- }
- // Reads the contents of the specified target file as a DER-encoded buffer.
- async readTargetBytes(target) {
- try {
- let path = await this.tuf.findCachedTarget(target);
- // An empty path here means the target has not been cached locally, or is
- // out of date. In either case, we need to download it.
- if (!path) {
- path = await this.tuf.downloadTarget(target);
- }
- const file = fs_1.default.readFileSync(path);
- return util_1.pem.toDER(file.toString('utf-8'));
- }
- catch (err) {
- throw new error_1.InternalError(`error reading key/certificate for ${target.path}`);
- }
- }
-}
-exports.TrustedRootFetcher = TrustedRootFetcher;
-function filterByUsage(targets, usage) {
- return targets.filter((target) => {
- const meta = target.custom.sigstore;
- return isTargetMetadata(meta) && meta.usage === usage;
- });
-}
diff --git a/node_modules/sigstore/dist/types/sigstore/index.d.ts b/node_modules/sigstore/dist/types/sigstore/index.d.ts
index 26dd2150d548e..70b2896fbdcba 100644
--- a/node_modules/sigstore/dist/types/sigstore/index.d.ts
+++ b/node_modules/sigstore/dist/types/sigstore/index.d.ts
@@ -1,21 +1,13 @@
 ///
+import { ArtifactVerificationOptions, Bundle, Envelope, TransparencyLogEntry, VerificationMaterial } from '@sigstore/protobuf-specs';
 import { Entry } from '../../tlog';
 import { x509Certificate } from '../../x509/cert';
 import { SignatureMaterial } from '../signature';
 import { WithRequired } from '../utility';
 import { ValidBundle } from './validate';
-import { Envelope } from './__generated__/envelope';
-import { Bundle, VerificationMaterial } from './__generated__/sigstore_bundle';
-import { TransparencyLogEntry } from './__generated__/sigstore_rekor';
-import { ArtifactVerificationOptions } from './__generated__/sigstore_verification';
+export * from '@sigstore/protobuf-specs';
 export * from './serialized';
 export * from './validate';
-export * from './__generated__/envelope';
-export * from './__generated__/sigstore_bundle';
-export * from './__generated__/sigstore_common';
-export { TransparencyLogEntry } from './__generated__/sigstore_rekor';
-export * from './__generated__/sigstore_trustroot';
-export * from './__generated__/sigstore_verification';
 export declare const bundleToJSON: (message: Bundle) => unknown;
 export declare const bundleFromJSON: (obj: any) => ValidBundle;
 export declare const envelopeToJSON: (message: Envelope) => unknown;
diff --git a/node_modules/sigstore/dist/types/sigstore/index.js b/node_modules/sigstore/dist/types/sigstore/index.js
index df07d6dc9fc29..55df7e744de19 100644
--- a/node_modules/sigstore/dist/types/sigstore/index.js
+++ b/node_modules/sigstore/dist/types/sigstore/index.js
@@ -14,32 +14,39 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.signingCertificate = exports.bundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.envelopeFromJSON = exports.envelopeToJSON = exports.bundleFromJSON = exports.bundleToJSON = exports.TransparencyLogEntry = void 0;
+exports.signingCertificate = exports.bundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.envelopeFromJSON = exports.envelopeToJSON = exports.bundleFromJSON = exports.bundleToJSON = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const protobuf_specs_1 = require("@sigstore/protobuf-specs");
 const util_1 = require("../../util");
 const cert_1 = require("../../x509/cert");
 const validate_1 = require("./validate");
-const envelope_1 = require("./__generated__/envelope");
-const sigstore_bundle_1 = require("./__generated__/sigstore_bundle");
-const sigstore_common_1 = require("./__generated__/sigstore_common");
+__exportStar(require("@sigstore/protobuf-specs"), exports);
 __exportStar(require("./serialized"), exports);
 __exportStar(require("./validate"), exports);
-__exportStar(require("./__generated__/envelope"), exports);
-__exportStar(require("./__generated__/sigstore_bundle"), exports);
-__exportStar(require("./__generated__/sigstore_common"), exports);
-var sigstore_rekor_1 = require("./__generated__/sigstore_rekor");
-Object.defineProperty(exports, "TransparencyLogEntry", { enumerable: true, get: function () { return sigstore_rekor_1.TransparencyLogEntry; } });
-__exportStar(require("./__generated__/sigstore_trustroot"), exports);
-__exportStar(require("./__generated__/sigstore_verification"), exports);
-exports.bundleToJSON = sigstore_bundle_1.Bundle.toJSON;
+exports.bundleToJSON = protobuf_specs_1.Bundle.toJSON;
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const bundleFromJSON = (obj) => {
- const bundle = sigstore_bundle_1.Bundle.fromJSON(obj);
+ const bundle = protobuf_specs_1.Bundle.fromJSON(obj);
 (0, validate_1.assertValidBundle)(bundle);
 return bundle;
 };
 exports.bundleFromJSON = bundleFromJSON;
-exports.envelopeToJSON = envelope_1.Envelope.toJSON;
-exports.envelopeFromJSON = envelope_1.Envelope.fromJSON;
+exports.envelopeToJSON = protobuf_specs_1.Envelope.toJSON;
+exports.envelopeFromJSON = protobuf_specs_1.Envelope.fromJSON;
 const BUNDLE_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1';
 // Type guard for narrowing a Bundle to a BundleWithVerificationMaterial
 function isBundleWithVerificationMaterial(bundle) {
@@ -80,7 +87,7 @@ exports.bundle = {
 $case: 'messageSignature',
 messageSignature: {
 messageDigest: {
- algorithm: sigstore_common_1.HashAlgorithm.SHA2_256,
+ algorithm: protobuf_specs_1.HashAlgorithm.SHA2_256,
 digest: digest,
 },
 signature: signature.signature,
diff --git a/node_modules/sigstore/dist/types/sigstore/validate.d.ts b/node_modules/sigstore/dist/types/sigstore/validate.d.ts
index fd0a354282426..7d8316fd2e6a2 100644
--- a/node_modules/sigstore/dist/types/sigstore/validate.d.ts
+++ b/node_modules/sigstore/dist/types/sigstore/validate.d.ts
@@ -1,6 +1,5 @@
+import { Bundle, MessageSignature, VerificationMaterial } from '@sigstore/protobuf-specs';
 import { WithRequired } from '../utility';
-import { Bundle, VerificationMaterial } from './__generated__/sigstore_bundle';
-import { MessageSignature } from './__generated__/sigstore_common';
 export type ValidBundle = Bundle & {
 verificationMaterial: VerificationMaterial & {
 content: NonNullable;
diff --git a/node_modules/sigstore/dist/types/sigstore/validate.js b/node_modules/sigstore/dist/types/sigstore/validate.js
index a19d8ad3ec702..efd873ab65701 100644
--- a/node_modules/sigstore/dist/types/sigstore/validate.js
+++ b/node_modules/sigstore/dist/types/sigstore/validate.js
@@ -1,21 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.assertValidBundle = void 0;
-/*
-Copyright 2023 The Sigstore Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
 const error_1 = require("../../error");
 // Performs basic validation of a Sigstore bundle to ensure that all required
 // fields are populated. This is not a complete validation of the bundle, but
diff --git a/node_modules/sigstore/dist/util/appdata.d.ts b/node_modules/sigstore/dist/util/appdata.d.ts
new file mode 100644
index 0000000000000..dcdaeef418bd6
--- /dev/null
+++ b/node_modules/sigstore/dist/util/appdata.d.ts
@@ -0,0 +1 @@
+export declare function appDataPath(name: string): string;
diff --git a/node_modules/sigstore/dist/util/appdata.js b/node_modules/sigstore/dist/util/appdata.js
new file mode 100644
index 0000000000000..d0c7f6f079e50
--- /dev/null
+++ b/node_modules/sigstore/dist/util/appdata.js
@@ -0,0 +1,26 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+ return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.appDataPath = void 0;
+const os_1 = __importDefault(require("os"));
+const path_1 = __importDefault(require("path"));
+function appDataPath(name) {
+ const homedir = os_1.default.homedir();
+ switch (process.platform) {
+ case 'darwin': {
+ const appSupport = path_1.default.join(homedir, 'Library', 'Application Support');
+ return path_1.default.join(appSupport, name);
+ }
+ case 'win32': {
+ const localAppData = process.env.LOCALAPPDATA || path_1.default.join(homedir, 'AppData', 'Local');
+ return path_1.default.join(localAppData, name, 'Data');
+ }
+ default: {
+ const localData = process.env.XDG_DATA_HOME || path_1.default.join(homedir, '.local', 'share');
+ return path_1.default.join(localData, name);
+ }
+ }
+}
+exports.appDataPath = appDataPath;
diff --git a/node_modules/sigstore/dist/util/index.d.ts b/node_modules/sigstore/dist/util/index.d.ts
index 786a19630cd60..02e4ddc69b15c 100644
--- a/node_modules/sigstore/dist/util/index.d.ts
+++ b/node_modules/sigstore/dist/util/index.d.ts
@@ -1,3 +1,4 @@
+export * as appdata from './appdata';
 export * as crypto from './crypto';
 export * as dsse from './dsse';
 export * as encoding from './encoding';
diff --git a/node_modules/sigstore/dist/util/index.js b/node_modules/sigstore/dist/util/index.js
index 2c02116cbf07d..74ef9c0b1121b 100644
--- a/node_modules/sigstore/dist/util/index.js
+++ b/node_modules/sigstore/dist/util/index.js
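Review bot: `appDataPath` takes `XDG_DATA_HOME` and `LOCALAPPDATA` straight from the environment without checking that they are absolute, so a relative value silently yields a directory under the process's working directory; the XDG base-directory specification says relative `XDG_*` values must be ignored. Given the rest of this commit the returned path presumably becomes the TUF cache that holds `root.json` and `remote.json`, so I would only honour an absolute value: `const xdg = process.env.XDG_DATA_HOME;` then `const localData = xdg && path_1.default.isAbsolute(xdg) ? xdg : path_1.default.join(homedir, '.local', 'share');`, with the same guard on `LOCALAPPDATA`. The `win32` branch also appends a `Data` segment that the other platforms do not, which deserves a one-line comment naming the convention being followed.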
@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ua = exports.promise = exports.pem = exports.oidc = exports.json = exports.encoding = exports.dsse = exports.crypto = void 0;
+exports.ua = exports.promise = exports.pem = exports.oidc = exports.json = exports.encoding = exports.dsse = exports.crypto = exports.appdata = void 0;
 /*
 Copyright 2022 The Sigstore Authors.
 
@@ -39,6 +39,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+exports.appdata = __importStar(require("./appdata"));
 exports.crypto = __importStar(require("./crypto"));
 exports.dsse = __importStar(require("./dsse"));
 exports.encoding = __importStar(require("./encoding"));
diff --git a/node_modules/sigstore/dist/verify.js b/node_modules/sigstore/dist/verify.js
index 1bcef03b5f7ba..9d21b553ac523 100644
--- a/node_modules/sigstore/dist/verify.js
+++ b/node_modules/sigstore/dist/verify.js
@@ -37,7 +37,7 @@ class Verifier {
 // Verifies the bundle signature, the bundle's certificate chain (if present)
 // and the bundle's transparency log entries.
 verify(bundle, options, data) {
- this.verifyArtifactSignature(bundle, options, data);
+ this.verifyArtifactSignature(bundle, data);
 if (sigstore.isBundleWithCertificateChain(bundle)) {
 this.verifySigningCertificate(bundle, options);
 }
@@ -45,8 +45,8 @@ class Verifier {
 }
 // Performs bundle signature verification. Determines the type of the bundle
 // content and delegates to the appropriate signature verification function.
- verifyArtifactSignature(bundle, options, data) {
- const publicKey = this.getPublicKey(bundle, options);
+ verifyArtifactSignature(bundle, data) {
+ const publicKey = this.getPublicKey(bundle);
 switch (bundle.content?.$case) {
 case 'messageSignature':
 if (!data) {
@@ -79,7 +79,7 @@ class Verifier {
 // Returns the public key which will be used to verify the bundle signature.
 // The public key is selected based on the verification material in the bundle
 // and the options provided.
- getPublicKey(bundle, options) {
+ getPublicKey(bundle) {
 // Select the key which will be used to verify the signature
 switch (bundle.verificationMaterial?.content?.$case) {
 // If the bundle contains a certificate chain, the public key is the
@@ -89,7 +89,7 @@ class Verifier {
 // If the bundle contains a public key hint, the public key is selected
 // from the list of trusted keys in the options
 case 'publicKey':
- return getPublicKeyFromHint(bundle.verificationMaterial.content.publicKey, options, this.keySelector);
+ return getPublicKeyFromHint(bundle.verificationMaterial.content.publicKey, this.keySelector);
 }
 }
 }
@@ -101,7 +101,7 @@ function getPublicKeyFromCertificateChain(certificateChain) {
 }
 // Retrieves the public key through the key selector callback, passing the
 // public key hint from the bundle
-function getPublicKeyFromHint(publicKeyID, options, keySelector) {
+function getPublicKeyFromHint(publicKeyID, keySelector) {
 const key = keySelector(publicKeyID.hint);
 if (!key) {
 throw new error_1.VerificationError('no public key found for signature verification');
diff --git a/node_modules/sigstore/package.json b/node_modules/sigstore/package.json
index 1a5960822eb0e..b0e856df9a340 100644
--- a/node_modules/sigstore/package.json
+++ b/node_modules/sigstore/package.json
@@ -1,6 +1,6 @@
 {
 "name": "sigstore",
- "version": "1.0.0",
+ "version": "1.1.1",
 "description": "code-signing for npm packages",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -12,7 +12,7 @@
 "lint": "eslint --fix --ext .ts src/**",
 "lint:check": "eslint --max-warnings 0 --ext .ts src/**",
 "format": "prettier --write \"src/**/*\"",
- "codegen:sigstore": "./hack/generate-sigstore-types",
+ "release": "npm run build && changeset publish",
 "codegen:rekor": "./hack/generate-rekor-types"
 },
 "bin": {
@@ -22,6 +22,9 @@
 "type": "git",
 "url": "git+https://github.com/sigstore/sigstore-js.git"
 },
+ "publishConfig": {
+ "provenance": true
+ },
 "files": [
 "dist",
 "store"
@@ -33,6 +36,7 @@
 },
 "homepage": "https://github.com/sigstore/sigstore-js#readme",
 "devDependencies": {
+ "@changesets/cli": "^2.26.0",
 "@tsconfig/node14": "^1.0.3",
 "@types/jest": "^29.4.0",
 "@types/make-fetch-happen": "^10.0.0",
@@ -43,13 +47,14 @@
 "eslint-config-prettier": "^8.5.0",
 "eslint-plugin-prettier": "^4.0.0",
 "jest": "^29.4.1",
- "json-schema-to-typescript": "^11.0.2",
+ "json-schema-to-typescript": "^12.0.0",
 "nock": "^13.2.4",
 "prettier": "^2.6.2",
 "ts-jest": "^29.0.5",
 "typescript": "^4.7.2"
 },
 "dependencies": {
+ "@sigstore/protobuf-specs": "^0.1.0",
 "make-fetch-happen": "^11.0.1",
 "tuf-js": "^1.0.0"
 },
diff --git a/node_modules/sigstore/store/map.json b/node_modules/sigstore/store/map.json
deleted file mode 100644
index 620bf0bedbf44..0000000000000
--- a/node_modules/sigstore/store/map.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "repositories": {
- "public-good-instance": [
- "https://sigstore-tuf-root.storage.googleapis.com"
- ]
- },
- "mapping": [
- {
- "paths": [
- "*"
- ],
- "repositories": [
- "public-good-instance"
- ],
- "terminating": true,
- "threshold": 1
- }
- ]
-}
diff --git a/package-lock.json b/package-lock.json
index 6dbb00892b7e5..d8583548f7af0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2429,6 +2429,15 @@
 "@octokit/openapi-types": "^16.0.0"
 }
 },
+ "node_modules/@sigstore/protobuf-specs": {
+ "version": "0.1.0",
+ "resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.1.0.tgz",
+ "integrity": "sha512-a31EnjuIDSX8IXBUib3cYLDRlPMU36AWX4xS8ysLaNu4ZzUesDiPt83pgrW2X1YLMe5L2HbDyaKK5BrL4cNKaQ==",
+ "inBundle": true,
+ "engines": {
+ "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+ }
+ },
 "node_modules/@tootallnate/once": {
 "version": "2.0.0",
 "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.0.tgz",
@@ -11168,11 +11177,12 @@
 "inBundle": true
 },
 "node_modules/sigstore": {
- "version": "1.0.0",
- "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.0.0.tgz",
- "integrity": "sha512-e+qfbn/zf1+rCza/BhIA//Awmf0v1pa5HQS8Xk8iXrn9bgytytVLqYD0P7NSqZ6IELTgq+tcDvLPkQjNHyWLNg==",
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.1.1.tgz",
+ "integrity": "sha512-4hR3tPP1y59YWlaoAgAWFVZ7srTjNWOrrpkQXWu05qP0BvwFYyt3K3l848+IHo+mKhkOzGcNDf7ktASXLEPC+A==",
 "inBundle": true,
 "dependencies": {
+ "@sigstore/protobuf-specs": "^0.1.0",
 "make-fetch-happen": "^11.0.1",
 "tuf-js": "^1.0.0"
 },