deps: sigstore@2.3.0

wraithgar · wraithgar · commit c18a0ade8c4e · 2024-04-09T13:13:38.000-07:00
diff --git a/node_modules/@sigstore/bundle/dist/build.js b/node_modules/@sigstore/bundle/dist/build.js
@@ -21,7 +21,9 @@ const bundle_1 = require("./bundle");
 // Message signature bundle - $case: 'messageSignature'
 function toMessageSignatureBundle(options) {
     return {
-        mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE,
+        mediaType: options.singleCertificate
+            ? bundle_1.BUNDLE_V03_MEDIA_TYPE
+            : bundle_1.BUNDLE_V02_MEDIA_TYPE,
         content: {
             $case: 'messageSignature',
             messageSignature: {
@@ -39,7 +41,9 @@ exports.toMessageSignatureBundle = toMessageSignatureBundle;
 // DSSE envelope bundle - $case: 'dsseEnvelope'
 function toDSSEBundle(options) {
     return {
-        mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE,
+        mediaType: options.singleCertificate
+            ? bundle_1.BUNDLE_V03_MEDIA_TYPE
+            : bundle_1.BUNDLE_V02_MEDIA_TYPE,
         content: {
             $case: 'dsseEnvelope',
             dsseEnvelope: toEnvelope(options),
@@ -71,12 +75,20 @@ function toVerificationMaterial(options) {
 }
 function toKeyContent(options) {
     if (options.certificate) {
-        return {
-            $case: 'x509CertificateChain',
-            x509CertificateChain: {
-                certificates: [{ rawBytes: options.certificate }],
-            },
-        };
+        if (options.singleCertificate) {
+            return {
+                $case: 'certificate',
+                certificate: { rawBytes: options.certificate },
+            };
+        }
+        else {
+            return {
+                $case: 'x509CertificateChain',
+                x509CertificateChain: {
+                    certificates: [{ rawBytes: options.certificate }],
+                },
+            };
+        }
     }
     else {
         return {
diff --git a/node_modules/@sigstore/bundle/dist/bundle.js b/node_modules/@sigstore/bundle/dist/bundle.js
@@ -1,9 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
+exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
 exports.BUNDLE_V01_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1';
 exports.BUNDLE_V02_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.2';
-exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3';
+exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3';
+exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle.v0.3+json';
 // Type guards for bundle variants.
 function isBundleWithCertificateChain(b) {
     return b.verificationMaterial.content.$case === 'x509CertificateChain';
diff --git a/node_modules/@sigstore/bundle/dist/index.js b/node_modules/@sigstore/bundle/dist/index.js
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBundleV01 = exports.assertBundleV02 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0;
+exports.isBundleV01 = exports.assertBundleV02 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -22,6 +22,7 @@ Object.defineProperty(exports, "toMessageSignatureBundle", { enumerable: true, g
 var bundle_1 = require("./bundle");
 Object.defineProperty(exports, "BUNDLE_V01_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V01_MEDIA_TYPE; } });
 Object.defineProperty(exports, "BUNDLE_V02_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V02_MEDIA_TYPE; } });
+Object.defineProperty(exports, "BUNDLE_V03_LEGACY_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V03_LEGACY_MEDIA_TYPE; } });
 Object.defineProperty(exports, "BUNDLE_V03_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V03_MEDIA_TYPE; } });
 Object.defineProperty(exports, "isBundleWithCertificateChain", { enumerable: true, get: function () { return bundle_1.isBundleWithCertificateChain; } });
 Object.defineProperty(exports, "isBundleWithDsseEnvelope", { enumerable: true, get: function () { return bundle_1.isBundleWithDsseEnvelope; } });
diff --git a/node_modules/@sigstore/bundle/dist/validate.js b/node_modules/@sigstore/bundle/dist/validate.js
@@ -74,7 +74,8 @@ function validateBundleBase(b) {
     const invalidValues = [];
     // Media type validation
     if (b.mediaType === undefined ||
-        !b.mediaType.startsWith('application/vnd.dev.sigstore.bundle+json;version=')) {
+        (!b.mediaType.match(/^application\/vnd\.dev\.sigstore\.bundle\+json;version=\d\.\d/) &&
+            !b.mediaType.match(/^application\/vnd\.dev\.sigstore\.bundle\.v\d\.\d\+json/))) {
         invalidValues.push('mediaType');
     }
     // Content-related validation
diff --git a/node_modules/@sigstore/bundle/package.json b/node_modules/@sigstore/bundle/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/bundle",
-  "version": "2.2.0",
+  "version": "2.3.1",
   "description": "Sigstore bundle type",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -27,7 +27,7 @@
     "provenance": true
   },
   "dependencies": {
-    "@sigstore/protobuf-specs": "^0.3.0"
+    "@sigstore/protobuf-specs": "^0.3.1"
   },
   "engines": {
     "node": "^16.14.0 || >=18.0.0"
diff --git a/node_modules/@sigstore/core/dist/crypto.js b/node_modules/@sigstore/core/dist/crypto.js
@@ -21,12 +21,12 @@ limitations under the License.
 */
 const crypto_1 = __importDefault(require("crypto"));
 const SHA256_ALGORITHM = 'sha256';
-function createPublicKey(key) {
+function createPublicKey(key, type = 'spki') {
     if (typeof key === 'string') {
         return crypto_1.default.createPublicKey(key);
     }
     else {
-        return crypto_1.default.createPublicKey({ key, format: 'der', type: 'spki' });
+        return crypto_1.default.createPublicKey({ key, format: 'der', type: type });
     }
 }
 exports.createPublicKey = createPublicKey;
diff --git a/node_modules/@sigstore/core/package.json b/node_modules/@sigstore/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/core",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Base library for Sigstore",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
diff --git a/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.js
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TrustedRoot = exports.CertificateAuthority = exports.TransparencyLogInstance = void 0;
+exports.ClientTrustConfig = exports.SigningConfig = exports.TrustedRoot = exports.CertificateAuthority = exports.TransparencyLogInstance = void 0;
 /* eslint-disable */
 const sigstore_common_1 = require("./sigstore_common");
 function createBaseTransparencyLogInstance() {
@@ -98,6 +98,58 @@ exports.TrustedRoot = {
         return obj;
     },
 };
+function createBaseSigningConfig() {
+    return { caUrl: "", oidcUrl: "", tlogUrls: [], tsaUrls: [] };
+}
+exports.SigningConfig = {
+    fromJSON(object) {
+        return {
+            caUrl: isSet(object.caUrl) ? String(object.caUrl) : "",
+            oidcUrl: isSet(object.oidcUrl) ? String(object.oidcUrl) : "",
+            tlogUrls: Array.isArray(object?.tlogUrls) ? object.tlogUrls.map((e) => String(e)) : [],
+            tsaUrls: Array.isArray(object?.tsaUrls) ? object.tsaUrls.map((e) => String(e)) : [],
+        };
+    },
+    toJSON(message) {
+        const obj = {};
+        message.caUrl !== undefined && (obj.caUrl = message.caUrl);
+        message.oidcUrl !== undefined && (obj.oidcUrl = message.oidcUrl);
+        if (message.tlogUrls) {
+            obj.tlogUrls = message.tlogUrls.map((e) => e);
+        }
+        else {
+            obj.tlogUrls = [];
+        }
+        if (message.tsaUrls) {
+            obj.tsaUrls = message.tsaUrls.map((e) => e);
+        }
+        else {
+            obj.tsaUrls = [];
+        }
+        return obj;
+    },
+};
+function createBaseClientTrustConfig() {
+    return { mediaType: "", trustedRoot: undefined, signingConfig: undefined };
+}
+exports.ClientTrustConfig = {
+    fromJSON(object) {
+        return {
+            mediaType: isSet(object.mediaType) ? String(object.mediaType) : "",
+            trustedRoot: isSet(object.trustedRoot) ? exports.TrustedRoot.fromJSON(object.trustedRoot) : undefined,
+            signingConfig: isSet(object.signingConfig) ? exports.SigningConfig.fromJSON(object.signingConfig) : undefined,
+        };
+    },
+    toJSON(message) {
+        const obj = {};
+        message.mediaType !== undefined && (obj.mediaType = message.mediaType);
+        message.trustedRoot !== undefined &&
+            (obj.trustedRoot = message.trustedRoot ? exports.TrustedRoot.toJSON(message.trustedRoot) : undefined);
+        message.signingConfig !== undefined &&
+            (obj.signingConfig = message.signingConfig ? exports.SigningConfig.toJSON(message.signingConfig) : undefined);
+        return obj;
+    },
+};
 function isSet(value) {
     return value !== null && value !== undefined;
 }
diff --git a/node_modules/@sigstore/protobuf-specs/package.json b/node_modules/@sigstore/protobuf-specs/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/protobuf-specs",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "code-signing for npm packages",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -21,11 +21,11 @@
   },
   "homepage": "https://github.com/sigstore/protobuf-specs#readme",
   "devDependencies": {
-    "@tsconfig/node14": "^1.0.3",
+    "@tsconfig/node16": "^16.1.1",
     "@types/node": "^18.14.0",
     "typescript": "^4.9.5"
   },
   "engines": {
-    "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+    "node": "^16.14.0 || >=18.0.0"
   }
 }
diff --git a/node_modules/@sigstore/sign/dist/bundler/bundle.js b/node_modules/@sigstore/sign/dist/bundler/bundle.js
@@ -56,7 +56,7 @@ function toMessageSignatureBundle(artifact, signature) {
 }
 exports.toMessageSignatureBundle = toMessageSignatureBundle;
 // DSSE envelope bundle - $case: 'dsseEnvelope'
-function toDSSEBundle(artifact, signature) {
+function toDSSEBundle(artifact, signature, singleCertificate) {
     return sigstore.toDSSEBundle({
         artifact: artifact.data,
         artifactType: artifact.type,
@@ -65,6 +65,7 @@ function toDSSEBundle(artifact, signature) {
             ? util_1.pem.toDER(signature.key.certificate)
             : undefined,
         keyHint: signature.key.$case === 'publicKey' ? signature.key.hint : undefined,
+        singleCertificate,
     });
 }
 exports.toDSSEBundle = toDSSEBundle;
diff --git a/node_modules/@sigstore/sign/dist/bundler/dsse.js b/node_modules/@sigstore/sign/dist/bundler/dsse.js
@@ -23,6 +23,7 @@ const bundle_1 = require("./bundle");
 class DSSEBundleBuilder extends base_1.BaseBundleBuilder {
     constructor(options) {
         super(options);
+        this.singleCertificate = options.singleCertificate ?? false;
     }
     // DSSE requires the artifact to be pre-encoded with the payload type
     // before the signature is generated.
@@ -32,7 +33,7 @@ class DSSEBundleBuilder extends base_1.BaseBundleBuilder {
     }
     // Packages the artifact and signature into a DSSE bundle
     async package(artifact, signature) {
-        return (0, bundle_1.toDSSEBundle)(artifactDefaults(artifact), signature);
+        return (0, bundle_1.toDSSEBundle)(artifactDefaults(artifact), signature, this.singleCertificate);
     }
 }
 exports.DSSEBundleBuilder = DSSEBundleBuilder;
diff --git a/node_modules/@sigstore/sign/package.json b/node_modules/@sigstore/sign/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/sign",
-  "version": "2.2.3",
+  "version": "2.3.0",
   "description": "Sigstore signing library",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -27,14 +27,14 @@
   },
   "devDependencies": {
     "@sigstore/jest": "^0.0.0",
-    "@sigstore/mock": "^0.6.5",
+    "@sigstore/mock": "^0.7.0",
     "@sigstore/rekor-types": "^2.0.0",
     "@types/make-fetch-happen": "^10.0.4"
   },
   "dependencies": {
-    "@sigstore/bundle": "^2.2.0",
+    "@sigstore/bundle": "^2.3.0",
     "@sigstore/core": "^1.0.0",
-    "@sigstore/protobuf-specs": "^0.3.0",
+    "@sigstore/protobuf-specs": "^0.3.1",
     "make-fetch-happen": "^13.0.0"
   },
   "engines": {
diff --git a/node_modules/@sigstore/verify/dist/tlog/intoto.js b/node_modules/@sigstore/verify/dist/tlog/intoto.js
@@ -42,11 +42,12 @@ function verifyIntoto002TLogBody(tlogEntry, content) {
     // Signature is double-base64-encoded in the tlog entry
     const tlogSig = base64Decode(tlogEntry.spec.content.envelope.signatures[0].sig);
     // Ensure that the signature in the bundle's DSSE matches tlog entry
-    if (!content.compareSignature(Buffer.from(tlogSig, 'base64')))
+    if (!content.compareSignature(Buffer.from(tlogSig, 'base64'))) {
         throw new error_1.VerificationError({
             code: 'TLOG_BODY_ERROR',
             message: 'tlog entry signature mismatch',
         });
+    }
     // Ensure the digest of the bundle's DSSE payload matches the digest in the
     // tlog entry
     const tlogHash = tlogEntry.spec.content.payloadHash?.value || '';
diff --git a/node_modules/@sigstore/verify/dist/trust/index.js b/node_modules/@sigstore/verify/dist/trust/index.js
@@ -17,6 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 const core_1 = require("@sigstore/core");
+const protobuf_specs_1 = require("@sigstore/protobuf-specs");
 const error_1 = require("../error");
 const BEGINNING_OF_TIME = new Date(0);
 const END_OF_TIME = new Date(8640000000000000);
@@ -35,9 +36,17 @@ function toTrustMaterial(root, keys) {
 }
 exports.toTrustMaterial = toTrustMaterial;
 function createTLogAuthority(tlogInstance) {
+    const keyDetails = tlogInstance.publicKey.keyDetails;
+    const keyType = keyDetails === protobuf_specs_1.PublicKeyDetails.PKCS1_RSA_PKCS1V5 ||
+        keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V5 ||
+        keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_2048_SHA256 ||
+        keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256 ||
+        keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256
+        ? 'pkcs1'
+        : 'spki';
     return {
         logID: tlogInstance.logId.keyId,
-        publicKey: core_1.crypto.createPublicKey(tlogInstance.publicKey.rawBytes),
+        publicKey: core_1.crypto.createPublicKey(tlogInstance.publicKey.rawBytes, keyType),
         validFor: {
             start: tlogInstance.publicKey.validFor?.start || BEGINNING_OF_TIME,
             end: tlogInstance.publicKey.validFor?.end || END_OF_TIME,
diff --git a/node_modules/@sigstore/verify/package.json b/node_modules/@sigstore/verify/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/verify",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Verification of Sigstore signatures",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -26,9 +26,9 @@
     "provenance": true
   },
   "dependencies": {
-    "@sigstore/protobuf-specs": "^0.3.0",
-    "@sigstore/bundle": "^2.2.0",
-    "@sigstore/core": "^1.0.0"
+    "@sigstore/protobuf-specs": "^0.3.1",
+    "@sigstore/bundle": "^2.3.1",
+    "@sigstore/core": "^1.1.0"
   },
   "engines": {
     "node": "^16.14.0 || >=18.0.0"
diff --git a/node_modules/sigstore/package.json b/node_modules/sigstore/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sigstore",
-  "version": "2.2.2",
+  "version": "2.3.0",
   "description": "code-signing for npm packages",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -29,17 +29,17 @@
   "devDependencies": {
     "@sigstore/rekor-types": "^2.0.0",
     "@sigstore/jest": "^0.0.0",
-    "@sigstore/mock": "^0.6.5",
+    "@sigstore/mock": "^0.7.0",
     "@tufjs/repo-mock": "^2.0.0",
     "@types/make-fetch-happen": "^10.0.4"
   },
   "dependencies": {
-    "@sigstore/bundle": "^2.2.0",
+    "@sigstore/bundle": "^2.3.1",
     "@sigstore/core": "^1.0.0",
-    "@sigstore/protobuf-specs": "^0.3.0",
-    "@sigstore/sign": "^2.2.3",
+    "@sigstore/protobuf-specs": "^0.3.1",
+    "@sigstore/sign": "^2.3.0",
     "@sigstore/tuf": "^2.3.1",
-    "@sigstore/verify": "^1.1.0"
+    "@sigstore/verify": "^1.2.0"
   },
   "engines": {
     "node": "^16.14.0 || >=18.0.0"
diff --git a/package-lock.json b/package-lock.json

Original file line number	Diff line number	Diff line change
`@@ -21,12 +21,12 @@ limitations under the License.`
`21`	`21`	`*/`
`22`	`22`	`const crypto_1 = __importDefault(require("crypto"));`
`23`	`23`	`const SHA256_ALGORITHM = 'sha256';`
`24`		`-function createPublicKey(key) {`
	`24`	`+function createPublicKey(key, type = 'spki') {`
`25`	`25`	`if (typeof key === 'string') {`
`26`	`26`	`return crypto_1.default.createPublicKey(key);`
`27`	`27`	`}`
`28`	`28`	`else {`
`29`		`- return crypto_1.default.createPublicKey({ key, format: 'der', type: 'spki' });`
	`29`	`+ return crypto_1.default.createPublicKey({ key, format: 'der', type: type });`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`	`exports.createPublicKey = createPublicKey;`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@sigstore/core",`
`3`		`- "version": "1.0.0",`
	`3`	`+ "version": "1.1.0",`
`4`	`4`	`"description": "Base library for Sigstore",`
`5`	`5`	`"main": "dist/index.js",`
`6`	`6`	`"types": "dist/index.d.ts",`