From c18a0ade8c4e7f6e35ffa937aa7afe06351b4b60 Mon Sep 17 00:00:00 2001 From: Gar Date: Tue, 9 Apr 2024 12:41:47 -0700 Subject: [PATCH] deps: sigstore@2.3.0 --- node_modules/@sigstore/bundle/dist/build.js | 28 ++++++--- node_modules/@sigstore/bundle/dist/bundle.js | 5 +- node_modules/@sigstore/bundle/dist/index.js | 3 +- .../@sigstore/bundle/dist/validate.js | 3 +- node_modules/@sigstore/bundle/package.json | 4 +- node_modules/@sigstore/core/dist/crypto.js | 4 +- node_modules/@sigstore/core/package.json | 2 +- .../dist/__generated__/sigstore_trustroot.js | 54 ++++++++++++++++- .../@sigstore/protobuf-specs/package.json | 6 +- .../@sigstore/sign/dist/bundler/bundle.js | 3 +- .../@sigstore/sign/dist/bundler/dsse.js | 3 +- node_modules/@sigstore/sign/package.json | 8 +-- .../@sigstore/verify/dist/tlog/intoto.js | 3 +- .../@sigstore/verify/dist/trust/index.js | 11 +++- node_modules/@sigstore/verify/package.json | 8 +-- node_modules/sigstore/package.json | 12 ++-- package-lock.json | 58 +++++++++---------- 17 files changed, 147 insertions(+), 68 deletions(-) diff --git a/node_modules/@sigstore/bundle/dist/build.js b/node_modules/@sigstore/bundle/dist/build.js index 6990f5451a2d3..65c71b100ad58 100644 --- a/node_modules/@sigstore/bundle/dist/build.js +++ b/node_modules/@sigstore/bundle/dist/build.js @@ -21,7 +21,9 @@ const bundle_1 = require("./bundle"); // Message signature bundle - $case: 'messageSignature' function toMessageSignatureBundle(options) { return { - mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE, + mediaType: options.singleCertificate + ? bundle_1.BUNDLE_V03_MEDIA_TYPE + : bundle_1.BUNDLE_V02_MEDIA_TYPE, content: { $case: 'messageSignature', messageSignature: { @@ -39,7 +41,9 @@ exports.toMessageSignatureBundle = toMessageSignatureBundle; // DSSE envelope bundle - $case: 'dsseEnvelope' function toDSSEBundle(options) { return { - mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE, + mediaType: options.singleCertificate + ? bundle_1.BUNDLE_V03_MEDIA_TYPE + : bundle_1.BUNDLE_V02_MEDIA_TYPE, content: { $case: 'dsseEnvelope', dsseEnvelope: toEnvelope(options), @@ -71,12 +75,20 @@ function toVerificationMaterial(options) { } function toKeyContent(options) { if (options.certificate) { - return { - $case: 'x509CertificateChain', - x509CertificateChain: { - certificates: [{ rawBytes: options.certificate }], - }, - }; + if (options.singleCertificate) { + return { + $case: 'certificate', + certificate: { rawBytes: options.certificate }, + }; + } + else { + return { + $case: 'x509CertificateChain', + x509CertificateChain: { + certificates: [{ rawBytes: options.certificate }], + }, + }; + } } else { return { diff --git a/node_modules/@sigstore/bundle/dist/bundle.js b/node_modules/@sigstore/bundle/dist/bundle.js index 60574b309c09c..dbd35df2ca2bb 100644 --- a/node_modules/@sigstore/bundle/dist/bundle.js +++ b/node_modules/@sigstore/bundle/dist/bundle.js @@ -1,9 +1,10 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0; +exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0; exports.BUNDLE_V01_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1'; exports.BUNDLE_V02_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.2'; -exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3'; +exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3'; +exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle.v0.3+json'; // Type guards for bundle variants. function isBundleWithCertificateChain(b) { return b.verificationMaterial.content.$case === 'x509CertificateChain'; diff --git a/node_modules/@sigstore/bundle/dist/index.js b/node_modules/@sigstore/bundle/dist/index.js index f2b50994e9b1f..1b012acad4d85 100644 --- a/node_modules/@sigstore/bundle/dist/index.js +++ b/node_modules/@sigstore/bundle/dist/index.js @@ -1,6 +1,6 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.isBundleV01 = exports.assertBundleV02 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0; +exports.isBundleV01 = exports.assertBundleV02 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0; /* Copyright 2023 The Sigstore Authors. @@ -22,6 +22,7 @@ Object.defineProperty(exports, "toMessageSignatureBundle", { enumerable: true, g var bundle_1 = require("./bundle"); Object.defineProperty(exports, "BUNDLE_V01_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V01_MEDIA_TYPE; } }); Object.defineProperty(exports, "BUNDLE_V02_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V02_MEDIA_TYPE; } }); +Object.defineProperty(exports, "BUNDLE_V03_LEGACY_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V03_LEGACY_MEDIA_TYPE; } }); Object.defineProperty(exports, "BUNDLE_V03_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V03_MEDIA_TYPE; } }); Object.defineProperty(exports, "isBundleWithCertificateChain", { enumerable: true, get: function () { return bundle_1.isBundleWithCertificateChain; } }); Object.defineProperty(exports, "isBundleWithDsseEnvelope", { enumerable: true, get: function () { return bundle_1.isBundleWithDsseEnvelope; } }); diff --git a/node_modules/@sigstore/bundle/dist/validate.js b/node_modules/@sigstore/bundle/dist/validate.js index 6a59ecc230f4a..67079cd1f680a 100644 --- a/node_modules/@sigstore/bundle/dist/validate.js +++ b/node_modules/@sigstore/bundle/dist/validate.js @@ -74,7 +74,8 @@ function validateBundleBase(b) { const invalidValues = []; // Media type validation if (b.mediaType === undefined || - !b.mediaType.startsWith('application/vnd.dev.sigstore.bundle+json;version=')) { + (!b.mediaType.match(/^application\/vnd\.dev\.sigstore\.bundle\+json;version=\d\.\d/) && + !b.mediaType.match(/^application\/vnd\.dev\.sigstore\.bundle\.v\d\.\d\+json/))) { invalidValues.push('mediaType'); } // Content-related validation diff --git a/node_modules/@sigstore/bundle/package.json b/node_modules/@sigstore/bundle/package.json index 2cac185f73895..ab96ba7e8b2ca 100644 --- a/node_modules/@sigstore/bundle/package.json +++ b/node_modules/@sigstore/bundle/package.json @@ -1,6 +1,6 @@ { "name": "@sigstore/bundle", - "version": "2.2.0", + "version": "2.3.1", "description": "Sigstore bundle type", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -27,7 +27,7 @@ "provenance": true }, "dependencies": { - "@sigstore/protobuf-specs": "^0.3.0" + "@sigstore/protobuf-specs": "^0.3.1" }, "engines": { "node": "^16.14.0 || >=18.0.0" diff --git a/node_modules/@sigstore/core/dist/crypto.js b/node_modules/@sigstore/core/dist/crypto.js index c5d899d003e1d..dbe65b165d357 100644 --- a/node_modules/@sigstore/core/dist/crypto.js +++ b/node_modules/@sigstore/core/dist/crypto.js @@ -21,12 +21,12 @@ limitations under the License. */ const crypto_1 = __importDefault(require("crypto")); const SHA256_ALGORITHM = 'sha256'; -function createPublicKey(key) { +function createPublicKey(key, type = 'spki') { if (typeof key === 'string') { return crypto_1.default.createPublicKey(key); } else { - return crypto_1.default.createPublicKey({ key, format: 'der', type: 'spki' }); + return crypto_1.default.createPublicKey({ key, format: 'der', type: type }); } } exports.createPublicKey = createPublicKey; diff --git a/node_modules/@sigstore/core/package.json b/node_modules/@sigstore/core/package.json index b9f901652ef0f..621ff1715bcd1 100644 --- a/node_modules/@sigstore/core/package.json +++ b/node_modules/@sigstore/core/package.json @@ -1,6 +1,6 @@ { "name": "@sigstore/core", - "version": "1.0.0", + "version": "1.1.0", "description": "Base library for Sigstore", "main": "dist/index.js", "types": "dist/index.d.ts", diff --git a/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.js b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.js index 05e566767cdb2..9984f7879c73f 100644 --- a/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.js +++ b/node_modules/@sigstore/protobuf-specs/dist/__generated__/sigstore_trustroot.js @@ -1,6 +1,6 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.TrustedRoot = exports.CertificateAuthority = exports.TransparencyLogInstance = void 0; +exports.ClientTrustConfig = exports.SigningConfig = exports.TrustedRoot = exports.CertificateAuthority = exports.TransparencyLogInstance = void 0; /* eslint-disable */ const sigstore_common_1 = require("./sigstore_common"); function createBaseTransparencyLogInstance() { @@ -98,6 +98,58 @@ exports.TrustedRoot = { return obj; }, }; +function createBaseSigningConfig() { + return { caUrl: "", oidcUrl: "", tlogUrls: [], tsaUrls: [] }; +} +exports.SigningConfig = { + fromJSON(object) { + return { + caUrl: isSet(object.caUrl) ? String(object.caUrl) : "", + oidcUrl: isSet(object.oidcUrl) ? String(object.oidcUrl) : "", + tlogUrls: Array.isArray(object?.tlogUrls) ? object.tlogUrls.map((e) => String(e)) : [], + tsaUrls: Array.isArray(object?.tsaUrls) ? object.tsaUrls.map((e) => String(e)) : [], + }; + }, + toJSON(message) { + const obj = {}; + message.caUrl !== undefined && (obj.caUrl = message.caUrl); + message.oidcUrl !== undefined && (obj.oidcUrl = message.oidcUrl); + if (message.tlogUrls) { + obj.tlogUrls = message.tlogUrls.map((e) => e); + } + else { + obj.tlogUrls = []; + } + if (message.tsaUrls) { + obj.tsaUrls = message.tsaUrls.map((e) => e); + } + else { + obj.tsaUrls = []; + } + return obj; + }, +}; +function createBaseClientTrustConfig() { + return { mediaType: "", trustedRoot: undefined, signingConfig: undefined }; +} +exports.ClientTrustConfig = { + fromJSON(object) { + return { + mediaType: isSet(object.mediaType) ? String(object.mediaType) : "", + trustedRoot: isSet(object.trustedRoot) ? exports.TrustedRoot.fromJSON(object.trustedRoot) : undefined, + signingConfig: isSet(object.signingConfig) ? exports.SigningConfig.fromJSON(object.signingConfig) : undefined, + }; + }, + toJSON(message) { + const obj = {}; + message.mediaType !== undefined && (obj.mediaType = message.mediaType); + message.trustedRoot !== undefined && + (obj.trustedRoot = message.trustedRoot ? exports.TrustedRoot.toJSON(message.trustedRoot) : undefined); + message.signingConfig !== undefined && + (obj.signingConfig = message.signingConfig ? exports.SigningConfig.toJSON(message.signingConfig) : undefined); + return obj; + }, +}; function isSet(value) { return value !== null && value !== undefined; } diff --git a/node_modules/@sigstore/protobuf-specs/package.json b/node_modules/@sigstore/protobuf-specs/package.json index 047a67a7a2e20..4fefe51c761fd 100644 --- a/node_modules/@sigstore/protobuf-specs/package.json +++ b/node_modules/@sigstore/protobuf-specs/package.json @@ -1,6 +1,6 @@ { "name": "@sigstore/protobuf-specs", - "version": "0.3.0", + "version": "0.3.1", "description": "code-signing for npm packages", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -21,11 +21,11 @@ }, "homepage": "https://github.com/sigstore/protobuf-specs#readme", "devDependencies": { - "@tsconfig/node14": "^1.0.3", + "@tsconfig/node16": "^16.1.1", "@types/node": "^18.14.0", "typescript": "^4.9.5" }, "engines": { - "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + "node": "^16.14.0 || >=18.0.0" } } diff --git a/node_modules/@sigstore/sign/dist/bundler/bundle.js b/node_modules/@sigstore/sign/dist/bundler/bundle.js index f01aac252b304..7c2ca9164f0df 100644 --- a/node_modules/@sigstore/sign/dist/bundler/bundle.js +++ b/node_modules/@sigstore/sign/dist/bundler/bundle.js @@ -56,7 +56,7 @@ function toMessageSignatureBundle(artifact, signature) { } exports.toMessageSignatureBundle = toMessageSignatureBundle; // DSSE envelope bundle - $case: 'dsseEnvelope' -function toDSSEBundle(artifact, signature) { +function toDSSEBundle(artifact, signature, singleCertificate) { return sigstore.toDSSEBundle({ artifact: artifact.data, artifactType: artifact.type, @@ -65,6 +65,7 @@ function toDSSEBundle(artifact, signature) { ? util_1.pem.toDER(signature.key.certificate) : undefined, keyHint: signature.key.$case === 'publicKey' ? signature.key.hint : undefined, + singleCertificate, }); } exports.toDSSEBundle = toDSSEBundle; diff --git a/node_modules/@sigstore/sign/dist/bundler/dsse.js b/node_modules/@sigstore/sign/dist/bundler/dsse.js index 486d289aea38c..621700df93842 100644 --- a/node_modules/@sigstore/sign/dist/bundler/dsse.js +++ b/node_modules/@sigstore/sign/dist/bundler/dsse.js @@ -23,6 +23,7 @@ const bundle_1 = require("./bundle"); class DSSEBundleBuilder extends base_1.BaseBundleBuilder { constructor(options) { super(options); + this.singleCertificate = options.singleCertificate ?? false; } // DSSE requires the artifact to be pre-encoded with the payload type // before the signature is generated. @@ -32,7 +33,7 @@ class DSSEBundleBuilder extends base_1.BaseBundleBuilder { } // Packages the artifact and signature into a DSSE bundle async package(artifact, signature) { - return (0, bundle_1.toDSSEBundle)(artifactDefaults(artifact), signature); + return (0, bundle_1.toDSSEBundle)(artifactDefaults(artifact), signature, this.singleCertificate); } } exports.DSSEBundleBuilder = DSSEBundleBuilder; diff --git a/node_modules/@sigstore/sign/package.json b/node_modules/@sigstore/sign/package.json index 4302f6e07a2a8..09eea0a39e877 100644 --- a/node_modules/@sigstore/sign/package.json +++ b/node_modules/@sigstore/sign/package.json @@ -1,6 +1,6 @@ { "name": "@sigstore/sign", - "version": "2.2.3", + "version": "2.3.0", "description": "Sigstore signing library", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -27,14 +27,14 @@ }, "devDependencies": { "@sigstore/jest": "^0.0.0", - "@sigstore/mock": "^0.6.5", + "@sigstore/mock": "^0.7.0", "@sigstore/rekor-types": "^2.0.0", "@types/make-fetch-happen": "^10.0.4" }, "dependencies": { - "@sigstore/bundle": "^2.2.0", + "@sigstore/bundle": "^2.3.0", "@sigstore/core": "^1.0.0", - "@sigstore/protobuf-specs": "^0.3.0", + "@sigstore/protobuf-specs": "^0.3.1", "make-fetch-happen": "^13.0.0" }, "engines": { diff --git a/node_modules/@sigstore/verify/dist/tlog/intoto.js b/node_modules/@sigstore/verify/dist/tlog/intoto.js index e706887a95043..74c7f50d763e1 100644 --- a/node_modules/@sigstore/verify/dist/tlog/intoto.js +++ b/node_modules/@sigstore/verify/dist/tlog/intoto.js @@ -42,11 +42,12 @@ function verifyIntoto002TLogBody(tlogEntry, content) { // Signature is double-base64-encoded in the tlog entry const tlogSig = base64Decode(tlogEntry.spec.content.envelope.signatures[0].sig); // Ensure that the signature in the bundle's DSSE matches tlog entry - if (!content.compareSignature(Buffer.from(tlogSig, 'base64'))) + if (!content.compareSignature(Buffer.from(tlogSig, 'base64'))) { throw new error_1.VerificationError({ code: 'TLOG_BODY_ERROR', message: 'tlog entry signature mismatch', }); + } // Ensure the digest of the bundle's DSSE payload matches the digest in the // tlog entry const tlogHash = tlogEntry.spec.content.payloadHash?.value || ''; diff --git a/node_modules/@sigstore/verify/dist/trust/index.js b/node_modules/@sigstore/verify/dist/trust/index.js index 7991f351949a0..954de55841590 100644 --- a/node_modules/@sigstore/verify/dist/trust/index.js +++ b/node_modules/@sigstore/verify/dist/trust/index.js @@ -17,6 +17,7 @@ See the License for the specific language governing permissions and limitations under the License. */ const core_1 = require("@sigstore/core"); +const protobuf_specs_1 = require("@sigstore/protobuf-specs"); const error_1 = require("../error"); const BEGINNING_OF_TIME = new Date(0); const END_OF_TIME = new Date(8640000000000000); @@ -35,9 +36,17 @@ function toTrustMaterial(root, keys) { } exports.toTrustMaterial = toTrustMaterial; function createTLogAuthority(tlogInstance) { + const keyDetails = tlogInstance.publicKey.keyDetails; + const keyType = keyDetails === protobuf_specs_1.PublicKeyDetails.PKCS1_RSA_PKCS1V5 || + keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V5 || + keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_2048_SHA256 || + keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256 || + keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256 + ? 'pkcs1' + : 'spki'; return { logID: tlogInstance.logId.keyId, - publicKey: core_1.crypto.createPublicKey(tlogInstance.publicKey.rawBytes), + publicKey: core_1.crypto.createPublicKey(tlogInstance.publicKey.rawBytes, keyType), validFor: { start: tlogInstance.publicKey.validFor?.start || BEGINNING_OF_TIME, end: tlogInstance.publicKey.validFor?.end || END_OF_TIME, diff --git a/node_modules/@sigstore/verify/package.json b/node_modules/@sigstore/verify/package.json index dcfb587e084a6..edd6566e10ece 100644 --- a/node_modules/@sigstore/verify/package.json +++ b/node_modules/@sigstore/verify/package.json @@ -1,6 +1,6 @@ { "name": "@sigstore/verify", - "version": "1.1.0", + "version": "1.2.0", "description": "Verification of Sigstore signatures", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -26,9 +26,9 @@ "provenance": true }, "dependencies": { - "@sigstore/protobuf-specs": "^0.3.0", - "@sigstore/bundle": "^2.2.0", - "@sigstore/core": "^1.0.0" + "@sigstore/protobuf-specs": "^0.3.1", + "@sigstore/bundle": "^2.3.1", + "@sigstore/core": "^1.1.0" }, "engines": { "node": "^16.14.0 || >=18.0.0" diff --git a/node_modules/sigstore/package.json b/node_modules/sigstore/package.json index 3dca00636b8d9..f39fc63b5a91d 100644 --- a/node_modules/sigstore/package.json +++ b/node_modules/sigstore/package.json @@ -1,6 +1,6 @@ { "name": "sigstore", - "version": "2.2.2", + "version": "2.3.0", "description": "code-signing for npm packages", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -29,17 +29,17 @@ "devDependencies": { "@sigstore/rekor-types": "^2.0.0", "@sigstore/jest": "^0.0.0", - "@sigstore/mock": "^0.6.5", + "@sigstore/mock": "^0.7.0", "@tufjs/repo-mock": "^2.0.0", "@types/make-fetch-happen": "^10.0.4" }, "dependencies": { - "@sigstore/bundle": "^2.2.0", + "@sigstore/bundle": "^2.3.1", "@sigstore/core": "^1.0.0", - "@sigstore/protobuf-specs": "^0.3.0", - "@sigstore/sign": "^2.2.3", + "@sigstore/protobuf-specs": "^0.3.1", + "@sigstore/sign": "^2.3.0", "@sigstore/tuf": "^2.3.1", - "@sigstore/verify": "^1.1.0" + "@sigstore/verify": "^1.2.0" }, "engines": { "node": "^16.14.0 || >=18.0.0" diff --git a/package-lock.json b/package-lock.json index ddccaa17e8a26..8f57bad765c0a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2162,44 +2162,44 @@ } }, "node_modules/@sigstore/bundle": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.2.0.tgz", - "integrity": "sha512-5VI58qgNs76RDrwXNhpmyN/jKpq9evV/7f1XrcqcAfvxDl5SeVY/I5Rmfe96ULAV7/FK5dge9RBKGBJPhL1WsQ==", + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.1.tgz", + "integrity": "sha512-eqV17lO3EIFqCWK3969Rz+J8MYrRZKw9IBHpSo6DEcEX2c+uzDFOgHE9f2MnyDpfs48LFO4hXmk9KhQ74JzU1g==", "inBundle": true, "dependencies": { - "@sigstore/protobuf-specs": "^0.3.0" + "@sigstore/protobuf-specs": "^0.3.1" }, "engines": { "node": "^16.14.0 || >=18.0.0" } }, "node_modules/@sigstore/core": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@sigstore/core/-/core-1.0.0.tgz", - "integrity": "sha512-dW2qjbWLRKGu6MIDUTBuJwXCnR8zivcSpf5inUzk7y84zqy/dji0/uahppoIgMoKeR+6pUZucrwHfkQQtiG9Rw==", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@sigstore/core/-/core-1.1.0.tgz", + "integrity": "sha512-JzBqdVIyqm2FRQCulY6nbQzMpJJpSiJ8XXWMhtOX9eKgaXXpfNOF53lzQEjIydlStnd/eFtuC1dW4VYdD93oRg==", "inBundle": true, "engines": { "node": "^16.14.0 || >=18.0.0" } }, "node_modules/@sigstore/protobuf-specs": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.0.tgz", - "integrity": "sha512-zxiQ66JFOjVvP9hbhGj/F/qNdsZfkGb/dVXSanNRNuAzMlr4MC95voPUBX8//ZNnmv3uSYzdfR/JSkrgvZTGxA==", + "version": "0.3.1", + "resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.1.tgz", + "integrity": "sha512-aIL8Z9NsMr3C64jyQzE0XlkEyBLpgEJJFDHLVVStkFV5Q3Il/r/YtY6NJWKQ4cy4AE7spP1IX5Jq7VCAxHHMfQ==", "inBundle": true, "engines": { - "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + "node": "^16.14.0 || >=18.0.0" } }, "node_modules/@sigstore/sign": { - "version": "2.2.3", - "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.2.3.tgz", - "integrity": "sha512-LqlA+ffyN02yC7RKszCdMTS6bldZnIodiox+IkT8B2f8oRYXCB3LQ9roXeiEL21m64CVH1wyveYAORfD65WoSw==", + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.0.tgz", + "integrity": "sha512-tsAyV6FC3R3pHmKS880IXcDJuiFJiKITO1jxR1qbplcsBkZLBmjrEw5GbC7ikD6f5RU1hr7WnmxB/2kKc1qUWQ==", "inBundle": true, "dependencies": { - "@sigstore/bundle": "^2.2.0", + "@sigstore/bundle": "^2.3.0", "@sigstore/core": "^1.0.0", - "@sigstore/protobuf-specs": "^0.3.0", + "@sigstore/protobuf-specs": "^0.3.1", "make-fetch-happen": "^13.0.0" }, "engines": { @@ -2220,14 +2220,14 @@ } }, "node_modules/@sigstore/verify": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@sigstore/verify/-/verify-1.1.0.tgz", - "integrity": "sha512-1fTqnqyTBWvV7cftUUFtDcHPdSox0N3Ub7C0lRyReYx4zZUlNTZjCV+HPy4Lre+r45dV7Qx5JLKvqqsgxuyYfg==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@sigstore/verify/-/verify-1.2.0.tgz", + "integrity": "sha512-hQF60nc9yab+Csi4AyoAmilGNfpXT+EXdBgFkP9OgPwIBPwyqVf7JAWPtmqrrrneTmAT6ojv7OlH1f6Ix5BG4Q==", "inBundle": true, "dependencies": { - "@sigstore/bundle": "^2.2.0", - "@sigstore/core": "^1.0.0", - "@sigstore/protobuf-specs": "^0.3.0" + "@sigstore/bundle": "^2.3.1", + "@sigstore/core": "^1.1.0", + "@sigstore/protobuf-specs": "^0.3.1" }, "engines": { "node": "^16.14.0 || >=18.0.0" @@ -12120,17 +12120,17 @@ } }, "node_modules/sigstore": { - "version": "2.2.2", - "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-2.2.2.tgz", - "integrity": "sha512-2A3WvXkQurhuMgORgT60r6pOWiCOO5LlEqY2ADxGBDGVYLSo5HN0uLtb68YpVpuL/Vi8mLTe7+0Dx2Fq8lLqEg==", + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-2.3.0.tgz", + "integrity": "sha512-q+o8L2ebiWD1AxD17eglf1pFrl9jtW7FHa0ygqY6EKvibK8JHyq9Z26v9MZXeDiw+RbfOJ9j2v70M10Hd6E06A==", "inBundle": true, "dependencies": { - "@sigstore/bundle": "^2.2.0", + "@sigstore/bundle": "^2.3.1", "@sigstore/core": "^1.0.0", - "@sigstore/protobuf-specs": "^0.3.0", - "@sigstore/sign": "^2.2.3", + "@sigstore/protobuf-specs": "^0.3.1", + "@sigstore/sign": "^2.3.0", "@sigstore/tuf": "^2.3.1", - "@sigstore/verify": "^1.1.0" + "@sigstore/verify": "^1.2.0" }, "engines": { "node": "^16.14.0 || >=18.0.0"