diff --git a/node_modules/sigstore/dist/ca/index.js b/node_modules/sigstore/dist/ca/index.js index 7e0f9e0c5c4c0..340dd46609aad 100644 --- a/node_modules/sigstore/dist/ca/index.js +++ b/node_modules/sigstore/dist/ca/index.js @@ -6,13 +6,26 @@ const external_1 = require("../external"); const format_1 = require("./format"); class CAClient { constructor(options) { - this.fulcio = new external_1.Fulcio({ baseURL: options.fulcioBaseURL }); + this.fulcio = new external_1.Fulcio({ + baseURL: options.fulcioBaseURL, + retry: options.retry, + timeout: options.timeout, + }); } async createSigningCertificate(identityToken, publicKey, challenge) { const request = (0, format_1.toCertificateRequest)(identityToken, publicKey, challenge); try { - const certificate = await this.fulcio.createSigningCertificate(request); - return certificate.signedCertificateEmbeddedSct.chain.certificates; + const resp = await this.fulcio.createSigningCertificate(request); + // Account for the fact that the response may contain either a + // signedCertificateEmbeddedSct or a signedCertificateDetachedSct. + const cert = resp.signedCertificateEmbeddedSct + ? resp.signedCertificateEmbeddedSct + : resp.signedCertificateDetachedSct; + // Return the first certificate in the chain, which is the signing + // certificate. Specifically not returning the rest of the chain to + // mitigate the risk of errors when verifying the certificate chain. + // eslint-disable-next-line @typescript-eslint/no-non-null-assertion + return cert.chain.certificates.slice(0, 1); } catch (err) { throw new error_1.InternalError({ diff --git a/node_modules/sigstore/dist/ca/verify/chain.js b/node_modules/sigstore/dist/ca/verify/chain.js index 0f6f714695728..3246c7a154e2d 100644 --- a/node_modules/sigstore/dist/ca/verify/chain.js +++ b/node_modules/sigstore/dist/ca/verify/chain.js 
@@ -19,12 +19,11 @@ limitations under the License.
 const error_1 = require("../../error");
 const cert_1 = require("../../x509/cert");
 const verify_1 = require("../../x509/verify");
-function verifyChain(bundleCerts, certificateAuthorities) {
- const certs = parseCerts(bundleCerts);
- const signingCert = certs[0];
+function verifyChain(certificate, certificateAuthorities) {
+ const untrustedCert = cert_1.x509Certificate.parse(certificate.rawBytes);
 // Filter the list of certificate authorities to those which are valid for the
 // signing certificate's notBefore date.
- const validCAs = filterCertificateAuthorities(certificateAuthorities, signingCert.notBefore);
+ const validCAs = filterCertificateAuthorities(certificateAuthorities, untrustedCert.notBefore);
 if (validCAs.length === 0) {
 throw new error_1.VerificationError('No valid certificate authorities');
 }
@@ -34,9 +33,9 @@ function verifyChain(bundleCerts, certificateAuthorities) {
 const trustedCerts = parseCerts(ca.certChain?.certificates || []);
 try {
 trustedChain = (0, verify_1.verifyCertificateChain)({
+ untrustedCert,
 trustedCerts,
- certs,
- validAt: signingCert.notBefore,
+ validAt: untrustedCert.notBefore,
 });
 return true;
 }
diff --git a/node_modules/sigstore/dist/ca/verify/index.js b/node_modules/sigstore/dist/ca/verify/index.js
index 9c42f3094338f..32f85c828fe5a 100644
--- a/node_modules/sigstore/dist/ca/verify/index.js
+++ b/node_modules/sigstore/dist/ca/verify/index.js
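Review bot: `verifyChain` now dereferences `certificate.rawBytes` on its first line without checking that a certificate was actually supplied; the caller in ca/verify/index.js passes `certificates[0]`, so an empty `x509CertificateChain` would surface as a TypeError instead of a `VerificationError`. A guard such as `if (!certificate) { throw new error_1.VerificationError('No signing certificate in bundle'); }` before the parse keeps the failure inside the verification error model that callers already handle. Presumably `isBundleWithCertificateChain` in the caller rules out the empty case, but that is not visible from this diff. verifyChain's body continues past the end of this hunk.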
@@ -6,8 +6,9 @@ const sct_1 = require("./sct"); const signer_1 = require("./signer"); function verifySigningCertificate(bundle, trustedRoot, options) { // Check that a trusted certificate chain can be found for the signing - // certificate in the bundle - const trustedChain = (0, chain_1.verifyChain)(bundle.verificationMaterial.content.x509CertificateChain.certificates, trustedRoot.certificateAuthorities); + // certificate in the bundle. Only the first certificate in the bundle's + // chain is used -- everything else must come from the trusted root. + const trustedChain = (0, chain_1.verifyChain)(bundle.verificationMaterial.content.x509CertificateChain.certificates[0], trustedRoot.certificateAuthorities); // Unless disabled, verify the SCTs in the signing certificate if (options.ctlogOptions.disable === false) { (0, sct_1.verifySCTs)(trustedChain, trustedRoot.ctlogs, options.ctlogOptions); diff --git a/node_modules/sigstore/dist/config.js b/node_modules/sigstore/dist/config.js index 7e6e42d9bf369..1a22c5fef313b 100644 --- a/node_modules/sigstore/dist/config.js +++ b/node_modules/sigstore/dist/config.js @@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.identityProviders = exports.artifactVerificationOptions = exports.createTLogClient = exports.createCAClient = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0; +exports.identityProviders = exports.artifactVerificationOptions = exports.createTSAClient = exports.createTLogClient = exports.createCAClient = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0; /* Copyright 2023 The Sigstore Authors. 
@@ -45,21 +45,38 @@ limitations under the License. const ca_1 = require("./ca"); const identity_1 = __importDefault(require("./identity")); const tlog_1 = require("./tlog"); +const tsa_1 = require("./tsa"); const sigstore = __importStar(require("./types/sigstore")); exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev'; exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev'; +exports.DEFAULT_RETRY = { retries: 2 }; +exports.DEFAULT_TIMEOUT = 5000; function createCAClient(options) { return new ca_1.CAClient({ fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL, + retry: options.retry ?? exports.DEFAULT_RETRY, + timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, }); } exports.createCAClient = createCAClient; function createTLogClient(options) { return new tlog_1.TLogClient({ rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL, + retry: options.retry ?? exports.DEFAULT_RETRY, + timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, }); } exports.createTLogClient = createTLogClient; +function createTSAClient(options) { + return options.tsaServerURL + ? new tsa_1.TSAClient({ + tsaBaseURL: options.tsaServerURL, + retry: options.retry ?? exports.DEFAULT_RETRY, + timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, + }) + : undefined; +} +exports.createTSAClient = createTSAClient; // Assembles the AtifactVerificationOptions from the supplied VerifyOptions. function artifactVerificationOptions(options) { // The trusted signers are only used if the options contain a certificate diff --git a/node_modules/sigstore/dist/external/fulcio.js b/node_modules/sigstore/dist/external/fulcio.js index 288ca32caaea7..aeb48d58d8d83 100644 --- a/node_modules/sigstore/dist/external/fulcio.js +++ b/node_modules/sigstore/dist/external/fulcio.js 
@@ -28,8 +28,8 @@ const error_1 = require("./error"); class Fulcio { constructor(options) { this.fetch = make_fetch_happen_1.default.defaults({ - retry: { retries: 2 }, - timeout: 5000, + retry: options.retry, + timeout: options.timeout, headers: { 'Content-Type': 'application/json', 'User-Agent': util_1.ua.getUserAgent(), diff --git a/node_modules/sigstore/dist/external/index.js b/node_modules/sigstore/dist/external/index.js index da5f084001279..f40816e9b7ca4 100644 --- a/node_modules/sigstore/dist/external/index.js +++ b/node_modules/sigstore/dist/external/index.js @@ -1,6 +1,6 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.Rekor = exports.Fulcio = exports.HTTPError = void 0; +exports.TimestampAuthority = exports.Rekor = exports.Fulcio = exports.HTTPError = void 0; /* Copyright 2022 The Sigstore Authors. @@ -22,3 +22,5 @@ var fulcio_1 = require("./fulcio"); Object.defineProperty(exports, "Fulcio", { enumerable: true, get: function () { return fulcio_1.Fulcio; } }); var rekor_1 = require("./rekor"); Object.defineProperty(exports, "Rekor", { enumerable: true, get: function () { return rekor_1.Rekor; } }); +var tsa_1 = require("./tsa"); +Object.defineProperty(exports, "TimestampAuthority", { enumerable: true, get: function () { return tsa_1.TimestampAuthority; } }); diff --git a/node_modules/sigstore/dist/external/rekor.js b/node_modules/sigstore/dist/external/rekor.js index 6bb085c44cecd..80650ce02ff9b 100644 --- a/node_modules/sigstore/dist/external/rekor.js +++ b/node_modules/sigstore/dist/external/rekor.js @@ -28,8 +28,8 @@ const error_1 = require("./error"); class Rekor { constructor(options) { this.fetch = make_fetch_happen_1.default.defaults({ - retry: { retries: 2 }, - timeout: 5000, + retry: options.retry, + timeout: options.timeout, headers: { Accept: 'application/json', 'User-Agent': util_1.ua.getUserAgent(), 
diff --git a/node_modules/sigstore/dist/external/tsa.js b/node_modules/sigstore/dist/external/tsa.js new file mode 100644 index 0000000000000..5277d7d3f9707 --- /dev/null +++ b/node_modules/sigstore/dist/external/tsa.js @@ -0,0 +1,47 @@ +"use strict"; +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.TimestampAuthority = void 0; +/* +Copyright 2023 The Sigstore Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +const make_fetch_happen_1 = __importDefault(require("make-fetch-happen")); +const util_1 = require("../util"); +const error_1 = require("./error"); +class TimestampAuthority { + constructor(options) { + this.fetch = make_fetch_happen_1.default.defaults({ + retry: options.retry, + timeout: options.timeout, + headers: { + 'Content-Type': 'application/json', + 'User-Agent': util_1.ua.getUserAgent(), + }, + }); + this.baseUrl = options.baseURL; + } + async createTimestamp(request) { + const url = `${this.baseUrl}/api/v1/timestamp`; + const response = await this.fetch(url, { + method: 'POST', + body: JSON.stringify(request), + }); + (0, error_1.checkStatus)(response); + return response.buffer(); + } +} +exports.TimestampAuthority = TimestampAuthority; diff --git a/node_modules/sigstore/dist/sign.js b/node_modules/sigstore/dist/sign.js index 97c3da04b065b..96e6272750b49 100644 --- a/node_modules/sigstore/dist/sign.js 
+++ b/node_modules/sigstore/dist/sign.js @@ -1,13 +1,39 @@ "use strict"; +var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + var desc = Object.getOwnPropertyDescriptor(m, k); + if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { + desc = { enumerable: true, get: function() { return m[k]; } }; + } + Object.defineProperty(o, k2, desc); +}) : (function(o, m, k, k2) { + if (k2 === undefined) k2 = k; + o[k2] = m[k]; +})); +var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { + Object.defineProperty(o, "default", { enumerable: true, value: v }); +}) : function(o, v) { + o["default"] = v; +}); +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); + __setModuleDefault(result, mod); + return result; +}; Object.defineProperty(exports, "__esModule", { value: true }); exports.Signer = void 0; +const sigstore = __importStar(require("./types/sigstore")); const util_1 = require("./util"); class Signer { constructor(options) { this.identityProviders = []; this.ca = options.ca; this.tlog = options.tlog; + this.tsa = options.tsa; this.identityProviders = options.identityProviders; + this.tlogUpload = options.tlogUpload ?? true; this.signer = options.signer || this.signWithEphemeralKey.bind(this); } async signBlob(payload) { 
@@ -15,8 +41,18 @@ class Signer { const sigMaterial = await this.signer(payload); // Calculate artifact digest const digest = util_1.crypto.hash(payload); - // Create Rekor entry - return this.tlog.createMessageSignatureEntry(digest, sigMaterial); + // Create a Rekor entry (if tlogUpload is enabled) + const entry = this.tlogUpload + ? await this.tlog.createMessageSignatureEntry(digest, sigMaterial) + : undefined; + return sigstore.toMessageSignatureBundle({ + digest, + signature: sigMaterial, + tlogEntry: entry, + timestamp: this.tsa + ? await this.tsa.createTimestamp(sigMaterial.signature) + : undefined, + }); } async signAttestation(payload, payloadType) { // Pre-authentication encoding to be signed @@ -33,7 +69,18 @@ class Signer { }, ], }; - return this.tlog.createDSSEEntry(envelope, sigMaterial); + // Create a Rekor entry (if tlogUpload is enabled) + const entry = this.tlogUpload + ? await this.tlog.createDSSEEntry(envelope, sigMaterial) + : undefined; + return sigstore.toDSSEBundle({ + envelope, + signature: sigMaterial, + tlogEntry: entry, + timestamp: this.tsa + ? await this.tsa.createTimestamp(sigMaterial.signature) + : undefined, + }); } async signWithEphemeralKey(payload) { // Create emphemeral key pair diff --git a/node_modules/sigstore/dist/sigstore-utils.js b/node_modules/sigstore/dist/sigstore-utils.js index 79918a806b17d..1341052047229 100644 --- a/node_modules/sigstore/dist/sigstore-utils.js +++ b/node_modules/sigstore/dist/sigstore-utils.js 
@@ -67,9 +67,14 @@ async function createRekorEntry(dsseEnvelope, publicKey, options = {}) { const envelope = sigstore.Envelope.fromJSON(dsseEnvelope); const tlog = (0, config_1.createTLogClient)(options); const sigMaterial = (0, signature_1.extractSignatureMaterial)(envelope, publicKey); - const bundle = await tlog.createDSSEEntry(envelope, sigMaterial, { + const entry = await tlog.createDSSEEntry(envelope, sigMaterial, { fetchOnConflict: true, }); + const bundle = sigstore.toDSSEBundle({ + envelope, + signature: sigMaterial, + tlogEntry: entry, + }); return sigstore.Bundle.toJSON(bundle); } exports.createRekorEntry = createRekorEntry; diff --git a/node_modules/sigstore/dist/sigstore.js b/node_modules/sigstore/dist/sigstore.js index f45270217b017..8d245e17b2a0c 100644 --- a/node_modules/sigstore/dist/sigstore.js +++ b/node_modules/sigstore/dist/sigstore.js @@ -52,6 +52,7 @@ async function sign(payload, options = {}) { ca, tlog, identityProviders: idps, + tlogUpload: options.tlogUpload, }); const bundle = await signer.signBlob(payload); return sigstore.Bundle.toJSON(bundle); @@ -60,11 +61,14 @@ exports.sign = sign; async function attest(payload, payloadType, options = {}) { const ca = config.createCAClient(options); const tlog = config.createTLogClient(options); + const tsa = config.createTSAClient(options); const idps = config.identityProviders(options); const signer = new sign_1.Signer({ ca, tlog, + tsa, identityProviders: idps, + tlogUpload: options.tlogUpload, }); const bundle = await signer.signAttestation(payload, payloadType); return sigstore.Bundle.toJSON(bundle); 
@@ -75,6 +79,8 @@ async function verify(bundle, payload, options = {}) { mirrorURL: options.tufMirrorURL, rootPath: options.tufRootPath, cachePath: options.tufCachePath, + retry: options.retry ?? config.DEFAULT_RETRY, + timeout: options.timeout ?? config.DEFAULT_TIMEOUT, }); const verifier = new verify_1.Verifier(trustedRoot, options.keySelector); const deserializedBundle = sigstore.bundleFromJSON(bundle); @@ -83,12 +89,21 @@ async function verify(bundle, payload, options = {}) { } exports.verify = verify; const tufUtils = { - getTarget: (path, options = {}) => { - return tuf.getTarget(path, { + client: (options = {}) => { + const t = new tuf.TUFClient({ mirrorURL: options.tufMirrorURL, rootPath: options.tufRootPath, cachePath: options.tufCachePath, + retry: options.retry ?? config.DEFAULT_RETRY, + timeout: options.timeout ?? config.DEFAULT_TIMEOUT, }); + return t.refresh().then(() => t); + }, + /* + * @deprecated Use tufUtils.client instead. + */ + getTarget: (path, options = {}) => { + return tufUtils.client(options).then((t) => t.getTarget(path)); }, }; exports.tuf = tufUtils; diff --git a/node_modules/sigstore/dist/tlog/index.js b/node_modules/sigstore/dist/tlog/index.js index 4193e55752ff0..7f5f531983b37 100644 --- a/node_modules/sigstore/dist/tlog/index.js +++ b/node_modules/sigstore/dist/tlog/index.js 
@@ -18,21 +18,22 @@ limitations under the License. */ const error_1 = require("../error"); const external_1 = require("../external"); -const sigstore_1 = require("../types/sigstore"); const format_1 = require("./format"); class TLogClient { constructor(options) { - this.rekor = new external_1.Rekor({ baseURL: options.rekorBaseURL }); + this.rekor = new external_1.Rekor({ + baseURL: options.rekorBaseURL, + retry: options.retry, + timeout: options.timeout, + }); } async createMessageSignatureEntry(digest, sigMaterial, options = {}) { const proposedEntry = (0, format_1.toProposedHashedRekordEntry)(digest, sigMaterial); - const entry = await this.createEntry(proposedEntry, options.fetchOnConflict); - return sigstore_1.bundle.toMessageSignatureBundle(digest, sigMaterial, entry); + return this.createEntry(proposedEntry, options.fetchOnConflict); } async createDSSEEntry(envelope, sigMaterial, options = {}) { const proposedEntry = (0, format_1.toProposedIntotoEntry)(envelope, sigMaterial); - const entry = await this.createEntry(proposedEntry, options.fetchOnConflict); - return sigstore_1.bundle.toDSSEBundle(envelope, sigMaterial, entry); + return this.createEntry(proposedEntry, options.fetchOnConflict); } async createEntry(proposedEntry, fetchOnConflict = false) { let entry; diff --git a/node_modules/sigstore/dist/tsa/index.js b/node_modules/sigstore/dist/tsa/index.js new file mode 100644 index 0000000000000..4951b24a93f4f --- /dev/null +++ b/node_modules/sigstore/dist/tsa/index.js 
@@ -0,0 +1,47 @@ +"use strict"; +Object.defineProperty(exports, "__esModule", { value: true }); +exports.TSAClient = void 0; +/* +Copyright 2022 The Sigstore Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +const error_1 = require("../error"); +const external_1 = require("../external"); +const util_1 = require("../util"); +class TSAClient { + constructor(options) { + this.tsa = new external_1.TimestampAuthority({ + baseURL: options.tsaBaseURL, + retry: options.retry, + timeout: options.timeout, + }); + } + async createTimestamp(signature) { + const request = { + artifactHash: util_1.crypto.hash(signature).toString('base64'), + hashAlgorithm: 'sha256', + }; + try { + return await this.tsa.createTimestamp(request); + } + catch (err) { + throw new error_1.InternalError({ + code: 'TSA_CREATE_TIMESTAMP_ERROR', + message: 'error creating timestamp', + cause: err, + }); + } + } +} +exports.TSAClient = TSAClient; diff --git a/node_modules/sigstore/dist/tuf/index.js b/node_modules/sigstore/dist/tuf/index.js index 89923d63fa657..86a081de9f3af 100644 --- a/node_modules/sigstore/dist/tuf/index.js +++ b/node_modules/sigstore/dist/tuf/index.js 
@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.getTarget = exports.getTrustedRoot = void 0; +exports.TUFClient = exports.getTrustedRoot = void 0; /* Copyright 2023 The Sigstore Authors. 
@@ -53,20 +53,28 @@ const DEFAULT_CACHE_DIR = util_1.appdata.appDataPath('sigstore-js');
 const DEFAULT_MIRROR_URL = 'https://tuf-repo-cdn.sigstore.dev';
 const DEFAULT_TUF_ROOT_PATH = '../../store/public-good-instance-root.json';
 async function getTrustedRoot(options = {}) {
- const trustedRoot = await getTarget(TRUSTED_ROOT_TARGET, options);
+ const client = new TUFClient(options);
+ const trustedRoot = await client.getTarget(TRUSTED_ROOT_TARGET);
 return sigstore.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
 }
 exports.getTrustedRoot = getTrustedRoot;
-async function getTarget(targetName, options = {}) {
- const cachePath = options.cachePath || DEFAULT_CACHE_DIR;
- const tufRootPath = options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH);
- const mirrorURL = options.mirrorURL || DEFAULT_MIRROR_URL;
- initTufCache(cachePath, tufRootPath);
- const remote = initRemoteConfig(cachePath, mirrorURL);
- const repoClient = initClient(cachePath, remote);
- return (0, target_1.readTarget)(repoClient, targetName);
+class TUFClient {
+ constructor(options) {
+ const cachePath = options.cachePath || DEFAULT_CACHE_DIR;
+ const tufRootPath = options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH);
+ const mirrorURL = options.mirrorURL || DEFAULT_MIRROR_URL;
+ initTufCache(cachePath, tufRootPath);
+ const remote = initRemoteConfig(cachePath, mirrorURL);
+ this.updater = initClient(cachePath, remote, options);
+ }
+ async refresh() {
+ return this.updater.refresh();
+ }
+ getTarget(targetName) {
+ return (0, target_1.readTarget)(this.updater, targetName);
+ }
 }
-exports.getTarget = getTarget;
+exports.TUFClient = TUFClient;
 // Initializes the TUF cache directory structure including the initial
 // root.json file. If the cache directory does not exist, it will be
 // created. If the targets directory does not exist, it will be created.
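Review bot: `getTrustedRoot` constructs a `TUFClient` and calls `getTarget` without ever invoking the new `refresh()` method, while the tuf/target.js hunk in this same commit removes the `tuf.refresh()` that previously ran inside `getTargetPath`; unless tuf-js's `getTargetInfo` refreshes implicitly, the trusted root is read from whatever metadata is already cached and a rotated or revoked key would not be picked up on this path. The public `tufUtils.client` entry point in sigstore.js does call `t.refresh()` before handing the client back, so the two entry points are inconsistent. If the implicit refresh cannot be confirmed, adding `await client.refresh();` before `client.getTarget(TRUSTED_ROOT_TARGET)` closes the gap.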
@@ -102,12 +110,29 @@ function initRemoteConfig(rootDir, mirrorURL) {
 }
 return remoteConfig;
 }
-function initClient(cachePath, remote) {
+function initClient(cachePath, remote, options) {
 const baseURL = remote.mirror;
+ const config = {
+ fetchTimeout: options.timeout,
+ };
+ // tuf-js only supports a number for fetchRetries so we have to
+ // convert the boolean and object options to a number.
+ if (typeof options.retry !== 'undefined') {
+ if (typeof options.retry === 'number') {
+ config.fetchRetries = options.retry;
+ }
+ else if (typeof options.retry === 'object') {
+ config.fetchRetries = options.retry.retries;
+ }
+ else if (options.retry === true) {
+ config.fetchRetries = 1;
+ }
+ }
 return new tuf_js_1.Updater({
 metadataBaseUrl: baseURL,
 targetBaseUrl: `${baseURL}/targets`,
 metadataDir: cachePath,
 targetDir: path_1.default.join(cachePath, 'targets'),
+ config,
 });
 }
diff --git a/node_modules/sigstore/dist/tuf/target.js b/node_modules/sigstore/dist/tuf/target.js
index b79411c3dd0a4..d7df61e5a4076 100644
--- a/node_modules/sigstore/dist/tuf/target.js
+++ b/node_modules/sigstore/dist/tuf/target.js
@@ -46,7 +46,7 @@ exports.readTarget = readTarget;
 async function getTargetPath(tuf, target) {
 let targetInfo;
 try {
- targetInfo = await tuf.refresh().then(() => tuf.getTargetInfo(target));
+ targetInfo = await tuf.getTargetInfo(target);
 }
 catch (err) {
 throw new error_1.InternalError({
diff --git a/node_modules/sigstore/dist/types/fetch.js b/node_modules/sigstore/dist/types/fetch.js
new file mode 100644
index 0000000000000..c8ad2e549bdc6
--- /dev/null
+++ b/node_modules/sigstore/dist/types/fetch.js
@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
diff --git a/node_modules/sigstore/dist/types/sigstore/index.js b/node_modules/sigstore/dist/types/sigstore/index.js
index 9fcdb42bdcf34..544db63b002bf 100644
--- a/node_modules/sigstore/dist/types/sigstore/index.js
+++ b/node_modules/sigstore/dist/types/sigstore/index.js
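Review bot: In `initClient` the retry conversion handles `number`, `object` and `true` but not `false`: a caller passing `retry: false` falls through every branch and leaves `config.fetchRetries` unset, so tuf-js applies its own default rather than zero retries, even though the Fulcio and Rekor clients in this commit now forward the same option straight to make-fetch-happen, where a boolean is accepted. Replacing the last branch with `else if (typeof options.retry === 'boolean') { config.fetchRetries = options.retry ? 1 : 0; }` makes the TUF client honour the option consistently with the other clients. I have not verified tuf-js's default for `fetchRetries` from this page.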
@@ -14,7 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) { for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p); }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.signingCertificate = exports.bundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.bundleFromJSON = void 0; +exports.signingCertificate = exports.toMessageSignatureBundle = exports.toDSSEBundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.bundleFromJSON = void 0; /* Copyright 2023 The Sigstore Authors. @@ -69,16 +69,20 @@ function isVerifiableTransparencyLogEntry(entry) { entry.kindVersion !== undefined); } exports.isVerifiableTransparencyLogEntry = isVerifiableTransparencyLogEntry; -exports.bundle = { - toDSSEBundle: (envelope, signature, rekorEntry) => ({ +function toDSSEBundle({ envelope, signature, tlogEntry, timestamp, }) { + return { mediaType: BUNDLE_MEDIA_TYPE, - content: { - $case: 'dsseEnvelope', - dsseEnvelope: envelope, - }, - verificationMaterial: toVerificationMaterial(signature, rekorEntry), - }), - toMessageSignatureBundle: (digest, signature, rekorEntry) => ({ + content: { $case: 'dsseEnvelope', dsseEnvelope: envelope }, + verificationMaterial: toVerificationMaterial({ + signature, + tlogEntry, + timestamp, + }), + }; +} +exports.toDSSEBundle = toDSSEBundle; +function toMessageSignatureBundle({ digest, signature, tlogEntry, timestamp, }) { + return { mediaType: BUNDLE_MEDIA_TYPE, content: { $case: 'messageSignature', 
@@ -90,9 +94,14 @@ exports.bundle = { signature: signature.signature, }, }, - verificationMaterial: toVerificationMaterial(signature, rekorEntry), - }), -}; + verificationMaterial: toVerificationMaterial({ + signature, + tlogEntry, + timestamp, + }), + }; +} +exports.toMessageSignatureBundle = toMessageSignatureBundle; function toTransparencyLogEntry(entry) { const set = Buffer.from(entry.verification.signedEntryTimestamp, 'base64'); const logID = Buffer.from(entry.logID, 'hex'); @@ -116,13 +125,15 @@ function toTransparencyLogEntry(entry) { canonicalizedBody: Buffer.from(entry.body, 'base64'), }; } -function toVerificationMaterial(signature, entry) { +function toVerificationMaterial({ signature, tlogEntry, timestamp, }) { return { content: signature.certificates ? toVerificationMaterialx509CertificateChain(signature.certificates) : toVerificationMaterialPublicKey(signature.key.id || ''), - tlogEntries: [toTransparencyLogEntry(entry)], - timestampVerificationData: undefined, + tlogEntries: tlogEntry ? [toTransparencyLogEntry(tlogEntry)] : [], + timestampVerificationData: timestamp + ? toTimestampVerificationData(timestamp) + : undefined, }; } function toVerificationMaterialx509CertificateChain(certificates) { @@ -138,6 +149,11 @@ function toVerificationMaterialx509CertificateChain(certificates) { function toVerificationMaterialPublicKey(hint) { return { $case: 'publicKey', publicKey: { hint } }; } +function toTimestampVerificationData(timestamp) { + return { + rfc3161Timestamps: [{ signedTimestamp: timestamp }], + }; +} function signingCertificate(bundle) { if (!isBundleWithCertificateChain(bundle)) { return undefined; diff --git a/node_modules/sigstore/dist/verify.js b/node_modules/sigstore/dist/verify.js index 9d21b553ac523..49f63d93abb26 100644 --- a/node_modules/sigstore/dist/verify.js +++ b/node_modules/sigstore/dist/verify.js 
@@ -41,7 +41,9 @@ class Verifier {
 if (sigstore.isBundleWithCertificateChain(bundle)) {
 this.verifySigningCertificate(bundle, options);
 }
- this.verifyTLogEntries(bundle, options);
+ if (options.tlogOptions.disable === false) {
+ this.verifyTLogEntries(bundle, options);
+ }
 }
 // Performs bundle signature verification. Determines the type of the bundle
 // content and delegates to the appropriate signature verification function.
diff --git a/node_modules/sigstore/dist/x509/verify.js b/node_modules/sigstore/dist/x509/verify.js
index cc34a9ea23abe..b4c7f39912a84 100644
--- a/node_modules/sigstore/dist/x509/verify.js
+++ b/node_modules/sigstore/dist/x509/verify.js
@@ -24,15 +24,15 @@ function verifyCertificateChain(opts) {
 exports.verifyCertificateChain = verifyCertificateChain;
 class CertificateChainVerifier {
 constructor(opts) {
- this.certs = opts.certs;
+ this.untrustedCert = opts.untrustedCert;
 this.trustedCerts = opts.trustedCerts;
- this.localCerts = dedupeCertificates([...opts.trustedCerts, ...opts.certs]);
+ this.localCerts = dedupeCertificates([
+ ...opts.trustedCerts,
+ opts.untrustedCert,
+ ]);
 this.validAt = opts.validAt || new Date();
 }
 verify() {
- if (this.certs.length === 0) {
- throw new error_1.VerificationError('No certificates provided');
- }
 // Construct certificate path from leaf to root
 const certificatePath = this.sort();
 // Perform validation checks on each certificate in the path
@@ -41,7 +41,7 @@ class CertificateChainVerifier {
 return certificatePath;
 }
 sort() {
- const leafCert = this.localCerts[this.localCerts.length - 1];
+ const leafCert = this.untrustedCert;
 // Construct all possible paths from the leaf
 let paths = this.buildPaths(leafCert);
 // Filter for paths which contain a trusted certificate
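Review bot: The new gate `if (options.tlogOptions.disable === false)` fails open: when `disable` is `undefined` rather than an explicit boolean, the strict comparison is false and `verifyTLogEntries` is silently skipped, so a caller that omits the field loses transparency-log verification instead of getting default-on behaviour. Writing it as `if (options.tlogOptions.disable !== true)` skips the check only on an explicit opt-out. Presumably `artifactVerificationOptions` in config.js always populates the flag, but the verifier itself should not depend on that. The same `=== false` pattern exists for `ctlogOptions` in ca/verify/index.js, though that line is pre-existing context rather than part of this change.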
@@ -52,7 +52,9 @@ class CertificateChainVerifier {
 // Find the shortest of possible paths
 const path = paths.reduce((prev, curr) => prev.length < curr.length ? prev : curr);
 // Construct chain from shortest path
- return [leafCert, ...path];
+ // Removes the last certificate in the path, which will be a second copy
+ // of the root certificate given that the root is self-signed.
+ return [leafCert, ...path].slice(0, -1);
 }
 // Recursively build all possible paths from the leaf to the root
 buildPaths(certificate) {
@@ -123,8 +125,8 @@ class CertificateChainVerifier {
 return issuers;
 }
 checkPath(path) {
- if (path.length < 2) {
- throw new error_1.VerificationError('Certificate chain must contain at least two certificates');
+ if (path.length < 1) {
+ throw new error_1.VerificationError('Certificate chain must contain at least one certificate');
 }
 // Check that all certificates are valid at the check date
 const validForDate = path.every((cert) => cert.validForDate(this.validAt));
@@ -143,6 +145,22 @@ class CertificateChainVerifier {
 throw new error_1.VerificationError('Incorrect certificate name chaining');
 }
 }
+ // Check pathlength constraints
+ for (let i = 0; i < path.length; i++) {
+ const cert = path[i];
+ // If the certificate is a CA, check the path length
+ if (cert.extBasicConstraints?.isCA) {
+ const pathLength = cert.extBasicConstraints.pathLenConstraint;
+ // The path length, if set, indicates how many intermediate
+ // certificates (NOT including the leaf) are allowed to follow. The
+ // pathLength constraint of any intermediate CA certificate MUST be
+ // greater than or equal to it's own depth in the chain (with an
+ // adjustment for the leaf certificate)
+ if (pathLength !== undefined && pathLength < i - 1) {
+ throw new error_1.VerificationError('Path length constraint exceeded');
+ }
+ }
+ }
 }
 }
 // Remove duplicate certificates from the array
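Review bot: `sort` now unconditionally drops the last element with `.slice(0, -1)` on the assumption that `buildPaths` always terminates with a duplicated self-signed root; if a trust anchor in the trusted root is ever not self-signed, or `buildPaths` stops at a trusted certificate without repeating it, this discards the anchor itself, and `checkPath` (whose minimum is lowered to one certificate in a later hunk of this file) would not notice. A defensive form drops the tail only when it genuinely repeats the preceding entry, using the same equality `dedupeCertificates` relies on, or raises a `VerificationError` when the expected duplicate is absent. `buildPaths` lies outside this hunk, so the invariant cannot be confirmed from the diff alone.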
diff --git a/node_modules/sigstore/package.json b/node_modules/sigstore/package.json index 2df3467186765..2ca34e2a445ad 100644 --- a/node_modules/sigstore/package.json +++ b/node_modules/sigstore/package.json 
@@ -1,58 +1,40 @@
 {
 "name": "sigstore",
- "version": "1.4.0",
+ "version": "1.5.2",
 "description": "code-signing for npm packages",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
 "scripts": {
- "build": "tsc",
- "test": "jest",
- "test:watch": "jest --watch",
- "test:ci": "jest --maxWorkers=2 --coverage",
- "lint": "eslint --fix --ext .ts src/**",
- "lint:check": "eslint --max-warnings 0 --ext .ts src/**",
- "format": "prettier --write \"src/**/*\"",
- "release": "npm run build && changeset publish",
- "codegen:rekor": "./hack/generate-rekor-types"
+ "build": "tsc --build",
+ "test": "jest"
 },
 "bin": {
 "sigstore": "bin/sigstore.js"
 },
- "repository": {
- "type": "git",
- "url": "git+https://github.com/sigstore/sigstore-js.git"
- },
- "publishConfig": {
- "provenance": true
- },
 "files": [
 "dist",
 "store"
 ],
 "author": "bdehamer@github.com",
 "license": "Apache-2.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/sigstore/sigstore-js.git"
+ },
 "bugs": {
 "url": "https://github.com/sigstore/sigstore-js/issues"
 },
- "homepage": "https://github.com/sigstore/sigstore-js#readme",
+ "homepage": "https://github.com/sigstore/sigstore-js/tree/main/packages/client#readme",
+ "publishConfig": {
+ "provenance": true
+ },
 "devDependencies": {
- "@changesets/cli": "^2.26.0",
 "@total-typescript/shoehorn": "^0.1.0",
- "@tsconfig/node14": "^1.0.3",
 "@tufjs/repo-mock": "^1.1.0",
- "@types/jest": "^29.4.0",
 "@types/make-fetch-happen": "^10.0.0",
- "@types/node": "^18.6.5",
- "@typescript-eslint/eslint-plugin": "^5.26.0",
- "@typescript-eslint/parser": "^5.26.0",
- "eslint": "^8.16.0",
- "eslint-config-prettier": "^8.5.0",
- "eslint-plugin-prettier": "^4.0.0",
- "jest": "^29.4.1",
- "json-schema-to-typescript": "^12.0.0",
+ "@types/node": "^20.0.0",
+ "json-schema-to-typescript": "^13.0.0",
 "nock": "^13.2.4",
- "prettier": "^2.6.2",
- "ts-jest": "^29.0.5",
 "typescript": "^5.0.2"
 },
 "dependencies": {
diff --git a/node_modules/sigstore/store/public-good-instance-root.json b/node_modules/sigstore/store/public-good-instance-root.json
index 38f80f940473a..e95c7e88cdf09 100644
--- a/node_modules/sigstore/store/public-good-instance-root.json
+++ b/node_modules/sigstore/store/public-good-instance-root.json
@@ -1,156 +1 @@ -{ - "signed": { - "_type": "root", - "spec_version": "1.0", - "version": 5, - "expires": "2023-04-18T18:13:43Z", - "keys": { - "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" - } - }, - "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" - } - }, - "45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n" - } - }, - "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" - } - }, - "e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - 
"sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" - } - }, - "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n" - } - }, - "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" - } - } - }, - "roles": { - "root": { - "keyids": [ - "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", - "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", - "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", - "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", - "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de" - ], - "threshold": 3 - }, - "snapshot": { - "keyids": [ - "45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b" - ], - "threshold": 1 - }, - "targets": { - "keyids": [ - "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", - "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", - "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", - "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", - 
"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de" - ], - "threshold": 3 - }, - "timestamp": { - "keyids": [ - "e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a" - ], - "threshold": 1 - } - }, - "consistent_snapshot": true - }, - "signatures": [ - { - "keyid": "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", - "sig": "3045022100fc1c2be509ce50ea917bbad1d9efe9d96c8c2ebea04af2717aa3d9c6fe617a75022012eef282a19f2d8bd4818aa333ef48a06489f49d4d34a20b8fe8fc867bb25a7a" - }, - { - "keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", - "sig": "30450221008a4392ae5057fc00778b651e61fea244766a4ae58db84d9f1d3810720ab0f3b702207c49e59e8031318caf02252ecea1281cecc1e5986c309a9cef61f455ecf7165d" - }, - { - "keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", - "sig": "3046022100da1b8dc5d53aaffbbfac98de3e23ee2d2ad3446a7bed09fac0f88bae19be2587022100b681c046afc3919097dfe794e0d819be891e2e850aade315bec06b0c4dea221b" - }, - { - "keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de", - "sig": "3046022100b534e0030e1b271133ecfbdf3ba9fbf3becb3689abea079a2150afbb63cdb7c70221008c39a718fd9495f249b4ab8788d5b9dc269f0868dbe38b272f48207359d3ded9" - }, - { - "keyid": "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "sig": "3045022100fc1c2be509ce50ea917bbad1d9efe9d96c8c2ebea04af2717aa3d9c6fe617a75022012eef282a19f2d8bd4818aa333ef48a06489f49d4d34a20b8fe8fc867bb25a7a" - }, - { - "keyid": "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "sig": "30450221008a4392ae5057fc00778b651e61fea244766a4ae58db84d9f1d3810720ab0f3b702207c49e59e8031318caf02252ecea1281cecc1e5986c309a9cef61f455ecf7165d" - }, - { - "keyid": "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209", - "sig": "3046022100da1b8dc5d53aaffbbfac98de3e23ee2d2ad3446a7bed09fac0f88bae19be2587022100b681c046afc3919097dfe794e0d819be891e2e850aade315bec06b0c4dea221b" - }, - { - "keyid": 
"75e867ab10e121fdef32094af634707f43ddd79c6bab8ad6c5ab9f03f4ea8c90", - "sig": "3046022100b534e0030e1b271133ecfbdf3ba9fbf3becb3689abea079a2150afbb63cdb7c70221008c39a718fd9495f249b4ab8788d5b9dc269f0868dbe38b272f48207359d3ded9" - } - ] -} \ No newline at end of file +{"signed":{"_type":"root","spec_version":"1.0","version":7,"expires":"2023-10-04T13:08:11Z","keys":{"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n"}},"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n"}},"45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n"}},"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC 
KEY-----\n"}},"e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n"}},"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n"}},"ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC 
KEY-----\n"}}},"roles":{"root":{"keyids":["ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c","25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99","f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f","7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b","2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"],"threshold":3},"snapshot":{"keyids":["45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b"],"threshold":1},"targets":{"keyids":["ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c","25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99","f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f","7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b","2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"],"threshold":3},"timestamp":{"keyids":["e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99","sig":"3046022100c0610c0055ce5c4a52d054d7322e7b514d55baf44423d63aa4daa077cc60fd1f022100a097f2803f090fb66c42ead915a2c46ebe7db53a32bf18f2188275cc936f8bdd"},{"keyid":"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f","sig":"304502203134f0468810299d5493a867c40630b341296b92e59c29821311d353343bb3a4022100e667ae3d304e7e3da0894c7425f6b9ecd917106841280e5cf6f3496ad5f8f68e"},{"keyid":"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b","sig":"3045022037fe5f45426f21eaaf4730d2136f2b1611d6379688f79b9d1e3f61719997135c022100b63b022d7b79d4694b96f416d88aa4d7b1a3bff8a01f4fb51e0f42137c7d2d06"},{"keyid":"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de","sig":"3044022007cc8fcc4940809f2751ad5b535f4c5f53f5b4952f5b5696b09668e743306ac1022006dfcdf94e94c92163eeb1b47796db62cedaa730aa13aa61b573fe23714730f2"}]} 
diff --git a/package-lock.json b/package-lock.json
index 2fde2175fb1ef..692a5871b7678 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11436,9 +11436,9 @@
 }
 },
 "node_modules/sigstore": {
- "version": "1.4.0",
- "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.4.0.tgz",
- "integrity": "sha512-N7TRpSbFjY/TrFDg6yGAQSYBrQ5s6qmPiq4pD6fkv1LoyfMsLG0NwZWG2s5q+uttLHgyVyTa0Rogx2P78rN8kQ==",
+ "version": "1.5.2",
+ "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.5.2.tgz",
+ "integrity": "sha512-X95v6xAAooVpn7PaB94TDmFeSO5SBfCtB1R23fvzr36WTfjtkiiyOeei979nbTjc8nzh6FSLeltQZuODsm1EjQ==",
 "inBundle": true,
 "dependencies": {
 "@sigstore/protobuf-specs": "^0.1.0",