diff --git a/DEPENDENCIES.md b/DEPENDENCIES.md
index a9ee271aac6c3..f42af93817594 100644
--- a/DEPENDENCIES.md
+++ b/DEPENDENCIES.md
@@ -772,6 +772,7 @@ graph LR;
 tuf-js-->make-fetch-happen;
 tuf-js-->tufjs-models["@tufjs/models"];
 tufjs-models-->minimatch;
+ tufjs-models-->tufjs-canonical-json["@tufjs/canonical-json"];
 unique-filename-->unique-slug;
 unique-slug-->imurmurhash;
 validate-npm-package-license-->spdx-correct;
diff --git a/node_modules/.gitignore b/node_modules/.gitignore
index acdf10b731829..ca227a0a25eab 100644
--- a/node_modules/.gitignore
+++ b/node_modules/.gitignore
@@ -37,6 +37,7 @@
 !/@tootallnate/once
 !/@tufjs/
 /@tufjs/*
+!/@tufjs/canonical-json
 !/@tufjs/models
 !/abbrev
 !/abort-controller
diff --git a/node_modules/@tufjs/canonical-json/LICENSE b/node_modules/@tufjs/canonical-json/LICENSE
new file mode 100644
index 0000000000000..420700f5d3765
--- /dev/null
+++ b/node_modules/@tufjs/canonical-json/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 GitHub and the TUF Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/node_modules/@tufjs/canonical-json/lib/index.js b/node_modules/@tufjs/canonical-json/lib/index.js
new file mode 100644
index 0000000000000..d480696de1f6c
--- /dev/null
+++ b/node_modules/@tufjs/canonical-json/lib/index.js
@@ -0,0 +1,64 @@
+const COMMA = ',';
+const COLON = ':';
+const LEFT_SQUARE_BRACKET = '[';
+const RIGHT_SQUARE_BRACKET = ']';
+const LEFT_CURLY_BRACKET = '{';
+const RIGHT_CURLY_BRACKET = '}';
+
+// Recursively encodes the supplied object according to the canonical JSON form
+// as specified at http://wiki.laptop.org/go/Canonical_JSON. It's a restricted
+// dialect of JSON in which keys are lexically sorted, floats are not allowed,
+// and only double quotes and backslashes are escaped.
+function canonicalize(object) {
+ const buffer = [];
+ if (typeof object === 'string') {
+ buffer.push(canonicalizeString(object));
+ } else if (typeof object === 'boolean') {
+ buffer.push(JSON.stringify(object));
+ } else if (Number.isInteger(object)) {
+ buffer.push(JSON.stringify(object));
+ } else if (object === null) {
+ buffer.push(JSON.stringify(object));
+ } else if (Array.isArray(object)) {
+ buffer.push(LEFT_SQUARE_BRACKET);
+ let first = true;
+ object.forEach((element) => {
+ if (!first) {
+ buffer.push(COMMA);
+ }
+ first = false;
+ buffer.push(canonicalize(element));
+ });
+ buffer.push(RIGHT_SQUARE_BRACKET);
+ } else if (typeof object === 'object') {
+ buffer.push(LEFT_CURLY_BRACKET);
+ let first = true;
+ Object.keys(object)
+ .sort()
+ .forEach((property) => {
+ if (!first) {
+ buffer.push(COMMA);
+ }
+ first = false;
+ buffer.push(canonicalizeString(property));
+ buffer.push(COLON);
+ buffer.push(canonicalize(object[property]));
+ });
+ buffer.push(RIGHT_CURLY_BRACKET);
+ } else {
+ throw new TypeError('cannot encode ' + object.toString());
+ }
+
+ return buffer.join('');
+}
+
+// String canonicalization consists of escaping backslash (\) and double
+// quote (") characters and wrapping the resulting string in double quotes.
+function canonicalizeString(string) {
+ const escapedString = string.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+ return '"' + escapedString + '"';
+}
+
+module.exports = {
+ canonicalize,
+};
diff --git a/node_modules/@tufjs/canonical-json/package.json b/node_modules/@tufjs/canonical-json/package.json
new file mode 100644
index 0000000000000..688c9b93c3a4e
--- /dev/null
+++ b/node_modules/@tufjs/canonical-json/package.json
@@ -0,0 +1,39 @@
+{
+ "name": "@tufjs/canonical-json",
+ "version": "1.0.0",
+ "description": "OLPC JSON canonicalization",
+ "main": "lib/index.js",
+ "typings": "lib/index.d.ts",
+ "license": "MIT",
+ "keywords": [
+ "json",
+ "canonical",
+ "canonicalize",
+ "canonicalization",
+ "crypto",
+ "signature",
+ "olpc"
+ ],
+ "author": "bdehamer@github.com",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/theupdateframework/tuf-js.git"
+ },
+ "homepage": "https://github.com/theupdateframework/tuf-js/packages/canonical-json#readme",
+ "bugs": {
+ "url": "https://github.com/theupdateframework/tuf-js/issues"
+ },
+ "files": [
+ "lib/"
+ ],
+ "scripts": {
+ "test": "jest"
+ },
+ "devDependencies": {
+ "@types/node": "^18.14.1",
+ "typescript": "^4.9.5"
+ },
+ "engines": {
+ "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+ }
+}
diff --git a/node_modules/@tufjs/models/dist/metadata.js b/node_modules/@tufjs/models/dist/metadata.js
index 945d3a42a7cfb..9668b6f14fa70 100644
--- a/node_modules/@tufjs/models/dist/metadata.js
+++ b/node_modules/@tufjs/models/dist/metadata.js
@@ -4,6 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Metadata = void 0;
+const canonical_json_1 = require("@tufjs/canonical-json");
 const util_1 = __importDefault(require("util"));
 const base_1 = require("./base");
 const error_1 = require("./error");
@@ -13,7 +14,6 @@ const snapshot_1 = require("./snapshot");
 const targets_1 = require("./targets");
 const timestamp_1 = require("./timestamp");
 const utils_1 = require("./utils");
-const json_1 = require("./utils/json");
 /***
 * A container for signed TUF metadata.
 *
@@ -45,7 +45,7 @@ class Metadata {
 this.unrecognizedFields = unrecognizedFields || {};
 }
 sign(signer, append = true) {
- const bytes = (0, json_1.canonicalize)(this.signed.toJSON());
+ const bytes = Buffer.from((0, canonical_json_1.canonicalize)(this.signed.toJSON()));
 const signature = signer(bytes);
 if (!append) {
 this.signatures = {};
diff --git a/node_modules/@tufjs/models/dist/utils/json.js b/node_modules/@tufjs/models/dist/utils/json.js
deleted file mode 100644
index 30f82ea4c3d84..0000000000000
--- a/node_modules/@tufjs/models/dist/utils/json.js
+++ /dev/null
@@ -1,62 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.canonicalize = void 0;
-const QUOTATION_MARK = Buffer.from('"');
-const COMMA = Buffer.from(',');
-const COLON = Buffer.from(':');
-const LEFT_SQUARE_BRACKET = Buffer.from('[');
-const RIGHT_SQUARE_BRACKET = Buffer.from(']');
-const LEFT_CURLY_BRACKET = Buffer.from('{');
-const RIGHT_CURLY_BRACKET = Buffer.from('}');
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-function canonicalize(object) {
- let buffer = Buffer.from('');
- if (object === null || typeof object !== 'object' || object.toJSON != null) {
- // Primitives or toJSONable objects
- if (typeof object === 'string') {
- buffer = Buffer.concat([
- buffer,
- QUOTATION_MARK,
- Buffer.from(object),
- QUOTATION_MARK,
- ]);
- }
- else {
- buffer = Buffer.concat([buffer, Buffer.from(JSON.stringify(object))]);
- }
- }
- else if (Array.isArray(object)) {
- // Array - maintain element order
- buffer = Buffer.concat([buffer, LEFT_SQUARE_BRACKET]);
- let first = true;
- object.forEach((element) => {
- if (!first) {
- buffer = Buffer.concat([buffer, COMMA]);
- }
- first = false;
- // recursive call
- buffer = Buffer.concat([buffer, canonicalize(element)]);
- });
- buffer = Buffer.concat([buffer, RIGHT_SQUARE_BRACKET]);
- }
- else {
- // Object - Sort properties before serializing
- buffer = Buffer.concat([buffer, LEFT_CURLY_BRACKET]);
- let first = true;
- Object.keys(object)
- .sort()
- .forEach((property) => {
- if (!first) {
- buffer = Buffer.concat([buffer, COMMA]);
- }
- first = false;
- buffer = Buffer.concat([buffer, Buffer.from(JSON.stringify(property))]);
- buffer = Buffer.concat([buffer, COLON]);
- // recursive call
- buffer = Buffer.concat([buffer, canonicalize(object[property])]);
- });
- buffer = Buffer.concat([buffer, RIGHT_CURLY_BRACKET]);
- }
- return buffer;
-}
-exports.canonicalize = canonicalize;
diff --git a/node_modules/@tufjs/models/dist/utils/verify.js b/node_modules/@tufjs/models/dist/utils/verify.js
index d3b2e7515d7f9..8232b6f6a97ab 100644
--- a/node_modules/@tufjs/models/dist/utils/verify.js
+++ b/node_modules/@tufjs/models/dist/utils/verify.js
@@ -4,10 +4,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifySignature = void 0;
+const canonical_json_1 = require("@tufjs/canonical-json");
 const crypto_1 = __importDefault(require("crypto"));
-const json_1 = require("./json");
 const verifySignature = (metaDataSignedData, key, signature) => {
- const canonicalData = (0, json_1.canonicalize)(metaDataSignedData) || '';
+ const canonicalData = Buffer.from((0, canonical_json_1.canonicalize)(metaDataSignedData));
 return crypto_1.default.verify(undefined, canonicalData, key, Buffer.from(signature, 'hex'));
 };
 exports.verifySignature = verifySignature;
diff --git a/node_modules/@tufjs/models/package.json b/node_modules/@tufjs/models/package.json
index d8b2a189a1425..eb3f132d217ae 100644
--- a/node_modules/@tufjs/models/package.json
+++ b/node_modules/@tufjs/models/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@tufjs/models",
- "version": "1.0.1",
+ "version": "1.0.3",
 "description": "TUF metadata models",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -29,11 +29,12 @@
 "homepage": "https://github.com/theupdateframework/tuf-js/tree/main/packages/models#readme",
 "devDependencies": {
 "@types/minimatch": "^5.1.2",
- "@types/node": "^18.15.3",
- "typescript": "^4.9.5"
+ "@types/node": "^18.15.11",
+ "typescript": "^5.0.4"
 },
 "dependencies": {
- "minimatch": "^7.4.2"
+ "minimatch": "^7.4.6",
+ "@tufjs/canonical-json": "1.0.0"
 },
 "engines": {
 "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
diff --git a/node_modules/sigstore/dist/ca/index.js b/node_modules/sigstore/dist/ca/index.js
index 6c6e267011e2c..0345b31720148 100644
--- a/node_modules/sigstore/dist/ca/index.js
+++ b/node_modules/sigstore/dist/ca/index.js
@@ -1,12 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CAClient = void 0;
-const client_1 = require("../client");
 const error_1 = require("../error");
+const external_1 = require("../external");
 const format_1 = require("./format");
 class CAClient {
 constructor(options) {
- this.fulcio = new client_1.Fulcio({ baseURL: options.fulcioBaseURL });
+ this.fulcio = new external_1.Fulcio({ baseURL: options.fulcioBaseURL });
 }
 async createSigningCertificate(identityToken, publicKey, challenge) {
 const request = (0, format_1.toCertificateRequest)(identityToken, publicKey, challenge);
diff --git a/node_modules/sigstore/dist/ca/verify/signer.js b/node_modules/sigstore/dist/ca/verify/signer.js
index 2c49f0bcd683f..51d722d7631ee 100644
--- a/node_modules/sigstore/dist/ca/verify/signer.js
+++ b/node_modules/sigstore/dist/ca/verify/signer.js
@@ -126,6 +126,18 @@ function verifyOIDs(cert, oids) {
 }
 const oid = expectedExtension.oid.id.join('.');
 const extension = cert.extension(oid);
- return extension?.value.equals(expectedExtension.value);
+ // If the extension is not present, or there is no value, return false
+ const valueObj = extension?.valueObj;
+ if (!valueObj) {
+ return false;
+ }
+ // Check to see if this is a newer style extension with an embedded
+ // UTF8String, or an older style extension with a raw string
+ if (valueObj.subs.length > 0) {
+ return valueObj.subs[0].value.equals(expectedExtension.value);
+ }
+ else {
+ return valueObj.value.equals(expectedExtension.value);
+ }
 });
 }
diff --git a/node_modules/sigstore/dist/config.js b/node_modules/sigstore/dist/config.js
new file mode 100644
index 0000000000000..7e6e42d9bf369
--- /dev/null
+++ b/node_modules/sigstore/dist/config.js
@@ -0,0 +1,145 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ var desc = Object.getOwnPropertyDescriptor(m, k);
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+ desc = { enumerable: true, get: function() { return m[k]; } };
+ }
+ Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+ o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+ __setModuleDefault(result, mod);
+ return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+ return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.identityProviders = exports.artifactVerificationOptions = exports.createTLogClient = exports.createCAClient = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const ca_1 = require("./ca");
+const identity_1 = __importDefault(require("./identity"));
+const tlog_1 = require("./tlog");
+const sigstore = __importStar(require("./types/sigstore"));
+exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';
+exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev';
+function createCAClient(options) {
+ return new ca_1.CAClient({
+ fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL,
+ });
+}
+exports.createCAClient = createCAClient;
+function createTLogClient(options) {
+ return new tlog_1.TLogClient({
+ rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL,
+ });
+}
+exports.createTLogClient = createTLogClient;
+// Assembles the AtifactVerificationOptions from the supplied VerifyOptions.
+function artifactVerificationOptions(options) {
+ // The trusted signers are only used if the options contain a certificate
+ // issuer
+ let signers;
+ if (options.certificateIssuer) {
+ let san = undefined;
+ if (options.certificateIdentityEmail) {
+ san = {
+ type: sigstore.SubjectAlternativeNameType.EMAIL,
+ identity: {
+ $case: 'value',
+ value: options.certificateIdentityEmail,
+ },
+ };
+ }
+ else if (options.certificateIdentityURI) {
+ san = {
+ type: sigstore.SubjectAlternativeNameType.URI,
+ identity: {
+ $case: 'value',
+ value: options.certificateIdentityURI,
+ },
+ };
+ }
+ const oids = Object.entries(options.certificateOIDs || {}).map(([oid, value]) => ({
+ oid: { id: oid.split('.').map((s) => parseInt(s, 10)) },
+ value: Buffer.from(value),
+ }));
+ signers = {
+ $case: 'certificateIdentities',
+ certificateIdentities: {
+ identities: [
+ {
+ issuer: options.certificateIssuer,
+ san: san,
+ oids: oids,
+ },
+ ],
+ },
+ };
+ }
+ // Construct the artifact verification options w/ defaults
+ return {
+ ctlogOptions: {
+ disable: false,
+ threshold: options.ctLogThreshold || 1,
+ detachedSct: false,
+ },
+ tlogOptions: {
+ disable: false,
+ threshold: options.tlogThreshold || 1,
+ performOnlineVerification: false,
+ },
+ signers,
+ };
+}
+exports.artifactVerificationOptions = artifactVerificationOptions;
+// Translates the IdenityProviderOptions into a list of Providers which
+// should be queried to retrieve an identity token.
+function identityProviders(options) {
+ const idps = [];
+ const token = options.identityToken;
+ // If an explicit identity token is provided, use that. Setup a dummy
+ // provider that just returns the token. Otherwise, setup the CI context
+ // provider and (optionally) the OAuth provider.
+ if (token) {
+ idps.push({ getToken: () => Promise.resolve(token) });
+ }
+ else {
+ idps.push(identity_1.default.ciContextProvider());
+ if (options.oidcIssuer && options.oidcClientID) {
+ idps.push(identity_1.default.oauthProvider({
+ issuer: options.oidcIssuer,
+ clientID: options.oidcClientID,
+ clientSecret: options.oidcClientSecret,
+ redirectURL: options.oidcRedirectURL,
+ }));
+ }
+ }
+ return idps;
+}
+exports.identityProviders = identityProviders;
diff --git a/node_modules/sigstore/dist/client/error.js b/node_modules/sigstore/dist/external/error.js
similarity index 100%
rename from node_modules/sigstore/dist/client/error.js
rename to node_modules/sigstore/dist/external/error.js
diff --git a/node_modules/sigstore/dist/client/fulcio.js b/node_modules/sigstore/dist/external/fulcio.js
similarity index 100%
rename from node_modules/sigstore/dist/client/fulcio.js
rename to node_modules/sigstore/dist/external/fulcio.js
diff --git a/node_modules/sigstore/dist/client/index.js b/node_modules/sigstore/dist/external/index.js
similarity index 81%
rename from node_modules/sigstore/dist/client/index.js
rename to node_modules/sigstore/dist/external/index.js
index c6d1d9ad36a54..da5f084001279 100644
--- a/node_modules/sigstore/dist/client/index.js
+++ b/node_modules/sigstore/dist/external/index.js
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Rekor = exports.Fulcio = void 0;
+exports.Rekor = exports.Fulcio = exports.HTTPError = void 0;
 /*
 Copyright 2022 The Sigstore Authors.
 
@@ -16,6 +16,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+var error_1 = require("./error");
+Object.defineProperty(exports, "HTTPError", { enumerable: true, get: function () { return error_1.HTTPError; } });
 var fulcio_1 = require("./fulcio");
 Object.defineProperty(exports, "Fulcio", { enumerable: true, get: function () { return fulcio_1.Fulcio; } });
 var rekor_1 = require("./rekor");
diff --git a/node_modules/sigstore/dist/client/rekor.js b/node_modules/sigstore/dist/external/rekor.js
similarity index 100%
rename from node_modules/sigstore/dist/client/rekor.js
rename to node_modules/sigstore/dist/external/rekor.js
diff --git a/node_modules/sigstore/dist/identity/ci.js b/node_modules/sigstore/dist/identity/ci.js
index fecf63f4ec991..0f01e1baaec57 100644
--- a/node_modules/sigstore/dist/identity/ci.js
+++ b/node_modules/sigstore/dist/identity/ci.js
@@ -22,7 +22,7 @@ limitations under the License.
 const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
 const util_1 = require("../util");
 // Collection of all the CI-specific providers we have implemented
-const providers = [getGHAToken];
+const providers = [getGHAToken, getEnv];
 /**
 * CIContextProvider is a composite identity provider which will iterate
 * over all of the CI-specific providers and return the token from the first
@@ -63,3 +63,13 @@ async function getGHAToken(audience) {
 });
 return response.json().then((data) => data.value);
 }
+/**
+ * getEnv can retrieve an OIDC token from an environment variable.
+ * This matches the behavior of https://github.com/sigstore/cosign/tree/main/pkg/providers/envvar
+ */
+async function getEnv() {
+ if (!process.env.SIGSTORE_ID_TOKEN) {
+ return Promise.reject('no token available');
+ }
+ return process.env.SIGSTORE_ID_TOKEN;
+}
diff --git a/node_modules/sigstore/dist/sigstore-utils.js b/node_modules/sigstore/dist/sigstore-utils.js
index f11cf8c13cc45..79918a806b17d 100644
--- a/node_modules/sigstore/dist/sigstore-utils.js
+++ b/node_modules/sigstore/dist/sigstore-utils.js
@@ -1,4 +1,27 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ var desc = Object.getOwnPropertyDescriptor(m, k);
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+ desc = { enumerable: true, get: function() { return m[k]; } };
+ }
+ Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+ o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+ __setModuleDefault(result, mod);
+ return result;
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createRekorEntry = exports.createDSSEEnvelope = void 0;
 /*
@@ -16,16 +39,10 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-const sigstore_1 = require("./sigstore");
-const tlog_1 = require("./tlog");
+const config_1 = require("./config");
 const signature_1 = require("./types/signature");
-const sigstore_2 = require("./types/sigstore");
+const sigstore = __importStar(require("./types/sigstore"));
 const util_1 = require("./util");
-function createTLogClient(options) {
- return new tlog_1.TLogClient({
- rekorBaseURL: options.rekorURL || sigstore_1.DEFAULT_REKOR_URL,
- });
-}
 async function createDSSEEnvelope(payload, payloadType, options) {
 // Pre-authentication encoding to be signed
 const paeBuffer = util_1.dsse.preAuthEncoding(payloadType, payload);
@@ -41,18 +58,18 @@ async function createDSSEEnvelope(payload, payloadType, options) {
 },
 ],
 };
- return (0, sigstore_2.envelopeToJSON)(envelope);
+ return sigstore.Envelope.toJSON(envelope);
 }
 exports.createDSSEEnvelope = createDSSEEnvelope;
 // Accepts a signed DSSE envelope and a PEM-encoded public key to be added to the
 // transparency log. Returns a Sigstore bundle suitable for offline verification.
 async function createRekorEntry(dsseEnvelope, publicKey, options = {}) {
- const envelope = (0, sigstore_2.envelopeFromJSON)(dsseEnvelope);
- const tlog = createTLogClient(options);
+ const envelope = sigstore.Envelope.fromJSON(dsseEnvelope);
+ const tlog = (0, config_1.createTLogClient)(options);
 const sigMaterial = (0, signature_1.extractSignatureMaterial)(envelope, publicKey);
 const bundle = await tlog.createDSSEEntry(envelope, sigMaterial, {
 fetchOnConflict: true,
 });
- return (0, sigstore_2.bundleToJSON)(bundle);
+ return sigstore.Bundle.toJSON(bundle);
 }
 exports.createRekorEntry = createRekorEntry;
diff --git a/node_modules/sigstore/dist/sigstore.js b/node_modules/sigstore/dist/sigstore.js
index cf8c90c309148..e465f412e6374 100644
--- a/node_modules/sigstore/dist/sigstore.js
+++ b/node_modules/sigstore/dist/sigstore.js
@@ -22,11 +22,8 @@ var __importStar = (this && this.__importStar) || function (mod) {
 __setModuleDefault(result, mod);
 return result;
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
- return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.verify = exports.attest = exports.sign = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.utils = void 0;
+exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.verify = exports.attest = exports.sign = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -42,32 +39,15 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-const ca_1 = require("./ca");
-const identity_1 = __importDefault(require("./identity"));
+const config = __importStar(require("./config"));
 const sign_1 = require("./sign");
-const tlog_1 = require("./tlog");
 const tuf = __importStar(require("./tuf"));
 const sigstore = __importStar(require("./types/sigstore"));
-const util_1 = require("./util");
 const verify_1 = require("./verify");
-exports.utils = __importStar(require("./sigstore-utils"));
-exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';
-exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev';
-function createCAClient(options) {
- return new ca_1.CAClient({
- fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL,
- });
-}
-function createTLogClient(options) {
- return new tlog_1.TLogClient({
- rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL,
- });
-}
-const tufCacheDir = util_1.appdata.appDataPath('sigstore-js');
 async function sign(payload, options = {}) {
- const ca = createCAClient(options);
- const tlog = createTLogClient(options);
- const idps = configureIdentityProviders(options);
+ const ca = config.createCAClient(options);
+ const tlog = config.createTLogClient(options);
+ const idps = config.identityProviders(options);
 const signer = new sign_1.Signer({
 ca,
 tlog,
@@ -78,9 +58,9 @@ async function sign(payload, options = {}) {
 }
 exports.sign = sign;
 async function attest(payload, payloadType, options = {}) {
- const ca = createCAClient(options);
- const tlog = createTLogClient(options);
- const idps = configureIdentityProviders(options);
+ const ca = config.createCAClient(options);
+ const tlog = config.createTLogClient(options);
+ const idps = config.identityProviders(options);
 const signer = new sign_1.Signer({
 ca,
 tlog,
@@ -91,94 +71,27 @@ async function attest(payload, payloadType, options = {}) {
 }
 exports.attest = attest;
 async function verify(bundle, payload, options = {}) {
- const trustedRoot = await tuf.getTrustedRoot(tufCacheDir, {
+ const trustedRoot = await tuf.getTrustedRoot({
 mirrorURL: options.tufMirrorURL,
 rootPath: options.tufRootPath,
+ cachePath: options.tufCachePath,
 });
 const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
 const deserializedBundle = sigstore.bundleFromJSON(bundle);
- const opts = collectArtifactVerificationOptions(options);
+ const opts = config.artifactVerificationOptions(options);
 return verifier.verify(deserializedBundle, opts, payload);
 }
 exports.verify = verify;
-// Translates the IdenityProviderOptions into a list of Providers which
-// should be queried to retrieve an identity token.
-function configureIdentityProviders(options) {
- const idps = [];
- const token = options.identityToken;
- // If an explicit identity token is provided, use that. Setup a dummy
- // provider that just returns the token. Otherwise, setup the CI context
- // provider and (optionally) the OAuth provider.
- if (token) {
- idps.push({ getToken: () => Promise.resolve(token) });
- }
- else {
- idps.push(identity_1.default.ciContextProvider());
- if (options.oidcIssuer && options.oidcClientID) {
- idps.push(identity_1.default.oauthProvider({
- issuer: options.oidcIssuer,
- clientID: options.oidcClientID,
- clientSecret: options.oidcClientSecret,
- redirectURL: options.oidcRedirectURL,
- }));
- }
- }
- return idps;
-}
-// Assembles the AtifactVerificationOptions from the supplied VerifyOptions.
-function collectArtifactVerificationOptions(options) {
- // The trusted signers are only used if the options contain a certificate
- // issuer
- let signers;
- if (options.certificateIssuer) {
- let san = undefined;
- if (options.certificateIdentityEmail) {
- san = {
- type: sigstore.SubjectAlternativeNameType.EMAIL,
- identity: {
- $case: 'value',
- value: options.certificateIdentityEmail,
- },
- };
- }
- else if (options.certificateIdentityURI) {
- san = {
- type: sigstore.SubjectAlternativeNameType.URI,
- identity: {
- $case: 'value',
- value: options.certificateIdentityURI,
- },
- };
- }
- const oids = Object.entries(options.certificateOIDs || {}).map(([oid, value]) => ({
- oid: { id: oid.split('.').map((s) => parseInt(s, 10)) },
- value: Buffer.from(value),
- }));
- signers = {
- $case: 'certificateIdentities',
- certificateIdentities: {
- identities: [
- {
- issuer: options.certificateIssuer,
- san: san,
- oids: oids,
- },
- ],
- },
- };
- }
- // Construct the artifact verification options w/ defaults
- return {
- ctlogOptions: {
- disable: false,
- threshold: options.ctLogThreshold || 1,
- detachedSct: false,
- },
- tlogOptions: {
- disable: false,
- threshold: options.tlogThreshold || 1,
- performOnlineVerification: false,
- },
- signers,
- };
-}
+const tufUtils = {
+ getTarget: (path, options = {}) => {
+ return tuf.getTarget(path, {
+ mirrorURL: options.tufMirrorURL,
+ rootPath: options.tufRootPath,
+ cachePath: options.tufCachePath,
+ });
+ },
+};
+exports.tuf = tufUtils;
+exports.utils = __importStar(require("./sigstore-utils"));
+exports.DEFAULT_FULCIO_URL = config.DEFAULT_FULCIO_URL;
+exports.DEFAULT_REKOR_URL = config.DEFAULT_REKOR_URL;
diff --git a/node_modules/sigstore/dist/tlog/index.js b/node_modules/sigstore/dist/tlog/index.js
index c2734808fd1d9..062b3b155702b 100644
--- a/node_modules/sigstore/dist/tlog/index.js
+++ b/node_modules/sigstore/dist/tlog/index.js
@@ -16,14 +16,13 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-const client_1 = require("../client");
-const error_1 = require("../client/error");
-const error_2 = require("../error");
+const error_1 = require("../error");
+const external_1 = require("../external");
 const sigstore_1 = require("../types/sigstore");
 const format_1 = require("./format");
 class TLogClient {
 constructor(options) {
- this.rekor = new client_1.Rekor({ baseURL: options.rekorBaseURL });
+ this.rekor = new external_1.Rekor({ baseURL: options.rekorBaseURL });
 }
 async createMessageSignatureEntry(digest, sigMaterial, options = {}) {
 const proposedEntry = (0, format_1.toProposedHashedRekordEntry)(digest, sigMaterial);
@@ -49,11 +48,11 @@ class TLogClient {
 entry = await this.rekor.getEntry(uuid);
 }
 catch (err) {
- throw new error_2.InternalError('error fetching tlog entry', err);
+ throw new error_1.InternalError('error fetching tlog entry', err);
 }
 }
 else {
- throw new error_2.InternalError('error creating tlog entry', err);
+ throw new error_1.InternalError('error creating tlog entry', err);
 }
 }
 return entry;
@@ -61,7 +60,7 @@ class TLogClient {
 }
 exports.TLogClient = TLogClient;
 function entryExistsError(value) {
- return (value instanceof error_1.HTTPError &&
+ return (value instanceof external_1.HTTPError &&
 value.statusCode === 409 &&
 value.location !== undefined);
 }
diff --git a/node_modules/sigstore/dist/tuf/index.js b/node_modules/sigstore/dist/tuf/index.js
index 824bce9105ed8..89923d63fa657 100644
--- a/node_modules/sigstore/dist/tuf/index.js
+++ b/node_modules/sigstore/dist/tuf/index.js
@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getTrustedRoot = void 0;
+exports.getTarget = exports.getTrustedRoot = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -46,20 +46,27 @@ const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const tuf_js_1 = require("tuf-js");
 const sigstore = __importStar(require("../types/sigstore"));
+const util_1 = require("../util");
 const target_1 = require("./target");
 const TRUSTED_ROOT_TARGET = 'trusted_root.json';
-const DEFAULT_MIRROR_URL = 'https://sigstore-tuf-root.storage.googleapis.com';
+const DEFAULT_CACHE_DIR = util_1.appdata.appDataPath('sigstore-js');
+const DEFAULT_MIRROR_URL = 'https://tuf-repo-cdn.sigstore.dev';
 const DEFAULT_TUF_ROOT_PATH = '../../store/public-good-instance-root.json';
-async function getTrustedRoot(cachePath, options = {}) {
+async function getTrustedRoot(options = {}) {
+const trustedRoot = await getTarget(TRUSTED_ROOT_TARGET, options);
+return sigstore.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
+}
+exports.getTrustedRoot = getTrustedRoot;
+async function getTarget(targetName, options = {}) {
+const cachePath = options.cachePath || DEFAULT_CACHE_DIR;
 const tufRootPath = options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH);
 const mirrorURL = options.mirrorURL || DEFAULT_MIRROR_URL;
 initTufCache(cachePath, tufRootPath);
 const remote = initRemoteConfig(cachePath, mirrorURL);
 const repoClient = initClient(cachePath, remote);
-const trustedRoot = await (0, target_1.getTarget)(repoClient, TRUSTED_ROOT_TARGET);
-return sigstore.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
+return (0, target_1.readTarget)(repoClient, targetName);
 }
-exports.getTrustedRoot = getTrustedRoot;
+exports.getTarget = getTarget;
 // Initializes the TUF cache directory structure including the initial
 // root.json file. If the cache directory does not exist, it will be
 // created. If the targets directory does not exist, it will be created.
diff --git a/node_modules/sigstore/dist/tuf/target.js b/node_modules/sigstore/dist/tuf/target.js
index ac708cdbcf1ce..d3625abe59d72 100644
--- a/node_modules/sigstore/dist/tuf/target.js
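Review bot: The newly exported `getTarget` and the re-signatured `getTrustedRoot` carry no comment, while `initTufCache` directly below documents itself; since `getTarget` now lets any caller pull an arbitrary target name through the TUF client, a header such as `// Fetches the named target through the TUF client (initializing the local cache under options.cachePath, or the per-user app-data directory, when needed) and returns its contents as a string.` would state the contract. The `cachePath`, `rootPath` and `mirrorURL` defaults use `||`, so an explicit empty string silently falls back to the built-in value; `??` would only substitute for null/undefined, which is presumably what callers expect. `DEFAULT_CACHE_DIR` is computed once at module load from `util_1.appdata.appDataPath('sigstore-js')`, so its value is fixed before any caller can influence it — worth confirming that is intended.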
+++ b/node_modules/sigstore/dist/tuf/target.js @@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.getTarget = void 0; +exports.readTarget = void 0; /* Copyright 2023 The Sigstore Authors. @@ -21,19 +21,24 @@ limitations under the License. */ const fs_1 = __importDefault(require("fs")); const error_1 = require("../error"); +// Downloads and returns the specified target from the provided TUF Updater. +async function readTarget(tuf, targetPath) { + const path = await getTargetPath(tuf, targetPath); + return new Promise((resolve, reject) => { + fs_1.default.readFile(path, 'utf-8', (err, data) => { + if (err) { + reject(new error_1.InternalError(`error reading target: ${err}`)); + } + else { + resolve(data); + } + }); + }); +} +exports.readTarget = readTarget; // Returns the local path to the specified target. If the target is not yet // cached locally, the provided TUF Updater will be used to download and // cache the target. -async function getTarget(tuf, targetPath) { - const path = await getTargetPath(tuf, targetPath); - try { - return fs_1.default.readFileSync(path, 'utf-8'); - } - catch (err) { - throw new error_1.InternalError(`error reading trusted root: ${err}`); - } -} -exports.getTarget = getTarget; async function getTargetPath(tuf, target) { let targetInfo; try { diff --git a/node_modules/sigstore/dist/types/sigstore/index.js b/node_modules/sigstore/dist/types/sigstore/index.js index 55df7e744de19..9fcdb42bdcf34 100644 --- a/node_modules/sigstore/dist/types/sigstore/index.js +++ b/node_modules/sigstore/dist/types/sigstore/index.js 
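Review bot: The new `readTarget` discards the underlying error: `${err}` stringifies it into the message and nothing is passed on as a cause, whereas the tlog code touched by this same commit calls `new error_1.InternalError('error fetching tlog entry', err)` with the original error as a second argument from the same `../error` module; `reject(new error_1.InternalError('error reading target', err));` would keep the two consistent and appears to preserve the original for callers. The hand-built `new Promise` around `fs_1.default.readFile` could also be `fs_1.default.promises.readFile(path, 'utf-8')` inside a try/catch, which removes the callback plumbing entirely. The comment placed on `readTarget` ("Downloads and returns the specified target") now sits above a function that only reads the cached file; the download happens inside `getTargetPath`, whose body continues past the end of the hunk.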
@@ -14,7 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) { for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p); }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.signingCertificate = exports.bundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.envelopeFromJSON = exports.envelopeToJSON = exports.bundleFromJSON = exports.bundleToJSON = void 0; +exports.signingCertificate = exports.bundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.bundleFromJSON = void 0; /* Copyright 2023 The Sigstore Authors. @@ -37,7 +37,6 @@ const validate_1 = require("./validate"); __exportStar(require("@sigstore/protobuf-specs"), exports); __exportStar(require("./serialized"), exports); __exportStar(require("./validate"), exports); -exports.bundleToJSON = protobuf_specs_1.Bundle.toJSON; // eslint-disable-next-line @typescript-eslint/no-explicit-any const bundleFromJSON = (obj) => { const bundle = protobuf_specs_1.Bundle.fromJSON(obj); @@ -45,8 +44,6 @@ const bundleFromJSON = (obj) => { return bundle; }; exports.bundleFromJSON = bundleFromJSON; -exports.envelopeToJSON = protobuf_specs_1.Envelope.toJSON; -exports.envelopeFromJSON = protobuf_specs_1.Envelope.fromJSON; const BUNDLE_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1'; // Type guard for narrowing a Bundle to a BundleWithVerificationMaterial function isBundleWithVerificationMaterial(bundle) { diff --git a/node_modules/sigstore/dist/x509/ext.js b/node_modules/sigstore/dist/x509/ext.js index caed59247ea4b..c1743dce5556d 100644 --- a/node_modules/sigstore/dist/x509/ext.js +++ b/node_modules/sigstore/dist/x509/ext.js 
@@ -34,6 +34,9 @@ class x509Extension {
 get value() {
 return this.extnValueObj.value;
 }
+get valueObj() {
+return this.extnValueObj;
+}
 get extnValueObj() {
 // The extnValue field will be the last element of the extension sequence
 return this.root.subs[this.root.subs.length - 1];
diff --git a/node_modules/sigstore/package.json b/node_modules/sigstore/package.json
index 0ef3fe90f467e..8213554784230 100644
--- a/node_modules/sigstore/package.json
+++ b/node_modules/sigstore/package.json
@@ -1,6 +1,6 @@
 {
 "name": "sigstore",
-"version": "1.2.0",
+"version": "1.3.0",
 "description": "code-signing for npm packages",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -38,6 +38,7 @@
 "devDependencies": {
 "@changesets/cli": "^2.26.0",
 "@tsconfig/node14": "^1.0.3",
+"@tufjs/repo-mock": "^1.1.0",
 "@types/jest": "^29.4.0",
 "@types/make-fetch-happen": "^10.0.0",
 "@types/node": "^18.6.5",
@@ -56,7 +57,7 @@
 "dependencies": {
 "@sigstore/protobuf-specs": "^0.1.0",
 "make-fetch-happen": "^11.0.1",
-"tuf-js": "^1.0.0"
+"tuf-js": "^1.1.3"
 },
 "engines": {
 "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
diff --git a/node_modules/tuf-js/dist/updater.js b/node_modules/tuf-js/dist/updater.js
index 7f8b6bedeedd3..68243e554facb 100644
--- a/node_modules/tuf-js/dist/updater.js
+++ b/node_modules/tuf-js/dist/updater.js
@@ -31,6 +31,7 @@ const config_1 = require("./config");
 const error_1 = require("./error");
 const fetcher_1 = require("./fetcher");
 const store_1 = require("./store");
+const url = __importStar(require("./utils/url"));
 class Updater {
 constructor(options) {
 const { metadataDir, metadataBaseUrl, targetDir, targetBaseUrl, fetcher, config, } = options;
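Review bot: `valueObj` is added without a comment, although the neighbouring `extnValueObj` getter explains what it returns and the two accessors return the same object; a one-liner such as `// Alias for extnValueObj: exposes the parsed extnValue object itself (not just its .value), presumably so callers can decode it further` would record why the second accessor exists. Whether callers are expected to treat the returned object as read-only is not visible here; if they are, the comment should say so, since handing out the internal object lets a caller mutate the extension in place.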
@@ -75,12 +76,13 @@ class Updater {
 const consistentSnapshot = this.trustedSet.root.signed.consistentSnapshot;
 if (consistentSnapshot && this.config.prefixTargetsWithHash) {
 const hashes = Object.values(targetInfo.hashes);
-const basename = path.basename(targetFilePath);
-targetFilePath = `${hashes[0]}.${basename}`;
+const { dir, base } = path.parse(targetFilePath);
+const filename = `${hashes[0]}.${base}`;
+targetFilePath = dir ? `${dir}/$(unknown)` : filename;
 }
-const url = path.join(targetBaseUrl, targetFilePath);
+const targetUrl = url.join(targetBaseUrl, targetFilePath);
 // Client workflow 5.7.3: download target file
-await this.fetcher.downloadFile(url, targetInfo.length, async (fileName) => {
+await this.fetcher.downloadFile(targetUrl, targetInfo.length, async (fileName) => {
 // Verify hashes and length of downloaded file
 await targetInfo.verify(fs.createReadStream(fileName));
 // Copy file to target path
@@ -116,10 +118,10 @@ class Updater {
 const lowerBound = rootVersion + 1;
 const upperBound = lowerBound + this.config.maxRootRotations;
 for (let version = lowerBound; version <= upperBound; version++) {
-const url = path.join(this.metadataBaseUrl, `${version}.root.json`);
+const rootUrl = url.join(this.metadataBaseUrl, `${version}.root.json`);
 try {
 // Client workflow 5.3.3: download new root metadata file
-const bytesData = await this.fetcher.downloadBytes(url, this.config.rootMaxLength);
+const bytesData = await this.fetcher.downloadBytes(rootUrl, this.config.rootMaxLength);
 // Client workflow 5.3.4 - 5.4.7
 this.trustedSet.updateRoot(bytesData);
 // Client workflow 5.3.8: persist root metadata file
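Review bot: The rewritten prefix line reads `targetFilePath = dir ? `${dir}/$(unknown)` : filename;` in this rendering; `$(unknown)` is not a template placeholder and would yield a literal `$(unknown)` path segment, so it looks like an extraction artifact standing in for `${filename}` — worth checking this copy against the published tuf-js 1.1.4 file before relying on it. The `url.join` helper from `./utils/url` replaces `path.join` for URLs here and in the root, timestamp, snapshot and delegated-targets hunks that follow, which matters because `path.join` collapses the `//` after the scheme and uses the platform separator; the helper's body is not part of this diff, so how it treats a `targetBaseUrl` with or without a trailing slash, or `..` segments inside `dir`, cannot be reviewed here. A short comment on the `path.parse` line, e.g. `// Keep the directory part: with consistent snapshots only the basename is hash-prefixed`, would explain why the earlier `path.basename`-only approach dropped nested targets. The enclosing method starts before this hunk.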
@@ -142,9 +144,9 @@ class Updater {
 // continue
 }
 //Load from remote (whether local load succeeded or not)
-const url = path.join(this.metadataBaseUrl, `timestamp.json`);
+const timestampUrl = url.join(this.metadataBaseUrl, 'timestamp.json');
 // Client workflow 5.4.1: download timestamp metadata file
-const bytesData = await this.fetcher.downloadBytes(url, this.config.timestampMaxLength);
+const bytesData = await this.fetcher.downloadBytes(timestampUrl, this.config.timestampMaxLength);
 try {
 // Client workflow 5.4.2 - 5.4.4
 this.trustedSet.updateTimestamp(bytesData);
@@ -178,10 +180,10 @@ class Updater {
 const version = this.trustedSet.root.signed.consistentSnapshot
 ? snapshotMeta.version
 : undefined;
-const url = path.join(this.metadataBaseUrl, version ? `${version}.snapshot.json` : `snapshot.json`);
+const snapshotUrl = url.join(this.metadataBaseUrl, version ? `${version}.snapshot.json` : 'snapshot.json');
 try {
 // Client workflow 5.5.1: download snapshot metadata file
-const bytesData = await this.fetcher.downloadBytes(url, maxLength);
+const bytesData = await this.fetcher.downloadBytes(snapshotUrl, maxLength);
 // Client workflow 5.5.2 - 5.5.6
 this.trustedSet.updateSnapshot(bytesData);
 // Client workflow 5.5.7: persist snapshot metadata file
@@ -213,10 +215,10 @@ class Updater {
 const version = this.trustedSet.root.signed.consistentSnapshot
 ? metaInfo.version
 : undefined;
-const url = path.join(this.metadataBaseUrl, version ? `${version}.${role}.json` : `${role}.json`);
+const metadataUrl = url.join(this.metadataBaseUrl, version ? `${version}.${role}.json` : `${role}.json`);
 try {
 // Client workflow 5.6.1: download targets metadata file
-const bytesData = await this.fetcher.downloadBytes(url, maxLength);
+const bytesData = await this.fetcher.downloadBytes(metadataUrl, maxLength);
 // Client workflow 5.6.2 - 5.6.6
 this.trustedSet.updateDelegatedTargets(bytesData, role, parentRole);
 // Client workflow 5.6.7: persist targets metadata file
@@ -291,7 +293,9 @@ class Updater {
 if (!this.targetDir) {
 throw new error_1.ValueError('Target directory not set');
 }
-return path.join(this.targetDir, targetInfo.path);
+// URL encode target path
+const filePath = encodeURIComponent(targetInfo.path);
+return path.join(this.targetDir, filePath);
 }
 async persistMetadata(metaDataName, bytesData) {
 try {
diff --git a/node_modules/tuf-js/package.json b/node_modules/tuf-js/package.json
index 4396e202369b8..84814cf0a2775 100644
--- a/node_modules/tuf-js/package.json
+++ b/node_modules/tuf-js/package.json
@@ -1,6 +1,6 @@
 {
 "name": "tuf-js",
-"version": "1.1.2",
+"version": "1.1.4",
 "description": "JavaScript implementation of The Update Framework (TUF)",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -28,15 +28,15 @@
 },
 "homepage": "https://github.com/theupdateframework/tuf-js/tree/main/packages/client#readme",
 "devDependencies": {
-"@tufjs/repo-mock": "1.0.1",
+"@tufjs/repo-mock": "1.1.1",
 "@types/make-fetch-happen": "^10.0.1",
-"@types/node": "^18.15.3",
+"@types/node": "^18.15.11",
 "nock": "^13.2.9",
-"typescript": "^4.9.5"
+"typescript": "^5.0.4"
 },
 "dependencies": {
 "make-fetch-happen": "^11.0.1",
-"@tufjs/models": "1.0.1"
+"@tufjs/models": "1.0.3"
 },
 "engines": {
 "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
diff --git a/package-lock.json b/package-lock.json
index b2d6d53235de6..28fa973b48520 100644
--- a/package-lock.json
+++ b/package-lock.json
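Review bot: `encodeURIComponent` leaves `.` untouched, so a target path of exactly `.` or `..` still makes `path.join(this.targetDir, filePath)` resolve to targetDir itself or its parent; that presumably fails at write time because the result is a directory, but rejecting those two names up front, `if (filePath === '.' || filePath === '..') throw new error_1.ValueError('Invalid target path');`, makes the intent explicit. The comment `// URL encode target path` says what the line does but not why; something like `// Percent-encode so neither '/' nor '\' in a target name can place the file outside targetDir; nested targets are stored as one flat filename` records the reason a reader will look for. Encoding the whole path also changes where previously cached nested targets are looked up (`a/b` now lives at `a%2Fb`), which may deserve a changelog line. The enclosing method's signature lies before the start of the hunk.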
@@ -2532,13 +2532,23 @@
 "integrity": "sha512-yOlFc+7UtL/89t2ZhjPvvB/DeAr3r+Dq58IgzsFkOAvVC6NMJXmCGjbptdXdR9qsX7pKcTL+s87FtYREi2dEEQ==",
 "dev": true
 },
+"node_modules/@tufjs/canonical-json": {
+"version": "1.0.0",
+"resolved": "https://registry.npmjs.org/@tufjs/canonical-json/-/canonical-json-1.0.0.tgz",
+"integrity": "sha512-QTnf++uxunWvG2z3UFNzAoQPHxnSXOwtaI3iJ+AohhV+5vONuArPjJE7aPXPVXfXJsqrVbZBu9b81AJoSd09IQ==",
+"inBundle": true,
+"engines": {
+"node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+}
+},
 "node_modules/@tufjs/models": {
-"version": "1.0.1",
-"resolved": "https://registry.npmjs.org/@tufjs/models/-/models-1.0.1.tgz",
-"integrity": "sha512-AY0VoG/AXdlSOocuREfPoEW4SNhOPp/7fw6mpAxfVIny1uZ+0fEtMoCi7NhELSlqQIRLMu7RgfKhkxT+AJ+EXg==",
+"version": "1.0.3",
+"resolved": "https://registry.npmjs.org/@tufjs/models/-/models-1.0.3.tgz",
+"integrity": "sha512-mkFEqqRisi13DmR5pX4x+Zk97EiU8djTtpNW1GeuX410y/raAsq/T3ZCjwoRIZ8/cIBfW0olK/sywlAiWevDVw==",
 "inBundle": true,
 "dependencies": {
-"minimatch": "^7.4.2"
+"@tufjs/canonical-json": "1.0.0",
+"minimatch": "^7.4.6"
 },
 "engines": {
 "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
@@ -11215,14 +11225,14 @@
 "inBundle": true
 },
 "node_modules/sigstore": {
-"version": "1.2.0",
-"resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.2.0.tgz",
-"integrity": "sha512-Fr9+W1nkBSIZCkJQR7jDn/zI0UXNsVpp+7mDQkCnZOIxG9p6yNXBx9xntHsfUyYHE55XDkkVV3+rYbrkzAeesA==",
+"version": "1.3.0",
+"resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.3.0.tgz",
+"integrity": "sha512-dhdv+jOAi1RgLHw13lxumk3rlgZtumUz9QrCNPTx9MazUnUV3BfAb74oYAMPQQ7uaeogB5vTosbz3POzKbEHUQ==",
 "inBundle": true,
 "dependencies": {
 "@sigstore/protobuf-specs": "^0.1.0",
 "make-fetch-happen": "^11.0.1",
-"tuf-js": "^1.0.0"
+"tuf-js": "^1.1.3"
 },
 "bin": {
 "sigstore": "bin/sigstore.js"
@@ -14161,12 +14171,12 @@
 }
 },
 "node_modules/tuf-js": {
-"version": "1.1.2",
-"resolved": "https://registry.npmjs.org/tuf-js/-/tuf-js-1.1.2.tgz",
-"integrity": "sha512-gBfbnS6khluxjvoFCpRV0fhWT265xNfpiNXOcBX0Ze6HGbPhe93UG5V5DdKcgm/aXsMadnY76l/h6j63GmJS5g==",
+"version": "1.1.4",
+"resolved": "https://registry.npmjs.org/tuf-js/-/tuf-js-1.1.4.tgz",
+"integrity": "sha512-Lw2JRM3HTYhEtQJM2Th3aNCPbnXirtWMl065BawwmM2pX6XStH/ZO9e8T2hh0zk/HUa+1i6j+Lv6eDitKTau6A==",
 "inBundle": true,
 "dependencies": {
-"@tufjs/models": "1.0.1",
+"@tufjs/models": "1.0.3",
 "make-fetch-happen": "^11.0.1"
 },
 "engines": {