deps: bump sigstore from 2.0.0 to 2.2.0 (#343)

Update `sigstore` to version 2.2.0. Leverages the new `tufForceCache` option in the sigstore `verify` function to make better use of the local TUF cache. Previously, the TUF cache would be refreshed with each invocation -- now the TUF cache will only be refreshed if the metadata files contained therein are expired. Eliminates one test case which is no longer relevant given the use of the `tufForceCache` option. Signed-off-by: Brian DeHamer <bdehamer@github.com>
npm · Jan 16, 2024 · 0a5920f · 0a5920f
1 parent 6fd23ad
commit 0a5920f
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 61 deletions.
diff --git a/lib/registry.js b/lib/registry.js
@@ -321,6 +321,7 @@ class RegistryFetcher extends Fetcher {
  // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys`
  const options = {
  tufCachePath: this.tufCache,
+ tufForceCache: true,
  keySelector: publicKey ? () => publicKey.pemkey : undefined,
  }
  await sigstore.verify(bundle, options)

diff --git a/package.json b/package.json
@@ -59,7 +59,7 @@
  "promise-retry": "^2.0.1",
  "read-package-json": "^7.0.0",
  "read-package-json-fast": "^3.0.0",
- "sigstore": "^2.0.0",
+ "sigstore": "^2.2.0",
  "ssri": "^10.0.0",
  "tar": "^6.1.11"
  },

diff --git a/test/registry.js b/test/registry.js
@@ -552,66 +552,6 @@ t.test('verifyAttestations invalid signature', async t => {
  )
 })
 
-t.test('verifyAttestations errors when tuf update fails', async t => {
- tnock(t, 'https://registry.npmjs.org')
- .get('/sigstore')
- .reply(200, {
- _id: 'sigstore',
- _rev: 'deadbeef',
- name: 'sigstore',
- 'dist-tags': { latest: '0.4.0' },
- versions: {
- '0.4.0': {
- name: 'sigstore',
- version: '0.4.0',
- dist: {
- // eslint-disable-next-line max-len
- integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==',
- // eslint-disable-next-line max-len
- attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } },
- },
- },
- },
- })
-
- const fixture = fs.readFileSync(
- path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'),
- 'utf8'
- )
-
- tnock(t, 'https://tuf-repo-cdn.sigstore.dev')
- .get(/./) // match any path
- .reply(404)
-
- tnock(t, 'https://registry.npmjs.org')
- .get('/-/npm/v1/attestations/sigstore@0.4.0')
- .reply(200, JSON.parse(fixture))
-
- const f = new RegistryFetcher('sigstore@0.4.0', {
- registry: 'https://registry.npmjs.org',
- cache,
- verifyAttestations: true,
- [`//registry.npmjs.org/:_keys`]: [{
- expires: null,
- keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
- keytype: 'ecdsa-sha2-nistp256',
- scheme: 'ecdsa-sha2-nistp256',
- // eslint-disable-next-line max-len
- key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==',
- // eslint-disable-next-line max-len
- pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----',
- }],
- })
-
- return t.rejects(
- f.manifest(),
- /sigstore@0.4.0 failed to verify attestation: error refreshing TUF metadata/,
- {
- code: 'EATTESTATIONVERIFY',
- }
- )
-})
-
 t.test('verifyAttestations publish attestation for unknown public key', async t => {
  tnock(t, 'https://registry.npmjs.org')
  .get('/sigstore')