deps: sigstore@1.5.2

Author: wraithgar

node_modules/sigstore/dist/ca/index.js

@@ -6,13 +6,26 @@ const external_1 = require("../external");
 const format_1 = require("./format");
 class CAClient {
     constructor(options) {
-        this.fulcio = new external_1.Fulcio({ baseURL: options.fulcioBaseURL });
+        this.fulcio = new external_1.Fulcio({
+            baseURL: options.fulcioBaseURL,
+            retry: options.retry,
+            timeout: options.timeout,
+        });
     }
     async createSigningCertificate(identityToken, publicKey, challenge) {
         const request = (0, format_1.toCertificateRequest)(identityToken, publicKey, challenge);
         try {
-            const certificate = await this.fulcio.createSigningCertificate(request);
-            return certificate.signedCertificateEmbeddedSct.chain.certificates;
+            const resp = await this.fulcio.createSigningCertificate(request);
+            // Account for the fact that the response may contain either a
+            // signedCertificateEmbeddedSct or a signedCertificateDetachedSct.
+            const cert = resp.signedCertificateEmbeddedSct
+                ? resp.signedCertificateEmbeddedSct
+                : resp.signedCertificateDetachedSct;
+            // Return the first certificate in the chain, which is the signing
+            // certificate. Specifically not returning the rest of the chain to
+            // mitigate the risk of errors when verifying the certificate chain.
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            return cert.chain.certificates.slice(0, 1);
         }
         catch (err) {
             throw new error_1.InternalError({

node_modules/sigstore/dist/ca/verify/chain.js

@@ -19,12 +19,11 @@ limitations under the License.
 const error_1 = require("../../error");
 const cert_1 = require("../../x509/cert");
 const verify_1 = require("../../x509/verify");
-function verifyChain(bundleCerts, certificateAuthorities) {
-    const certs = parseCerts(bundleCerts);
-    const signingCert = certs[0];
+function verifyChain(certificate, certificateAuthorities) {
+    const untrustedCert = cert_1.x509Certificate.parse(certificate.rawBytes);
     // Filter the list of certificate authorities to those which are valid for the
     // signing certificate's notBefore date.
-    const validCAs = filterCertificateAuthorities(certificateAuthorities, signingCert.notBefore);
+    const validCAs = filterCertificateAuthorities(certificateAuthorities, untrustedCert.notBefore);
     if (validCAs.length === 0) {
         throw new error_1.VerificationError('No valid certificate authorities');
     }
@@ -34,9 +33,9 @@ function verifyChain(bundleCerts, certificateAuthorities) {
         const trustedCerts = parseCerts(ca.certChain?.certificates || []);
         try {
             trustedChain = (0, verify_1.verifyCertificateChain)({
+                untrustedCert,
                 trustedCerts,
-                certs,
-                validAt: signingCert.notBefore,
+                validAt: untrustedCert.notBefore,
             });
             return true;
         }

node_modules/sigstore/dist/ca/verify/index.js

@@ -6,8 +6,9 @@ const sct_1 = require("./sct");
 const signer_1 = require("./signer");
 function verifySigningCertificate(bundle, trustedRoot, options) {
     // Check that a trusted certificate chain can be found for the signing
-    // certificate in the bundle
-    const trustedChain = (0, chain_1.verifyChain)(bundle.verificationMaterial.content.x509CertificateChain.certificates, trustedRoot.certificateAuthorities);
+    // certificate in the bundle. Only the first certificate in the bundle's
+    // chain is used -- everything else must come from the trusted root.
+    const trustedChain = (0, chain_1.verifyChain)(bundle.verificationMaterial.content.x509CertificateChain.certificates[0], trustedRoot.certificateAuthorities);
     // Unless disabled, verify the SCTs in the signing certificate
     if (options.ctlogOptions.disable === false) {
         (0, sct_1.verifySCTs)(trustedChain, trustedRoot.ctlogs, options.ctlogOptions);

node_modules/sigstore/dist/config.js

@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.identityProviders = exports.artifactVerificationOptions = exports.createTLogClient = exports.createCAClient = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0;
+exports.identityProviders = exports.artifactVerificationOptions = exports.createTSAClient = exports.createTLogClient = exports.createCAClient = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -45,21 +45,38 @@ limitations under the License.
 const ca_1 = require("./ca");
 const identity_1 = __importDefault(require("./identity"));
 const tlog_1 = require("./tlog");
+const tsa_1 = require("./tsa");
 const sigstore = __importStar(require("./types/sigstore"));
 exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';
 exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev';
+exports.DEFAULT_RETRY = { retries: 2 };
+exports.DEFAULT_TIMEOUT = 5000;
 function createCAClient(options) {
     return new ca_1.CAClient({
         fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL,
+        retry: options.retry ?? exports.DEFAULT_RETRY,
+        timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
     });
 }
 exports.createCAClient = createCAClient;
 function createTLogClient(options) {
     return new tlog_1.TLogClient({
         rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL,
+        retry: options.retry ?? exports.DEFAULT_RETRY,
+        timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
     });
 }
 exports.createTLogClient = createTLogClient;
+function createTSAClient(options) {
+    return options.tsaServerURL
+        ? new tsa_1.TSAClient({
+            tsaBaseURL: options.tsaServerURL,
+            retry: options.retry ?? exports.DEFAULT_RETRY,
+            timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
+        })
+        : undefined;
+}
+exports.createTSAClient = createTSAClient;
 // Assembles the AtifactVerificationOptions from the supplied VerifyOptions.
 function artifactVerificationOptions(options) {
     // The trusted signers are only used if the options contain a certificate

node_modules/sigstore/dist/external/fulcio.js

@@ -28,8 +28,8 @@ const error_1 = require("./error");
 class Fulcio {
     constructor(options) {
         this.fetch = make_fetch_happen_1.default.defaults({
-            retry: { retries: 2 },
-            timeout: 5000,
+            retry: options.retry,
+            timeout: options.timeout,
             headers: {
                 'Content-Type': 'application/json',
                 'User-Agent': util_1.ua.getUserAgent(),

node_modules/sigstore/dist/external/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Rekor = exports.Fulcio = exports.HTTPError = void 0;
+exports.TimestampAuthority = exports.Rekor = exports.Fulcio = exports.HTTPError = void 0;
 /*
 Copyright 2022 The Sigstore Authors.
 
@@ -22,3 +22,5 @@ var fulcio_1 = require("./fulcio");
 Object.defineProperty(exports, "Fulcio", { enumerable: true, get: function () { return fulcio_1.Fulcio; } });
 var rekor_1 = require("./rekor");
 Object.defineProperty(exports, "Rekor", { enumerable: true, get: function () { return rekor_1.Rekor; } });
+var tsa_1 = require("./tsa");
+Object.defineProperty(exports, "TimestampAuthority", { enumerable: true, get: function () { return tsa_1.TimestampAuthority; } });

node_modules/sigstore/dist/external/rekor.js

@@ -28,8 +28,8 @@ const error_1 = require("./error");
 class Rekor {
     constructor(options) {
         this.fetch = make_fetch_happen_1.default.defaults({
-            retry: { retries: 2 },
-            timeout: 5000,
+            retry: options.retry,
+            timeout: options.timeout,
             headers: {
                 Accept: 'application/json',
                 'User-Agent': util_1.ua.getUserAgent(),

node_modules/sigstore/dist/external/tsa.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TimestampAuthority = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
+const util_1 = require("../util");
+const error_1 = require("./error");
+class TimestampAuthority {
+    constructor(options) {
+        this.fetch = make_fetch_happen_1.default.defaults({
+            retry: options.retry,
+            timeout: options.timeout,
+            headers: {
+                'Content-Type': 'application/json',
+                'User-Agent': util_1.ua.getUserAgent(),
+            },
+        });
+        this.baseUrl = options.baseURL;
+    }
+    async createTimestamp(request) {
+        const url = `${this.baseUrl}/api/v1/timestamp`;
+        const response = await this.fetch(url, {
+            method: 'POST',
+            body: JSON.stringify(request),
+        });
+        (0, error_1.checkStatus)(response);
+        return response.buffer();
+    }
+}
+exports.TimestampAuthority = TimestampAuthority;

node_modules/sigstore/dist/sign.js

@@ -1,22 +1,58 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Signer = void 0;
+const sigstore = __importStar(require("./types/sigstore"));
 const util_1 = require("./util");
 class Signer {
     constructor(options) {
         this.identityProviders = [];
         this.ca = options.ca;
         this.tlog = options.tlog;
+        this.tsa = options.tsa;
         this.identityProviders = options.identityProviders;
+        this.tlogUpload = options.tlogUpload ?? true;
         this.signer = options.signer || this.signWithEphemeralKey.bind(this);
     }
     async signBlob(payload) {
         // Get signature and verification material for payload
         const sigMaterial = await this.signer(payload);
         // Calculate artifact digest
         const digest = util_1.crypto.hash(payload);
-        // Create Rekor entry
-        return this.tlog.createMessageSignatureEntry(digest, sigMaterial);
+        // Create a Rekor entry (if tlogUpload is enabled)
+        const entry = this.tlogUpload
+            ? await this.tlog.createMessageSignatureEntry(digest, sigMaterial)
+            : undefined;
+        return sigstore.toMessageSignatureBundle({
+            digest,
+            signature: sigMaterial,
+            tlogEntry: entry,
+            timestamp: this.tsa
+                ? await this.tsa.createTimestamp(sigMaterial.signature)
+                : undefined,
+        });
     }
     async signAttestation(payload, payloadType) {
         // Pre-authentication encoding to be signed
@@ -33,7 +69,18 @@ class Signer {
                 },
             ],
         };
-        return this.tlog.createDSSEEntry(envelope, sigMaterial);
+        // Create a Rekor entry (if tlogUpload is enabled)
+        const entry = this.tlogUpload
+            ? await this.tlog.createDSSEEntry(envelope, sigMaterial)
+            : undefined;
+        return sigstore.toDSSEBundle({
+            envelope,
+            signature: sigMaterial,
+            tlogEntry: entry,
+            timestamp: this.tsa
+                ? await this.tsa.createTimestamp(sigMaterial.signature)
+                : undefined,
+        });
     }
     async signWithEphemeralKey(payload) {
         // Create emphemeral key pair

node_modules/sigstore/dist/sigstore-utils.js

@@ -67,9 +67,14 @@ async function createRekorEntry(dsseEnvelope, publicKey, options = {}) {
     const envelope = sigstore.Envelope.fromJSON(dsseEnvelope);
     const tlog = (0, config_1.createTLogClient)(options);
     const sigMaterial = (0, signature_1.extractSignatureMaterial)(envelope, publicKey);
-    const bundle = await tlog.createDSSEEntry(envelope, sigMaterial, {
+    const entry = await tlog.createDSSEEntry(envelope, sigMaterial, {
         fetchOnConflict: true,
     });
+    const bundle = sigstore.toDSSEBundle({
+        envelope,
+        signature: sigMaterial,
+        tlogEntry: entry,
+    });
     return sigstore.Bundle.toJSON(bundle);
 }
 exports.createRekorEntry = createRekorEntry;

node_modules/sigstore/dist/sigstore.js

@@ -52,6 +52,7 @@ async function sign(payload, options = {}) {
         ca,
         tlog,
         identityProviders: idps,
+        tlogUpload: options.tlogUpload,
     });
     const bundle = await signer.signBlob(payload);
     return sigstore.Bundle.toJSON(bundle);
@@ -60,11 +61,14 @@ exports.sign = sign;
 async function attest(payload, payloadType, options = {}) {
     const ca = config.createCAClient(options);
     const tlog = config.createTLogClient(options);
+    const tsa = config.createTSAClient(options);
     const idps = config.identityProviders(options);
     const signer = new sign_1.Signer({
         ca,
         tlog,
+        tsa,
         identityProviders: idps,
+        tlogUpload: options.tlogUpload,
     });
     const bundle = await signer.signAttestation(payload, payloadType);
     return sigstore.Bundle.toJSON(bundle);
@@ -75,6 +79,8 @@ async function verify(bundle, payload, options = {}) {
         mirrorURL: options.tufMirrorURL,
         rootPath: options.tufRootPath,
         cachePath: options.tufCachePath,
+        retry: options.retry ?? config.DEFAULT_RETRY,
+        timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
     });
     const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
     const deserializedBundle = sigstore.bundleFromJSON(bundle);
@@ -83,12 +89,21 @@ async function verify(bundle, payload, options = {}) {
 }
 exports.verify = verify;
 const tufUtils = {
-    getTarget: (path, options = {}) => {
-        return tuf.getTarget(path, {
+    client: (options = {}) => {
+        const t = new tuf.TUFClient({
             mirrorURL: options.tufMirrorURL,
             rootPath: options.tufRootPath,
             cachePath: options.tufCachePath,
+            retry: options.retry ?? config.DEFAULT_RETRY,
+            timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
         });
+        return t.refresh().then(() => t);
+    },
+    /*
+     * @deprecated Use tufUtils.client instead.
+     */
+    getTarget: (path, options = {}) => {
+        return tufUtils.client(options).then((t) => t.getTarget(path));
     },
 };
 exports.tuf = tufUtils;

node_modules/sigstore/dist/tlog/index.js

@@ -18,21 +18,22 @@ limitations under the License.
 */
 const error_1 = require("../error");
 const external_1 = require("../external");
-const sigstore_1 = require("../types/sigstore");
 const format_1 = require("./format");
 class TLogClient {
     constructor(options) {
-        this.rekor = new external_1.Rekor({ baseURL: options.rekorBaseURL });
+        this.rekor = new external_1.Rekor({
+            baseURL: options.rekorBaseURL,
+            retry: options.retry,
+            timeout: options.timeout,
+        });
     }
     async createMessageSignatureEntry(digest, sigMaterial, options = {}) {
         const proposedEntry = (0, format_1.toProposedHashedRekordEntry)(digest, sigMaterial);
-        const entry = await this.createEntry(proposedEntry, options.fetchOnConflict);
-        return sigstore_1.bundle.toMessageSignatureBundle(digest, sigMaterial, entry);
+        return this.createEntry(proposedEntry, options.fetchOnConflict);
     }
     async createDSSEEntry(envelope, sigMaterial, options = {}) {
         const proposedEntry = (0, format_1.toProposedIntotoEntry)(envelope, sigMaterial);
-        const entry = await this.createEntry(proposedEntry, options.fetchOnConflict);
-        return sigstore_1.bundle.toDSSEBundle(envelope, sigMaterial, entry);
+        return this.createEntry(proposedEntry, options.fetchOnConflict);
     }
     async createEntry(proposedEntry, fetchOnConflict = false) {
         let entry;