avancement planning

2026-05-26 11:58:39 +02:00
parent 619a2b240a
commit 150b97cd2e
4892 changed files with 99214 additions and 429382 deletions
+1 -1
@@ -10,7 +10,7 @@ A JavaScript library for working with the Sigstore bundle format.
## Prerequisites
- Node.js version >= 18.17.0
- Node.js version ^20.17.0 || >=22.9.0
## Installation
+3 -3
@@ -1,6 +1,6 @@
{
"name": "@sigstore/bundle",
"version": "3.1.0",
"version": "4.0.0",
"description": "Sigstore bundle type",
"main": "dist/index.js",
"types": "dist/index.d.ts",
@@ -27,9 +27,9 @@
"provenance": true
},
"dependencies": {
"@sigstore/protobuf-specs": "^0.4.0"
"@sigstore/protobuf-specs": "^0.5.0"
},
"engines": {
"node": "^18.17.0 || >=20.5.0"
"node": "^20.17.0 || >=22.9.0"
}
}
+1 -1
@@ -4,7 +4,7 @@ Base library for [Sigstore][1] JavaScript packages.
## Prerequisites
- Node.js version >= 18.17.0
- Node.js version ^20.17.0 || >=22.9.0
[1]: https://www.sigstore.dev
+3 -3
@@ -2,9 +2,9 @@ import { ASN1Tag } from './tag';
export declare class ASN1Obj {
readonly tag: ASN1Tag;
readonly subs: ASN1Obj[];
readonly value: Buffer;
constructor(tag: ASN1Tag, value: Buffer, subs: ASN1Obj[]);
static parseBuffer(buf: Buffer): ASN1Obj;
readonly value: Buffer<ArrayBufferLike>;
constructor(tag: ASN1Tag, value: Buffer<ArrayBufferLike>, subs: ASN1Obj[]);
static parseBuffer(buf: Buffer<ArrayBuffer>): ASN1Obj;
toDER(): Buffer;
toBoolean(): boolean;
toInteger(): bigint;
+3
@@ -22,6 +22,9 @@ const length_1 = require("./length");
const parse_1 = require("./parse");
const tag_1 = require("./tag");
class ASN1Obj {
tag;
subs;
value;
constructor(tag, value, subs) {
this.tag = tag;
this.value = value;
+3
@@ -37,6 +37,9 @@ const TAG_CLASS = {
};
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-encoded-tag-bytes
class ASN1Tag {
number;
constructed;
class;
constructor(enc) {
// Bits 0 through 4 are the tag number
this.number = enc & 0x1f;
+10 -1
@@ -25,7 +25,16 @@ limitations under the License.
const crypto_1 = __importDefault(require("crypto"));
function createPublicKey(key, type = 'spki') {
if (typeof key === 'string') {
return crypto_1.default.createPublicKey(key);
if (key.startsWith('-----')) {
return crypto_1.default.createPublicKey(key);
}
else {
return crypto_1.default.createPublicKey({
key: Buffer.from(key, 'base64'),
format: 'der',
type: type,
});
}
}
else {
return crypto_1.default.createPublicKey({ key, format: 'der', type: type });
+7 -8
@@ -19,12 +19,11 @@ limitations under the License.
const PAE_PREFIX = 'DSSEv1';
// DSSE Pre-Authentication Encoding
function preAuthEncoding(payloadType, payload) {
const prefix = [
PAE_PREFIX,
payloadType.length,
payloadType,
payload.length,
'',
].join(' ');
return Buffer.concat([Buffer.from(prefix, 'ascii'), payload]);
const typeBytes = Buffer.from(payloadType, 'utf-8');
return Buffer.concat([
Buffer.from(`${PAE_PREFIX} ${typeBytes.length} `, 'ascii'),
typeBytes,
Buffer.from(` ${payload.length} `, 'ascii'),
payload,
]);
}
+17 -7
@@ -15,13 +15,23 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __importStar = (this && this.__importStar) || (function () {
var ownKeys = function(o) {
ownKeys = Object.getOwnPropertyNames || function (o) {
var ar = [];
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
return ar;
};
return ownKeys(o);
};
return function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
__setModuleDefault(result, mod);
return result;
};
})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.X509SCTExtension = exports.X509Certificate = exports.EXTENSION_OID_SCT = exports.ByteStream = exports.RFC3161Timestamp = exports.pem = exports.json = exports.encoding = exports.dsse = exports.crypto = exports.ASN1Obj = void 0;
/*
+1
@@ -1,2 +1,3 @@
export declare const ECDSA_SIGNATURE_ALGOS: Record<string, string>;
export declare const RSA_SIGNATURE_ALGOS: Record<string, string>;
export declare const SHA2_HASH_ALGOS: Record<string, string>;
+7 -1
@@ -1,12 +1,18 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.SHA2_HASH_ALGOS = exports.ECDSA_SIGNATURE_ALGOS = void 0;
exports.SHA2_HASH_ALGOS = exports.RSA_SIGNATURE_ALGOS = exports.ECDSA_SIGNATURE_ALGOS = void 0;
exports.ECDSA_SIGNATURE_ALGOS = {
'1.2.840.10045.4.3.1': 'sha224',
'1.2.840.10045.4.3.2': 'sha256',
'1.2.840.10045.4.3.3': 'sha384',
'1.2.840.10045.4.3.4': 'sha512',
};
exports.RSA_SIGNATURE_ALGOS = {
'1.2.840.113549.1.1.14': 'sha224',
'1.2.840.113549.1.1.11': 'sha256',
'1.2.840.113549.1.1.12': 'sha384',
'1.2.840.113549.1.1.13': 'sha512',
};
exports.SHA2_HASH_ALGOS = {
'2.16.840.1.101.3.4.2.1': 'sha256',
'2.16.840.1.101.3.4.2.2': 'sha384',
+1 -1
@@ -1,2 +1,2 @@
export declare function toDER(certificate: string): Buffer;
export declare function toDER(certificate: string): Buffer<ArrayBuffer>;
export declare function fromDER(certificate: Buffer, type?: string): string;
+1 -1
@@ -4,7 +4,7 @@ import { TSTInfo } from './tstinfo';
export declare class RFC3161Timestamp {
root: ASN1Obj;
constructor(asn1: ASN1Obj);
static parse(der: Buffer): RFC3161Timestamp;
static parse(der: Buffer<ArrayBuffer>): RFC3161Timestamp;
get status(): bigint;
get contentType(): string;
get eContentType(): string;
+18 -7
@@ -15,13 +15,23 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __importStar = (this && this.__importStar) || (function () {
var ownKeys = function(o) {
ownKeys = Object.getOwnPropertyNames || function (o) {
var ar = [];
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
return ar;
};
return ownKeys(o);
};
return function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
__setModuleDefault(result, mod);
return result;
};
})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.RFC3161Timestamp = void 0;
/*
@@ -48,6 +58,7 @@ const OID_PKCS9_CONTENT_TYPE_SIGNED_DATA = '1.2.840.113549.1.7.2';
const OID_PKCS9_CONTENT_TYPE_TSTINFO = '1.2.840.113549.1.9.16.1.4';
const OID_PKCS9_MESSAGE_DIGEST_KEY = '1.2.840.113549.1.9.4';
class RFC3161Timestamp {
root;
constructor(asn1) {
this.root = asn1;
}
+18 -7
@@ -15,19 +15,30 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __importStar = (this && this.__importStar) || (function () {
var ownKeys = function(o) {
ownKeys = Object.getOwnPropertyNames || function (o) {
var ar = [];
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
return ar;
};
return ownKeys(o);
};
return function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
__setModuleDefault(result, mod);
return result;
};
})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.TSTInfo = void 0;
const crypto = __importStar(require("../crypto"));
const oid_1 = require("../oid");
const error_1 = require("./error");
class TSTInfo {
root;
constructor(asn1) {
this.root = asn1;
}
+1 -1
@@ -3,7 +3,7 @@ export declare class ByteStream {
private buf;
private view;
private start;
constructor(buffer?: ArrayBuffer);
constructor(buffer?: Buffer<ArrayBufferLike>);
get buffer(): Buffer;
get length(): number;
get position(): number;
+6 -4
@@ -19,14 +19,17 @@ limitations under the License.
class StreamError extends Error {
}
class ByteStream {
static BLOCK_SIZE = 1024;
buf;
view;
start = 0;
constructor(buffer) {
this.start = 0;
if (buffer) {
this.buf = buffer;
this.view = Buffer.from(buffer);
}
else {
this.buf = new ArrayBuffer(0);
this.buf = Buffer.alloc(0);
this.view = Buffer.from(this.buf);
}
}
@@ -103,7 +106,7 @@ class ByteStream {
}
}
realloc(size) {
const newArray = new ArrayBuffer(size);
const newArray = Buffer.alloc(size);
const newView = Buffer.from(newArray);
// Copy the old buffer into the new one
newView.set(this.view);
@@ -112,4 +115,3 @@ class ByteStream {
}
}
exports.ByteStream = ByteStream;
ByteStream.BLOCK_SIZE = 1024;
+1 -1
@@ -4,7 +4,7 @@ export declare const EXTENSION_OID_SCT = "1.3.6.1.4.1.11129.2.4.2";
export declare class X509Certificate {
root: ASN1Obj;
constructor(asn1: ASN1Obj);
static parse(cert: Buffer | string): X509Certificate;
static parse(cert: Buffer<ArrayBuffer> | string): X509Certificate;
get tbsCertificate(): ASN1Obj;
get version(): string;
get serialNumber(): Buffer;
+22 -7
@@ -15,13 +15,23 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __importStar = (this && this.__importStar) || (function () {
var ownKeys = function(o) {
ownKeys = Object.getOwnPropertyNames || function (o) {
var ar = [];
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
return ar;
};
return ownKeys(o);
};
return function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
__setModuleDefault(result, mod);
return result;
};
})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.X509Certificate = exports.EXTENSION_OID_SCT = void 0;
/*
@@ -51,6 +61,7 @@ const EXTENSION_OID_BASIC_CONSTRAINTS = '2.5.29.19';
const EXTENSION_OID_AUTHORITY_KEY_ID = '2.5.29.35';
exports.EXTENSION_OID_SCT = '1.3.6.1.4.1.11129.2.4.2';
class X509Certificate {
root;
constructor(asn1) {
this.root = asn1;
}
@@ -89,6 +100,9 @@ class X509Certificate {
}
get signatureAlgorithm() {
const oid = this.signatureAlgorithmObj.subs[0].toOID();
if (oid_1.RSA_SIGNATURE_ALGOS[oid]) {
return oid_1.RSA_SIGNATURE_ALGOS[oid];
}
return oid_1.ECDSA_SIGNATURE_ALGOS[oid];
}
get signatureValue() {
@@ -136,6 +150,7 @@ class X509Certificate {
get isCA() {
const ca = this.extBasicConstraints?.isCA || false;
// If the KeyUsage extension is present, keyCertSign must be set
/* istanbul ignore else */
if (this.extKeyUsage) {
return ca && this.extKeyUsage.keyCertSign;
}
+1 -1
@@ -5,7 +5,7 @@ export declare class X509Extension {
constructor(asn1: ASN1Obj);
get oid(): string;
get critical(): boolean;
get value(): Buffer;
get value(): Buffer<ArrayBufferLike>;
get valueObj(): ASN1Obj;
protected get extnValueObj(): ASN1Obj;
}
+1
@@ -5,6 +5,7 @@ const stream_1 = require("../stream");
const sct_1 = require("./sct");
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1
class X509Extension {
root;
constructor(asn1) {
this.root = asn1;
}
+24 -7
@@ -15,13 +15,23 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __importStar = (this && this.__importStar) || (function () {
var ownKeys = function(o) {
ownKeys = Object.getOwnPropertyNames || function (o) {
var ar = [];
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
return ar;
};
return ownKeys(o);
};
return function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
__setModuleDefault(result, mod);
return result;
};
})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.SignedCertificateTimestamp = void 0;
/*
@@ -42,6 +52,13 @@ limitations under the License.
const crypto = __importStar(require("../crypto"));
const stream_1 = require("../stream");
class SignedCertificateTimestamp {
version;
logID;
timestamp;
extensions;
hashAlgorithm;
signatureAlgorithm;
signature;
constructor(options) {
this.version = options.version;
this.logID = options.logID;
+2 -2
@@ -1,6 +1,6 @@
{
"name": "@sigstore/core",
"version": "2.0.0",
"version": "3.2.1",
"description": "Base library for Sigstore",
"main": "dist/index.js",
"types": "dist/index.d.ts",
@@ -26,6 +26,6 @@
"provenance": true
},
"engines": {
"node": "^18.17.0 || >=20.5.0"
"node": "^20.17.0 || >=22.9.0"
}
}
+2 -2
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: envelope.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.Signature = exports.Envelope = void 0;
+2 -2
@@ -11,7 +11,7 @@ export interface CloudEvent {
[key: string]: CloudEvent_CloudEventAttributeValue;
};
/** -- CloudEvent Data (Bytes, Text, or Proto) */
data?: {
data: {
$case: "binaryData";
binaryData: Buffer;
} | {
@@ -27,7 +27,7 @@ export interface CloudEvent_AttributesEntry {
value: CloudEvent_CloudEventAttributeValue | undefined;
}
export interface CloudEvent_CloudEventAttributeValue {
attr?: {
attr: {
$case: "ceBoolean";
ceBoolean: boolean;
} | {
+4 -4
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: events.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.CloudEventBatch = exports.CloudEvent_CloudEventAttributeValue = exports.CloudEvent_AttributesEntry = exports.CloudEvent = void 0;
@@ -17,7 +17,7 @@ exports.CloudEvent = {
specVersion: isSet(object.specVersion) ? globalThis.String(object.specVersion) : "",
type: isSet(object.type) ? globalThis.String(object.type) : "",
attributes: isObject(object.attributes)
? Object.entries(object.attributes).reduce((acc, [key, value]) => {
? globalThis.Object.entries(object.attributes).reduce((acc, [key, value]) => {
acc[key] = exports.CloudEvent_CloudEventAttributeValue.fromJSON(value);
return acc;
}, {})
@@ -46,7 +46,7 @@ exports.CloudEvent = {
obj.type = message.type;
}
if (message.attributes) {
const entries = Object.entries(message.attributes);
const entries = globalThis.Object.entries(message.attributes);
if (entries.length > 0) {
obj.attributes = {};
entries.forEach(([k, v]) => {
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: google/api/field_behavior.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.FieldBehavior = void 0;
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: google/protobuf/any.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.Any = void 0;
@@ -22,6 +22,8 @@ export declare enum Edition {
*/
EDITION_2023 = 1000,
EDITION_2024 = 1001,
/** EDITION_UNSTABLE - A placeholder edition for developing and testing unscheduled features. */
EDITION_UNSTABLE = 9999,
/**
* EDITION_1_TEST_ONLY - Placeholder editions for testing feature resolution. These should not be
* used or relied on outside of tests.
@@ -40,6 +42,20 @@ export declare enum Edition {
}
export declare function editionFromJSON(object: any): Edition;
export declare function editionToJSON(object: Edition): string;
/**
* Describes the 'visibility' of a symbol with respect to the proto import
* system. Symbols can only be imported when the visibility rules do not prevent
* it (ex: local symbols cannot be imported). Visibility modifiers can only set
* on `message` and `enum` as they are the only types available to be referenced
* from other files.
*/
export declare enum SymbolVisibility {
VISIBILITY_UNSET = 0,
VISIBILITY_LOCAL = 1,
VISIBILITY_EXPORT = 2
}
export declare function symbolVisibilityFromJSON(object: any): SymbolVisibility;
export declare function symbolVisibilityToJSON(object: SymbolVisibility): string;
/**
* The protocol compiler can output a FileDescriptorSet containing the .proto
* files it parses.
@@ -62,6 +78,11 @@ export interface FileDescriptorProto {
* For Google-internal migration only. Do not use.
*/
weakDependency: number[];
/**
* Names of files imported by this file purely for the purpose of providing
* option extensions. These are excluded from the dependency list above.
*/
optionDependency: string[];
/** All top-level definitions in this file. */
messageType: DescriptorProto[];
enumType: EnumDescriptorProto[];
@@ -109,6 +130,8 @@ export interface DescriptorProto {
* A given name may only be reserved once.
*/
reservedName: string[];
/** Support for `export` and `local` keywords on enums. */
visibility?: SymbolVisibility | undefined;
}
export interface DescriptorProto_ExtensionRange {
/** Inclusive. */
@@ -327,6 +350,8 @@ export interface EnumDescriptorProto {
* be reserved once.
*/
reservedName: string[];
/** Support for `export` and `local` keywords on enums. */
visibility?: SymbolVisibility | undefined;
}
/**
* Range of reserved numeric values. Reserved values may not be used by
@@ -667,7 +692,12 @@ export interface FieldOptions {
* is a formalization for deprecating fields.
*/
deprecated?: boolean | undefined;
/** For Google-internal migration only. Do not use. */
/**
* DEPRECATED. DO NOT USE!
* For Google-internal migration only. Do not use.
*
* @deprecated
*/
weak?: boolean | undefined;
/**
* Indicate that the field value should not be printed out when using debug
@@ -770,6 +800,11 @@ export interface FieldOptions_FeatureSupport {
* not be able to override it.
*/
editionRemoved?: Edition | undefined;
/**
* The removal error text if this feature is used after the edition it was
* removed in.
*/
removalError?: string | undefined;
}
export interface OneofOptions {
/**
@@ -941,6 +976,7 @@ export interface FeatureSet {
messageEncoding?: FeatureSet_MessageEncoding | undefined;
jsonFormat?: FeatureSet_JsonFormat | undefined;
enforceNamingStyle?: FeatureSet_EnforceNamingStyle | undefined;
defaultSymbolVisibility?: FeatureSet_VisibilityFeature_DefaultSymbolVisibility | undefined;
}
export declare enum FeatureSet_FieldPresence {
FIELD_PRESENCE_UNKNOWN = 0,
@@ -992,6 +1028,25 @@ export declare enum FeatureSet_EnforceNamingStyle {
}
export declare function featureSet_EnforceNamingStyleFromJSON(object: any): FeatureSet_EnforceNamingStyle;
export declare function featureSet_EnforceNamingStyleToJSON(object: FeatureSet_EnforceNamingStyle): string;
export interface FeatureSet_VisibilityFeature {
}
export declare enum FeatureSet_VisibilityFeature_DefaultSymbolVisibility {
DEFAULT_SYMBOL_VISIBILITY_UNKNOWN = 0,
/** EXPORT_ALL - Default pre-EDITION_2024, all UNSET visibility are export. */
EXPORT_ALL = 1,
/** EXPORT_TOP_LEVEL - All top-level symbols default to export, nested default to local. */
EXPORT_TOP_LEVEL = 2,
/** LOCAL_ALL - All symbols default to local. */
LOCAL_ALL = 3,
/**
* STRICT - All symbols local by default. Nested types cannot be exported.
* With special case caveat for message { enum {} reserved 1 to max; }
* This is the recommended setting for new protos.
*/
STRICT = 4
}
export declare function featureSet_VisibilityFeature_DefaultSymbolVisibilityFromJSON(object: any): FeatureSet_VisibilityFeature_DefaultSymbolVisibility;
export declare function featureSet_VisibilityFeature_DefaultSymbolVisibilityToJSON(object: FeatureSet_VisibilityFeature_DefaultSymbolVisibility): string;
/**
* A compiled specification for the defaults of a set of features. These
* messages are generated from FeatureSet extensions and can be used to seed
@@ -1238,6 +1293,7 @@ export declare const MethodOptions: MessageFns<MethodOptions>;
export declare const UninterpretedOption: MessageFns<UninterpretedOption>;
export declare const UninterpretedOption_NamePart: MessageFns<UninterpretedOption_NamePart>;
export declare const FeatureSet: MessageFns<FeatureSet>;
export declare const FeatureSet_VisibilityFeature: MessageFns<FeatureSet_VisibilityFeature>;
export declare const FeatureSetDefaults: MessageFns<FeatureSetDefaults>;
export declare const FeatureSetDefaults_FeatureSetEditionDefault: MessageFns<FeatureSetDefaults_FeatureSetEditionDefault>;
export declare const SourceCodeInfo: MessageFns<SourceCodeInfo>;
@@ -1,14 +1,16 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: google/protobuf/descriptor.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.GeneratedCodeInfo = exports.SourceCodeInfo_Location = exports.SourceCodeInfo = exports.FeatureSetDefaults_FeatureSetEditionDefault = exports.FeatureSetDefaults = exports.FeatureSet = exports.UninterpretedOption_NamePart = exports.UninterpretedOption = exports.MethodOptions = exports.ServiceOptions = exports.EnumValueOptions = exports.EnumOptions = exports.OneofOptions = exports.FieldOptions_FeatureSupport = exports.FieldOptions_EditionDefault = exports.FieldOptions = exports.MessageOptions = exports.FileOptions = exports.MethodDescriptorProto = exports.ServiceDescriptorProto = exports.EnumValueDescriptorProto = exports.EnumDescriptorProto_EnumReservedRange = exports.EnumDescriptorProto = exports.OneofDescriptorProto = exports.FieldDescriptorProto = exports.ExtensionRangeOptions_Declaration = exports.ExtensionRangeOptions = exports.DescriptorProto_ReservedRange = exports.DescriptorProto_ExtensionRange = exports.DescriptorProto = exports.FileDescriptorProto = exports.FileDescriptorSet = exports.GeneratedCodeInfo_Annotation_Semantic = exports.FeatureSet_EnforceNamingStyle = exports.FeatureSet_JsonFormat = exports.FeatureSet_MessageEncoding = exports.FeatureSet_Utf8Validation = exports.FeatureSet_RepeatedFieldEncoding = exports.FeatureSet_EnumType = exports.FeatureSet_FieldPresence = exports.MethodOptions_IdempotencyLevel = exports.FieldOptions_OptionTargetType = exports.FieldOptions_OptionRetention = exports.FieldOptions_JSType = exports.FieldOptions_CType = exports.FileOptions_OptimizeMode = exports.FieldDescriptorProto_Label = exports.FieldDescriptorProto_Type = exports.ExtensionRangeOptions_VerificationState = exports.Edition = void 0;
exports.GeneratedCodeInfo_Annotation = void 0;
exports.FeatureSetDefaults_FeatureSetEditionDefault = exports.FeatureSetDefaults = exports.FeatureSet_VisibilityFeature = exports.FeatureSet = exports.UninterpretedOption_NamePart = exports.UninterpretedOption = exports.MethodOptions = exports.ServiceOptions = exports.EnumValueOptions = exports.EnumOptions = exports.OneofOptions = exports.FieldOptions_FeatureSupport = exports.FieldOptions_EditionDefault = exports.FieldOptions = exports.MessageOptions = exports.FileOptions = exports.MethodDescriptorProto = exports.ServiceDescriptorProto = exports.EnumValueDescriptorProto = exports.EnumDescriptorProto_EnumReservedRange = exports.EnumDescriptorProto = exports.OneofDescriptorProto = exports.FieldDescriptorProto = exports.ExtensionRangeOptions_Declaration = exports.ExtensionRangeOptions = exports.DescriptorProto_ReservedRange = exports.DescriptorProto_ExtensionRange = exports.DescriptorProto = exports.FileDescriptorProto = exports.FileDescriptorSet = exports.GeneratedCodeInfo_Annotation_Semantic = exports.FeatureSet_VisibilityFeature_DefaultSymbolVisibility = exports.FeatureSet_EnforceNamingStyle = exports.FeatureSet_JsonFormat = exports.FeatureSet_MessageEncoding = exports.FeatureSet_Utf8Validation = exports.FeatureSet_RepeatedFieldEncoding = exports.FeatureSet_EnumType = exports.FeatureSet_FieldPresence = exports.MethodOptions_IdempotencyLevel = exports.FieldOptions_OptionTargetType = exports.FieldOptions_OptionRetention = exports.FieldOptions_JSType = exports.FieldOptions_CType = exports.FileOptions_OptimizeMode = exports.FieldDescriptorProto_Label = exports.FieldDescriptorProto_Type = exports.ExtensionRangeOptions_VerificationState = exports.SymbolVisibility = exports.Edition = void 0;
exports.GeneratedCodeInfo_Annotation = exports.GeneratedCodeInfo = exports.SourceCodeInfo_Location = exports.SourceCodeInfo = void 0;
exports.editionFromJSON = editionFromJSON;
exports.editionToJSON = editionToJSON;
exports.symbolVisibilityFromJSON = symbolVisibilityFromJSON;
exports.symbolVisibilityToJSON = symbolVisibilityToJSON;
exports.extensionRangeOptions_VerificationStateFromJSON = extensionRangeOptions_VerificationStateFromJSON;
exports.extensionRangeOptions_VerificationStateToJSON = extensionRangeOptions_VerificationStateToJSON;
exports.fieldDescriptorProto_TypeFromJSON = fieldDescriptorProto_TypeFromJSON;
@@ -41,6 +43,8 @@ exports.featureSet_JsonFormatFromJSON = featureSet_JsonFormatFromJSON;
exports.featureSet_JsonFormatToJSON = featureSet_JsonFormatToJSON;
exports.featureSet_EnforceNamingStyleFromJSON = featureSet_EnforceNamingStyleFromJSON;
exports.featureSet_EnforceNamingStyleToJSON = featureSet_EnforceNamingStyleToJSON;
exports.featureSet_VisibilityFeature_DefaultSymbolVisibilityFromJSON = featureSet_VisibilityFeature_DefaultSymbolVisibilityFromJSON;
exports.featureSet_VisibilityFeature_DefaultSymbolVisibilityToJSON = featureSet_VisibilityFeature_DefaultSymbolVisibilityToJSON;
exports.generatedCodeInfo_Annotation_SemanticFromJSON = generatedCodeInfo_Annotation_SemanticFromJSON;
exports.generatedCodeInfo_Annotation_SemanticToJSON = generatedCodeInfo_Annotation_SemanticToJSON;
/* eslint-disable */
@@ -69,6 +73,8 @@ var Edition;
*/
Edition[Edition["EDITION_2023"] = 1000] = "EDITION_2023";
Edition[Edition["EDITION_2024"] = 1001] = "EDITION_2024";
/** EDITION_UNSTABLE - A placeholder edition for developing and testing unscheduled features. */
Edition[Edition["EDITION_UNSTABLE"] = 9999] = "EDITION_UNSTABLE";
/**
* EDITION_1_TEST_ONLY - Placeholder editions for testing feature resolution. These should not be
* used or relied on outside of tests.
@@ -105,6 +111,9 @@ function editionFromJSON(object) {
case 1001:
case "EDITION_2024":
return Edition.EDITION_2024;
case 9999:
case "EDITION_UNSTABLE":
return Edition.EDITION_UNSTABLE;
case 1:
case "EDITION_1_TEST_ONLY":
return Edition.EDITION_1_TEST_ONLY;
@@ -141,6 +150,8 @@ function editionToJSON(object) {
return "EDITION_2023";
case Edition.EDITION_2024:
return "EDITION_2024";
case Edition.EDITION_UNSTABLE:
return "EDITION_UNSTABLE";
case Edition.EDITION_1_TEST_ONLY:
return "EDITION_1_TEST_ONLY";
case Edition.EDITION_2_TEST_ONLY:
@@ -157,6 +168,46 @@ function editionToJSON(object) {
throw new globalThis.Error("Unrecognized enum value " + object + " for enum Edition");
}
}
/**
* Describes the 'visibility' of a symbol with respect to the proto import
* system. Symbols can only be imported when the visibility rules do not prevent
* it (ex: local symbols cannot be imported). Visibility modifiers can only set
* on `message` and `enum` as they are the only types available to be referenced
* from other files.
*/
var SymbolVisibility;
(function (SymbolVisibility) {
SymbolVisibility[SymbolVisibility["VISIBILITY_UNSET"] = 0] = "VISIBILITY_UNSET";
SymbolVisibility[SymbolVisibility["VISIBILITY_LOCAL"] = 1] = "VISIBILITY_LOCAL";
SymbolVisibility[SymbolVisibility["VISIBILITY_EXPORT"] = 2] = "VISIBILITY_EXPORT";
})(SymbolVisibility || (exports.SymbolVisibility = SymbolVisibility = {}));
function symbolVisibilityFromJSON(object) {
switch (object) {
case 0:
case "VISIBILITY_UNSET":
return SymbolVisibility.VISIBILITY_UNSET;
case 1:
case "VISIBILITY_LOCAL":
return SymbolVisibility.VISIBILITY_LOCAL;
case 2:
case "VISIBILITY_EXPORT":
return SymbolVisibility.VISIBILITY_EXPORT;
default:
throw new globalThis.Error("Unrecognized enum value " + object + " for enum SymbolVisibility");
}
}
function symbolVisibilityToJSON(object) {
switch (object) {
case SymbolVisibility.VISIBILITY_UNSET:
return "VISIBILITY_UNSET";
case SymbolVisibility.VISIBILITY_LOCAL:
return "VISIBILITY_LOCAL";
case SymbolVisibility.VISIBILITY_EXPORT:
return "VISIBILITY_EXPORT";
default:
throw new globalThis.Error("Unrecognized enum value " + object + " for enum SymbolVisibility");
}
}
/** The verification state of the extension range. */
var ExtensionRangeOptions_VerificationState;
(function (ExtensionRangeOptions_VerificationState) {
@@ -877,6 +928,59 @@ function featureSet_EnforceNamingStyleToJSON(object) {
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FeatureSet_EnforceNamingStyle");
}
}
var FeatureSet_VisibilityFeature_DefaultSymbolVisibility;
(function (FeatureSet_VisibilityFeature_DefaultSymbolVisibility) {
FeatureSet_VisibilityFeature_DefaultSymbolVisibility[FeatureSet_VisibilityFeature_DefaultSymbolVisibility["DEFAULT_SYMBOL_VISIBILITY_UNKNOWN"] = 0] = "DEFAULT_SYMBOL_VISIBILITY_UNKNOWN";
/** EXPORT_ALL - Default pre-EDITION_2024, all UNSET visibility are export. */
FeatureSet_VisibilityFeature_DefaultSymbolVisibility[FeatureSet_VisibilityFeature_DefaultSymbolVisibility["EXPORT_ALL"] = 1] = "EXPORT_ALL";
/** EXPORT_TOP_LEVEL - All top-level symbols default to export, nested default to local. */
FeatureSet_VisibilityFeature_DefaultSymbolVisibility[FeatureSet_VisibilityFeature_DefaultSymbolVisibility["EXPORT_TOP_LEVEL"] = 2] = "EXPORT_TOP_LEVEL";
/** LOCAL_ALL - All symbols default to local. */
FeatureSet_VisibilityFeature_DefaultSymbolVisibility[FeatureSet_VisibilityFeature_DefaultSymbolVisibility["LOCAL_ALL"] = 3] = "LOCAL_ALL";
/**
* STRICT - All symbols local by default. Nested types cannot be exported.
* With special case caveat for message { enum {} reserved 1 to max; }
* This is the recommended setting for new protos.
*/
FeatureSet_VisibilityFeature_DefaultSymbolVisibility[FeatureSet_VisibilityFeature_DefaultSymbolVisibility["STRICT"] = 4] = "STRICT";
})(FeatureSet_VisibilityFeature_DefaultSymbolVisibility || (exports.FeatureSet_VisibilityFeature_DefaultSymbolVisibility = FeatureSet_VisibilityFeature_DefaultSymbolVisibility = {}));
function featureSet_VisibilityFeature_DefaultSymbolVisibilityFromJSON(object) {
switch (object) {
case 0:
case "DEFAULT_SYMBOL_VISIBILITY_UNKNOWN":
return FeatureSet_VisibilityFeature_DefaultSymbolVisibility.DEFAULT_SYMBOL_VISIBILITY_UNKNOWN;
case 1:
case "EXPORT_ALL":
return FeatureSet_VisibilityFeature_DefaultSymbolVisibility.EXPORT_ALL;
case 2:
case "EXPORT_TOP_LEVEL":
return FeatureSet_VisibilityFeature_DefaultSymbolVisibility.EXPORT_TOP_LEVEL;
case 3:
case "LOCAL_ALL":
return FeatureSet_VisibilityFeature_DefaultSymbolVisibility.LOCAL_ALL;
case 4:
case "STRICT":
return FeatureSet_VisibilityFeature_DefaultSymbolVisibility.STRICT;
default:
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FeatureSet_VisibilityFeature_DefaultSymbolVisibility");
}
}
function featureSet_VisibilityFeature_DefaultSymbolVisibilityToJSON(object) {
switch (object) {
case FeatureSet_VisibilityFeature_DefaultSymbolVisibility.DEFAULT_SYMBOL_VISIBILITY_UNKNOWN:
return "DEFAULT_SYMBOL_VISIBILITY_UNKNOWN";
case FeatureSet_VisibilityFeature_DefaultSymbolVisibility.EXPORT_ALL:
return "EXPORT_ALL";
case FeatureSet_VisibilityFeature_DefaultSymbolVisibility.EXPORT_TOP_LEVEL:
return "EXPORT_TOP_LEVEL";
case FeatureSet_VisibilityFeature_DefaultSymbolVisibility.LOCAL_ALL:
return "LOCAL_ALL";
case FeatureSet_VisibilityFeature_DefaultSymbolVisibility.STRICT:
return "STRICT";
default:
throw new globalThis.Error("Unrecognized enum value " + object + " for enum FeatureSet_VisibilityFeature_DefaultSymbolVisibility");
}
}
/**
* Represents the identified object's effect on the element in the original
* .proto file.
@@ -945,6 +1049,9 @@ exports.FileDescriptorProto = {
weakDependency: globalThis.Array.isArray(object?.weakDependency)
? object.weakDependency.map((e) => globalThis.Number(e))
: [],
optionDependency: globalThis.Array.isArray(object?.optionDependency)
? object.optionDependency.map((e) => globalThis.String(e))
: [],
messageType: globalThis.Array.isArray(object?.messageType)
? object.messageType.map((e) => exports.DescriptorProto.fromJSON(e))
: [],
@@ -980,6 +1087,9 @@ exports.FileDescriptorProto = {
if (message.weakDependency?.length) {
obj.weakDependency = message.weakDependency.map((e) => Math.round(e));
}
if (message.optionDependency?.length) {
obj.optionDependency = message.optionDependency;
}
if (message.messageType?.length) {
obj.messageType = message.messageType.map((e) => exports.DescriptorProto.toJSON(e));
}
@@ -1036,6 +1146,7 @@ exports.DescriptorProto = {
reservedName: globalThis.Array.isArray(object?.reservedName)
? object.reservedName.map((e) => globalThis.String(e))
: [],
visibility: isSet(object.visibility) ? symbolVisibilityFromJSON(object.visibility) : 0,
};
},
toJSON(message) {
@@ -1070,6 +1181,9 @@ exports.DescriptorProto = {
if (message.reservedName?.length) {
obj.reservedName = message.reservedName;
}
if (message.visibility !== undefined && message.visibility !== 0) {
obj.visibility = symbolVisibilityToJSON(message.visibility);
}
return obj;
},
};
@@ -1261,6 +1375,7 @@ exports.EnumDescriptorProto = {
reservedName: globalThis.Array.isArray(object?.reservedName)
? object.reservedName.map((e) => globalThis.String(e))
: [],
visibility: isSet(object.visibility) ? symbolVisibilityFromJSON(object.visibility) : 0,
};
},
toJSON(message) {
@@ -1280,6 +1395,9 @@ exports.EnumDescriptorProto = {
if (message.reservedName?.length) {
obj.reservedName = message.reservedName;
}
if (message.visibility !== undefined && message.visibility !== 0) {
obj.visibility = symbolVisibilityToJSON(message.visibility);
}
return obj;
},
};
@@ -1624,6 +1742,7 @@ exports.FieldOptions_FeatureSupport = {
editionDeprecated: isSet(object.editionDeprecated) ? editionFromJSON(object.editionDeprecated) : 0,
deprecationWarning: isSet(object.deprecationWarning) ? globalThis.String(object.deprecationWarning) : "",
editionRemoved: isSet(object.editionRemoved) ? editionFromJSON(object.editionRemoved) : 0,
removalError: isSet(object.removalError) ? globalThis.String(object.removalError) : "",
};
},
toJSON(message) {
@@ -1640,6 +1759,9 @@ exports.FieldOptions_FeatureSupport = {
if (message.editionRemoved !== undefined && message.editionRemoved !== 0) {
obj.editionRemoved = editionToJSON(message.editionRemoved);
}
if (message.removalError !== undefined && message.removalError !== "") {
obj.removalError = message.removalError;
}
return obj;
},
};
@@ -1857,6 +1979,9 @@ exports.FeatureSet = {
enforceNamingStyle: isSet(object.enforceNamingStyle)
? featureSet_EnforceNamingStyleFromJSON(object.enforceNamingStyle)
: 0,
defaultSymbolVisibility: isSet(object.defaultSymbolVisibility)
? featureSet_VisibilityFeature_DefaultSymbolVisibilityFromJSON(object.defaultSymbolVisibility)
: 0,
};
},
toJSON(message) {
@@ -1882,6 +2007,18 @@ exports.FeatureSet = {
if (message.enforceNamingStyle !== undefined && message.enforceNamingStyle !== 0) {
obj.enforceNamingStyle = featureSet_EnforceNamingStyleToJSON(message.enforceNamingStyle);
}
if (message.defaultSymbolVisibility !== undefined && message.defaultSymbolVisibility !== 0) {
obj.defaultSymbolVisibility = featureSet_VisibilityFeature_DefaultSymbolVisibilityToJSON(message.defaultSymbolVisibility);
}
return obj;
},
};
exports.FeatureSet_VisibilityFeature = {
fromJSON(_) {
return {};
},
toJSON(_) {
const obj = {};
return obj;
},
};
@@ -71,8 +71,8 @@
* {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional
* seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution),
* are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone
* is required. A proto3 JSON serializer should always use UTC (as indicated by
* "Z") when printing the Timestamp type and a proto3 JSON parser should be
* is required. A ProtoJSON serializer should always use UTC (as indicated by
* "Z") when printing the Timestamp type and a ProtoJSON parser should be
* able to accept both UTC and other timezones (as indicated by an offset).
*
* For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past
@@ -91,15 +91,16 @@
*/
export interface Timestamp {
/**
* Represents seconds of UTC time since Unix epoch
* 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
* 9999-12-31T23:59:59Z inclusive.
* Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must
* be between -62135596800 and 253402300799 inclusive (which corresponds to
* 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
*/
seconds: string;
/**
* Non-negative fractions of a second at nanosecond resolution. Negative
* second values with fractions must still have non-negative nanos values
* that count forward in time. Must be from 0 to 999,999,999
* Non-negative fractions of a second at nanosecond resolution. This field is
* the nanosecond portion of the duration, not an alternative to seconds.
* Negative second values with fractions must still have non-negative nanos
* values that count forward in time. Must be between 0 and 999,999,999
* inclusive.
*/
nanos: number;
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: google/protobuf/timestamp.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.Timestamp = void 0;
+2 -2
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: rekor/v2/dsse.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.DSSELogEntryV002 = exports.DSSERequestV002 = void 0;
@@ -15,7 +15,7 @@ export interface Entry {
}
/** Spec contains one of the Rekor entry types. */
export interface Spec {
spec?: {
spec: {
$case: "hashedRekordV002";
hashedRekordV002: HashedRekordLogEntryV002;
} | {
@@ -25,7 +25,7 @@ export interface Spec {
}
/** Create a new HashedRekord or DSSE */
export interface CreateEntryRequest {
spec?: {
spec: {
$case: "hashedRekordRequestV002";
hashedRekordRequestV002: HashedRekordRequestV002;
} | {
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: rekor/v2/entry.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.CreateEntryRequest = exports.Spec = exports.Entry = void 0;
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: rekor/v2/hashedrekord.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.HashedRekordLogEntryV002 = exports.HashedRekordRequestV002 = void 0;
@@ -6,7 +6,7 @@ export interface PublicKey {
}
/** Either a public key or a X.509 cerificiate with an embedded public key */
export interface Verifier {
verifier?: //
verifier: //
/** DER-encoded public key. Encoding method is specified by the key_details attribute */
{
$case: "publicKey";
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: rekor/v2/verifier.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.Signature = exports.Verifier = exports.PublicKey = void 0;
@@ -63,7 +63,7 @@ export interface VerificationMaterial {
* When used in a `0.3` bundle with the PGI and "keyless" signing,
* form (3) MUST be used.
*/
content?: {
content: {
$case: "publicKey";
publicKey: PublicKeyIdentifier;
} | {
@@ -112,7 +112,7 @@ export interface Bundle {
* DSSE envelope.
*/
verificationMaterial: VerificationMaterial | undefined;
content?: {
content: {
$case: "messageSignature";
messageSignature: MessageSignature;
} | //
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: sigstore_bundle.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.Bundle = exports.VerificationMaterial = exports.TimestampVerificationData = void 0;
@@ -12,7 +12,17 @@ export declare enum HashAlgorithm {
SHA2_256 = 1,
SHA2_384 = 2,
SHA2_512 = 3,
/**
* SHA3_256 - Used for LMS
*
* @deprecated
*/
SHA3_256 = 4,
/**
* SHA3_384 - Used for LMS
*
* @deprecated
*/
SHA3_384 = 5
}
export declare function hashAlgorithmFromJSON(object: any): HashAlgorithm;
@@ -88,9 +98,7 @@ export declare enum PublicKeyDetails {
* LMS_SHA256 - LMS and LM-OTS
*
* These algorithms are deprecated and should not be used.
* Keys and signatures MAY be used by private Sigstore
* deployments, but will not be supported by the public
* good instance.
* There are no plans to support SLH-DSA at this time.
*
* USER WARNING: LMS and LM-OTS are both stateful signature schemes.
* Using them correctly requires discretion and careful consideration
@@ -106,20 +114,23 @@ export declare enum PublicKeyDetails {
/** @deprecated */
LMOTS_SHA256 = 15,
/**
* ML_DSA_65 - ML-DSA
* ML_DSA_44 - ML-DSA
*
* These ML_DSA_65 and ML-DSA_87 algorithms are the pure variants that
* take data to sign rather than the prehash variants (HashML-DSA), which
* take digests. While considered quantum-resistant, their usage
* These ML_DSA_44, ML_DSA_65 and ML-DSA_87 algorithms are the pure variants
* that take data to sign rather than the prehash variants (HashML-DSA), which
* take digests. While considered quantum-resistant, their usage
* involves tradeoffs in that signatures and keys are much larger, and
* this makes deployments more costly.
*
* USER WARNING: ML_DSA_65 and ML_DSA_87 are experimental algorithms.
* USER WARNING: ML_DSA_44, ML_DSA_65 and ML_DSA_87 are experimental algorithms.
* In the future they MAY be used by private Sigstore deployments, but
* they are not yet fully functional. This warning will be removed when
* they are not yet fully functional. This warning will be removed when
* these algorithms are widely supported by Sigstore clients and servers,
* but care should still be taken for production environments.
*
* See NIST FIPS 204, RFC 9881 for algorithm identifiers
*/
ML_DSA_44 = 23,
ML_DSA_65 = 21,
ML_DSA_87 = 22
}
@@ -231,7 +242,7 @@ export interface X509Certificate {
}
export interface SubjectAlternativeName {
type: SubjectAlternativeNameType;
identity?: //
identity: //
/**
* A regular expression describing the expected value for
* the SAN.
+27 -11
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: sigstore_common.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.TimeRange = exports.X509CertificateChain = exports.SubjectAlternativeName = exports.X509Certificate = exports.DistinguishedName = exports.ObjectIdentifierValuePair = exports.ObjectIdentifier = exports.PublicKeyIdentifier = exports.PublicKey = exports.RFC3161SignedTimestamp = exports.LogId = exports.MessageSignature = exports.HashOutput = exports.SubjectAlternativeNameType = exports.PublicKeyDetails = exports.HashAlgorithm = void 0;
@@ -29,7 +29,17 @@ var HashAlgorithm;
HashAlgorithm[HashAlgorithm["SHA2_256"] = 1] = "SHA2_256";
HashAlgorithm[HashAlgorithm["SHA2_384"] = 2] = "SHA2_384";
HashAlgorithm[HashAlgorithm["SHA2_512"] = 3] = "SHA2_512";
/**
* SHA3_256 - Used for LMS
*
* @deprecated
*/
HashAlgorithm[HashAlgorithm["SHA3_256"] = 4] = "SHA3_256";
/**
* SHA3_384 - Used for LMS
*
* @deprecated
*/
HashAlgorithm[HashAlgorithm["SHA3_384"] = 5] = "SHA3_384";
})(HashAlgorithm || (exports.HashAlgorithm = HashAlgorithm = {}));
function hashAlgorithmFromJSON(object) {
@@ -146,9 +156,7 @@ var PublicKeyDetails;
* LMS_SHA256 - LMS and LM-OTS
*
* These algorithms are deprecated and should not be used.
* Keys and signatures MAY be used by private Sigstore
* deployments, but will not be supported by the public
* good instance.
* There are no plans to support SLH-DSA at this time.
*
* USER WARNING: LMS and LM-OTS are both stateful signature schemes.
* Using them correctly requires discretion and careful consideration
@@ -164,20 +172,23 @@ var PublicKeyDetails;
/** @deprecated */
PublicKeyDetails[PublicKeyDetails["LMOTS_SHA256"] = 15] = "LMOTS_SHA256";
/**
* ML_DSA_65 - ML-DSA
* ML_DSA_44 - ML-DSA
*
* These ML_DSA_65 and ML-DSA_87 algorithms are the pure variants that
* take data to sign rather than the prehash variants (HashML-DSA), which
* take digests. While considered quantum-resistant, their usage
* These ML_DSA_44, ML_DSA_65 and ML-DSA_87 algorithms are the pure variants
* that take data to sign rather than the prehash variants (HashML-DSA), which
* take digests. While considered quantum-resistant, their usage
* involves tradeoffs in that signatures and keys are much larger, and
* this makes deployments more costly.
*
* USER WARNING: ML_DSA_65 and ML_DSA_87 are experimental algorithms.
* USER WARNING: ML_DSA_44, ML_DSA_65 and ML_DSA_87 are experimental algorithms.
* In the future they MAY be used by private Sigstore deployments, but
* they are not yet fully functional. This warning will be removed when
* they are not yet fully functional. This warning will be removed when
* these algorithms are widely supported by Sigstore clients and servers,
* but care should still be taken for production environments.
*
* See NIST FIPS 204, RFC 9881 for algorithm identifiers
*/
PublicKeyDetails[PublicKeyDetails["ML_DSA_44"] = 23] = "ML_DSA_44";
PublicKeyDetails[PublicKeyDetails["ML_DSA_65"] = 21] = "ML_DSA_65";
PublicKeyDetails[PublicKeyDetails["ML_DSA_87"] = 22] = "ML_DSA_87";
})(PublicKeyDetails || (exports.PublicKeyDetails = PublicKeyDetails = {}));
@@ -246,6 +257,9 @@ function publicKeyDetailsFromJSON(object) {
case 15:
case "LMOTS_SHA256":
return PublicKeyDetails.LMOTS_SHA256;
case 23:
case "ML_DSA_44":
return PublicKeyDetails.ML_DSA_44;
case 21:
case "ML_DSA_65":
return PublicKeyDetails.ML_DSA_65;
@@ -300,6 +314,8 @@ function publicKeyDetailsToJSON(object) {
return "LMS_SHA256";
case PublicKeyDetails.LMOTS_SHA256:
return "LMOTS_SHA256";
case PublicKeyDetails.ML_DSA_44:
return "ML_DSA_44";
case PublicKeyDetails.ML_DSA_65:
return "ML_DSA_65";
case PublicKeyDetails.ML_DSA_87:
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: sigstore_rekor.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.TransparencyLogEntry = exports.InclusionPromise = exports.InclusionProof = exports.Checkpoint = exports.KindVersion = void 0;
@@ -50,23 +50,25 @@ export interface TransparencyLogInstance {
*/
publicKey: PublicKey | undefined;
/**
* The unique identifier for this transparency log.
* The identifier for this transparency log.
* Represented as the SHA-256 hash of the log's public key,
* calculated over the DER encoding of the key represented as
* SubjectPublicKeyInfo.
* See https://www.rfc-editor.org/rfc/rfc6962#section-3.2
* MUST set checkpoint_key_id if multiple logs use the same
* signing key.
* Deprecated: Use checkpoint_key_id instead, since log_id is not
* For Rekor v2 instances, log_id and checkpoint_key_id will be set
* to the same value.
* It is recommended to use checkpoint_key_id instead, since log_id is not
* guaranteed to be unique across multiple deployments. Clients
* must use the key name and key ID from a checkpoint to determine
* the correct TransparencyLogInstance to verify a proof.
*
* @deprecated
* must use the key name and key ID, as defined by the signed-note spec
* linked below, from a checkpoint to determine the correct
* TransparencyLogInstance to verify a proof.
* log_id will eventually be deprecated in favor of checkpoint_id.
*/
logId: LogId | undefined;
/**
* The unique identifier for the log, used in the checkpoint.
* Only supported for TrustedRoot media types matching or greater than
* application/vnd.dev.sigstore.trustedroot.v0.2+json
* Its calculation is described in
* https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures
* SHOULD be set for all logs. When not set, clients MUST use log_id.
@@ -93,6 +95,8 @@ export interface TransparencyLogInstance {
/**
* The name of the operator of this log deployment. Operator MUST be
* formatted as a scheme-less URI, e.g. sigstore.dev
* Only supported for TrustedRoot media types matching or greater than
* application/vnd.dev.sigstore.trustedroot.v0.2+json
* This MUST be used when there are multiple transparency log instances
* to determine if log proof verification meets a specified threshold,
* e.g. two proofs from log deployments operated by the same operator
@@ -163,13 +167,10 @@ export interface CertificateAuthority {
* previously used instance -- otherwise signatures made in the past cannot
* be verified.
*
* All the listed instances SHOULD be sorted by the 'valid_for' in ascending
* order, that is, the oldest instance first. Only the last instance is
* allowed to have their 'end' timestamp unset. All previous instances MUST
* have a closed interval of validity. The last instance MAY have a closed
* interval. Clients MUST accept instances that overlaps in time, if not
* clients may experience problems during rotations of verification
* materials.
* All the listed instances SHOULD be sorted by the 'valid_for.start'
* in ascending order, that is, the oldest instance first. Clients
* MUST accept instances that overlaps in time, if not clients may
* experience problems during rotations of verification materials.
*
* To be able to manage planned rotations of either transparency logs or
* certificate authorities, clienst MUST accept lists of instances where
@@ -180,10 +181,12 @@ export interface CertificateAuthority {
*/
export interface TrustedRoot {
/**
* MUST be application/vnd.dev.sigstore.trustedroot.v0.1+json
* MUST be application/vnd.dev.sigstore.trustedroot.v0.2+json
* when encoded as JSON.
* Clients MUST be able to process and parse content with the media
* type defined in the old format:
* Clients MAY choose to also support
* application/vnd.dev.sigstore.trustedroot.v0.1+json
* Clients MAY process and parse content with the media type defined
* in the old format:
* application/vnd.dev.sigstore.trustedroot+json;version=0.1
*/
mediaType: string;
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: sigstore_trustroot.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.ClientTrustConfig = exports.ServiceConfiguration = exports.Service = exports.SigningConfig = exports.TrustedRoot = exports.CertificateAuthority = exports.TransparencyLogInstance = exports.ServiceSelector = void 0;
@@ -29,7 +29,7 @@ export interface ArtifactVerificationOptions {
* is an error. If at least one provided identity is found as a
* signer, the verification is considered successful.
*/
signers?: {
signers: {
$case: "certificateIdentities";
certificateIdentities: CertificateIdentities;
} | //
@@ -127,7 +127,7 @@ export interface ArtifactVerificationOptions_ObserverTimestampOptions {
disable: boolean;
}
export interface Artifact {
data?: //
data: //
/** Location of the artifact */
{
$case: "artifactUri";
@@ -1,8 +1,8 @@
"use strict";
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.7.0
// protoc v6.30.2
// protoc-gen-ts_proto v2.11.5
// protoc v7.34.1
// source: sigstore_verification.proto
Object.defineProperty(exports, "__esModule", { value: true });
exports.Input = exports.Artifact = exports.ArtifactVerificationOptions_ObserverTimestampOptions = exports.ArtifactVerificationOptions_TlogIntegratedTimestampOptions = exports.ArtifactVerificationOptions_TimestampAuthorityOptions = exports.ArtifactVerificationOptions_CtlogOptions = exports.ArtifactVerificationOptions_TlogOptions = exports.ArtifactVerificationOptions = exports.PublicKeyIdentities = exports.CertificateIdentities = exports.CertificateIdentity = void 0;
+5 -1
@@ -1,9 +1,13 @@
{
"name": "@sigstore/protobuf-specs",
"version": "0.4.3",
"version": "0.5.1",
"description": "code-signing for npm packages",
"main": "dist/index.js",
"types": "dist/index.d.ts",
"exports": {
".": "./dist/index.js",
"./rekor/v2": "./dist/rekor/v2/index.js"
},
"scripts": {
"build": "tsc"
},
+1 -1
@@ -13,7 +13,7 @@ A library for generating [Sigstore][1] signatures.
## Prerequisites
- Node.js version >= 18.17.0
- Node.js version ^20.17.0 || >=22.9.0
## Installation
+2
@@ -6,6 +6,8 @@ exports.BaseBundleBuilder = void 0;
// Subclasses must implement the `package` method to assemble a valid bundle
// with the generated signature and verification material.
class BaseBundleBuilder {
signer;
witnesses;
constructor(options) {
this.signer = options.signer;
this.witnesses = options.witnesses;
+1
@@ -21,6 +21,7 @@ const base_1 = require("./base");
const bundle_1 = require("./bundle");
// BundleBuilder implementation for DSSE wrapped attestations
class DSSEBundleBuilder extends base_1.BaseBundleBuilder {
certificateChain;
constructor(options) {
super(options);
this.certificateChain = options.certificateChain ?? false;
+2
@@ -19,6 +19,8 @@ exports.InternalError = void 0;
exports.internalError = internalError;
const error_1 = require("./external/error");
class InternalError extends Error {
code;
cause;
constructor({ code, message, cause, }) {
super(message);
this.name = this.constructor.name;
+2
@@ -17,6 +17,8 @@ limitations under the License.
Object.defineProperty(exports, "__esModule", { value: true });
exports.HTTPError = void 0;
class HTTPError extends Error {
statusCode;
location;
constructor({ status, message, location, }) {
super(`(${status}) ${message}`);
this.statusCode = status;
+2 -2
@@ -19,15 +19,15 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const promise_retry_1 = require("@gar/promise-retry");
const http2_1 = require("http2");
const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
const proc_log_1 = require("proc-log");
const promise_retry_1 = __importDefault(require("promise-retry"));
const util_1 = require("../util");
const error_1 = require("./error");
const { HTTP2_HEADER_LOCATION, HTTP2_HEADER_CONTENT_TYPE, HTTP2_HEADER_USER_AGENT, HTTP_STATUS_INTERNAL_SERVER_ERROR, HTTP_STATUS_TOO_MANY_REQUESTS, HTTP_STATUS_REQUEST_TIMEOUT, } = http2_1.constants;
async function fetchWithRetry(url, options) {
return (0, promise_retry_1.default)(async (retry, attemptNum) => {
return (0, promise_retry_1.promiseRetry)(async (retry, attemptNum) => {
const method = options.method || 'POST';
const headers = {
[HTTP2_HEADER_USER_AGENT]: util_1.ua.getUserAgent(),
+1
@@ -21,6 +21,7 @@ const fetch_1 = require("./fetch");
* Fulcio API client.
*/
class Fulcio {
options;
constructor(options) {
this.options = options;
}
+1
@@ -21,6 +21,7 @@ const fetch_1 = require("./fetch");
* Rekor API client.
*/
class Rekor {
options;
constructor(options) {
this.options = options;
}
+7 -1
@@ -18,12 +18,18 @@ limitations under the License.
*/
const fetch_1 = require("./fetch");
class TimestampAuthority {
options;
constructor(options) {
this.options = options;
}
async createTimestamp(request) {
const { baseURL, timeout, retry } = this.options;
const url = `${baseURL}/api/v1/timestamp`;
// Account for the fact that the TSA URL may already include the full
// path if the client was initalized from a `SigningConfig` service entry
// (which always uses the full URL).
const url = new URL(baseURL).pathname === '/'
? `${baseURL}/api/v1/timestamp`
: baseURL;
const response = await (0, fetch_1.fetchWithRetry)(url, {
headers: {
'Content-Type': 'application/json',
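Review bot: The new `new URL(baseURL).pathname === '/'` branch does not cover a base URL with a trailing slash: `https://tsa.example/` still has pathname `/`, so the template yields `https://tsa.example//api/v1/timestamp`; stripping trailing slashes first, `baseURL.replace(/\/+$/, '')`, before the concatenation avoids the doubled slash. `new URL(baseURL)` also throws a plain `TypeError` for a malformed base URL before `fetchWithRetry` runs, so if callers expect this method's failures to surface through the fetch error path that case is now unwrapped — worth confirming against the caller. The added comment misspells "initialized". `createTimestamp`'s body continues outside the hunk.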
+1
@@ -28,6 +28,7 @@ const providers = [getGHAToken, getEnv];
* one that resolves.
*/
class CIContextProvider {
audience;
/* istanbul ignore next */
constructor(audience = 'sigstore') {
this.audience = audience;
+1
@@ -1,6 +1,7 @@
export type { Bundle } from '@sigstore/bundle';
export { DSSEBundleBuilder, MessageSignatureBundleBuilder } from './bundler';
export type { Artifact, BundleBuilder, BundleBuilderOptions } from './bundler';
export { bundleBuilderFromSigningConfig } from './config';
export { InternalError } from './error';
export { CIContextProvider } from './identity';
export type { IdentityProvider } from './identity';
+3 -1
@@ -1,9 +1,11 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TSAWitness = exports.RekorWitness = exports.DEFAULT_REKOR_URL = exports.FulcioSigner = exports.DEFAULT_FULCIO_URL = exports.CIContextProvider = exports.InternalError = exports.MessageSignatureBundleBuilder = exports.DSSEBundleBuilder = void 0;
exports.TSAWitness = exports.RekorWitness = exports.DEFAULT_REKOR_URL = exports.FulcioSigner = exports.DEFAULT_FULCIO_URL = exports.CIContextProvider = exports.InternalError = exports.bundleBuilderFromSigningConfig = exports.MessageSignatureBundleBuilder = exports.DSSEBundleBuilder = void 0;
var bundler_1 = require("./bundler");
Object.defineProperty(exports, "DSSEBundleBuilder", { enumerable: true, get: function () { return bundler_1.DSSEBundleBuilder; } });
Object.defineProperty(exports, "MessageSignatureBundleBuilder", { enumerable: true, get: function () { return bundler_1.MessageSignatureBundleBuilder; } });
var config_1 = require("./config");
Object.defineProperty(exports, "bundleBuilderFromSigningConfig", { enumerable: true, get: function () { return config_1.bundleBuilderFromSigningConfig; } });
var error_1 = require("./error");
Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return error_1.InternalError; } });
var identity_1 = require("./identity");
+1
@@ -19,6 +19,7 @@ limitations under the License.
const error_1 = require("../../error");
const fulcio_1 = require("../../external/fulcio");
class CAClient {
fulcio;
constructor(options) {
this.fulcio = new fulcio_1.Fulcio({
baseURL: options.fulcioBaseURL,
+4 -6
@@ -1,7 +1,4 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.EphemeralSigner = void 0;
/*
@@ -19,20 +16,21 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const crypto_1 = __importDefault(require("crypto"));
const crypto_1 = require("crypto");
const EC_KEYPAIR_TYPE = 'ec';
const P256_CURVE = 'P-256';
// Signer implementation which uses an ephemeral keypair to sign artifacts.
// The private key lives only in memory and is tied to the lifetime of the
// EphemeralSigner instance.
class EphemeralSigner {
keypair;
constructor() {
this.keypair = crypto_1.default.generateKeyPairSync(EC_KEYPAIR_TYPE, {
this.keypair = (0, crypto_1.generateKeyPairSync)(EC_KEYPAIR_TYPE, {
namedCurve: P256_CURVE,
});
}
async sign(data) {
const signature = crypto_1.default.sign(null, data, this.keypair.privateKey);
const signature = (0, crypto_1.sign)('sha256', data, this.keypair.privateKey);
const publicKey = this.keypair.publicKey
.export({ format: 'pem', type: 'spki' })
.toString('ascii');
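Review bot: The digest is now a bare `'sha256'` literal on the `sign` call while the curve it must pair with is the named constant `P256_CURVE` a few lines up; keeping the two together makes the coupling visible and harder to break in a later edit, e.g. `const P256_DIGEST = 'sha256'; // ECDSA over P-256 is paired with SHA-256` next to `P256_CURVE`, and `(0, crypto_1.sign)(P256_DIGEST, data, this.keypair.privateKey);` in `sign`. The `sign` method continues past the end of the hunk.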
+3
@@ -26,6 +26,9 @@ exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';
// Must be instantiated with an identity provider which can provide a JWT
// which represents the identity to be bound to the signing certificate.
class FulcioSigner {
ca;
identityProvider;
keyHolder;
constructor(options) {
this.ca = new ca_1.CAClient({
...options,
+11 -6
@@ -20,11 +20,16 @@ const core_1 = require("@sigstore/core");
function extractJWTSubject(jwt) {
const parts = jwt.split('.', 3);
const payload = JSON.parse(core_1.encoding.base64Decode(parts[1]));
switch (payload.iss) {
case 'https://accounts.google.com':
case 'https://oauth2.sigstore.dev/auth':
return payload.email;
default:
return payload.sub;
if (payload.email) {
if (!payload.email_verified) {
throw new Error('JWT email not verified by issuer');
}
return payload.email;
}
if (payload.sub) {
return payload.sub;
}
else {
throw new Error('JWT subject not found');
}
}
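Review bot: `if (!payload.email_verified)` is a truthiness test on a value taken straight from `JSON.parse`, so a non-boolean claim value such as the string `"false"` passes the check; compare strictly instead: `if (payload.email_verified !== true) {`. The old code only took `email` for two named issuers and used `sub` otherwise, whereas the new code prefers a verified `email` from any issuer, which changes which identity is extracted for the same token — presumably intended, but a short comment above the `if` would record it, e.g. `// Prefer a verified email claim over sub, regardless of issuer.`.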
+13
@@ -1,3 +1,5 @@
import type { TransparencyLogEntry } from '@sigstore/bundle';
import type { CreateEntryRequest } from '@sigstore/protobuf-specs/rekor/v2';
import type { Entry, ProposedEntry } from '../../external/rekor';
import type { FetchOptions } from '../../types/fetch';
export type { Entry, ProposedEntry };
@@ -14,3 +16,14 @@ export declare class TLogClient implements TLog {
constructor(options: TLogClientOptions);
createEntry(proposedEntry: ProposedEntry): Promise<Entry>;
}
export interface TLogV2 {
createEntry: (createEntryRequest: CreateEntryRequest) => Promise<TransparencyLogEntry>;
}
export type TLogV2ClientOptions = {
rekorBaseURL: string;
} & FetchOptions;
export declare class TLogV2Client implements TLogV2 {
private rekor;
constructor(options: TLogV2ClientOptions);
createEntry(createEntryRequest: CreateEntryRequest): Promise<TransparencyLogEntry>;
}
+33 -2
@@ -1,8 +1,8 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TLogClient = void 0;
exports.TLogV2Client = exports.TLogClient = void 0;
/*
Copyright 2023 The Sigstore Authors.
Copyright 2025 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -19,7 +19,10 @@ limitations under the License.
const error_1 = require("../../error");
const error_2 = require("../../external/error");
const rekor_1 = require("../../external/rekor");
const rekor_v2_1 = require("../../external/rekor-v2");
class TLogClient {
rekor;
fetchOnConflict;
constructor(options) {
this.fetchOnConflict = options.fetchOnConflict ?? false;
this.rekor = new rekor_1.Rekor({
@@ -59,3 +62,31 @@ function entryExistsError(value) {
value.statusCode === 409 &&
value.location !== undefined);
}
class TLogV2Client {
rekor;
constructor(options) {
this.rekor = new rekor_v2_1.RekorV2({
baseURL: options.rekorBaseURL,
retry: options.retry,
timeout: options.timeout,
});
}
async createEntry(createEntryRequest) {
let entry;
try {
entry = await this.rekor.createEntry(createEntryRequest);
}
catch (err) {
(0, error_1.internalError)(err, 'TLOG_CREATE_ENTRY_ERROR', 'error creating tlog entry');
}
if (entry.logId === undefined || entry.kindVersion === undefined) {
(0, error_1.internalError)(new Error('invalid tlog entry'), 'TLOG_CREATE_ENTRY_ERROR', 'error creating tlog entry');
}
return {
...entry,
logId: entry.logId,
kindVersion: entry.kindVersion,
};
}
}
exports.TLogV2Client = TLogV2Client;
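Review bot: The response check `if (entry.logId === undefined || entry.kindVersion === undefined)` in TLogV2Client.createEntry is the only validation of what Rekor returned, and it runs after a `catch` that assumes `internalError` never returns; if that helper ever returns instead of throwing, `entry` is `undefined` and the check itself throws a bare TypeError. The entry is passed into the bundle unchanged and the verifier side of this commit presumably reads further fields from it (`integratedTime`, `canonicalizedBody`), so extending the guard to those, e.g. `|| entry.canonicalizedBody === undefined`, would fail fast under `TLOG_CREATE_ENTRY_ERROR` rather than as an obscure verification error later. Unlike TLogClient above, there is no `fetchOnConflict`/409 handling here; if Rekor v2 can report an already-existing entry, that path is currently a hard error.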
+2
@@ -1,3 +1,5 @@
import type { CreateEntryRequest } from '@sigstore/protobuf-specs/rekor/v2';
import type { ProposedEntry } from '../../external/rekor';
import type { SignatureBundle } from '../witness';
export declare function toProposedEntry(content: SignatureBundle, publicKey: string, entryType?: 'dsse' | 'intoto'): ProposedEntry;
export declare function toCreateEntryRequest(content: SignatureBundle, publicKey: string): CreateEntryRequest;
+58 -1
@@ -1,8 +1,9 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.toProposedEntry = toProposedEntry;
exports.toCreateEntryRequest = toCreateEntryRequest;
/*
Copyright 2023 The Sigstore Authors.
Copyright 2025 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -17,6 +18,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
const bundle_1 = require("@sigstore/bundle");
const protobuf_specs_1 = require("@sigstore/protobuf-specs");
const util_1 = require("../../util");
const SHA256_ALGORITHM = 'sha256';
function toProposedEntry(content, publicKey,
@@ -138,3 +140,58 @@ function calculateDSSEHash(envelope, publicKey) {
.digest(SHA256_ALGORITHM, util_1.json.canonicalize(dsse))
.toString('hex');
}
function toCreateEntryRequest(content, publicKey) {
switch (content.$case) {
case 'dsseEnvelope':
return toCreateEntryRequestDSSE(content.dsseEnvelope, publicKey);
case 'messageSignature':
return toCreateEntryRequestMessageSignature(content.messageSignature, publicKey);
}
}
function toCreateEntryRequestDSSE(envelope, publicKey) {
return {
spec: {
$case: 'dsseRequestV002',
dsseRequestV002: {
envelope: envelope,
verifiers: [
{
// TODO: We need to add support of passing the key details in the
// signature bundle. For now we're hardcoding the key details here.
keyDetails: protobuf_specs_1.PublicKeyDetails.PKIX_ECDSA_P256_SHA_256,
verifier: {
$case: 'x509Certificate',
x509Certificate: {
rawBytes: util_1.pem.toDER(publicKey),
},
},
},
],
},
},
};
}
function toCreateEntryRequestMessageSignature(messageSignature, publicKey) {
return {
spec: {
$case: 'hashedRekordRequestV002',
hashedRekordRequestV002: {
digest: messageSignature.messageDigest.digest,
signature: {
content: messageSignature.signature,
verifier: {
// TODO: We need to add support of passing the key details in the
// signature bundle. For now we're hardcoding the key details here.
keyDetails: protobuf_specs_1.PublicKeyDetails.PKIX_ECDSA_P256_SHA_256,
verifier: {
$case: 'x509Certificate',
x509Certificate: {
rawBytes: util_1.pem.toDER(publicKey),
},
},
},
},
},
},
};
}
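Review bot: The `verifier` object is built twice, byte-for-byte, in toCreateEntryRequestDSSE and toCreateEntryRequestMessageSignature, each carrying the same TODO about the hardcoded `PKIX_ECDSA_P256_SHA_256` key details; factoring it into one helper gives a single place to resolve that TODO and keeps the two request shapes from drifting. Until the key details come from the signature bundle, a signer whose key is not ECDSA P-256 would submit an entry whose declared key type is wrong — whether the sign path can produce such keys is not visible here, but the helper is where that parameter belongs.
```javascript
// Builds the verifier descriptor shared by both Rekor v2 request kinds.
// TODO: take the key details from the signature bundle instead of hardcoding.
function toVerifier(publicKey) {
    return {
        keyDetails: protobuf_specs_1.PublicKeyDetails.PKIX_ECDSA_P256_SHA_256,
        verifier: {
            $case: 'x509Certificate',
            x509Certificate: {
                rawBytes: util_1.pem.toDER(publicKey),
            },
        },
    };
}
function toCreateEntryRequestDSSE(envelope, publicKey) {
    return {
        spec: {
            $case: 'dsseRequestV002',
            dsseRequestV002: {
                envelope: envelope,
                verifiers: [toVerifier(publicKey)],
            },
        },
    };
}
// … unchanged: toCreateEntryRequestMessageSignature, with `verifier: toVerifier(publicKey)` replacing the inline object …
```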
+4 -1
@@ -7,10 +7,13 @@ type TransparencyLogEntries = {
};
export type RekorWitnessOptions = Partial<TLogClientOptions> & {
entryType?: 'dsse' | 'intoto';
majorApiVersion?: number;
};
export declare class RekorWitness implements Witness {
private tlog;
private tlogV1;
private tlogV2;
private entryType?;
private majorApiVersion;
constructor(options: RekorWitnessOptions);
testify(content: SignatureBundle, publicKey: string): Promise<TransparencyLogEntries>;
}
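Review bot: `majorApiVersion?: number` admits any number, but the implementation only distinguishes `2` from everything else, so the type should state the real contract: `majorApiVersion?: 1 | 2;`. A TSDoc line on the option would also help callers choose correctly, e.g. `/** Rekor API major version to submit entries to: 1 (default) uses the legacy entries API, 2 the Rekor v2 create-entry API. */`.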
+23 -8
@@ -2,7 +2,7 @@
Object.defineProperty(exports, "__esModule", { value: true });
exports.RekorWitness = exports.DEFAULT_REKOR_URL = void 0;
/*
Copyright 2023 The Sigstore Authors.
Copyright 2025 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -21,17 +21,34 @@ const client_1 = require("./client");
const entry_1 = require("./entry");
exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev';
class RekorWitness {
tlogV1;
tlogV2;
entryType;
majorApiVersion;
constructor(options) {
this.entryType = options.entryType;
this.tlog = new client_1.TLogClient({
this.majorApiVersion = options.majorApiVersion || 1;
this.tlogV1 = new client_1.TLogClient({
...options,
rekorBaseURL: options.rekorBaseURL || /* istanbul ignore next */ exports.DEFAULT_REKOR_URL,
});
this.tlogV2 = new client_1.TLogV2Client({
...options,
rekorBaseURL: options.rekorBaseURL || /* istanbul ignore next */ exports.DEFAULT_REKOR_URL,
});
}
async testify(content, publicKey) {
const proposedEntry = (0, entry_1.toProposedEntry)(content, publicKey, this.entryType);
const entry = await this.tlog.createEntry(proposedEntry);
return toTransparencyLogEntry(entry);
let tlogEntry;
if (this.majorApiVersion === 2) {
const request = (0, entry_1.toCreateEntryRequest)(content, publicKey);
tlogEntry = await this.tlogV2.createEntry(request);
}
else {
const proposedEntry = (0, entry_1.toProposedEntry)(content, publicKey, this.entryType);
const entry = await this.tlogV1.createEntry(proposedEntry);
tlogEntry = toTransparencyLogEntry(entry);
}
return { tlogEntries: [tlogEntry] };
}
}
exports.RekorWitness = RekorWitness;
@@ -60,9 +77,7 @@ function toTransparencyLogEntry(entry) {
inclusionProof: proof,
canonicalizedBody: Buffer.from(entry.body, 'base64'),
};
return {
tlogEntries: [tlogEntry],
};
return tlogEntry;
}
function inclusionPromise(promise) {
return {
+1
@@ -21,6 +21,7 @@ const tsa_1 = require("../../external/tsa");
const util_1 = require("../../util");
const SHA256_ALGORITHM = 'sha256';
class TSAClient {
tsa;
constructor(options) {
this.tsa = new tsa_1.TimestampAuthority({
baseURL: options.tsaBaseURL,
+1
@@ -18,6 +18,7 @@ limitations under the License.
*/
const client_1 = require("./client");
class TSAWitness {
tsa;
constructor(options) {
this.tsa = new client_1.TSAClient({
tsaBaseURL: options.tsaBaseURL,
+11 -12
@@ -1,6 +1,6 @@
{
"name": "@sigstore/sign",
"version": "3.1.0",
"version": "4.1.1",
"description": "Sigstore signing library",
"main": "dist/index.js",
"types": "dist/index.d.ts",
@@ -27,20 +27,19 @@
},
"devDependencies": {
"@sigstore/jest": "^0.0.0",
"@sigstore/mock": "^0.10.0",
"@sigstore/rekor-types": "^3.0.0",
"@types/make-fetch-happen": "^10.0.4",
"@types/promise-retry": "^1.1.6"
"@sigstore/mock": "^0.12.0",
"@sigstore/rekor-types": "^4.0.0",
"@types/make-fetch-happen": "^10.0.4"
},
"dependencies": {
"@sigstore/bundle": "^3.1.0",
"@sigstore/core": "^2.0.0",
"@sigstore/protobuf-specs": "^0.4.0",
"make-fetch-happen": "^14.0.2",
"proc-log": "^5.0.0",
"promise-retry": "^2.0.1"
"@sigstore/bundle": "^4.0.0",
"@sigstore/core": "^3.2.0",
"@sigstore/protobuf-specs": "^0.5.0",
"make-fetch-happen": "^15.0.4",
"proc-log": "^6.1.0",
"@gar/promise-retry": "^1.0.2"
},
"engines": {
"node": "^18.17.0 || >=20.5.0"
"node": "^20.17.0 || >=22.9.0"
}
}
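Review bot: The dependency swap from `promise-retry` to `@gar/promise-retry` (with `@types/promise-retry` dropped) changes this package's supply chain rather than just bumping versions; as this is a vendored copy, confirm the new package's provenance and that the accompanying lockfile pins it with an integrity hash, since the retry helper wraps every Fulcio, Rekor and TSA request. The engines range now excludes Node 18 and Node 20 below 20.17, which should be reflected wherever the parent project pins its runtime.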
+1 -1
@@ -12,7 +12,7 @@ repository.
## Prerequisites
- Node.js version >= 18.17.0
- Node.js version ^20.17.0 || >=22.9.0
## Installation
+5
@@ -23,9 +23,11 @@ const fs_1 = __importDefault(require("fs"));
const path_1 = __importDefault(require("path"));
const tuf_js_1 = require("tuf-js");
const _1 = require(".");
const package_json_1 = require("../package.json");
const target_1 = require("./target");
const TARGETS_DIR_NAME = 'targets';
class TUFClient {
updater;
constructor(options) {
const url = new URL(options.mirrorURL);
const repoName = encodeURIComponent(url.host + url.pathname.replace(/\/$/, ''));
@@ -63,6 +65,7 @@ function initTufCache(cachePath) {
if (!fs_1.default.existsSync(cachePath)) {
fs_1.default.mkdirSync(cachePath, { recursive: true });
}
/* istanbul ignore else */
if (!fs_1.default.existsSync(targetsPath)) {
fs_1.default.mkdirSync(targetsPath);
}
@@ -74,6 +77,7 @@ function seedCache({ cachePath, mirrorURL, tufRootPath, forceInit, }) {
const cachedRootPath = path_1.default.join(cachePath, 'root.json');
// If the root.json file does not exist (or we're forcing re-initialization),
// populate it either from the supplied rootPath or from one of the repo seeds.
/* istanbul ignore else */
if (!fs_1.default.existsSync(cachedRootPath) || forceInit) {
if (tufRootPath) {
fs_1.default.copyFileSync(tufRootPath, cachedRootPath);
@@ -99,6 +103,7 @@ function initClient(options) {
const config = {
fetchTimeout: options.timeout,
fetchRetry: options.retry,
userAgent: `${encodeURIComponent(package_json_1.name)}/${package_json_1.version}`,
};
return new tuf_js_1.Updater({
metadataBaseUrl: options.mirrorURL,
+2
@@ -2,6 +2,8 @@
Object.defineProperty(exports, "__esModule", { value: true });
exports.TUFError = void 0;
class TUFError extends Error {
code;
cause;
constructor({ code, message, cause, }) {
super(message);
this.code = code;
+5 -5
@@ -1,6 +1,6 @@
{
"name": "@sigstore/tuf",
"version": "3.1.1",
"version": "4.0.2",
"description": "Client for the Sigstore TUF repository",
"main": "dist/index.js",
"types": "dist/index.d.ts",
@@ -28,14 +28,14 @@
},
"devDependencies": {
"@sigstore/jest": "^0.0.0",
"@tufjs/repo-mock": "^3.0.1",
"@tufjs/repo-mock": "^4.0.1",
"@types/make-fetch-happen": "^10.0.4"
},
"dependencies": {
"@sigstore/protobuf-specs": "^0.4.1",
"tuf-js": "^3.0.1"
"@sigstore/protobuf-specs": "^0.5.0",
"tuf-js": "^4.1.0"
},
"engines": {
"node": "^18.17.0 || >=20.5.0"
"node": "^20.17.0 || >=22.9.0"
}
}
+1 -1
File diff suppressed because one or more lines are too long
+1 -1
@@ -4,6 +4,6 @@ A library for verifying [Sigstore][1] signatures.
## Prerequisites
- Node.js version >= 18.17.0
- Node.js version ^20.17.0 || >=22.9.0
[1]: https://www.sigstore.dev
+1
@@ -18,6 +18,7 @@ limitations under the License.
*/
const core_1 = require("@sigstore/core");
class DSSESignatureContent {
env;
constructor(env) {
this.env = env;
}
+10 -8
@@ -9,15 +9,17 @@ function toSignedEntity(bundle, artifact) {
const { tlogEntries, timestampVerificationData } = bundle.verificationMaterial;
const timestamps = [];
for (const entry of tlogEntries) {
timestamps.push({
$case: 'transparency-log',
tlogEntry: entry,
});
if (entry.integratedTime && entry.integratedTime !== '0') {
timestamps.push({
$case: 'transparency-log',
tlogEntry: entry,
});
}
}
for (const ts of timestampVerificationData?.rfc3161Timestamps ?? []) {
timestamps.push({
$case: 'timestamp-authority',
timestamp: core_1.RFC3161Timestamp.parse(ts.signedTimestamp),
timestamp: core_1.RFC3161Timestamp.parse(Buffer.from(ts.signedTimestamp)),
});
}
return {
@@ -45,13 +47,13 @@ function key(bundle) {
case 'x509CertificateChain':
return {
$case: 'certificate',
certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.x509CertificateChain
.certificates[0].rawBytes),
certificate: core_1.X509Certificate.parse(Buffer.from(bundle.verificationMaterial.content.x509CertificateChain
.certificates[0].rawBytes)),
};
case 'certificate':
return {
$case: 'certificate',
certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.certificate.rawBytes),
certificate: core_1.X509Certificate.parse(Buffer.from(bundle.verificationMaterial.content.certificate.rawBytes)),
};
}
}
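Review bot: The new filter `if (entry.integratedTime && entry.integratedTime !== '0')` drops transparency-log entries from `timestamps` when they carry no integrated time, so a bundle whose only tlog entries are of that kind and which has no RFC3161 timestamp ends up with an empty `timestamps` array; whether the verifier rejects that case is decided outside this hunk and should be confirmed, otherwise such a bundle would be verified with no time anchor at all. A comment stating the intent would help readers, e.g. `// Entries without a signed integratedTime (presumably Rekor v2) cannot anchor time; an RFC3161 timestamp must be present instead.` — hedged, as the v2 semantics are inferred rather than visible here. The comparison against the string `'0'` relies on int64 being JSON-encoded as a string; the leading truthiness check also covers a numeric 0.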
+1
@@ -5,6 +5,7 @@ export declare class MessageSignatureContent implements SignatureContent {
readonly signature: Buffer;
private readonly messageDigest;
private readonly artifact;
private readonly hashAlgorithm;
constructor(messageSignature: MessageSignature, artifact: Buffer);
compareSignature(signature: Buffer): boolean;
compareDigest(digest: Buffer): boolean;
+19 -1
@@ -17,11 +17,29 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const protobuf_specs_1 = require("@sigstore/protobuf-specs");
// Map from the Sigstore protobuf HashAlgorithm enum to
// the string values used by the Node.js crypto module.
const HASH_ALGORITHM_MAP = {
[protobuf_specs_1.HashAlgorithm.HASH_ALGORITHM_UNSPECIFIED]: 'sha256',
[protobuf_specs_1.HashAlgorithm.SHA2_256]: 'sha256',
[protobuf_specs_1.HashAlgorithm.SHA2_384]: 'sha384',
[protobuf_specs_1.HashAlgorithm.SHA2_512]: 'sha512',
[protobuf_specs_1.HashAlgorithm.SHA3_256]: 'sha3-256',
[protobuf_specs_1.HashAlgorithm.SHA3_384]: 'sha3-384',
};
class MessageSignatureContent {
signature;
messageDigest;
artifact;
hashAlgorithm;
constructor(messageSignature, artifact) {
this.signature = messageSignature.signature;
this.messageDigest = messageSignature.messageDigest.digest;
this.artifact = artifact;
this.hashAlgorithm =
HASH_ALGORITHM_MAP[messageSignature.messageDigest.algorithm] ??
/* istanbul ignore next */ 'sha256';
}
compareSignature(signature) {
return core_1.crypto.bufferEqual(signature, this.signature);
@@ -30,7 +48,7 @@ class MessageSignatureContent {
return core_1.crypto.bufferEqual(digest, this.messageDigest);
}
verifySignature(key) {
return core_1.crypto.verify(this.artifact, key, this.signature);
return core_1.crypto.verify(this.artifact, key, this.signature, this.hashAlgorithm);
}
}
exports.MessageSignatureContent = MessageSignatureContent;
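Review bot: The fallback `HASH_ALGORITHM_MAP[messageSignature.messageDigest.algorithm] ?? 'sha256'` means an unrecognised enum value coming from the attacker-supplied bundle silently verifies under SHA-256, and `HASH_ALGORITHM_UNSPECIFIED` is mapped the same way; since the map is effectively the allow-list of acceptable digest algorithms, an unknown value should be rejected rather than defaulted — leave `HASH_ALGORITHM_UNSPECIFIED` out of the map and throw a VerificationError when the lookup misses (the `../error` module would need importing here). Note also that `compareDigest` still compares the bundle digest against whatever the caller computed, so the caller must hash the artifact with this same `hashAlgorithm`; that coupling lives outside this hunk and deserves a comment on the field: `// Digest algorithm declared by the bundle; callers must hash the artifact with the same one.`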
+1 -1
@@ -7,7 +7,7 @@ declare class BaseError<T extends string> extends Error {
cause?: any;
});
}
type VerificationErrorCode = 'NOT_IMPLEMENTED_ERROR' | 'TLOG_INCLUSION_PROOF_ERROR' | 'TLOG_INCLUSION_PROMISE_ERROR' | 'TLOG_MISSING_INCLUSION_ERROR' | 'TLOG_BODY_ERROR' | 'CERTIFICATE_ERROR' | 'PUBLIC_KEY_ERROR' | 'SIGNATURE_ERROR' | 'TIMESTAMP_ERROR';
type VerificationErrorCode = 'NOT_IMPLEMENTED_ERROR' | 'TLOG_ERROR' | 'TLOG_INCLUSION_PROOF_ERROR' | 'TLOG_INCLUSION_PROMISE_ERROR' | 'TLOG_MISSING_INCLUSION_ERROR' | 'TLOG_BODY_ERROR' | 'CERTIFICATE_ERROR' | 'PUBLIC_KEY_ERROR' | 'SIGNATURE_ERROR' | 'TIMESTAMP_ERROR';
export declare class VerificationError extends BaseError<VerificationErrorCode> {
}
type PolicyErrorCode = 'UNTRUSTED_SIGNER_ERROR';
+2
@@ -17,6 +17,8 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
class BaseError extends Error {
code;
cause; /* eslint-disable-line @typescript-eslint/no-explicit-any */
constructor({ code, message, cause, }) {
super(message);
this.code = code;
+1
@@ -3,3 +3,4 @@ export { PolicyError, VerificationError } from './error';
export { KeyFinderFunc, TrustMaterial, toTrustMaterial } from './trust';
export { Verifier, VerifierOptions } from './verifier';
export type { SignedEntity, Signer, VerificationPolicy } from './shared.types';
export type { ObjectIdentifierValuePair } from '@sigstore/protobuf-specs';
+5
@@ -32,6 +32,10 @@ function verifyCertificateChain(timestamp, leaf, certificateAuthorities) {
});
}
class CertificateChainVerifier {
untrustedCert;
trustedCerts;
localCerts;
timestamp;
constructor(opts) {
this.untrustedCert = opts.untrustedCert;
this.trustedCerts = opts.trustedCerts;
@@ -123,6 +127,7 @@ class CertificateChainVerifier {
// or issuer/subject. Potential issuers are added to the result array.
this.localCerts.forEach((possibleIssuer) => {
if (keyIdentifier) {
/* istanbul ignore else */
if (possibleIssuer.extSubjectKeyID) {
if (possibleIssuer.extSubjectKeyID.keyIdentifier.equals(keyIdentifier)) {
issuers.push(possibleIssuer);
+8
@@ -56,9 +56,17 @@ function getSigner(cert) {
else {
issuer = cert.extension(OID_FULCIO_ISSUER_V1)?.value.toString('ascii');
}
const oids = cert.extensions.map((ext) => {
const oid = ext.subs[0].toOID();
return {
oid: { id: oid.split('.').map(Number) },
value: ext.subs[ext.subs.length - 1].value,
};
});
const identity = {
extensions: { issuer },
subjectAlternativeName: cert.subjectAltName,
oids,
};
return {
key: core_1.crypto.createPublicKey(cert.publicKey),
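Review bot: The new `oids` mapping in getSigner takes `ext.subs[ext.subs.length - 1].value` as the extension value, which is the raw content of the extension's OCTET STRING; for Fulcio's v2 extensions that content is presumably itself DER (a UTF8String TLV), so any policy `value` compared in verifyOIDs must be supplied in that same encoded form — this should be stated, because a policy author would naturally pass the plain string and never get a match. The map also assumes every extension has at least one sub. A comment such as `// value is the OCTET STRING payload, still DER-encoded for Fulcio extensions; policy values must use the same encoding` would capture the contract. getSigner starts before this hunk.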
+2
@@ -1,3 +1,5 @@
import { CertificateExtensions } from './shared.types';
import type { ObjectIdentifierValuePair } from '@sigstore/protobuf-specs';
export declare function verifySubjectAlternativeName(policyIdentity: string, signerIdentity: string | undefined): void;
export declare function verifyExtensions(policyExtensions: CertificateExtensions, signerExtensions?: CertificateExtensions): void;
export declare function verifyOIDs(policyOIDs: ObjectIdentifierValuePair[], signerOIDs?: ObjectIdentifierValuePair[]): void;
+26
@@ -2,7 +2,12 @@
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifySubjectAlternativeName = verifySubjectAlternativeName;
exports.verifyExtensions = verifyExtensions;
exports.verifyOIDs = verifyOIDs;
const error_1 = require("./error");
// Verifies that the signer's SAN matches the policy identity. The
// policyIdentity is treated as a JavaScript regular expression pattern and
// tested against the full signerIdentity string. For exact matching, use
// anchored patterns (e.g. '^user@example\\.com$').
function verifySubjectAlternativeName(policyIdentity, signerIdentity) {
if (signerIdentity === undefined || !signerIdentity.match(policyIdentity)) {
throw new error_1.PolicyError({
@@ -22,3 +27,24 @@ function verifyExtensions(policyExtensions, signerExtensions = {}) {
}
}
}
function verifyOIDs(policyOIDs, signerOIDs = []) {
for (const policyOID of policyOIDs) {
const match = signerOIDs.find((signerOID) => oidEquals(policyOID.oid?.id, signerOID.oid?.id) &&
policyOID.value.equals(signerOID.value));
if (!match) {
/* istanbul ignore next */
const oid = policyOID.oid?.id.join('.') ?? '<unknown>';
throw new error_1.PolicyError({
code: 'UNTRUSTED_SIGNER_ERROR',
message: `invalid certificate extension - missing OID ${oid}`,
});
}
}
}
function oidEquals(a, b) {
/* istanbul ignore if */
if (a === undefined || b === undefined) {
return false;
}
return a.length === b.length && a.every((v, i) => v === b[i]);
}
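Review bot: `policyOID.value.equals(signerOID.value)` in verifyOIDs assumes both values are Node Buffers, but the `ObjectIdentifierValuePair.value` that the accompanying d.ts imports from protobuf-specs is a `Uint8Array`, which has no `equals` method — a policy built from plain protobuf types would throw a TypeError here instead of failing the policy check; elsewhere in this commit such values are wrapped with `Buffer.from(...)` for exactly this reason, so `Buffer.from(policyOID.value).equals(Buffer.from(signerOID.value))` is the safer comparison. The new comment on verifySubjectAlternativeName is welcome and could spell out the consequence: `// An unanchored pattern such as 'user@example.com' also matches 'user@example.com.attacker.example'; anchor and escape identities.`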
+2
@@ -1,5 +1,6 @@
import type { TransparencyLogEntry } from '@sigstore/bundle';
import type { RFC3161Timestamp, X509Certificate, crypto } from '@sigstore/core';
import type { ObjectIdentifierValuePair } from '@sigstore/protobuf-specs';
export type CertificateExtensionName = 'issuer';
export type CertificateExtensions = {
[key in CertificateExtensionName]?: string;
@@ -7,6 +8,7 @@ export type CertificateExtensions = {
export type CertificateIdentity = {
subjectAlternativeName?: string;
extensions?: CertificateExtensions;
oids?: ObjectIdentifierValuePair[];
};
export type VerificationPolicy = CertificateIdentity;
export type Signer = {
-3
@@ -1,3 +0,0 @@
import { TLogAuthority } from '../trust';
import type { TLogEntryWithInclusionProof } from '@sigstore/bundle';
export declare function verifyCheckpoint(entry: TLogEntryWithInclusionProof, tlogs: TLogAuthority[]): void;
-157
@@ -1,157 +0,0 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyCheckpoint = verifyCheckpoint;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const trust_1 = require("../trust");
// Separator between the note and the signatures in a checkpoint
const CHECKPOINT_SEPARATOR = '\n\n';
// Checkpoint signatures are of the following form:
// " <identity> <key_hint+signature_bytes>\n"
// where:
// - the prefix is an emdash (U+2014).
// - <identity> gives a human-readable representation of the signing ID.
// - <key_hint+signature_bytes> is the first 4 bytes of the SHA256 hash of the
// associated public key followed by the signature bytes.
const SIGNATURE_REGEX = /\u2014 (\S+) (\S+)\n/g;
// Verifies the checkpoint value in the given tlog entry. There are two steps
// to the verification:
// 1. Verify that all signatures in the checkpoint can be verified against a
// trusted public key
// 2. Verify that the root hash in the checkpoint matches the root hash in the
// inclusion proof
// See: https://github.com/transparency-dev/formats/blob/main/log/README.md
function verifyCheckpoint(entry, tlogs) {
// Filter tlog instances to just those which were valid at the time of the
// entry
const validTLogs = (0, trust_1.filterTLogAuthorities)(tlogs, {
targetDate: new Date(Number(entry.integratedTime) * 1000),
});
const inclusionProof = entry.inclusionProof;
const signedNote = SignedNote.fromString(inclusionProof.checkpoint.envelope);
const checkpoint = LogCheckpoint.fromString(signedNote.note);
// Verify that the signatures in the checkpoint are all valid
if (!verifySignedNote(signedNote, validTLogs)) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'invalid checkpoint signature',
});
}
// Verify that the root hash from the checkpoint matches the root hash in the
// inclusion proof
if (!core_1.crypto.bufferEqual(checkpoint.logHash, inclusionProof.rootHash)) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'root hash mismatch',
});
}
}
// Verifies the signatures in the SignedNote. For each signature, the
// corresponding transparency log is looked up by the key hint and the
// signature is verified against the public key in the transparency log.
// Throws an error if any of the signatures are invalid.
function verifySignedNote(signedNote, tlogs) {
const data = Buffer.from(signedNote.note, 'utf-8');
return signedNote.signatures.every((signature) => {
// Find the transparency log instance with the matching key hint
const tlog = tlogs.find((tlog) => core_1.crypto.bufferEqual(tlog.logID.subarray(0, 4), signature.keyHint));
if (!tlog) {
return false;
}
return core_1.crypto.verify(data, tlog.publicKey, signature.signature);
});
}
// SignedNote represents a signed note from a transparency log checkpoint. Consists
// of a body (or note) and one more signatures calculated over the body. See
// https://github.com/transparency-dev/formats/blob/main/log/README.md#signed-envelope
class SignedNote {
constructor(note, signatures) {
this.note = note;
this.signatures = signatures;
}
// Deserialize a SignedNote from a string
static fromString(envelope) {
if (!envelope.includes(CHECKPOINT_SEPARATOR)) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'missing checkpoint separator',
});
}
// Split the note into the header and the data portions at the separator
const split = envelope.indexOf(CHECKPOINT_SEPARATOR);
const header = envelope.slice(0, split + 1);
const data = envelope.slice(split + CHECKPOINT_SEPARATOR.length);
// Find all the signature lines in the data portion
const matches = data.matchAll(SIGNATURE_REGEX);
// Parse each of the matched signature lines into the name and signature.
// The first four bytes of the signature are the key hint (should match the
// first four bytes of the log ID), and the rest is the signature itself.
const signatures = Array.from(matches, (match) => {
const [, name, signature] = match;
const sigBytes = Buffer.from(signature, 'base64');
if (sigBytes.length < 5) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'malformed checkpoint signature',
});
}
return {
name,
keyHint: sigBytes.subarray(0, 4),
signature: sigBytes.subarray(4),
};
});
if (signatures.length === 0) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'no signatures found in checkpoint',
});
}
return new SignedNote(header, signatures);
}
}
// LogCheckpoint represents a transparency log checkpoint. Consists of the
// following:
// - origin: the name of the transparency log
// - logSize: the size of the log at the time of the checkpoint
// - logHash: the root hash of the log at the time of the checkpoint
// - rest: the rest of the checkpoint body, which is a list of log entries
// See:
// https://github.com/transparency-dev/formats/blob/main/log/README.md#checkpoint-body
class LogCheckpoint {
constructor(origin, logSize, logHash, rest) {
this.origin = origin;
this.logSize = logSize;
this.logHash = logHash;
this.rest = rest;
}
static fromString(note) {
const lines = note.trimEnd().split('\n');
if (lines.length < 3) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'too few lines in checkpoint header',
});
}
const origin = lines[0];
const logSize = BigInt(lines[1]);
const rootHash = Buffer.from(lines[2], 'base64');
const rest = lines.slice(3);
return new LogCheckpoint(origin, logSize, rootHash, rest);
}
}
+3 -3
@@ -1,11 +1,11 @@
import { RFC3161Timestamp } from '@sigstore/core';
import type { TransparencyLogEntry } from '@sigstore/bundle';
import type { CertAuthority, TLogAuthority } from '../trust';
import type { CertAuthority } from '../trust';
export type TimestampType = 'transparency-log' | 'timestamp-authority';
export type TimestampVerificationResult = {
type: TimestampType;
logID: Buffer;
timestamp: Date;
};
export declare function verifyTSATimestamp(timestamp: RFC3161Timestamp, data: Buffer, timestampAuthorities: CertAuthority[]): TimestampVerificationResult;
export declare function verifyTLogTimestamp(entry: TransparencyLogEntry, tlogAuthorities: TLogAuthority[]): TimestampVerificationResult;
export declare function getTSATimestamp(timestamp: RFC3161Timestamp, data: Buffer, timestampAuthorities: CertAuthority[]): TimestampVerificationResult;
export declare function getTLogTimestamp(entry: TransparencyLogEntry): TimestampVerificationResult | undefined;
+7 -29
@@ -1,13 +1,9 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTSATimestamp = verifyTSATimestamp;
exports.verifyTLogTimestamp = verifyTLogTimestamp;
const error_1 = require("../error");
const checkpoint_1 = require("./checkpoint");
const merkle_1 = require("./merkle");
const set_1 = require("./set");
exports.getTSATimestamp = getTSATimestamp;
exports.getTLogTimestamp = getTLogTimestamp;
const tsa_1 = require("./tsa");
function verifyTSATimestamp(timestamp, data, timestampAuthorities) {
function getTSATimestamp(timestamp, data, timestampAuthorities) {
(0, tsa_1.verifyRFC3161Timestamp)(timestamp, data, timestampAuthorities);
return {
type: 'timestamp-authority',
@@ -15,22 +11,10 @@ function verifyTSATimestamp(timestamp, data, timestampAuthorities) {
timestamp: timestamp.signingTime,
};
}
function verifyTLogTimestamp(entry, tlogAuthorities) {
let inclusionVerified = false;
if (isTLogEntryWithInclusionPromise(entry)) {
(0, set_1.verifyTLogSET)(entry, tlogAuthorities);
inclusionVerified = true;
}
if (isTLogEntryWithInclusionProof(entry)) {
(0, merkle_1.verifyMerkleInclusion)(entry);
(0, checkpoint_1.verifyCheckpoint)(entry, tlogAuthorities);
inclusionVerified = true;
}
if (!inclusionVerified) {
throw new error_1.VerificationError({
code: 'TLOG_MISSING_INCLUSION_ERROR',
message: 'inclusion could not be verified',
});
function getTLogTimestamp(entry) {
// Only entries with an inclusion promise provide a verifiable timestamp
if (!entry.inclusionPromise) {
return undefined;
}
return {
type: 'transparency-log',
@@ -38,9 +22,3 @@ function verifyTLogTimestamp(entry, tlogAuthorities) {
timestamp: new Date(Number(entry.integratedTime) * 1000),
};
}
function isTLogEntryWithInclusionPromise(entry) {
return entry.inclusionPromise !== undefined;
}
function isTLogEntryWithInclusionProof(entry) {
return entry.inclusionProof !== undefined;
}
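Review bot: getTLogTimestamp now returns `integratedTime` as a trusted timestamp on the mere presence of `entry.inclusionPromise`, whereas the replaced verifyTLogTimestamp verified the SET (or the inclusion proof and checkpoint) against the tlog authorities before doing so; nothing in this module now establishes that the promise is genuine, so the function is only safe if the caller has already verified the entry. Given the new `TLOG_ERROR` code in error.d.ts that check has presumably moved elsewhere, but the precondition should be documented here, e.g. `// Precondition: the entry's inclusion promise/proof must already have been verified; this only extracts the signed time.`, and callers must not reach this before that step.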
-2
@@ -1,2 +0,0 @@
import type { TLogEntryWithInclusionProof } from '@sigstore/bundle';
export declare function verifyMerkleInclusion(entry: TLogEntryWithInclusionProof): void;
-104
@@ -1,104 +0,0 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyMerkleInclusion = verifyMerkleInclusion;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const RFC6962_LEAF_HASH_PREFIX = Buffer.from([0x00]);
const RFC6962_NODE_HASH_PREFIX = Buffer.from([0x01]);
function verifyMerkleInclusion(entry) {
const inclusionProof = entry.inclusionProof;
const logIndex = BigInt(inclusionProof.logIndex);
const treeSize = BigInt(inclusionProof.treeSize);
if (logIndex < 0n || logIndex >= treeSize) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: `invalid index: ${logIndex}`,
});
}
// Figure out which subset of hashes corresponds to the inner and border
// nodes
const { inner, border } = decompInclProof(logIndex, treeSize);
if (inclusionProof.hashes.length !== inner + border) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'invalid hash count',
});
}
const innerHashes = inclusionProof.hashes.slice(0, inner);
const borderHashes = inclusionProof.hashes.slice(inner);
// The entry's hash is the leaf hash
const leafHash = hashLeaf(entry.canonicalizedBody);
// Chain the hashes belonging to the inner and border portions
const calculatedHash = chainBorderRight(chainInner(leafHash, innerHashes, logIndex), borderHashes);
// Calculated hash should match the root hash in the inclusion proof
if (!core_1.crypto.bufferEqual(calculatedHash, inclusionProof.rootHash)) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'calculated root hash does not match inclusion proof',
});
}
}
// Breaks down inclusion proof for a leaf at the specified index in a tree of
// the specified size. The split point is where paths to the index leaf and
// the (size - 1) leaf diverge. Returns lengths of the bottom and upper proof
// parts.
function decompInclProof(index, size) {
const inner = innerProofSize(index, size);
const border = onesCount(index >> BigInt(inner));
return { inner, border };
}
// Computes a subtree hash for a node on or below the tree's right border.
// Assumes the provided proof hashes are ordered from lower to higher levels
// and seed is the initial hash of the node specified by the index.
function chainInner(seed, hashes, index) {
return hashes.reduce((acc, h, i) => {
if ((index >> BigInt(i)) & BigInt(1)) {
return hashChildren(h, acc);
}
else {
return hashChildren(acc, h);
}
}, seed);
}
// Computes a subtree hash for nodes along the tree's right border.
function chainBorderRight(seed, hashes) {
return hashes.reduce((acc, h) => hashChildren(h, acc), seed);
}
function innerProofSize(index, size) {
return bitLength(index ^ (size - BigInt(1)));
}
// Counts the number of ones in the binary representation of the given number.
// https://en.wikipedia.org/wiki/Hamming_weight
function onesCount(num) {
return num.toString(2).split('1').length - 1;
}
// Returns the number of bits necessary to represent an integer in binary.
function bitLength(n) {
if (n === 0n) {
return 0;
}
return n.toString(2).length;
}
// Hashing logic according to RFC6962.
// https://datatracker.ietf.org/doc/html/rfc6962#section-2
function hashChildren(left, right) {
return core_1.crypto.digest('sha256', RFC6962_NODE_HASH_PREFIX, left, right);
}
function hashLeaf(leaf) {
return core_1.crypto.digest('sha256', RFC6962_LEAF_HASH_PREFIX, leaf);
}
-3
@@ -1,3 +0,0 @@
import { TLogAuthority } from '../trust';
import type { TLogEntryWithInclusionPromise } from '@sigstore/bundle';
export declare function verifyTLogSET(entry: TLogEntryWithInclusionPromise, tlogs: TLogAuthority[]): void;
-60
@@ -1,60 +0,0 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogSET = verifyTLogSET;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const trust_1 = require("../trust");
// Verifies the SET for the given entry against the list of trusted
// transparency logs. Returns true if the SET can be verified against at least
// one of the trusted logs; otherwise, returns false.
function verifyTLogSET(entry, tlogs) {
// Filter the list of tlog instances to only those which might be able to
// verify the SET
const validTLogs = (0, trust_1.filterTLogAuthorities)(tlogs, {
logID: entry.logId.keyId,
targetDate: new Date(Number(entry.integratedTime) * 1000),
});
// Check to see if we can verify the SET against any of the valid tlogs
const verified = validTLogs.some((tlog) => {
// Re-create the original Rekor verification payload
const payload = toVerificationPayload(entry);
// Canonicalize the payload and turn into a buffer for verification
const data = Buffer.from(core_1.json.canonicalize(payload), 'utf8');
// Extract the SET from the tlog entry
const signature = entry.inclusionPromise.signedEntryTimestamp;
return core_1.crypto.verify(data, tlog.publicKey, signature);
});
if (!verified) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROMISE_ERROR',
message: 'inclusion promise could not be verified',
});
}
}
// Returns a properly formatted "VerificationPayload" for one of the
// transaction log entires in the given bundle which can be used for SET
// verification.
function toVerificationPayload(entry) {
const { integratedTime, logIndex, logId, canonicalizedBody } = entry;
return {
body: canonicalizedBody.toString('base64'),
integratedTime: Number(integratedTime),
logIndex: Number(logIndex),
logID: logId.keyId.toString('hex'),
};
}
+3
@@ -1,3 +1,6 @@
import type { Entry } from '@sigstore/protobuf-specs/rekor/v2';
import type { ProposedDSSEEntry } from '@sigstore/rekor-types';
import type { SignatureContent } from '../shared.types';
export declare const DSSE_API_VERSION_V1 = "0.0.1";
export declare function verifyDSSETLogBody(tlogEntry: ProposedDSSEEntry, content: SignatureContent): void;
export declare function verifyDSSETLogBodyV2(tlogEntry: Entry, content: SignatureContent): void;
