feat(planning): grille hebdomadaire complète avec API et filtres

- Connexion API via proxy Angular (résolution CORS, base path /api) - Import CSS ng-zorro global pour les modales et composants - Filtres Camion/Show câblés sur l'affichage de la grille - Camions affichés via TrucksService (linkés au show du même créneau) - Panneau de détails : spectacles + camions du jour sélectionné - Modale de création de spectacle stylisée avec fond et centrage - Positionnement précis des events à la minute dans leur créneau - Auto-scroll vers l'heure courante au chargement - Ligne "maintenant" sur la colonne du jour actuel - Régénération des services OpenAPI (nouveaux noms de types) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-27 20:36:03 +02:00
parent 150b97cd2e
commit 654b297e2e
3131 changed files with 149304 additions and 104334 deletions
@@ -4,6 +4,6 @@ A library for verifying [Sigstore][1] signatures.

 ## Prerequisites

- Node.js version ^20.17.0 || >=22.9.0
+- Node.js version >= 18.17.0

 [1]: https://www.sigstore.dev
@@ -18,7 +18,6 @@ limitations under the License.
 */
 const core_1 = require("@sigstore/core");
 class DSSESignatureContent {
-    env;
    constructor(env) {
        this.env = env;
    }
@@ -9,17 +9,15 @@ function toSignedEntity(bundle, artifact) {
    const { tlogEntries, timestampVerificationData } = bundle.verificationMaterial;
    const timestamps = [];
    for (const entry of tlogEntries) {
-        if (entry.integratedTime && entry.integratedTime !== '0') {
-            timestamps.push({
-                $case: 'transparency-log',
-                tlogEntry: entry,
-            });
-        }
+        timestamps.push({
+            $case: 'transparency-log',
+            tlogEntry: entry,
+        });
    }
    for (const ts of timestampVerificationData?.rfc3161Timestamps ?? []) {
        timestamps.push({
            $case: 'timestamp-authority',
-            timestamp: core_1.RFC3161Timestamp.parse(Buffer.from(ts.signedTimestamp)),
+            timestamp: core_1.RFC3161Timestamp.parse(ts.signedTimestamp),
        });
    }
    return {
@@ -47,13 +45,13 @@ function key(bundle) {
        case 'x509CertificateChain':
            return {
                $case: 'certificate',
-                certificate: core_1.X509Certificate.parse(Buffer.from(bundle.verificationMaterial.content.x509CertificateChain
-                    .certificates[0].rawBytes)),
+                certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.x509CertificateChain
+                    .certificates[0].rawBytes),
            };
        case 'certificate':
            return {
                $case: 'certificate',
-                certificate: core_1.X509Certificate.parse(Buffer.from(bundle.verificationMaterial.content.certificate.rawBytes)),
+                certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.certificate.rawBytes),
            };
    }
 }
@@ -5,7 +5,6 @@ export declare class MessageSignatureContent implements SignatureContent {
    readonly signature: Buffer;
    private readonly messageDigest;
    private readonly artifact;
-    private readonly hashAlgorithm;
    constructor(messageSignature: MessageSignature, artifact: Buffer);
    compareSignature(signature: Buffer): boolean;
    compareDigest(digest: Buffer): boolean;
@@ -17,29 +17,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 const core_1 = require("@sigstore/core");
-const protobuf_specs_1 = require("@sigstore/protobuf-specs");
-// Map from the Sigstore protobuf HashAlgorithm enum to
-// the string values used by the Node.js crypto module.
-const HASH_ALGORITHM_MAP = {
-    [protobuf_specs_1.HashAlgorithm.HASH_ALGORITHM_UNSPECIFIED]: 'sha256',
-    [protobuf_specs_1.HashAlgorithm.SHA2_256]: 'sha256',
-    [protobuf_specs_1.HashAlgorithm.SHA2_384]: 'sha384',
-    [protobuf_specs_1.HashAlgorithm.SHA2_512]: 'sha512',
-    [protobuf_specs_1.HashAlgorithm.SHA3_256]: 'sha3-256',
-    [protobuf_specs_1.HashAlgorithm.SHA3_384]: 'sha3-384',
-};
 class MessageSignatureContent {
-    signature;
-    messageDigest;
-    artifact;
-    hashAlgorithm;
    constructor(messageSignature, artifact) {
        this.signature = messageSignature.signature;
        this.messageDigest = messageSignature.messageDigest.digest;
        this.artifact = artifact;
-        this.hashAlgorithm =
-            HASH_ALGORITHM_MAP[messageSignature.messageDigest.algorithm] ??
-                /* istanbul ignore next */ 'sha256';
    }
    compareSignature(signature) {
        return core_1.crypto.bufferEqual(signature, this.signature);
@@ -48,7 +30,7 @@ class MessageSignatureContent {
        return core_1.crypto.bufferEqual(digest, this.messageDigest);
    }
    verifySignature(key) {
-        return core_1.crypto.verify(this.artifact, key, this.signature, this.hashAlgorithm);
+        return core_1.crypto.verify(this.artifact, key, this.signature);
    }
 }
 exports.MessageSignatureContent = MessageSignatureContent;
@@ -7,7 +7,7 @@ declare class BaseError<T extends string> extends Error {
        cause?: any;
    });
 }
-type VerificationErrorCode = 'NOT_IMPLEMENTED_ERROR' | 'TLOG_ERROR' | 'TLOG_INCLUSION_PROOF_ERROR' | 'TLOG_INCLUSION_PROMISE_ERROR' | 'TLOG_MISSING_INCLUSION_ERROR' | 'TLOG_BODY_ERROR' | 'CERTIFICATE_ERROR' | 'PUBLIC_KEY_ERROR' | 'SIGNATURE_ERROR' | 'TIMESTAMP_ERROR';
+type VerificationErrorCode = 'NOT_IMPLEMENTED_ERROR' | 'TLOG_INCLUSION_PROOF_ERROR' | 'TLOG_INCLUSION_PROMISE_ERROR' | 'TLOG_MISSING_INCLUSION_ERROR' | 'TLOG_BODY_ERROR' | 'CERTIFICATE_ERROR' | 'PUBLIC_KEY_ERROR' | 'SIGNATURE_ERROR' | 'TIMESTAMP_ERROR';
 export declare class VerificationError extends BaseError<VerificationErrorCode> {
 }
 type PolicyErrorCode = 'UNTRUSTED_SIGNER_ERROR';
@@ -17,8 +17,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 class BaseError extends Error {
-    code;
-    cause; /* eslint-disable-line @typescript-eslint/no-explicit-any */
    constructor({ code, message, cause, }) {
        super(message);
        this.code = code;
@@ -3,4 +3,3 @@ export { PolicyError, VerificationError } from './error';
 export { KeyFinderFunc, TrustMaterial, toTrustMaterial } from './trust';
 export { Verifier, VerifierOptions } from './verifier';
 export type { SignedEntity, Signer, VerificationPolicy } from './shared.types';
-export type { ObjectIdentifierValuePair } from '@sigstore/protobuf-specs';
@@ -32,10 +32,6 @@ function verifyCertificateChain(timestamp, leaf, certificateAuthorities) {
    });
 }
 class CertificateChainVerifier {
-    untrustedCert;
-    trustedCerts;
-    localCerts;
-    timestamp;
    constructor(opts) {
        this.untrustedCert = opts.untrustedCert;
        this.trustedCerts = opts.trustedCerts;
@@ -127,7 +123,6 @@ class CertificateChainVerifier {
        // or issuer/subject. Potential issuers are added to the result array.
        this.localCerts.forEach((possibleIssuer) => {
            if (keyIdentifier) {
-                /* istanbul ignore else */
                if (possibleIssuer.extSubjectKeyID) {
                    if (possibleIssuer.extSubjectKeyID.keyIdentifier.equals(keyIdentifier)) {
                        issuers.push(possibleIssuer);
@@ -56,17 +56,9 @@ function getSigner(cert) {
    else {
        issuer = cert.extension(OID_FULCIO_ISSUER_V1)?.value.toString('ascii');
    }
-    const oids = cert.extensions.map((ext) => {
-        const oid = ext.subs[0].toOID();
-        return {
-            oid: { id: oid.split('.').map(Number) },
-            value: ext.subs[ext.subs.length - 1].value,
-        };
-    });
    const identity = {
        extensions: { issuer },
        subjectAlternativeName: cert.subjectAltName,
-        oids,
    };
    return {
        key: core_1.crypto.createPublicKey(cert.publicKey),
@@ -1,5 +1,3 @@
 import { CertificateExtensions } from './shared.types';
-import type { ObjectIdentifierValuePair } from '@sigstore/protobuf-specs';
 export declare function verifySubjectAlternativeName(policyIdentity: string, signerIdentity: string | undefined): void;
 export declare function verifyExtensions(policyExtensions: CertificateExtensions, signerExtensions?: CertificateExtensions): void;
-export declare function verifyOIDs(policyOIDs: ObjectIdentifierValuePair[], signerOIDs?: ObjectIdentifierValuePair[]): void;
@@ -2,12 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifySubjectAlternativeName = verifySubjectAlternativeName;
 exports.verifyExtensions = verifyExtensions;
-exports.verifyOIDs = verifyOIDs;
 const error_1 = require("./error");
-// Verifies that the signer's SAN matches the policy identity. The
-// policyIdentity is treated as a JavaScript regular expression pattern and
-// tested against the full signerIdentity string. For exact matching, use
-// anchored patterns (e.g. '^user@example\\.com$').
 function verifySubjectAlternativeName(policyIdentity, signerIdentity) {
    if (signerIdentity === undefined || !signerIdentity.match(policyIdentity)) {
        throw new error_1.PolicyError({
@@ -27,24 +22,3 @@ function verifyExtensions(policyExtensions, signerExtensions = {}) {
        }
    }
 }
-function verifyOIDs(policyOIDs, signerOIDs = []) {
-    for (const policyOID of policyOIDs) {
-        const match = signerOIDs.find((signerOID) => oidEquals(policyOID.oid?.id, signerOID.oid?.id) &&
-            policyOID.value.equals(signerOID.value));
-        if (!match) {
-            /* istanbul ignore next */
-            const oid = policyOID.oid?.id.join('.') ?? '<unknown>';
-            throw new error_1.PolicyError({
-                code: 'UNTRUSTED_SIGNER_ERROR',
-                message: `invalid certificate extension - missing OID ${oid}`,
-            });
-        }
-    }
-}
-function oidEquals(a, b) {
-    /* istanbul ignore if */
-    if (a === undefined || b === undefined) {
-        return false;
-    }
-    return a.length === b.length && a.every((v, i) => v === b[i]);
-}
@@ -1,6 +1,5 @@
 import type { TransparencyLogEntry } from '@sigstore/bundle';
 import type { RFC3161Timestamp, X509Certificate, crypto } from '@sigstore/core';
-import type { ObjectIdentifierValuePair } from '@sigstore/protobuf-specs';
 export type CertificateExtensionName = 'issuer';
 export type CertificateExtensions = {
    [key in CertificateExtensionName]?: string;
@@ -8,7 +7,6 @@ export type CertificateExtensions = {
 export type CertificateIdentity = {
    subjectAlternativeName?: string;
    extensions?: CertificateExtensions;
-    oids?: ObjectIdentifierValuePair[];
 };
 export type VerificationPolicy = CertificateIdentity;
 export type Signer = {
@@ -1,11 +1,11 @@
 import { RFC3161Timestamp } from '@sigstore/core';
 import type { TransparencyLogEntry } from '@sigstore/bundle';
-import type { CertAuthority } from '../trust';
+import type { CertAuthority, TLogAuthority } from '../trust';
 export type TimestampType = 'transparency-log' | 'timestamp-authority';
 export type TimestampVerificationResult = {
    type: TimestampType;
    logID: Buffer;
    timestamp: Date;
 };
-export declare function getTSATimestamp(timestamp: RFC3161Timestamp, data: Buffer, timestampAuthorities: CertAuthority[]): TimestampVerificationResult;
-export declare function getTLogTimestamp(entry: TransparencyLogEntry): TimestampVerificationResult | undefined;
+export declare function verifyTSATimestamp(timestamp: RFC3161Timestamp, data: Buffer, timestampAuthorities: CertAuthority[]): TimestampVerificationResult;
+export declare function verifyTLogTimestamp(entry: TransparencyLogEntry, tlogAuthorities: TLogAuthority[]): TimestampVerificationResult;
@@ -1,9 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getTSATimestamp = getTSATimestamp;
-exports.getTLogTimestamp = getTLogTimestamp;
+exports.verifyTSATimestamp = verifyTSATimestamp;
+exports.verifyTLogTimestamp = verifyTLogTimestamp;
+const error_1 = require("../error");
+const checkpoint_1 = require("./checkpoint");
+const merkle_1 = require("./merkle");
+const set_1 = require("./set");
 const tsa_1 = require("./tsa");
-function getTSATimestamp(timestamp, data, timestampAuthorities) {
+function verifyTSATimestamp(timestamp, data, timestampAuthorities) {
    (0, tsa_1.verifyRFC3161Timestamp)(timestamp, data, timestampAuthorities);
    return {
        type: 'timestamp-authority',
@@ -11,10 +15,22 @@ function getTSATimestamp(timestamp, data, timestampAuthorities) {
        timestamp: timestamp.signingTime,
    };
 }
-function getTLogTimestamp(entry) {
-    // Only entries with an inclusion promise provide a verifiable timestamp
-    if (!entry.inclusionPromise) {
-        return undefined;
+function verifyTLogTimestamp(entry, tlogAuthorities) {
+    let inclusionVerified = false;
+    if (isTLogEntryWithInclusionPromise(entry)) {
+        (0, set_1.verifyTLogSET)(entry, tlogAuthorities);
+        inclusionVerified = true;
+    }
+    if (isTLogEntryWithInclusionProof(entry)) {
+        (0, merkle_1.verifyMerkleInclusion)(entry);
+        (0, checkpoint_1.verifyCheckpoint)(entry, tlogAuthorities);
+        inclusionVerified = true;
+    }
+    if (!inclusionVerified) {
+        throw new error_1.VerificationError({
+            code: 'TLOG_MISSING_INCLUSION_ERROR',
+            message: 'inclusion could not be verified',
+        });
    }
    return {
        type: 'transparency-log',
@@ -22,3 +38,9 @@ function getTLogTimestamp(entry) {
        timestamp: new Date(Number(entry.integratedTime) * 1000),
    };
 }
+function isTLogEntryWithInclusionPromise(entry) {
+    return entry.inclusionPromise !== undefined;
+}
+function isTLogEntryWithInclusionProof(entry) {
+    return entry.inclusionProof !== undefined;
+}
@@ -1,6 +1,3 @@
-import type { Entry } from '@sigstore/protobuf-specs/rekor/v2';
 import type { ProposedDSSEEntry } from '@sigstore/rekor-types';
 import type { SignatureContent } from '../shared.types';
-export declare const DSSE_API_VERSION_V1 = "0.0.1";
 export declare function verifyDSSETLogBody(tlogEntry: ProposedDSSEEntry, content: SignatureContent): void;
-export declare function verifyDSSETLogBodyV2(tlogEntry: Entry, content: SignatureContent): void;
@@ -1,10 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DSSE_API_VERSION_V1 = void 0;
 exports.verifyDSSETLogBody = verifyDSSETLogBody;
-exports.verifyDSSETLogBodyV2 = verifyDSSETLogBodyV2;
 /*
-Copyright 2025 The Sigstore Authors.
+Copyright 2023 The Sigstore Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,11 +17,10 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 const error_1 = require("../error");
-exports.DSSE_API_VERSION_V1 = '0.0.1';
-// Compare the given dsse tlog entry to the given bundle
+// Compare the given intoto tlog entry to the given bundle
 function verifyDSSETLogBody(tlogEntry, content) {
    switch (tlogEntry.apiVersion) {
-        case exports.DSSE_API_VERSION_V1:
+        case '0.0.1':
            return verifyDSSE001TLogBody(tlogEntry, content);
        default:
            throw new error_1.VerificationError({
@@ -32,26 +29,6 @@ function verifyDSSETLogBody(tlogEntry, content) {
            });
    }
 }
-// Compare the given dsse tlog entry to the given bundle. This function is
-// specifically for Rekor V2 entries.
-function verifyDSSETLogBodyV2(tlogEntry, content) {
-    const spec = tlogEntry.spec?.spec;
-    if (!spec) {
-        throw new error_1.VerificationError({
-            code: 'TLOG_BODY_ERROR',
-            message: `missing dsse spec`,
-        });
-    }
-    switch (spec.$case) {
-        case 'dsseV002':
-            return verifyDSSE002TLogBody(spec.dsseV002, content);
-        default:
-            throw new error_1.VerificationError({
-                code: 'TLOG_BODY_ERROR',
-                message: `unsupported version: ${spec.$case}`,
-            });
-    }
-}
 // Compare the given dsse v0.0.1 tlog entry to the given DSSE envelope.
 function verifyDSSE001TLogBody(tlogEntry, content) {
    // Ensure the bundle's DSSE only contains a single signature
@@ -78,29 +55,3 @@ function verifyDSSE001TLogBody(tlogEntry, content) {
        });
    }
 }
-// Compare the given dsse v0.0.2 tlog entry to the given DSSE envelope.
-function verifyDSSE002TLogBody(spec, content) {
-    // Ensure the bundle's DSSE only contains a single signature
-    if (spec.signatures?.length !== 1) {
-        throw new error_1.VerificationError({
-            code: 'TLOG_BODY_ERROR',
-            message: 'signature count mismatch',
-        });
-    }
-    const tlogSig = spec.signatures[0].content;
-    // Ensure that the signature in the bundle's DSSE matches tlog entry
-    if (!content.compareSignature(tlogSig))
-        throw new error_1.VerificationError({
-            code: 'TLOG_BODY_ERROR',
-            message: 'tlog entry signature mismatch',
-        });
-    // Ensure the digest of the bundle's DSSE payload matches the digest in the
-    // tlog entry
-    const tlogHash = spec.payloadHash?.digest || Buffer.from('');
-    if (!content.compareDigest(tlogHash)) {
-        throw new error_1.VerificationError({
-            code: 'TLOG_BODY_ERROR',
-            message: 'DSSE payload hash mismatch',
-        });
-    }
-}
@@ -1,6 +1,3 @@
-import { Entry } from '@sigstore/protobuf-specs/rekor/v2';
 import type { ProposedHashedRekordEntry } from '@sigstore/rekor-types';
 import type { SignatureContent } from '../shared.types';
-export declare const HASHEDREKORD_API_VERSION_V1 = "0.0.1";
 export declare function verifyHashedRekordTLogBody(tlogEntry: ProposedHashedRekordEntry, content: SignatureContent): void;
-export declare function verifyHashedRekordTLogBodyV2(tlogEntry: Entry, content: SignatureContent): void;
@@ -1,10 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.HASHEDREKORD_API_VERSION_V1 = void 0;
 exports.verifyHashedRekordTLogBody = verifyHashedRekordTLogBody;
-exports.verifyHashedRekordTLogBodyV2 = verifyHashedRekordTLogBodyV2;
 /*
-Copyright 2025 The Sigstore Authors.
+Copyright 2023 The Sigstore Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,11 +17,10 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 const error_1 = require("../error");
-exports.HASHEDREKORD_API_VERSION_V1 = '0.0.1';
 // Compare the given hashedrekord tlog entry to the given bundle
 function verifyHashedRekordTLogBody(tlogEntry, content) {
    switch (tlogEntry.apiVersion) {
-        case exports.HASHEDREKORD_API_VERSION_V1:
+        case '0.0.1':
            return verifyHashedrekord001TLogBody(tlogEntry, content);
        default:
            throw new error_1.VerificationError({
@@ -32,26 +29,6 @@ function verifyHashedRekordTLogBody(tlogEntry, content) {
            });
    }
 }
-// Compare the given hashedrekor tlog entry to the given bundle. This function is
-// specifically for Rekor V2 entries.
-function verifyHashedRekordTLogBodyV2(tlogEntry, content) {
-    const spec = tlogEntry.spec?.spec;
-    if (!spec) {
-        throw new error_1.VerificationError({
-            code: 'TLOG_BODY_ERROR',
-            message: `missing dsse spec`,
-        });
-    }
-    switch (spec.$case) {
-        case 'hashedRekordV002':
-            return verifyHashedrekord002TLogBody(spec.hashedRekordV002, content);
-        default:
-            throw new error_1.VerificationError({
-                code: 'TLOG_BODY_ERROR',
-                message: `unsupported version: ${spec.$case}`,
-            });
-    }
-}
 // Compare the given hashedrekord v0.0.1 tlog entry to the given message
 // signature
 function verifyHashedrekord001TLogBody(tlogEntry, content) {
@@ -72,23 +49,3 @@ function verifyHashedrekord001TLogBody(tlogEntry, content) {
        });
    }
 }
-// Compare the given hashedrekord v0.0.2 tlog entry to the given message
-// signature
-function verifyHashedrekord002TLogBody(spec, content) {
-    // Ensure that the bundles message signature matches the tlog entry
-    const tlogSig = spec.signature?.content || Buffer.from('');
-    if (!content.compareSignature(tlogSig)) {
-        throw new error_1.VerificationError({
-            code: 'TLOG_BODY_ERROR',
-            message: 'signature mismatch',
-        });
-    }
-    // Ensure that the bundle's message digest matches the tlog entry
-    const tlogHash = spec.data?.digest || Buffer.from('');
-    if (!content.compareDigest(tlogHash)) {
-        throw new error_1.VerificationError({
-            code: 'TLOG_BODY_ERROR',
-            message: 'digest mismatch',
-        });
-    }
-}
@@ -1,5 +1,3 @@
 import type { TransparencyLogEntry } from '@sigstore/bundle';
 import type { SignatureContent } from '../shared.types';
-import { TLogAuthority } from '../trust';
 export declare function verifyTLogBody(entry: TransparencyLogEntry, sigContent: SignatureContent): void;
-export declare function verifyTLogInclusion(entry: TransparencyLogEntry, tlogAuthorities: TLogAuthority[]): void;
@@ -1,7 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyTLogBody = verifyTLogBody;
-exports.verifyTLogInclusion = verifyTLogInclusion;
 /*
 Copyright 2023 The Sigstore Authors.

@@ -17,46 +16,27 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-const v2_1 = require("@sigstore/protobuf-specs/rekor/v2");
 const error_1 = require("../error");
 const dsse_1 = require("./dsse");
 const hashedrekord_1 = require("./hashedrekord");
 const intoto_1 = require("./intoto");
-const checkpoint_1 = require("./checkpoint");
-const merkle_1 = require("./merkle");
-const set_1 = require("./set");
 // Verifies that the given tlog entry matches the supplied signature content.
 function verifyTLogBody(entry, sigContent) {
    const { kind, version } = entry.kindVersion;
    const body = JSON.parse(entry.canonicalizedBody.toString('utf8'));
-    // validate body
    if (kind !== body.kind || version !== body.apiVersion) {
        throw new error_1.VerificationError({
            code: 'TLOG_BODY_ERROR',
            message: `kind/version mismatch - expected: ${kind}/${version}, received: ${body.kind}/${body.apiVersion}`,
        });
    }
-    switch (kind) {
+    switch (body.kind) {
        case 'dsse':
-            // Rekor V1 and V2 use incompatible types so we need to branch here based on version
-            if (version == dsse_1.DSSE_API_VERSION_V1) {
-                return (0, dsse_1.verifyDSSETLogBody)(body, sigContent);
-            }
-            else {
-                const entryRekorV2 = v2_1.Entry.fromJSON(body);
-                return (0, dsse_1.verifyDSSETLogBodyV2)(entryRekorV2, sigContent);
-            }
+            return (0, dsse_1.verifyDSSETLogBody)(body, sigContent);
        case 'intoto':
            return (0, intoto_1.verifyIntotoTLogBody)(body, sigContent);
        case 'hashedrekord':
-            // Rekor V1 and V2 use incompatible types so we need to branch here based on version
-            if (version == hashedrekord_1.HASHEDREKORD_API_VERSION_V1) {
-                return (0, hashedrekord_1.verifyHashedRekordTLogBody)(body, sigContent);
-            }
-            else {
-                const entryRekorV2 = v2_1.Entry.fromJSON(body);
-                return (0, hashedrekord_1.verifyHashedRekordTLogBodyV2)(entryRekorV2, sigContent);
-            }
+            return (0, hashedrekord_1.verifyHashedRekordTLogBody)(body, sigContent);
        /* istanbul ignore next */
        default:
            throw new error_1.VerificationError({
@@ -65,28 +45,3 @@ function verifyTLogBody(entry, sigContent) {
            });
    }
 }
-function verifyTLogInclusion(entry, tlogAuthorities) {
-    let inclusionVerified = false;
-    if (isTLogEntryWithInclusionPromise(entry)) {
-        (0, set_1.verifyTLogSET)(entry, tlogAuthorities);
-        inclusionVerified = true;
-    }
-    if (isTLogEntryWithInclusionProof(entry)) {
-        const checkpoint = (0, checkpoint_1.verifyCheckpoint)(entry, tlogAuthorities);
-        (0, merkle_1.verifyMerkleInclusion)(entry, checkpoint);
-        inclusionVerified = true;
-    }
-    if (!inclusionVerified) {
-        throw new error_1.VerificationError({
-            code: 'TLOG_MISSING_INCLUSION_ERROR',
-            message: 'inclusion could not be verified',
-        });
-    }
-    return;
-}
-function isTLogEntryWithInclusionPromise(entry) {
-    return entry.inclusionPromise !== undefined;
-}
-function isTLogEntryWithInclusionProof(entry) {
-    return entry.inclusionProof !== undefined;
-}
@@ -44,12 +44,8 @@ function createTLogAuthority(tlogInstance) {
        keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256
        ? 'pkcs1'
        : 'spki';
-    /* istanbul ignore next */
    return {
-        baseURL: tlogInstance.baseUrl,
-        logID: tlogInstance.checkpointKeyId
-            ? tlogInstance.checkpointKeyId.keyId
-            : tlogInstance.logId.keyId,
+        logID: tlogInstance.logId.keyId,
        publicKey: core_1.crypto.createPublicKey(tlogInstance.publicKey.rawBytes, keyType),
        validFor: {
            start: tlogInstance.publicKey.validFor?.start || BEGINNING_OF_TIME,
@@ -61,7 +57,7 @@ function createCertAuthority(ca) {
    /* istanbul ignore next */
    return {
        certChain: ca.certChain.certificates.map((cert) => {
-            return core_1.X509Certificate.parse(Buffer.from(cert.rawBytes));
+            return core_1.X509Certificate.parse(cert.rawBytes);
        }),
        validFor: {
            start: ca.validFor?.start || BEGINNING_OF_TIME,
@@ -1,7 +1,6 @@
 import type { X509Certificate, crypto } from '@sigstore/core';
 export type TLogAuthority = {
    logID: Buffer;
-    baseURL: string;
    publicKey: crypto.KeyObject;
    validFor: {
        start: Date;
@@ -1,23 +1,10 @@
 import type { SignedEntity, Signer, VerificationPolicy } from './shared.types';
 import type { TrustMaterial } from './trust';
-/**
- * Configuration options for the verifier.
- *
- * @public
- */
-export interface VerifierOptions {
-    /** Minimum number of transparency log entries required for verification */
+export type VerifierOptions = {
    tlogThreshold?: number;
-    /** Minimum number of certificate transparency log entries required */
    ctlogThreshold?: number;
-    /**
-     * Minimum number of timestamp authority timestamps required for verification
-     * @deprecated Use timestampThreshold instead
-     */
    tsaThreshold?: number;
-    /** Minimum number of timestamps required for verification */
-    timestampThreshold?: number;
-}
+};
 export declare class Verifier {
    private trustMaterial;
    private options;
@@ -23,15 +23,12 @@ const policy_1 = require("./policy");
 const timestamp_1 = require("./timestamp");
 const tlog_1 = require("./tlog");
 class Verifier {
-    trustMaterial;
-    options;
    constructor(trustMaterial, options = {}) {
        this.trustMaterial = trustMaterial;
        this.options = {
            ctlogThreshold: options.ctlogThreshold ?? 1,
            tlogThreshold: options.tlogThreshold ?? 1,
-            timestampThreshold: options.timestampThreshold ?? options.tsaThreshold ?? 1,
-            tsaThreshold: 0,
+            tsaThreshold: options.tsaThreshold ?? 0,
        };
    }
    verify(entity, policy) {
@@ -46,22 +43,18 @@ class Verifier {
    }
    // Checks that all of the timestamps in the entity are valid and returns them
    verifyTimestamps(entity) {
-        const timestamps = [];
-        for (const timestamp of entity.timestamps) {
+        let tlogCount = 0;
+        let tsaCount = 0;
+        const timestamps = entity.timestamps.map((timestamp) => {
            switch (timestamp.$case) {
                case 'timestamp-authority':
-                    timestamps.push((0, timestamp_1.getTSATimestamp)(timestamp.timestamp, entity.signature.signature, this.trustMaterial.timestampAuthorities));
-                    break;
-                case 'transparency-log': {
-                    const result = (0, timestamp_1.getTLogTimestamp)(timestamp.tlogEntry);
-                    /* istanbul ignore else */
-                    if (result) {
-                        timestamps.push(result);
-                    }
-                    break;
-                }
+                    tsaCount++;
+                    return (0, timestamp_1.verifyTSATimestamp)(timestamp.timestamp, entity.signature.signature, this.trustMaterial.timestampAuthorities);
+                case 'transparency-log':
+                    tlogCount++;
+                    return (0, timestamp_1.verifyTLogTimestamp)(timestamp.tlogEntry, this.trustMaterial.tlogs);
            }
-        }
+        });
        // Check for duplicate timestamps
        if (containsDupes(timestamps)) {
            throw new error_1.VerificationError({
@@ -69,10 +62,16 @@ class Verifier {
                message: 'duplicate timestamp',
            });
        }
-        if (timestamps.length < this.options.timestampThreshold) {
+        if (tlogCount < this.options.tlogThreshold) {
            throw new error_1.VerificationError({
                code: 'TIMESTAMP_ERROR',
-                message: `expected ${this.options.timestampThreshold} timestamps, got ${timestamps.length}`,
+                message: `expected ${this.options.tlogThreshold} tlog timestamps, got ${tlogCount}`,
+            });
+        }
+        if (tsaCount < this.options.tsaThreshold) {
+            throw new error_1.VerificationError({
+                code: 'TIMESTAMP_ERROR',
+                message: `expected ${this.options.tsaThreshold} tsa timestamps, got ${tsaCount}`,
            });
        }
        return timestamps.map((t) => t.timestamp);
@@ -105,18 +104,7 @@ class Verifier {
    }
    // Checks that the tlog entries are valid for the supplied content
    verifyTLogs({ signature: content, tlogEntries }) {
-        let tlogCount = 0;
-        tlogEntries.forEach((entry) => {
-            tlogCount++;
-            (0, tlog_1.verifyTLogInclusion)(entry, this.trustMaterial.tlogs);
-            (0, tlog_1.verifyTLogBody)(entry, content);
-        });
-        if (tlogCount < this.options.tlogThreshold) {
-            throw new error_1.VerificationError({
-                code: 'TLOG_ERROR',
-                message: `expected ${this.options.tlogThreshold} tlog entries, got ${tlogCount}`,
-            });
-        }
+        tlogEntries.forEach((entry) => (0, tlog_1.verifyTLogBody)(entry, content));
    }
    // Checks that the signature is valid for the supplied content
    verifySignature(entity, signer) {
@@ -129,20 +117,13 @@ class Verifier {
    }
    verifyPolicy(policy, identity) {
        // Check the subject alternative name of the signer matches the policy
-        /* istanbul ignore else */
        if (policy.subjectAlternativeName) {
            (0, policy_1.verifySubjectAlternativeName)(policy.subjectAlternativeName, identity.subjectAlternativeName);
        }
        // Check that the extensions of the signer match the policy
-        /* istanbul ignore else */
        if (policy.extensions) {
            (0, policy_1.verifyExtensions)(policy.extensions, identity.extensions);
        }
-        // Check that the OIDs of the signer match the policy
-        /* istanbul ignore if */
-        if (policy.oids) {
-            (0, policy_1.verifyOIDs)(policy.oids, identity.oids);
-        }
    }
 }
 exports.Verifier = Verifier;
@@ -1,6 +1,6 @@
 {
  "name": "@sigstore/verify",
-  "version": "3.1.1",
+  "version": "2.1.1",
  "description": "Verification of Sigstore signatures",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
@@ -26,11 +26,11 @@
    "provenance": true
  },
  "dependencies": {
-    "@sigstore/protobuf-specs": "^0.5.0",
-    "@sigstore/bundle": "^4.0.0",
-    "@sigstore/core": "^3.2.1"
+    "@sigstore/protobuf-specs": "^0.4.1",
+    "@sigstore/bundle": "^3.1.0",
+    "@sigstore/core": "^2.0.0"
  },
  "engines": {
-    "node": "^20.17.0 || >=22.9.0"
+    "node": "^18.17.0 || >=20.5.0"
  }
 }