init

node_modules/@sigstore/verify/dist/bundle/dsse.d.ts

@@ -0,0 +1,12 @@
+import { crypto } from '@sigstore/core';
+import type { Envelope } from '@sigstore/bundle';
+import type { SignatureContent } from '../shared.types';
+export declare class DSSESignatureContent implements SignatureContent {
+    private readonly env;
+    constructor(env: Envelope);
+    compareDigest(digest: Buffer): boolean;
+    compareSignature(signature: Buffer): boolean;
+    verifySignature(key: crypto.KeyObject): boolean;
+    get signature(): Buffer;
+    private get preAuthEncoding();
+}

node_modules/@sigstore/verify/dist/bundle/dsse.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DSSESignatureContent = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const core_1 = require("@sigstore/core");
+class DSSESignatureContent {
+    constructor(env) {
+        this.env = env;
+    }
+    compareDigest(digest) {
+        return core_1.crypto.bufferEqual(digest, core_1.crypto.digest('sha256', this.env.payload));
+    }
+    compareSignature(signature) {
+        return core_1.crypto.bufferEqual(signature, this.signature);
+    }
+    verifySignature(key) {
+        return core_1.crypto.verify(this.preAuthEncoding, key, this.signature);
+    }
+    get signature() {
+        return this.env.signatures.length > 0
+            ? this.env.signatures[0].sig
+            : Buffer.from('');
+    }
+    // DSSE Pre-Authentication Encoding
+    get preAuthEncoding() {
+        return core_1.dsse.preAuthEncoding(this.env.payloadType, this.env.payload);
+    }
+}
+exports.DSSESignatureContent = DSSESignatureContent;

node_modules/@sigstore/verify/dist/bundle/index.d.ts

@@ -0,0 +1,4 @@
+import { Bundle } from '@sigstore/bundle';
+import type { SignatureContent, SignedEntity } from '../shared.types';
+export declare function toSignedEntity(bundle: Bundle, artifact?: Buffer): SignedEntity;
+export declare function signatureContent(bundle: Bundle, artifact?: Buffer): SignatureContent;

node_modules/@sigstore/verify/dist/bundle/index.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toSignedEntity = toSignedEntity;
+exports.signatureContent = signatureContent;
+const core_1 = require("@sigstore/core");
+const dsse_1 = require("./dsse");
+const message_1 = require("./message");
+function toSignedEntity(bundle, artifact) {
+    const { tlogEntries, timestampVerificationData } = bundle.verificationMaterial;
+    const timestamps = [];
+    for (const entry of tlogEntries) {
+        timestamps.push({
+            $case: 'transparency-log',
+            tlogEntry: entry,
+        });
+    }
+    for (const ts of timestampVerificationData?.rfc3161Timestamps ?? []) {
+        timestamps.push({
+            $case: 'timestamp-authority',
+            timestamp: core_1.RFC3161Timestamp.parse(ts.signedTimestamp),
+        });
+    }
+    return {
+        signature: signatureContent(bundle, artifact),
+        key: key(bundle),
+        tlogEntries,
+        timestamps,
+    };
+}
+function signatureContent(bundle, artifact) {
+    switch (bundle.content.$case) {
+        case 'dsseEnvelope':
+            return new dsse_1.DSSESignatureContent(bundle.content.dsseEnvelope);
+        case 'messageSignature':
+            return new message_1.MessageSignatureContent(bundle.content.messageSignature, artifact);
+    }
+}
+function key(bundle) {
+    switch (bundle.verificationMaterial.content.$case) {
+        case 'publicKey':
+            return {
+                $case: 'public-key',
+                hint: bundle.verificationMaterial.content.publicKey.hint,
+            };
+        case 'x509CertificateChain':
+            return {
+                $case: 'certificate',
+                certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.x509CertificateChain
+                    .certificates[0].rawBytes),
+            };
+        case 'certificate':
+            return {
+                $case: 'certificate',
+                certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.certificate.rawBytes),
+            };
+    }
+}

node_modules/@sigstore/verify/dist/bundle/message.d.ts

@@ -0,0 +1,12 @@
+import { crypto } from '@sigstore/core';
+import type { MessageSignature } from '@sigstore/bundle';
+import type { SignatureContent } from '../shared.types';
+export declare class MessageSignatureContent implements SignatureContent {
+    readonly signature: Buffer;
+    private readonly messageDigest;
+    private readonly artifact;
+    constructor(messageSignature: MessageSignature, artifact: Buffer);
+    compareSignature(signature: Buffer): boolean;
+    compareDigest(digest: Buffer): boolean;
+    verifySignature(key: crypto.KeyObject): boolean;
+}

node_modules/@sigstore/verify/dist/bundle/message.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MessageSignatureContent = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const core_1 = require("@sigstore/core");
+class MessageSignatureContent {
+    constructor(messageSignature, artifact) {
+        this.signature = messageSignature.signature;
+        this.messageDigest = messageSignature.messageDigest.digest;
+        this.artifact = artifact;
+    }
+    compareSignature(signature) {
+        return core_1.crypto.bufferEqual(signature, this.signature);
+    }
+    compareDigest(digest) {
+        return core_1.crypto.bufferEqual(digest, this.messageDigest);
+    }
+    verifySignature(key) {
+        return core_1.crypto.verify(this.artifact, key, this.signature);
+    }
+}
+exports.MessageSignatureContent = MessageSignatureContent;