batuhan-basoglu/Kargi-Sitesi
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Deployed the page to Github Pages.

Browse source
This commit is contained in:
Batuhan Berk Başoğlu 2024-11-03 21:30:09 -05:00
parent 1d79754e93
commit 2c89899458
Signed by: batuhan-basoglu
SSH key fingerprint: SHA256:kEsnuHX+qbwhxSAXPUQ4ox535wFHu/hIRaa53FzxRpo
62797 changed files with 6551425 additions and 15279 deletions
Download patch file Download diff file Expand all files Collapse all files

202
node_modules/@sigstore/sign/LICENSE generated vendored Normal file
View file

@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2023 The Sigstore Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

185
node_modules/@sigstore/sign/README.md generated vendored Normal file
View file

@ -0,0 +1,185 @@
# @sigstore/sign · [![npm version](https://img.shields.io/npm/v/@sigstore/sign.svg?style=flat)](https://www.npmjs.com/package/@sigstore/sign) [![CI Status](https://github.com/sigstore/sigstore-js/workflows/CI/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/ci.yml) [![Smoke Test Status](https://github.com/sigstore/sigstore-js/workflows/smoke-test/badge.svg)](https://github.com/sigstore/sigstore-js/actions/workflows/smoke-test.yml)
A library for generating [Sigstore][1] signatures.
## Features
- Support for keyless signature generation with [Fulcio][2]-issued signing
certificates
- Support for ambient OIDC credential detection in CI/CD environments
- Support for recording signatures to the [Rekor][3] transparency log
- Support for requesting timestamped countersignature from a [Timestamp
Authority][4]
## Prerequisites
- Node.js version >= 16.14.0
## Installation
```
npm install @sigstore/sign
```
## Overview
This library provides the building blocks for composing custom Sigstore signing
workflows.
### BundleBuilder
The top-level component is the `BundleBuilder` which has responsibility for
taking some artifact and returning a [Sigstore bundle][5] containing the
signature for that artifact and the various materials necessary to verify that
signature.
```typescript
interface BundleBuilder {
create: (artifact: Artifact) => Promise<Bundle>;
}
```
The artifact to be signed is simply an array of bytes and an optional mimetype.
The type is necessary when the signature is packaged as a [DSSE][6] envelope.
```typescript
type Artifact = {
data: Buffer;
type?: string;
};
```
There are two `BundleBuilder` implementations provided as part of this package:
- [`DSSEBundleBuilder`](./src/bundler/dsse.ts) - Combines the verification material and
artifact signature into a [`dsse_envelope`][7] -style Sigstore bundle
- [`MessageBundleBuilder`](./src/bundler/message.ts) - Combines the verification
material and artifact signature into a [`message_signature`][8]-style Sigstore
bundle.
### Signer
Every `BundleBuilder` must be instantiated with a `Signer` implementation. The
`Signer` is responsible for taking a `Buffer` and returning an `Signature`.
```typescript
interface Signer {
sign: (data: Buffer) => Promise<Signature>;
}
```
The returned `Signature` contains a signature and the public key which can be
used to verify that signature -- the key may either take the form of a x509
certificate or public key.
```typescript
type Signature = {
signature: Buffer;
key: KeyMaterial;
};
type KeyMaterial =
| {
$case: 'x509Certificate';
certificate: string;
}
| {
$case: 'publicKey';
publicKey: string;
hint?: string;
};
```
This package provides the [`FulcioSigner`](./src/signer/fulcio/index.ts)
which implements the `Signer` interface and signs the artifact with an
ephemeral keypair. It will also retrieve an OIDC token from the configured
`IdentityProvider` and then request a signing certificate from Fulcio which binds
the ephemeral key to the identity embedded in the token. This signing
certificate is returned as part of the `Signature`.
### Witness
The `BundleBuilder` may also be configured with zero-or-more `Witness`
instances. Each `Witness` receives the artifact signature and the public key
and returns an `VerificationMaterial` which represents some sort of
counter-signature for the artifact's signature.
```typescript
interface Witness {
testify: (
signature: SignatureBundle,
publicKey: string
) => Promise<VerificationMaterial>;
}
```
The returned `VerificationMaterial` may contain either Rekor transparency log
entries or RFC3161 timestamps.
```typescript
type VerificationMaterial = {
tlogEntries?: TransparencyLogEntry[];
rfc3161Timestamps?: RFC3161SignedTimestamp[];
};
```
The entries in the returned `VerificationMaterial` are automatically added to
the Sigstore `Bundle` by the `BundleBuilder`.
The package provides two different `Witness` implementations:
- [`RekorWitness`](./src/witness/tlog/index.ts) - Adds an entry to the Rekor
transparency log and returns a `TransparencyLogEntry` to be included in the
`Bundle`
- [`TSAWitness`](./src/witness/tsa/index.ts) - Requests an RFC3161 timestamp
over the artifact signature and returns an `RFC3161SignedTimestamp` to be
included in the `Bundle`
## Usage Example
```typescript
const {
CIContextProvider,
DSSEBundleBuilder,
FulcioSigner,
RekorWitness,
TSAWitness,
} = require('@sigstore/sign');
// Set-up the signer
const signer = new FulcioSigner({
fulcioBaseURL: 'https://fulcio.sigstore.dev',
identityProvider: new CIContextProvider('sigstore'),
});
// Set-up the witnesses
const rekorWitness = new RekorWitness({
rekorBaseURL: 'https://rekor.sigstore.dev',
});
const tsaWitness = new TSAWitness({
tsaBaseURL: 'https://tsa.github.com',
});
// Instantiate a bundle builder
const bundler = new DSSEBundleBuilder({
signer,
witnesses: [rekorWitness, tsaWitness],
});
// Sign a thing
const artifact = {
type: 'text/plain',
data: Buffer.from('something to be signed'),
};
const bundle = await bundler.create(artifact);
```
[1]: https://www.sigstore.dev
[2]: https://github.com/sigstore/fulcio
[3]: https://github.com/sigstore/rekor
[4]: https://github.com/sigstore/timestamp-authority
[5]: https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
[6]: https://github.com/secure-systems-lab/dsse
[7]: https://github.com/sigstore/protobuf-specs/blob/5ef54068bb534152474c5685f5cd248f38549fbd/protos/sigstore_bundle.proto#L80
[8]: https://github.com/sigstore/protobuf-specs/blob/5ef54068bb534152474c5685f5cd248f38549fbd/protos/sigstore_bundle.proto#L74

23
node_modules/@sigstore/sign/dist/bundler/base.d.ts generated vendored Normal file
View file

@ -0,0 +1,23 @@
/// <reference types="node" />
import type { Bundle } from '@sigstore/bundle';
import type { Signature, Signer } from '../signer';
import type { Witness } from '../witness';
export interface BundleBuilderOptions {
signer: Signer;
witnesses: Witness[];
}
export interface Artifact {
data: Buffer;
type?: string;
}
export interface BundleBuilder {
create: (artifact: Artifact) => Promise<Bundle>;
}
export declare abstract class BaseBundleBuilder<T extends Bundle> implements BundleBuilder {
protected signer: Signer;
private witnesses;
constructor(options: BundleBuilderOptions);
create(artifact: Artifact): Promise<T>;
protected prepare(artifact: Artifact): Promise<Buffer>;
protected abstract package(artifact: Artifact, signature: Signature): Promise<T>;
}

50
node_modules/@sigstore/sign/dist/bundler/base.js generated vendored Normal file
View file

@ -0,0 +1,50 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.BaseBundleBuilder = void 0;
// BaseBundleBuilder is a base class for BundleBuilder implementations. It
// provides a the basic wokflow for signing and witnessing an artifact.
// Subclasses must implement the `package` method to assemble a valid bundle
// with the generated signature and verification material.
class BaseBundleBuilder {
constructor(options) {
this.signer = options.signer;
this.witnesses = options.witnesses;
}
// Executes the signing/witnessing process for the given artifact.
async create(artifact) {
const signature = await this.prepare(artifact).then((blob) => this.signer.sign(blob));
const bundle = await this.package(artifact, signature);
// Invoke all of the witnesses in parallel
const verificationMaterials = await Promise.all(this.witnesses.map((witness) => witness.testify(bundle.content, publicKey(signature.key))));
// Collect the verification material from all of the witnesses
const tlogEntryList = [];
const timestampList = [];
verificationMaterials.forEach(({ tlogEntries, rfc3161Timestamps }) => {
tlogEntryList.push(...(tlogEntries ?? []));
timestampList.push(...(rfc3161Timestamps ?? []));
});
// Merge the collected verification material into the bundle
bundle.verificationMaterial.tlogEntries = tlogEntryList;
bundle.verificationMaterial.timestampVerificationData = {
rfc3161Timestamps: timestampList,
};
return bundle;
}
// Override this function to apply any pre-signing transformations to the
// artifact. The returned buffer will be signed by the signer. The default
// implementation simply returns the artifact data.
async prepare(artifact) {
return artifact.data;
}
}
exports.BaseBundleBuilder = BaseBundleBuilder;
// Extracts the public key from a KeyMaterial. Returns either the public key
// or the certificate, depending on the type of key material.
function publicKey(key) {
switch (key.$case) {
case 'publicKey':
return key.publicKey;
case 'x509Certificate':
return key.certificate;
}
}

5
node_modules/@sigstore/sign/dist/bundler/bundle.d.ts generated vendored Normal file
View file

@ -0,0 +1,5 @@
import * as sigstore from '@sigstore/bundle';
import type { Signature } from '../signer';
import type { Artifact } from './base';
export declare function toMessageSignatureBundle(artifact: Artifact, signature: Signature): sigstore.BundleWithMessageSignature;
export declare function toDSSEBundle(artifact: Required<Artifact>, signature: Signature, singleCertificate?: boolean): sigstore.BundleWithDsseEnvelope;

71
node_modules/@sigstore/sign/dist/bundler/bundle.js generated vendored Normal file
View file

@ -0,0 +1,71 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.toDSSEBundle = exports.toMessageSignatureBundle = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const sigstore = __importStar(require("@sigstore/bundle"));
const util_1 = require("../util");
// Helper functions for assembling the parts of a Sigstore bundle
// Message signature bundle - $case: 'messageSignature'
function toMessageSignatureBundle(artifact, signature) {
const digest = util_1.crypto.hash(artifact.data);
return sigstore.toMessageSignatureBundle({
digest,
signature: signature.signature,
certificate: signature.key.$case === 'x509Certificate'
? util_1.pem.toDER(signature.key.certificate)
: undefined,
keyHint: signature.key.$case === 'publicKey' ? signature.key.hint : undefined,
});
}
exports.toMessageSignatureBundle = toMessageSignatureBundle;
// DSSE envelope bundle - $case: 'dsseEnvelope'
function toDSSEBundle(artifact, signature, singleCertificate) {
return sigstore.toDSSEBundle({
artifact: artifact.data,
artifactType: artifact.type,
signature: signature.signature,
certificate: signature.key.$case === 'x509Certificate'
? util_1.pem.toDER(signature.key.certificate)
: undefined,
keyHint: signature.key.$case === 'publicKey' ? signature.key.hint : undefined,
singleCertificate,
});
}
exports.toDSSEBundle = toDSSEBundle;

14
node_modules/@sigstore/sign/dist/bundler/dsse.d.ts generated vendored Normal file
View file

@ -0,0 +1,14 @@
/// <reference types="node" />
import { Artifact, BaseBundleBuilder, BundleBuilderOptions } from './base';
import type { BundleWithDsseEnvelope } from '@sigstore/bundle';
import type { Signature } from '../signer';
type DSSEBundleBuilderOptions = BundleBuilderOptions & {
singleCertificate?: boolean;
};
export declare class DSSEBundleBuilder extends BaseBundleBuilder<BundleWithDsseEnvelope> {
private singleCertificate?;
constructor(options: DSSEBundleBuilderOptions);
protected prepare(artifact: Artifact): Promise<Buffer>;
protected package(artifact: Artifact, signature: Signature): Promise<BundleWithDsseEnvelope>;
}
export {};

46
node_modules/@sigstore/sign/dist/bundler/dsse.js generated vendored Normal file
View file

@ -0,0 +1,46 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.DSSEBundleBuilder = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const util_1 = require("../util");
const base_1 = require("./base");
const bundle_1 = require("./bundle");
// BundleBuilder implementation for DSSE wrapped attestations
class DSSEBundleBuilder extends base_1.BaseBundleBuilder {
constructor(options) {
super(options);
this.singleCertificate = options.singleCertificate ?? false;
}
// DSSE requires the artifact to be pre-encoded with the payload type
// before the signature is generated.
async prepare(artifact) {
const a = artifactDefaults(artifact);
return util_1.dsse.preAuthEncoding(a.type, a.data);
}
// Packages the artifact and signature into a DSSE bundle
async package(artifact, signature) {
return (0, bundle_1.toDSSEBundle)(artifactDefaults(artifact), signature, this.singleCertificate);
}
}
exports.DSSEBundleBuilder = DSSEBundleBuilder;
// Defaults the artifact type to an empty string if not provided
function artifactDefaults(artifact) {
return {
...artifact,
type: artifact.type ?? '',
};
}

3
node_modules/@sigstore/sign/dist/bundler/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,3 @@
export type { Artifact, BundleBuilder, BundleBuilderOptions } from './base';
export { DSSEBundleBuilder } from './dsse';
export { MessageSignatureBundleBuilder } from './message';

7
node_modules/@sigstore/sign/dist/bundler/index.js generated vendored Normal file
View file

@ -0,0 +1,7 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.MessageSignatureBundleBuilder = exports.DSSEBundleBuilder = void 0;
var dsse_1 = require("./dsse");
Object.defineProperty(exports, "DSSEBundleBuilder", { enumerable: true, get: function () { return dsse_1.DSSEBundleBuilder; } });
var message_1 = require("./message");
Object.defineProperty(exports, "MessageSignatureBundleBuilder", { enumerable: true, get: function () { return message_1.MessageSignatureBundleBuilder; } });

7
node_modules/@sigstore/sign/dist/bundler/message.d.ts generated vendored Normal file
View file

@ -0,0 +1,7 @@
import { Artifact, BaseBundleBuilder, BundleBuilderOptions } from './base';
import type { BundleWithMessageSignature } from '@sigstore/bundle';
import type { Signature } from '../signer';
export declare class MessageSignatureBundleBuilder extends BaseBundleBuilder<BundleWithMessageSignature> {
constructor(options: BundleBuilderOptions);
protected package(artifact: Artifact, signature: Signature): Promise<BundleWithMessageSignature>;
}

30
node_modules/@sigstore/sign/dist/bundler/message.js generated vendored Normal file
View file

@ -0,0 +1,30 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.MessageSignatureBundleBuilder = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const base_1 = require("./base");
const bundle_1 = require("./bundle");
// BundleBuilder implementation for raw message signatures
class MessageSignatureBundleBuilder extends base_1.BaseBundleBuilder {
constructor(options) {
super(options);
}
async package(artifact, signature) {
return (0, bundle_1.toMessageSignatureBundle)(artifact, signature);
}
}
exports.MessageSignatureBundleBuilder = MessageSignatureBundleBuilder;

12
node_modules/@sigstore/sign/dist/error.d.ts generated vendored Normal file
View file

@ -0,0 +1,12 @@
type InternalErrorCode = 'TLOG_FETCH_ENTRY_ERROR' | 'TLOG_CREATE_ENTRY_ERROR' | 'CA_CREATE_SIGNING_CERTIFICATE_ERROR' | 'TSA_CREATE_TIMESTAMP_ERROR' | 'IDENTITY_TOKEN_READ_ERROR' | 'IDENTITY_TOKEN_PARSE_ERROR';
export declare class InternalError extends Error {
code: InternalErrorCode;
cause: any | undefined;
constructor({ code, message, cause, }: {
code: InternalErrorCode;
message: string;
cause?: any;
});
}
export declare function internalError(err: unknown, code: InternalErrorCode, message: string): never;
export {};

39
node_modules/@sigstore/sign/dist/error.js generated vendored Normal file
View file

@ -0,0 +1,39 @@
"use strict";
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.internalError = exports.InternalError = void 0;
const error_1 = require("./external/error");
class InternalError extends Error {
constructor({ code, message, cause, }) {
super(message);
this.name = this.constructor.name;
this.cause = cause;
this.code = code;
}
}
exports.InternalError = InternalError;
function internalError(err, code, message) {
if (err instanceof error_1.HTTPError) {
message += ` - ${err.message}`;
}
throw new InternalError({
code: code,
message: message,
cause: err,
});
}
exports.internalError = internalError;

9
node_modules/@sigstore/sign/dist/external/error.d.ts generated vendored Normal file
View file

@ -0,0 +1,9 @@
export declare class HTTPError extends Error {
statusCode: number;
location?: string;
constructor({ status, message, location, }: {
status: number;
message: string;
location?: string;
});
}

26
node_modules/@sigstore/sign/dist/external/error.js generated vendored Normal file
View file

@ -0,0 +1,26 @@
"use strict";
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.HTTPError = void 0;
class HTTPError extends Error {
constructor({ status, message, location, }) {
super(`(${status}) ${message}`);
this.statusCode = status;
this.location = location;
}
}
exports.HTTPError = HTTPError;

4
node_modules/@sigstore/sign/dist/external/fetch.d.ts generated vendored Normal file
View file

@ -0,0 +1,4 @@
import fetch, { FetchOptions } from 'make-fetch-happen';
type Response = Awaited<ReturnType<typeof fetch>>;
export declare function fetchWithRetry(url: string, options: FetchOptions): Promise<Response>;
export {};

99
node_modules/@sigstore/sign/dist/external/fetch.js generated vendored Normal file
View file

@ -0,0 +1,99 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.fetchWithRetry = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const http2_1 = require("http2");
const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
const proc_log_1 = require("proc-log");
const promise_retry_1 = __importDefault(require("promise-retry"));
const util_1 = require("../util");
const error_1 = require("./error");
const { HTTP2_HEADER_LOCATION, HTTP2_HEADER_CONTENT_TYPE, HTTP2_HEADER_USER_AGENT, HTTP_STATUS_INTERNAL_SERVER_ERROR, HTTP_STATUS_TOO_MANY_REQUESTS, HTTP_STATUS_REQUEST_TIMEOUT, } = http2_1.constants;
async function fetchWithRetry(url, options) {
return (0, promise_retry_1.default)(async (retry, attemptNum) => {
const method = options.method || 'POST';
const headers = {
[HTTP2_HEADER_USER_AGENT]: util_1.ua.getUserAgent(),
...options.headers,
};
const response = await (0, make_fetch_happen_1.default)(url, {
method,
headers,
body: options.body,
timeout: options.timeout,
retry: false, // We're handling retries ourselves
}).catch((reason) => {
proc_log_1.log.http('fetch', `${method} ${url} attempt ${attemptNum} failed with ${reason}`);
return retry(reason);
});
if (response.ok) {
return response;
}
else {
const error = await errorFromResponse(response);
proc_log_1.log.http('fetch', `${method} ${url} attempt ${attemptNum} failed with ${response.status}`);
if (retryable(response.status)) {
return retry(error);
}
else {
throw error;
}
}
}, retryOpts(options.retry));
}
exports.fetchWithRetry = fetchWithRetry;
// Translate a Response into an HTTPError instance. This will attempt to parse
// the response body for a message, but will default to the statusText if none
// is found.
const errorFromResponse = async (response) => {
let message = response.statusText;
const location = response.headers?.get(HTTP2_HEADER_LOCATION) || undefined;
const contentType = response.headers?.get(HTTP2_HEADER_CONTENT_TYPE);
// If response type is JSON, try to parse the body for a message
if (contentType?.includes('application/json')) {
try {
const body = await response.json();
message = body.message || message;
}
catch (e) {
// ignore
}
}
return new error_1.HTTPError({
status: response.status,
message: message,
location: location,
});
};
// Determine if a status code is retryable. This includes 5xx errors, 408, and
// 429.
const retryable = (status) => [HTTP_STATUS_REQUEST_TIMEOUT, HTTP_STATUS_TOO_MANY_REQUESTS].includes(status) || status >= HTTP_STATUS_INTERNAL_SERVER_ERROR;
// Normalize the retry options to the format expected by promise-retry
const retryOpts = (retry) => {
if (typeof retry === 'boolean') {
return { retries: retry ? 1 : 0 };
}
else if (typeof retry === 'number') {
return { retries: retry };
}
else {
return { retries: 0, ...retry };
}
};

37
node_modules/@sigstore/sign/dist/external/fulcio.d.ts generated vendored Normal file
View file

@ -0,0 +1,37 @@
import type { FetchOptions } from '../types/fetch';
export type FulcioOptions = {
baseURL: string;
} & FetchOptions;
export interface SigningCertificateRequest {
credentials: {
oidcIdentityToken: string;
};
publicKeyRequest: {
publicKey: {
algorithm: string;
content: string;
};
proofOfPossession: string;
};
}
export interface SigningCertificateResponse {
signedCertificateEmbeddedSct?: {
chain: {
certificates: string[];
};
};
signedCertificateDetachedSct?: {
chain: {
certificates: string[];
};
signedCertificateTimestamp: string;
};
}
/**
* Fulcio API client.
*/
export declare class Fulcio {
private options;
constructor(options: FulcioOptions);
createSigningCertificate(request: SigningCertificateRequest): Promise<SigningCertificateResponse>;
}

41
node_modules/@sigstore/sign/dist/external/fulcio.js generated vendored Normal file
View file

@ -0,0 +1,41 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.Fulcio = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const fetch_1 = require("./fetch");
/**
* Fulcio API client.
*/
class Fulcio {
constructor(options) {
this.options = options;
}
async createSigningCertificate(request) {
const { baseURL, retry, timeout } = this.options;
const url = `${baseURL}/api/v2/signingCert`;
const response = await (0, fetch_1.fetchWithRetry)(url, {
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(request),
timeout,
retry,
});
return response.json();
}
}
exports.Fulcio = Fulcio;

28
node_modules/@sigstore/sign/dist/external/rekor.d.ts generated vendored Normal file
View file

@ -0,0 +1,28 @@
import type { LogEntry, ProposedDSSEEntry, ProposedEntry, ProposedHashedRekordEntry, ProposedIntotoEntry } from '@sigstore/rekor-types';
import type { FetchOptions } from '../types/fetch';
export type { ProposedDSSEEntry, ProposedEntry, ProposedHashedRekordEntry, ProposedIntotoEntry, };
export type Entry = {
uuid: string;
} & LogEntry[string];
export type RekorOptions = {
baseURL: string;
} & FetchOptions;
/**
* Rekor API client.
*/
export declare class Rekor {
private options;
constructor(options: RekorOptions);
/**
* Create a new entry in the Rekor log.
* @param propsedEntry {ProposedEntry} Data to create a new entry
* @returns {Promise<Entry>} The created entry
*/
createEntry(propsedEntry: ProposedEntry): Promise<Entry>;
/**
* Get an entry from the Rekor log.
* @param uuid {string} The UUID of the entry to retrieve
* @returns {Promise<Entry>} The retrieved entry
*/
getEntry(uuid: string): Promise<Entry>;
}

80
node_modules/@sigstore/sign/dist/external/rekor.js generated vendored Normal file
View file

@ -0,0 +1,80 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.Rekor = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const fetch_1 = require("./fetch");
/**
* Rekor API client.
*/
class Rekor {
constructor(options) {
this.options = options;
}
/**
* Create a new entry in the Rekor log.
* @param propsedEntry {ProposedEntry} Data to create a new entry
* @returns {Promise<Entry>} The created entry
*/
async createEntry(propsedEntry) {
const { baseURL, timeout, retry } = this.options;
const url = `${baseURL}/api/v1/log/entries`;
const response = await (0, fetch_1.fetchWithRetry)(url, {
headers: {
'Content-Type': 'application/json',
Accept: 'application/json',
},
body: JSON.stringify(propsedEntry),
timeout,
retry,
});
const data = await response.json();
return entryFromResponse(data);
}
/**
* Get an entry from the Rekor log.
* @param uuid {string} The UUID of the entry to retrieve
* @returns {Promise<Entry>} The retrieved entry
*/
async getEntry(uuid) {
const { baseURL, timeout, retry } = this.options;
const url = `${baseURL}/api/v1/log/entries/${uuid}`;
const response = await (0, fetch_1.fetchWithRetry)(url, {
method: 'GET',
headers: {
Accept: 'application/json',
},
timeout,
retry,
});
const data = await response.json();
return entryFromResponse(data);
}
}
exports.Rekor = Rekor;
// Unpack the response from the Rekor API into a more convenient format.
function entryFromResponse(data) {
const entries = Object.entries(data);
if (entries.length != 1) {
throw new Error('Received multiple entries in Rekor response');
}
// Grab UUID and entry data from the response
const [uuid, entry] = entries[0];
return {
...entry,
uuid,
};
}

17
node_modules/@sigstore/sign/dist/external/tsa.d.ts generated vendored Normal file
View file

@ -0,0 +1,17 @@
/// <reference types="node" />
import type { FetchOptions } from '../types/fetch';
export interface TimestampRequest {
artifactHash: string;
hashAlgorithm: string;
certificates?: boolean;
nonce?: number;
tsaPolicyOID?: string;
}
export type TimestampAuthorityOptions = {
baseURL: string;
} & FetchOptions;
export declare class TimestampAuthority {
private options;
constructor(options: TimestampAuthorityOptions);
createTimestamp(request: TimestampRequest): Promise<Buffer>;
}

38
node_modules/@sigstore/sign/dist/external/tsa.js generated vendored Normal file
View file

@ -0,0 +1,38 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TimestampAuthority = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const fetch_1 = require("./fetch");
class TimestampAuthority {
constructor(options) {
this.options = options;
}
async createTimestamp(request) {
const { baseURL, timeout, retry } = this.options;
const url = `${baseURL}/api/v1/timestamp`;
const response = await (0, fetch_1.fetchWithRetry)(url, {
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(request),
timeout,
retry,
});
return response.buffer();
}
}
exports.TimestampAuthority = TimestampAuthority;

11
node_modules/@sigstore/sign/dist/identity/ci.d.ts generated vendored Normal file
View file

@ -0,0 +1,11 @@
import type { IdentityProvider } from './provider';
/**
* CIContextProvider is a composite identity provider which will iterate
* over all of the CI-specific providers and return the token from the first
* one that resolves.
*/
export declare class CIContextProvider implements IdentityProvider {
private audience;
constructor(audience?: string);
getToken(): Promise<string>;
}

73
node_modules/@sigstore/sign/dist/identity/ci.js generated vendored Normal file
View file

@ -0,0 +1,73 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.CIContextProvider = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
// Collection of all the CI-specific providers we have implemented
const providers = [getGHAToken, getEnv];
/**
* CIContextProvider is a composite identity provider which will iterate
* over all of the CI-specific providers and return the token from the first
* one that resolves.
*/
class CIContextProvider {
/* istanbul ignore next */
constructor(audience = 'sigstore') {
this.audience = audience;
}
// Invoke all registered ProviderFuncs and return the value of whichever one
// resolves first.
async getToken() {
return Promise.any(providers.map((getToken) => getToken(this.audience))).catch(() => Promise.reject('CI: no tokens available'));
}
}
exports.CIContextProvider = CIContextProvider;
/**
* getGHAToken can retrieve an OIDC token when running in a GitHub Actions
* workflow
*/
async function getGHAToken(audience) {
// Check to see if we're running in GitHub Actions
if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL ||
!process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
return Promise.reject('no token available');
}
// Construct URL to request token w/ appropriate audience
const url = new URL(process.env.ACTIONS_ID_TOKEN_REQUEST_URL);
url.searchParams.append('audience', audience);
const response = await (0, make_fetch_happen_1.default)(url.href, {
retry: 2,
headers: {
Accept: 'application/json',
Authorization: `Bearer ${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}`,
},
});
return response.json().then((data) => data.value);
}
/**
* getEnv can retrieve an OIDC token from an environment variable.
* This matches the behavior of https://github.com/sigstore/cosign/tree/main/pkg/providers/envvar
*/
async function getEnv() {
if (!process.env.SIGSTORE_ID_TOKEN) {
return Promise.reject('no token available');
}
return process.env.SIGSTORE_ID_TOKEN;
}

2
node_modules/@sigstore/sign/dist/identity/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,2 @@
export { CIContextProvider } from './ci';
export type { IdentityProvider } from './provider';

20
node_modules/@sigstore/sign/dist/identity/index.js generated vendored Normal file
View file

@ -0,0 +1,20 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.CIContextProvider = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
var ci_1 = require("./ci");
Object.defineProperty(exports, "CIContextProvider", { enumerable: true, get: function () { return ci_1.CIContextProvider; } });

3
node_modules/@sigstore/sign/dist/identity/provider.d.ts generated vendored Normal file
View file

@ -0,0 +1,3 @@
export interface IdentityProvider {
getToken: () => Promise<string>;
}

2
node_modules/@sigstore/sign/dist/identity/provider.js generated vendored Normal file
View file

@ -0,0 +1,2 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });

10
node_modules/@sigstore/sign/dist/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,10 @@
export type { Bundle } from '@sigstore/bundle';
export { DSSEBundleBuilder, MessageSignatureBundleBuilder } from './bundler';
export type { Artifact, BundleBuilder, BundleBuilderOptions } from './bundler';
export { InternalError } from './error';
export { CIContextProvider } from './identity';
export type { IdentityProvider } from './identity';
export { DEFAULT_FULCIO_URL, FulcioSigner } from './signer';
export type { FulcioSignerOptions, Signature, Signer } from './signer';
export { DEFAULT_REKOR_URL, RekorWitness, TSAWitness } from './witness';
export type { RekorWitnessOptions, SignatureBundle, TSAWitnessOptions, VerificationMaterial, Witness, } from './witness';

17
node_modules/@sigstore/sign/dist/index.js generated vendored Normal file
View file

@ -0,0 +1,17 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TSAWitness = exports.RekorWitness = exports.DEFAULT_REKOR_URL = exports.FulcioSigner = exports.DEFAULT_FULCIO_URL = exports.CIContextProvider = exports.InternalError = exports.MessageSignatureBundleBuilder = exports.DSSEBundleBuilder = void 0;
var bundler_1 = require("./bundler");
Object.defineProperty(exports, "DSSEBundleBuilder", { enumerable: true, get: function () { return bundler_1.DSSEBundleBuilder; } });
Object.defineProperty(exports, "MessageSignatureBundleBuilder", { enumerable: true, get: function () { return bundler_1.MessageSignatureBundleBuilder; } });
var error_1 = require("./error");
Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return error_1.InternalError; } });
var identity_1 = require("./identity");
Object.defineProperty(exports, "CIContextProvider", { enumerable: true, get: function () { return identity_1.CIContextProvider; } });
var signer_1 = require("./signer");
Object.defineProperty(exports, "DEFAULT_FULCIO_URL", { enumerable: true, get: function () { return signer_1.DEFAULT_FULCIO_URL; } });
Object.defineProperty(exports, "FulcioSigner", { enumerable: true, get: function () { return signer_1.FulcioSigner; } });
var witness_1 = require("./witness");
Object.defineProperty(exports, "DEFAULT_REKOR_URL", { enumerable: true, get: function () { return witness_1.DEFAULT_REKOR_URL; } });
Object.defineProperty(exports, "RekorWitness", { enumerable: true, get: function () { return witness_1.RekorWitness; } });
Object.defineProperty(exports, "TSAWitness", { enumerable: true, get: function () { return witness_1.TSAWitness; } });

13
node_modules/@sigstore/sign/dist/signer/fulcio/ca.d.ts generated vendored Normal file
View file

@ -0,0 +1,13 @@
/// <reference types="node" />
import type { FetchOptions } from '../../types/fetch';
export interface CA {
createSigningCertificate: (identityToken: string, publicKey: string, challenge: Buffer) => Promise<string[]>;
}
export type CAClientOptions = {
fulcioBaseURL: string;
} & FetchOptions;
export declare class CAClient implements CA {
private fulcio;
constructor(options: CAClientOptions);
createSigningCertificate(identityToken: string, publicKey: string, challenge: Buffer): Promise<string[]>;
}

60
node_modules/@sigstore/sign/dist/signer/fulcio/ca.js generated vendored Normal file
View file

@ -0,0 +1,60 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.CAClient = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../../error");
const fulcio_1 = require("../../external/fulcio");
class CAClient {
constructor(options) {
this.fulcio = new fulcio_1.Fulcio({
baseURL: options.fulcioBaseURL,
retry: options.retry,
timeout: options.timeout,
});
}
async createSigningCertificate(identityToken, publicKey, challenge) {
const request = toCertificateRequest(identityToken, publicKey, challenge);
try {
const resp = await this.fulcio.createSigningCertificate(request);
// Account for the fact that the response may contain either a
// signedCertificateEmbeddedSct or a signedCertificateDetachedSct.
const cert = resp.signedCertificateEmbeddedSct
? resp.signedCertificateEmbeddedSct
: resp.signedCertificateDetachedSct;
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
return cert.chain.certificates;
}
catch (err) {
(0, error_1.internalError)(err, 'CA_CREATE_SIGNING_CERTIFICATE_ERROR', 'error creating signing certificate');
}
}
}
exports.CAClient = CAClient;
function toCertificateRequest(identityToken, publicKey, challenge) {
return {
credentials: {
oidcIdentityToken: identityToken,
},
publicKeyRequest: {
publicKey: {
algorithm: 'ECDSA',
content: publicKey,
},
proofOfPossession: challenge.toString('base64'),
},
};
}

7
node_modules/@sigstore/sign/dist/signer/fulcio/ephemeral.d.ts generated vendored Normal file
View file

@ -0,0 +1,7 @@
/// <reference types="node" />
import type { Signature, Signer } from '../signer';
export declare class EphemeralSigner implements Signer {
private keypair;
constructor();
sign(data: Buffer): Promise<Signature>;
}

45
node_modules/@sigstore/sign/dist/signer/fulcio/ephemeral.js generated vendored Normal file
View file

@ -0,0 +1,45 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.EphemeralSigner = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const crypto_1 = __importDefault(require("crypto"));
const EC_KEYPAIR_TYPE = 'ec';
const P256_CURVE = 'P-256';
// Signer implementation which uses an ephemeral keypair to sign artifacts.
// The private key lives only in memory and is tied to the lifetime of the
// EphemeralSigner instance.
class EphemeralSigner {
constructor() {
this.keypair = crypto_1.default.generateKeyPairSync(EC_KEYPAIR_TYPE, {
namedCurve: P256_CURVE,
});
}
async sign(data) {
const signature = crypto_1.default.sign(null, data, this.keypair.privateKey);
const publicKey = this.keypair.publicKey
.export({ format: 'pem', type: 'spki' })
.toString('ascii');
return {
signature: signature,
key: { $case: 'publicKey', publicKey },
};
}
}
exports.EphemeralSigner = EphemeralSigner;

17
node_modules/@sigstore/sign/dist/signer/fulcio/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,17 @@
/// <reference types="node" />
import { CAClientOptions } from './ca';
import type { IdentityProvider } from '../../identity';
import type { Signature, Signer } from '../signer';
export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev";
export type FulcioSignerOptions = {
identityProvider: IdentityProvider;
keyHolder?: Signer;
} & Partial<CAClientOptions>;
export declare class FulcioSigner implements Signer {
private ca;
private identityProvider;
private keyHolder;
constructor(options: FulcioSignerOptions);
sign(data: Buffer): Promise<Signature>;
private getIdentityToken;
}

87
node_modules/@sigstore/sign/dist/signer/fulcio/index.js generated vendored Normal file
View file

@ -0,0 +1,87 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.FulcioSigner = exports.DEFAULT_FULCIO_URL = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../../error");
const util_1 = require("../../util");
const ca_1 = require("./ca");
const ephemeral_1 = require("./ephemeral");
exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';
// Signer implementation which can be used to decorate another signer
// with a Fulcio-issued signing certificate for the signer's public key.
// Must be instantiated with an identity provider which can provide a JWT
// which represents the identity to be bound to the signing certificate.
class FulcioSigner {
constructor(options) {
this.ca = new ca_1.CAClient({
...options,
fulcioBaseURL: options.fulcioBaseURL || /* istanbul ignore next */ exports.DEFAULT_FULCIO_URL,
});
this.identityProvider = options.identityProvider;
this.keyHolder = options.keyHolder || new ephemeral_1.EphemeralSigner();
}
async sign(data) {
// Retrieve identity token from the supplied identity provider
const identityToken = await this.getIdentityToken();
// Extract challenge claim from OIDC token
let subject;
try {
subject = util_1.oidc.extractJWTSubject(identityToken);
}
catch (err) {
throw new error_1.InternalError({
code: 'IDENTITY_TOKEN_PARSE_ERROR',
message: `invalid identity token: ${identityToken}`,
cause: err,
});
}
// Construct challenge value by signing the subject claim
const challenge = await this.keyHolder.sign(Buffer.from(subject));
if (challenge.key.$case !== 'publicKey') {
throw new error_1.InternalError({
code: 'CA_CREATE_SIGNING_CERTIFICATE_ERROR',
message: 'unexpected format for signing key',
});
}
// Create signing certificate
const certificates = await this.ca.createSigningCertificate(identityToken, challenge.key.publicKey, challenge.signature);
// Generate artifact signature
const signature = await this.keyHolder.sign(data);
// Specifically returning only the first certificate in the chain
// as the key.
return {
signature: signature.signature,
key: {
$case: 'x509Certificate',
certificate: certificates[0],
},
};
}
async getIdentityToken() {
try {
return await this.identityProvider.getToken();
}
catch (err) {
throw new error_1.InternalError({
code: 'IDENTITY_TOKEN_READ_ERROR',
message: 'error retrieving identity token',
cause: err,
});
}
}
}
exports.FulcioSigner = FulcioSigner;

2
node_modules/@sigstore/sign/dist/signer/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,2 @@
export { DEFAULT_FULCIO_URL, FulcioSigner, FulcioSignerOptions, } from './fulcio';
export type { KeyMaterial, Signature, Signer } from './signer';

22
node_modules/@sigstore/sign/dist/signer/index.js generated vendored Normal file
View file

@ -0,0 +1,22 @@
"use strict";
/* istanbul ignore file */
Object.defineProperty(exports, "__esModule", { value: true });
exports.FulcioSigner = exports.DEFAULT_FULCIO_URL = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
var fulcio_1 = require("./fulcio");
Object.defineProperty(exports, "DEFAULT_FULCIO_URL", { enumerable: true, get: function () { return fulcio_1.DEFAULT_FULCIO_URL; } });
Object.defineProperty(exports, "FulcioSigner", { enumerable: true, get: function () { return fulcio_1.FulcioSigner; } });

16
node_modules/@sigstore/sign/dist/signer/signer.d.ts generated vendored Normal file
View file

@ -0,0 +1,16 @@
/// <reference types="node" />
export type KeyMaterial = {
$case: 'x509Certificate';
certificate: string;
} | {
$case: 'publicKey';
publicKey: string;
hint?: string;
};
export type Signature = {
signature: Buffer;
key: KeyMaterial;
};
export interface Signer {
sign: (data: Buffer) => Promise<Signature>;
}

17
node_modules/@sigstore/sign/dist/signer/signer.js generated vendored Normal file
View file

@ -0,0 +1,17 @@
"use strict";
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
Object.defineProperty(exports, "__esModule", { value: true });

6
node_modules/@sigstore/sign/dist/types/fetch.d.ts generated vendored Normal file
View file

@ -0,0 +1,6 @@
import type { MakeFetchHappenOptions } from 'make-fetch-happen';
export type Retry = MakeFetchHappenOptions['retry'];
export type FetchOptions = {
retry?: Retry;
timeout?: number | undefined;
};

2
node_modules/@sigstore/sign/dist/types/fetch.js generated vendored Normal file
View file

@ -0,0 +1,2 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });

3
node_modules/@sigstore/sign/dist/util/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,3 @@
export { crypto, dsse, encoding, json, pem } from '@sigstore/core';
export * as oidc from './oidc';
export * as ua from './ua';

49
node_modules/@sigstore/sign/dist/util/index.js generated vendored Normal file
View file

@ -0,0 +1,49 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.ua = exports.oidc = exports.pem = exports.json = exports.encoding = exports.dsse = exports.crypto = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
var core_1 = require("@sigstore/core");
Object.defineProperty(exports, "crypto", { enumerable: true, get: function () { return core_1.crypto; } });
Object.defineProperty(exports, "dsse", { enumerable: true, get: function () { return core_1.dsse; } });
Object.defineProperty(exports, "encoding", { enumerable: true, get: function () { return core_1.encoding; } });
Object.defineProperty(exports, "json", { enumerable: true, get: function () { return core_1.json; } });
Object.defineProperty(exports, "pem", { enumerable: true, get: function () { return core_1.pem; } });
exports.oidc = __importStar(require("./oidc"));
exports.ua = __importStar(require("./ua"));

1
node_modules/@sigstore/sign/dist/util/oidc.d.ts generated vendored Normal file
View file

@ -0,0 +1 @@
export declare function extractJWTSubject(jwt: string): string;

31
node_modules/@sigstore/sign/dist/util/oidc.js generated vendored Normal file
View file

@ -0,0 +1,31 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.extractJWTSubject = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
function extractJWTSubject(jwt) {
const parts = jwt.split('.', 3);
const payload = JSON.parse(core_1.encoding.base64Decode(parts[1]));
switch (payload.iss) {
case 'https://accounts.google.com':
case 'https://oauth2.sigstore.dev/auth':
return payload.email;
default:
return payload.sub;
}
}
exports.extractJWTSubject = extractJWTSubject;

1
node_modules/@sigstore/sign/dist/util/ua.d.ts generated vendored Normal file
View file

@ -0,0 +1 @@
export declare const getUserAgent: () => string;

33
node_modules/@sigstore/sign/dist/util/ua.js generated vendored Normal file
View file

@ -0,0 +1,33 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getUserAgent = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const os_1 = __importDefault(require("os"));
// Format User-Agent: <product> / <product-version> (<platform>)
// source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
const getUserAgent = () => {
// eslint-disable-next-line @typescript-eslint/no-var-requires
const packageVersion = require('../../package.json').version;
const nodeVersion = process.version;
const platformName = os_1.default.platform();
const archName = os_1.default.arch();
return `sigstore-js/${packageVersion} (Node ${nodeVersion}) (${platformName}/${archName})`;
};
exports.getUserAgent = getUserAgent;

3
node_modules/@sigstore/sign/dist/witness/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,3 @@
export { DEFAULT_REKOR_URL, RekorWitness, RekorWitnessOptions } from './tlog';
export { TSAWitness, TSAWitnessOptions } from './tsa';
export type { SignatureBundle, VerificationMaterial, Witness } from './witness';

24
node_modules/@sigstore/sign/dist/witness/index.js generated vendored Normal file
View file

@ -0,0 +1,24 @@
"use strict";
/* istanbul ignore file */
Object.defineProperty(exports, "__esModule", { value: true });
exports.TSAWitness = exports.RekorWitness = exports.DEFAULT_REKOR_URL = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
var tlog_1 = require("./tlog");
Object.defineProperty(exports, "DEFAULT_REKOR_URL", { enumerable: true, get: function () { return tlog_1.DEFAULT_REKOR_URL; } });
Object.defineProperty(exports, "RekorWitness", { enumerable: true, get: function () { return tlog_1.RekorWitness; } });
var tsa_1 = require("./tsa");
Object.defineProperty(exports, "TSAWitness", { enumerable: true, get: function () { return tsa_1.TSAWitness; } });

16
node_modules/@sigstore/sign/dist/witness/tlog/client.d.ts generated vendored Normal file
View file

@ -0,0 +1,16 @@
import type { Entry, ProposedEntry } from '../../external/rekor';
import type { FetchOptions } from '../../types/fetch';
export type { Entry, ProposedEntry };
export interface TLog {
createEntry: (proposedEntry: ProposedEntry) => Promise<Entry>;
}
export type TLogClientOptions = {
rekorBaseURL: string;
fetchOnConflict?: boolean;
} & FetchOptions;
export declare class TLogClient implements TLog {
private rekor;
private fetchOnConflict;
constructor(options: TLogClientOptions);
createEntry(proposedEntry: ProposedEntry): Promise<Entry>;
}

61
node_modules/@sigstore/sign/dist/witness/tlog/client.js generated vendored Normal file
View file

@ -0,0 +1,61 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TLogClient = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../../error");
const error_2 = require("../../external/error");
const rekor_1 = require("../../external/rekor");
class TLogClient {
constructor(options) {
this.fetchOnConflict = options.fetchOnConflict ?? false;
this.rekor = new rekor_1.Rekor({
baseURL: options.rekorBaseURL,
retry: options.retry,
timeout: options.timeout,
});
}
async createEntry(proposedEntry) {
let entry;
try {
entry = await this.rekor.createEntry(proposedEntry);
}
catch (err) {
// If the entry already exists, fetch it (if enabled)
if (entryExistsError(err) && this.fetchOnConflict) {
// Grab the UUID of the existing entry from the location header
/* istanbul ignore next */
const uuid = err.location.split('/').pop() || '';
try {
entry = await this.rekor.getEntry(uuid);
}
catch (err) {
(0, error_1.internalError)(err, 'TLOG_FETCH_ENTRY_ERROR', 'error fetching tlog entry');
}
}
else {
(0, error_1.internalError)(err, 'TLOG_CREATE_ENTRY_ERROR', 'error creating tlog entry');
}
}
return entry;
}
}
exports.TLogClient = TLogClient;
function entryExistsError(value) {
return (value instanceof error_2.HTTPError &&
value.statusCode === 409 &&
value.location !== undefined);
}

3
node_modules/@sigstore/sign/dist/witness/tlog/entry.d.ts generated vendored Normal file
View file

@ -0,0 +1,3 @@
import type { ProposedEntry } from '../../external/rekor';
import type { SignatureBundle } from '../witness';
export declare function toProposedEntry(content: SignatureBundle, publicKey: string, entryType?: 'dsse' | 'intoto'): ProposedEntry;

136
node_modules/@sigstore/sign/dist/witness/tlog/entry.js generated vendored Normal file
View file

@ -0,0 +1,136 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.toProposedEntry = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const bundle_1 = require("@sigstore/bundle");
const util_1 = require("../../util");
function toProposedEntry(content, publicKey,
// TODO: Remove this parameter once have completely switched to 'dsse' entries
entryType = 'intoto') {
switch (content.$case) {
case 'dsseEnvelope':
// TODO: Remove this conditional once have completely switched to 'dsse' entries
if (entryType === 'dsse') {
return toProposedDSSEEntry(content.dsseEnvelope, publicKey);
}
return toProposedIntotoEntry(content.dsseEnvelope, publicKey);
case 'messageSignature':
return toProposedHashedRekordEntry(content.messageSignature, publicKey);
}
}
exports.toProposedEntry = toProposedEntry;
// Returns a properly formatted Rekor "hashedrekord" entry for the given digest
// and signature
function toProposedHashedRekordEntry(messageSignature, publicKey) {
const hexDigest = messageSignature.messageDigest.digest.toString('hex');
const b64Signature = messageSignature.signature.toString('base64');
const b64Key = util_1.encoding.base64Encode(publicKey);
return {
apiVersion: '0.0.1',
kind: 'hashedrekord',
spec: {
data: {
hash: {
algorithm: 'sha256',
value: hexDigest,
},
},
signature: {
content: b64Signature,
publicKey: {
content: b64Key,
},
},
},
};
}
// Returns a properly formatted Rekor "dsse" entry for the given DSSE envelope
// and signature
function toProposedDSSEEntry(envelope, publicKey) {
const envelopeJSON = JSON.stringify((0, bundle_1.envelopeToJSON)(envelope));
const encodedKey = util_1.encoding.base64Encode(publicKey);
return {
apiVersion: '0.0.1',
kind: 'dsse',
spec: {
proposedContent: {
envelope: envelopeJSON,
verifiers: [encodedKey],
},
},
};
}
// Returns a properly formatted Rekor "intoto" entry for the given DSSE
// envelope and signature
function toProposedIntotoEntry(envelope, publicKey) {
// Calculate the value for the payloadHash field in the Rekor entry
const payloadHash = util_1.crypto.hash(envelope.payload).toString('hex');
// Calculate the value for the hash field in the Rekor entry
const envelopeHash = calculateDSSEHash(envelope, publicKey);
// Collect values for re-creating the DSSE envelope.
// Double-encode payload and signature cause that's what Rekor expects
const payload = util_1.encoding.base64Encode(envelope.payload.toString('base64'));
const sig = util_1.encoding.base64Encode(envelope.signatures[0].sig.toString('base64'));
const keyid = envelope.signatures[0].keyid;
const encodedKey = util_1.encoding.base64Encode(publicKey);
// Create the envelope portion of the entry. Note the inclusion of the
// publicKey in the signature struct is not a standard part of a DSSE
// envelope, but is required by Rekor.
const dsse = {
payloadType: envelope.payloadType,
payload: payload,
signatures: [{ sig, publicKey: encodedKey }],
};
// If the keyid is an empty string, Rekor seems to remove it altogether. We
// need to do the same here so that we can properly recreate the entry for
// verification.
if (keyid.length > 0) {
dsse.signatures[0].keyid = keyid;
}
return {
apiVersion: '0.0.2',
kind: 'intoto',
spec: {
content: {
envelope: dsse,
hash: { algorithm: 'sha256', value: envelopeHash },
payloadHash: { algorithm: 'sha256', value: payloadHash },
},
},
};
}
// Calculates the hash of a DSSE envelope for inclusion in a Rekor entry.
// There is no standard way to do this, so the scheme we're using as as
// follows:
// * payload is base64 encoded
// * signature is base64 encoded (only the first signature is used)
// * keyid is included ONLY if it is NOT an empty string
// * The resulting JSON is canonicalized and hashed to a hex string
function calculateDSSEHash(envelope, publicKey) {
const dsse = {
payloadType: envelope.payloadType,
payload: envelope.payload.toString('base64'),
signatures: [
{ sig: envelope.signatures[0].sig.toString('base64'), publicKey },
],
};
// If the keyid is an empty string, Rekor seems to remove it altogether.
if (envelope.signatures[0].keyid.length > 0) {
dsse.signatures[0].keyid = envelope.signatures[0].keyid;
}
return util_1.crypto.hash(util_1.json.canonicalize(dsse)).toString('hex');
}

17
node_modules/@sigstore/sign/dist/witness/tlog/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,17 @@
import { TLogClientOptions } from './client';
import type { TransparencyLogEntry } from '@sigstore/bundle';
import type { SignatureBundle, Witness } from '../witness';
export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev";
type TransparencyLogEntries = {
tlogEntries: TransparencyLogEntry[];
};
export type RekorWitnessOptions = Partial<TLogClientOptions> & {
entryType?: 'dsse' | 'intoto';
};
export declare class RekorWitness implements Witness {
private tlog;
private entryType?;
constructor(options: RekorWitnessOptions);
testify(content: SignatureBundle, publicKey: string): Promise<TransparencyLogEntries>;
}
export {};

82
node_modules/@sigstore/sign/dist/witness/tlog/index.js generated vendored Normal file
View file

@ -0,0 +1,82 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.RekorWitness = exports.DEFAULT_REKOR_URL = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const util_1 = require("../../util");
const client_1 = require("./client");
const entry_1 = require("./entry");
exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev';
class RekorWitness {
constructor(options) {
this.entryType = options.entryType;
this.tlog = new client_1.TLogClient({
...options,
rekorBaseURL: options.rekorBaseURL || /* istanbul ignore next */ exports.DEFAULT_REKOR_URL,
});
}
async testify(content, publicKey) {
const proposedEntry = (0, entry_1.toProposedEntry)(content, publicKey, this.entryType);
const entry = await this.tlog.createEntry(proposedEntry);
return toTransparencyLogEntry(entry);
}
}
exports.RekorWitness = RekorWitness;
function toTransparencyLogEntry(entry) {
const logID = Buffer.from(entry.logID, 'hex');
// Parse entry body so we can extract the kind and version.
const bodyJSON = util_1.encoding.base64Decode(entry.body);
const entryBody = JSON.parse(bodyJSON);
const promise = entry?.verification?.signedEntryTimestamp
? inclusionPromise(entry.verification.signedEntryTimestamp)
: undefined;
const proof = entry?.verification?.inclusionProof
? inclusionProof(entry.verification.inclusionProof)
: undefined;
const tlogEntry = {
logIndex: entry.logIndex.toString(),
logId: {
keyId: logID,
},
integratedTime: entry.integratedTime.toString(),
kindVersion: {
kind: entryBody.kind,
version: entryBody.apiVersion,
},
inclusionPromise: promise,
inclusionProof: proof,
canonicalizedBody: Buffer.from(entry.body, 'base64'),
};
return {
tlogEntries: [tlogEntry],
};
}
function inclusionPromise(promise) {
return {
signedEntryTimestamp: Buffer.from(promise, 'base64'),
};
}
function inclusionProof(proof) {
return {
logIndex: proof.logIndex.toString(),
treeSize: proof.treeSize.toString(),
rootHash: Buffer.from(proof.rootHash, 'hex'),
hashes: proof.hashes.map((h) => Buffer.from(h, 'hex')),
checkpoint: {
envelope: proof.checkpoint,
},
};
}

13
node_modules/@sigstore/sign/dist/witness/tsa/client.d.ts generated vendored Normal file
View file

@ -0,0 +1,13 @@
/// <reference types="node" />
import type { FetchOptions } from '../../types/fetch';
export interface TSA {
createTimestamp: (signature: Buffer) => Promise<Buffer>;
}
export type TSAClientOptions = {
tsaBaseURL: string;
} & FetchOptions;
export declare class TSAClient implements TSA {
private tsa;
constructor(options: TSAClientOptions);
createTimestamp(signature: Buffer): Promise<Buffer>;
}

43
node_modules/@sigstore/sign/dist/witness/tsa/client.js generated vendored Normal file
View file

@ -0,0 +1,43 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TSAClient = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../../error");
const tsa_1 = require("../../external/tsa");
const util_1 = require("../../util");
class TSAClient {
constructor(options) {
this.tsa = new tsa_1.TimestampAuthority({
baseURL: options.tsaBaseURL,
retry: options.retry,
timeout: options.timeout,
});
}
async createTimestamp(signature) {
const request = {
artifactHash: util_1.crypto.hash(signature).toString('base64'),
hashAlgorithm: 'sha256',
};
try {
return await this.tsa.createTimestamp(request);
}
catch (err) {
(0, error_1.internalError)(err, 'TSA_CREATE_TIMESTAMP_ERROR', 'error creating timestamp');
}
}
}
exports.TSAClient = TSAClient;

13
node_modules/@sigstore/sign/dist/witness/tsa/index.d.ts generated vendored Normal file
View file

@ -0,0 +1,13 @@
import { TSAClientOptions } from './client';
import type { RFC3161SignedTimestamp } from '@sigstore/bundle';
import type { SignatureBundle, Witness } from '../witness';
type RFC3161SignedTimestamps = {
rfc3161Timestamps: RFC3161SignedTimestamp[];
};
export type TSAWitnessOptions = TSAClientOptions;
export declare class TSAWitness implements Witness {
private tsa;
constructor(options: TSAWitnessOptions);
testify(content: SignatureBundle): Promise<RFC3161SignedTimestamps>;
}
export {};

44
node_modules/@sigstore/sign/dist/witness/tsa/index.js generated vendored Normal file
View file

@ -0,0 +1,44 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TSAWitness = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const client_1 = require("./client");
class TSAWitness {
constructor(options) {
this.tsa = new client_1.TSAClient({
tsaBaseURL: options.tsaBaseURL,
retry: options.retry,
timeout: options.timeout,
});
}
async testify(content) {
const signature = extractSignature(content);
const timestamp = await this.tsa.createTimestamp(signature);
return {
rfc3161Timestamps: [{ signedTimestamp: timestamp }],
};
}
}
exports.TSAWitness = TSAWitness;
function extractSignature(content) {
switch (content.$case) {
case 'dsseEnvelope':
return content.dsseEnvelope.signatures[0].sig;
case 'messageSignature':
return content.messageSignature.signature;
}
}

9
node_modules/@sigstore/sign/dist/witness/witness.d.ts generated vendored Normal file
View file

@ -0,0 +1,9 @@
import type { Bundle, RFC3161SignedTimestamp, TransparencyLogEntry } from '@sigstore/bundle';
export type SignatureBundle = Bundle['content'];
export type VerificationMaterial = {
tlogEntries?: TransparencyLogEntry[];
rfc3161Timestamps?: RFC3161SignedTimestamp[];
};
export interface Witness {
testify: (signature: SignatureBundle, publicKey: string) => Promise<VerificationMaterial>;
}

2
node_modules/@sigstore/sign/dist/witness/witness.js generated vendored Normal file
View file

@ -0,0 +1,2 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });

46
node_modules/@sigstore/sign/package.json generated vendored Normal file
View file

@ -0,0 +1,46 @@
{
"name": "@sigstore/sign",
"version": "2.3.2",
"description": "Sigstore signing library",
"main": "dist/index.js",
"types": "dist/index.d.ts",
"scripts": {
"clean": "shx rm -rf dist *.tsbuildinfo",
"build": "tsc --build",
"test": "jest"
},
"files": [
"dist"
],
"author": "bdehamer@github.com",
"license": "Apache-2.0",
"repository": {
"type": "git",
"url": "git+https://github.com/sigstore/sigstore-js.git"
},
"bugs": {
"url": "https://github.com/sigstore/sigstore-js/issues"
},
"homepage": "https://github.com/sigstore/sigstore-js/tree/main/packages/sign#readme",
"publishConfig": {
"provenance": true
},
"devDependencies": {
"@sigstore/jest": "^0.0.0",
"@sigstore/mock": "^0.7.4",
"@sigstore/rekor-types": "^2.0.0",
"@types/make-fetch-happen": "^10.0.4",
"@types/promise-retry": "^1.1.6"
},
"dependencies": {
"@sigstore/bundle": "^2.3.2",
"@sigstore/core": "^1.0.0",
"@sigstore/protobuf-specs": "^0.3.2",
"make-fetch-happen": "^13.0.1",
"proc-log": "^4.2.0",
"promise-retry": "^2.0.1"
},
"engines": {
"node": "^16.14.0 || >=18.0.0"
}
}