Deployed the page to Github Pages.

node_modules/@sigstore/sign/dist/signer/fulcio/ca.d.ts

@@ -0,0 +1,13 @@
+/// <reference types="node" />
+import type { FetchOptions } from '../../types/fetch';
+export interface CA {
+    createSigningCertificate: (identityToken: string, publicKey: string, challenge: Buffer) => Promise<string[]>;
+}
+export type CAClientOptions = {
+    fulcioBaseURL: string;
+} & FetchOptions;
+export declare class CAClient implements CA {
+    private fulcio;
+    constructor(options: CAClientOptions);
+    createSigningCertificate(identityToken: string, publicKey: string, challenge: Buffer): Promise<string[]>;
+}

node_modules/@sigstore/sign/dist/signer/fulcio/ca.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CAClient = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const error_1 = require("../../error");
+const fulcio_1 = require("../../external/fulcio");
+class CAClient {
+    constructor(options) {
+        this.fulcio = new fulcio_1.Fulcio({
+            baseURL: options.fulcioBaseURL,
+            retry: options.retry,
+            timeout: options.timeout,
+        });
+    }
+    async createSigningCertificate(identityToken, publicKey, challenge) {
+        const request = toCertificateRequest(identityToken, publicKey, challenge);
+        try {
+            const resp = await this.fulcio.createSigningCertificate(request);
+            // Account for the fact that the response may contain either a
+            // signedCertificateEmbeddedSct or a signedCertificateDetachedSct.
+            const cert = resp.signedCertificateEmbeddedSct
+                ? resp.signedCertificateEmbeddedSct
+                : resp.signedCertificateDetachedSct;
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            return cert.chain.certificates;
+        }
+        catch (err) {
+            (0, error_1.internalError)(err, 'CA_CREATE_SIGNING_CERTIFICATE_ERROR', 'error creating signing certificate');
+        }
+    }
+}
+exports.CAClient = CAClient;
+function toCertificateRequest(identityToken, publicKey, challenge) {
+    return {
+        credentials: {
+            oidcIdentityToken: identityToken,
+        },
+        publicKeyRequest: {
+            publicKey: {
+                algorithm: 'ECDSA',
+                content: publicKey,
+            },
+            proofOfPossession: challenge.toString('base64'),
+        },
+    };
+}

node_modules/@sigstore/sign/dist/signer/fulcio/ephemeral.d.ts

@@ -0,0 +1,7 @@
+/// <reference types="node" />
+import type { Signature, Signer } from '../signer';
+export declare class EphemeralSigner implements Signer {
+    private keypair;
+    constructor();
+    sign(data: Buffer): Promise<Signature>;
+}

node_modules/@sigstore/sign/dist/signer/fulcio/ephemeral.js

@@ -0,0 +1,45 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EphemeralSigner = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const crypto_1 = __importDefault(require("crypto"));
+const EC_KEYPAIR_TYPE = 'ec';
+const P256_CURVE = 'P-256';
+// Signer implementation which uses an ephemeral keypair to sign artifacts.
+// The private key lives only in memory and is tied to the lifetime of the
+// EphemeralSigner instance.
+class EphemeralSigner {
+    constructor() {
+        this.keypair = crypto_1.default.generateKeyPairSync(EC_KEYPAIR_TYPE, {
+            namedCurve: P256_CURVE,
+        });
+    }
+    async sign(data) {
+        const signature = crypto_1.default.sign(null, data, this.keypair.privateKey);
+        const publicKey = this.keypair.publicKey
+            .export({ format: 'pem', type: 'spki' })
+            .toString('ascii');
+        return {
+            signature: signature,
+            key: { $case: 'publicKey', publicKey },
+        };
+    }
+}
+exports.EphemeralSigner = EphemeralSigner;

node_modules/@sigstore/sign/dist/signer/fulcio/index.d.ts

@@ -0,0 +1,17 @@
+/// <reference types="node" />
+import { CAClientOptions } from './ca';
+import type { IdentityProvider } from '../../identity';
+import type { Signature, Signer } from '../signer';
+export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev";
+export type FulcioSignerOptions = {
+    identityProvider: IdentityProvider;
+    keyHolder?: Signer;
+} & Partial<CAClientOptions>;
+export declare class FulcioSigner implements Signer {
+    private ca;
+    private identityProvider;
+    private keyHolder;
+    constructor(options: FulcioSignerOptions);
+    sign(data: Buffer): Promise<Signature>;
+    private getIdentityToken;
+}

node_modules/@sigstore/sign/dist/signer/fulcio/index.js

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FulcioSigner = exports.DEFAULT_FULCIO_URL = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const error_1 = require("../../error");
+const util_1 = require("../../util");
+const ca_1 = require("./ca");
+const ephemeral_1 = require("./ephemeral");
+exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';
+// Signer implementation which can be used to decorate another signer
+// with a Fulcio-issued signing certificate for the signer's public key.
+// Must be instantiated with an identity provider which can provide a JWT
+// which represents the identity to be bound to the signing certificate.
+class FulcioSigner {
+    constructor(options) {
+        this.ca = new ca_1.CAClient({
+            ...options,
+            fulcioBaseURL: options.fulcioBaseURL || /* istanbul ignore next */ exports.DEFAULT_FULCIO_URL,
+        });
+        this.identityProvider = options.identityProvider;
+        this.keyHolder = options.keyHolder || new ephemeral_1.EphemeralSigner();
+    }
+    async sign(data) {
+        // Retrieve identity token from the supplied identity provider
+        const identityToken = await this.getIdentityToken();
+        // Extract challenge claim from OIDC token
+        let subject;
+        try {
+            subject = util_1.oidc.extractJWTSubject(identityToken);
+        }
+        catch (err) {
+            throw new error_1.InternalError({
+                code: 'IDENTITY_TOKEN_PARSE_ERROR',
+                message: `invalid identity token: ${identityToken}`,
+                cause: err,
+            });
+        }
+        // Construct challenge value by signing the subject claim
+        const challenge = await this.keyHolder.sign(Buffer.from(subject));
+        if (challenge.key.$case !== 'publicKey') {
+            throw new error_1.InternalError({
+                code: 'CA_CREATE_SIGNING_CERTIFICATE_ERROR',
+                message: 'unexpected format for signing key',
+            });
+        }
+        // Create signing certificate
+        const certificates = await this.ca.createSigningCertificate(identityToken, challenge.key.publicKey, challenge.signature);
+        // Generate artifact signature
+        const signature = await this.keyHolder.sign(data);
+        // Specifically returning only the first certificate in the chain
+        // as the key.
+        return {
+            signature: signature.signature,
+            key: {
+                $case: 'x509Certificate',
+                certificate: certificates[0],
+            },
+        };
+    }
+    async getIdentityToken() {
+        try {
+            return await this.identityProvider.getToken();
+        }
+        catch (err) {
+            throw new error_1.InternalError({
+                code: 'IDENTITY_TOKEN_READ_ERROR',
+                message: 'error retrieving identity token',
+                cause: err,
+            });
+        }
+    }
+}
+exports.FulcioSigner = FulcioSigner;