deps: @sigstore/sign@4.1.0

Author: wraithgar

node_modules/.gitignore

@@ -30,9 +30,6 @@
 !/@sigstore/core
 !/@sigstore/protobuf-specs
 !/@sigstore/sign
-!/@sigstore/sign/node_modules/
-/@sigstore/sign/node_modules/*
-!/@sigstore/sign/node_modules/proc-log
 !/@sigstore/tuf
 !/@sigstore/verify
 !/@tufjs/

node_modules/@sigstore/sign/dist/bundler/base.js

@@ -6,6 +6,8 @@ exports.BaseBundleBuilder = void 0;
 // Subclasses must implement the `package` method to assemble a valid bundle
 // with the generated signature and verification material.
 class BaseBundleBuilder {
+    signer;
+    witnesses;
     constructor(options) {
         this.signer = options.signer;
         this.witnesses = options.witnesses;

node_modules/@sigstore/sign/dist/bundler/dsse.js

@@ -21,6 +21,7 @@ const base_1 = require("./base");
 const bundle_1 = require("./bundle");
 // BundleBuilder implementation for DSSE wrapped attestations
 class DSSEBundleBuilder extends base_1.BaseBundleBuilder {
+    certificateChain;
     constructor(options) {
         super(options);
         this.certificateChain = options.certificateChain ?? false;

node_modules/@sigstore/sign/dist/config.js

@@ -0,0 +1,143 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bundleBuilderFromSigningConfig = bundleBuilderFromSigningConfig;
+/*
+Copyright 2025 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const protobuf_specs_1 = require("@sigstore/protobuf-specs");
+const dsse_1 = require("./bundler/dsse");
+const message_1 = require("./bundler/message");
+const signer_1 = require("./signer");
+const witness_1 = require("./witness");
+const MAX_CA_API_VERSION = 1;
+const MAX_TLOG_API_VERSION = 2;
+const MAX_TSA_API_VERSION = 1;
+const DEFAULT_TIMEOUT = 5000;
+const DEFAULT_REKORV2_TIMEOUT = 20000;
+const DEFAULT_RETRY = { retries: 2 };
+// Creates a BundleBuilder based on the provided SigningConfig
+function bundleBuilderFromSigningConfig(options) {
+    const { signingConfig, identityProvider, bundleType } = options;
+    const fetchOptions = options.fetchOptions || {
+        timeout: DEFAULT_TIMEOUT,
+        retry: DEFAULT_RETRY,
+    };
+    const signer = fulcioSignerFromConfig(signingConfig, identityProvider, fetchOptions);
+    const witnesses = witnessesFromConfig(signingConfig, fetchOptions);
+    switch (bundleType) {
+        case 'messageSignature':
+            return new message_1.MessageSignatureBundleBuilder({ signer, witnesses });
+        case 'dsseEnvelope':
+            return new dsse_1.DSSEBundleBuilder({ signer, witnesses });
+    }
+}
+function fulcioSignerFromConfig(signingConfig, identityProvider, fetchOptions) {
+    const service = certAuthorityService(signingConfig);
+    return new signer_1.FulcioSigner({
+        fulcioBaseURL: service.url,
+        identityProvider: identityProvider,
+        timeout: fetchOptions.timeout,
+        retry: fetchOptions.retry,
+    });
+}
+function witnessesFromConfig(signingConfig, fetchOptions) {
+    const witnesses = [];
+    if (signingConfig.rekorTlogConfig) {
+        if (signingConfig.rekorTlogConfig.selector !== protobuf_specs_1.ServiceSelector.ANY) {
+            throw new Error('Unsupported Rekor TLog selector in signing configuration');
+        }
+        const tlog = tlogService(signingConfig);
+        witnesses.push(new witness_1.RekorWitness({
+            rekorBaseURL: tlog.url,
+            majorApiVersion: tlog.majorApiVersion,
+            retry: fetchOptions.retry,
+            timeout: 
+            // Ensure Rekor V2 has at least a 20 second timeout
+            tlog.majorApiVersion === 1
+                ? fetchOptions.timeout
+                : Math.min(fetchOptions.timeout ||
+                    /* istanbul ignore next */ DEFAULT_TIMEOUT, DEFAULT_REKORV2_TIMEOUT),
+        }));
+    }
+    if (signingConfig.tsaConfig) {
+        if (signingConfig.tsaConfig.selector !== protobuf_specs_1.ServiceSelector.ANY) {
+            throw new Error('Unsupported TSA selector in signing configuration');
+        }
+        const tsa = tsaService(signingConfig);
+        witnesses.push(new witness_1.TSAWitness({
+            tsaBaseURL: tsa.url,
+            retry: fetchOptions.retry,
+            timeout: fetchOptions.timeout,
+        }));
+    }
+    return witnesses;
+}
+// Returns the first valid CA service from the signing configuration
+function certAuthorityService(signingConfig) {
+    const compatibleCAs = filterServicesByMaxAPIVersion(signingConfig.caUrls, MAX_CA_API_VERSION);
+    const sortedCAs = sortServicesByStartDate(compatibleCAs);
+    if (sortedCAs.length === 0) {
+        throw new Error('No valid CA services found in signing configuration');
+    }
+    return sortedCAs[0];
+}
+// Returns the first valid TLog service from the signing configuration
+function tlogService(signingConfig) {
+    const compatibleTLogs = filterServicesByMaxAPIVersion(signingConfig.rekorTlogUrls, MAX_TLOG_API_VERSION);
+    const sortedTLogs = sortServicesByStartDate(compatibleTLogs);
+    if (sortedTLogs.length === 0) {
+        throw new Error('No valid TLogs found in signing configuration');
+    }
+    return sortedTLogs[0];
+}
+// Returns the first valid TSA service from the signing configuration
+function tsaService(signingConfig) {
+    const compatibleTSAs = filterServicesByMaxAPIVersion(signingConfig.tsaUrls, MAX_TSA_API_VERSION);
+    const sortedTSAs = sortServicesByStartDate(compatibleTSAs);
+    if (sortedTSAs.length === 0) {
+        throw new Error('No valid TSAs found in signing configuration');
+    }
+    return sortedTSAs[0];
+}
+// Returns the services sorted by start date (most recent first), filtering out
+// any services that have an end date in the past
+function sortServicesByStartDate(services) {
+    const now = new Date();
+    // Filter out any services that have an end date in the past
+    const validServices = services.filter((service) => {
+        // If there's no end date, the service is still valid
+        if (!service.validFor?.end) {
+            return true;
+        }
+        // Keep services whose end date is in the future or present
+        return service.validFor.end >= now;
+    });
+    return validServices.sort((a, b) => {
+        /* istanbul ignore next */
+        const aStart = a.validFor?.start?.getTime() ?? 0;
+        /* istanbul ignore next */
+        const bStart = b.validFor?.start?.getTime() ?? 0;
+        // Sort descending (most recent first)
+        return bStart - aStart;
+    });
+}
+// Returns a filtered list of services whose major API version is less than or
+// equal to the specified version
+function filterServicesByMaxAPIVersion(services, apiVersion) {
+    // Filter out any services with a major API version greater than the specified version
+    return services.filter((service) => {
+        return service.majorApiVersion <= apiVersion;
+    });
+}

node_modules/@sigstore/sign/dist/error.js

@@ -19,6 +19,8 @@ exports.InternalError = void 0;
 exports.internalError = internalError;
 const error_1 = require("./external/error");
 class InternalError extends Error {
+    code;
+    cause;
     constructor({ code, message, cause, }) {
         super(message);
         this.name = this.constructor.name;

node_modules/@sigstore/sign/dist/external/error.js

@@ -17,6 +17,8 @@ limitations under the License.
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.HTTPError = void 0;
 class HTTPError extends Error {
+    statusCode;
+    location;
     constructor({ status, message, location, }) {
         super(`(${status}) ${message}`);
         this.statusCode = status;

node_modules/@sigstore/sign/dist/external/fulcio.js

@@ -21,6 +21,7 @@ const fetch_1 = require("./fetch");
  * Fulcio API client.
  */
 class Fulcio {
+    options;
     constructor(options) {
         this.options = options;
     }

node_modules/@sigstore/sign/dist/external/rekor-v2.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RekorV2 = void 0;
+/*
+Copyright 2025 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const fetch_1 = require("./fetch");
+const protobuf_specs_1 = require("@sigstore/protobuf-specs");
+const v2_1 = require("@sigstore/protobuf-specs/rekor/v2");
+/**
+ * Rekor API client.
+ */
+class RekorV2 {
+    options;
+    constructor(options) {
+        this.options = options;
+    }
+    async createEntry(proposedEntry) {
+        const { baseURL, timeout, retry } = this.options;
+        const url = `${baseURL}/api/v2/log/entries`;
+        const response = await (0, fetch_1.fetchWithRetry)(url, {
+            headers: {
+                'Content-Type': 'application/json',
+                Accept: 'application/json',
+            },
+            body: JSON.stringify(v2_1.CreateEntryRequest.toJSON(proposedEntry)),
+            timeout,
+            retry,
+        });
+        return response.json().then((data) => protobuf_specs_1.TransparencyLogEntry.fromJSON(data));
+    }
+}
+exports.RekorV2 = RekorV2;

node_modules/@sigstore/sign/dist/external/rekor.js

@@ -21,6 +21,7 @@ const fetch_1 = require("./fetch");
  * Rekor API client.
  */
 class Rekor {
+    options;
     constructor(options) {
         this.options = options;
     }

node_modules/@sigstore/sign/dist/external/tsa.js

@@ -18,12 +18,18 @@ limitations under the License.
 */
 const fetch_1 = require("./fetch");
 class TimestampAuthority {
+    options;
     constructor(options) {
         this.options = options;
     }
     async createTimestamp(request) {
         const { baseURL, timeout, retry } = this.options;
-        const url = `${baseURL}/api/v1/timestamp`;
+        // Account for the fact that the TSA URL may already include the full
+        // path if the client was initalized from a `SigningConfig` service entry
+        // (which always uses the full URL).
+        const url = new URL(baseURL).pathname === '/'
+            ? `${baseURL}/api/v1/timestamp`
+            : baseURL;
         const response = await (0, fetch_1.fetchWithRetry)(url, {
             headers: {
                 'Content-Type': 'application/json',