deps: @sigstore/verify@3.1.0

Author: wraithgar

node_modules/@sigstore/verify/dist/bundle/dsse.js

@@ -18,6 +18,7 @@ limitations under the License.
 */
 const core_1 = require("@sigstore/core");
 class DSSESignatureContent {
+    env;
     constructor(env) {
         this.env = env;
     }

node_modules/@sigstore/verify/dist/bundle/index.js

@@ -9,15 +9,17 @@ function toSignedEntity(bundle, artifact) {
     const { tlogEntries, timestampVerificationData } = bundle.verificationMaterial;
     const timestamps = [];
     for (const entry of tlogEntries) {
-        timestamps.push({
-            $case: 'transparency-log',
-            tlogEntry: entry,
-        });
+        if (entry.integratedTime && entry.integratedTime !== '0') {
+            timestamps.push({
+                $case: 'transparency-log',
+                tlogEntry: entry,
+            });
+        }
     }
     for (const ts of timestampVerificationData?.rfc3161Timestamps ?? []) {
         timestamps.push({
             $case: 'timestamp-authority',
-            timestamp: core_1.RFC3161Timestamp.parse(ts.signedTimestamp),
+            timestamp: core_1.RFC3161Timestamp.parse(Buffer.from(ts.signedTimestamp)),
         });
     }
     return {
@@ -45,13 +47,13 @@ function key(bundle) {
         case 'x509CertificateChain':
             return {
                 $case: 'certificate',
-                certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.x509CertificateChain
-                    .certificates[0].rawBytes),
+                certificate: core_1.X509Certificate.parse(Buffer.from(bundle.verificationMaterial.content.x509CertificateChain
+                    .certificates[0].rawBytes)),
             };
         case 'certificate':
             return {
                 $case: 'certificate',
-                certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.certificate.rawBytes),
+                certificate: core_1.X509Certificate.parse(Buffer.from(bundle.verificationMaterial.content.certificate.rawBytes)),
             };
     }
 }

node_modules/@sigstore/verify/dist/bundle/message.js

@@ -17,11 +17,29 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 const core_1 = require("@sigstore/core");
+const protobuf_specs_1 = require("@sigstore/protobuf-specs");
+// Map from the Sigstore protobuf HashAlgorithm enum to
+// the string values used by the Node.js crypto module.
+const HASH_ALGORITHM_MAP = {
+    [protobuf_specs_1.HashAlgorithm.HASH_ALGORITHM_UNSPECIFIED]: 'sha256',
+    [protobuf_specs_1.HashAlgorithm.SHA2_256]: 'sha256',
+    [protobuf_specs_1.HashAlgorithm.SHA2_384]: 'sha384',
+    [protobuf_specs_1.HashAlgorithm.SHA2_512]: 'sha512',
+    [protobuf_specs_1.HashAlgorithm.SHA3_256]: 'sha3-256',
+    [protobuf_specs_1.HashAlgorithm.SHA3_384]: 'sha3-384',
+};
 class MessageSignatureContent {
+    signature;
+    messageDigest;
+    artifact;
+    hashAlgorithm;
     constructor(messageSignature, artifact) {
         this.signature = messageSignature.signature;
         this.messageDigest = messageSignature.messageDigest.digest;
         this.artifact = artifact;
+        this.hashAlgorithm =
+            HASH_ALGORITHM_MAP[messageSignature.messageDigest.algorithm] ??
+                /* istanbul ignore next */ 'sha256';
     }
     compareSignature(signature) {
         return core_1.crypto.bufferEqual(signature, this.signature);
@@ -30,7 +48,7 @@ class MessageSignatureContent {
         return core_1.crypto.bufferEqual(digest, this.messageDigest);
     }
     verifySignature(key) {
-        return core_1.crypto.verify(this.artifact, key, this.signature);
+        return core_1.crypto.verify(this.artifact, key, this.signature, this.hashAlgorithm);
     }
 }
 exports.MessageSignatureContent = MessageSignatureContent;

node_modules/@sigstore/verify/dist/error.js

@@ -17,6 +17,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 class BaseError extends Error {
+    code;
+    cause; /* eslint-disable-line @typescript-eslint/no-explicit-any */
     constructor({ code, message, cause, }) {
         super(message);
         this.code = code;

node_modules/@sigstore/verify/dist/key/certificate.js

@@ -32,6 +32,10 @@ function verifyCertificateChain(timestamp, leaf, certificateAuthorities) {
     });
 }
 class CertificateChainVerifier {
+    untrustedCert;
+    trustedCerts;
+    localCerts;
+    timestamp;
     constructor(opts) {
         this.untrustedCert = opts.untrustedCert;
         this.trustedCerts = opts.trustedCerts;

node_modules/@sigstore/verify/dist/timestamp/index.js

@@ -1,46 +1,20 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyTSATimestamp = verifyTSATimestamp;
-exports.verifyTLogTimestamp = verifyTLogTimestamp;
-const error_1 = require("../error");
-const checkpoint_1 = require("./checkpoint");
-const merkle_1 = require("./merkle");
-const set_1 = require("./set");
+exports.getTSATimestamp = getTSATimestamp;
+exports.getTLogTimestamp = getTLogTimestamp;
 const tsa_1 = require("./tsa");
-function verifyTSATimestamp(timestamp, data, timestampAuthorities) {
+function getTSATimestamp(timestamp, data, timestampAuthorities) {
     (0, tsa_1.verifyRFC3161Timestamp)(timestamp, data, timestampAuthorities);
     return {
         type: 'timestamp-authority',
         logID: timestamp.signerSerialNumber,
         timestamp: timestamp.signingTime,
     };
 }
-function verifyTLogTimestamp(entry, tlogAuthorities) {
-    let inclusionVerified = false;
-    if (isTLogEntryWithInclusionPromise(entry)) {
-        (0, set_1.verifyTLogSET)(entry, tlogAuthorities);
-        inclusionVerified = true;
-    }
-    if (isTLogEntryWithInclusionProof(entry)) {
-        (0, merkle_1.verifyMerkleInclusion)(entry);
-        (0, checkpoint_1.verifyCheckpoint)(entry, tlogAuthorities);
-        inclusionVerified = true;
-    }
-    if (!inclusionVerified) {
-        throw new error_1.VerificationError({
-            code: 'TLOG_MISSING_INCLUSION_ERROR',
-            message: 'inclusion could not be verified',
-        });
-    }
+function getTLogTimestamp(entry) {
     return {
         type: 'transparency-log',
         logID: entry.logId.keyId,
         timestamp: new Date(Number(entry.integratedTime) * 1000),
     };
 }
-function isTLogEntryWithInclusionPromise(entry) {
-    return entry.inclusionPromise !== undefined;
-}
-function isTLogEntryWithInclusionProof(entry) {
-    return entry.inclusionProof !== undefined;
-}

…tore/verify/dist/timestamp/checkpoint.js …@sigstore/verify/dist/tlog/checkpoint.jsnode_modules/@sigstore/verify/dist/timestamp/checkpoint.js renamed to node_modules/@sigstore/verify/dist/tlog/checkpoint.js node_modules/@sigstore/verify/dist/timestamp/checkpoint.js renamed to node_modules/@sigstore/verify/dist/tlog/checkpoint.js

@@ -1,8 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.LogCheckpoint = void 0;
 exports.verifyCheckpoint = verifyCheckpoint;
 /*
-Copyright 2023 The Sigstore Authors.
+Copyright 2025 The Sigstore Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -18,7 +19,6 @@ limitations under the License.
 */
 const core_1 = require("@sigstore/core");
 const error_1 = require("../error");
-const trust_1 = require("../trust");
 // Separator between the note and the signatures in a checkpoint
 const CHECKPOINT_SEPARATOR = '\n\n';
 // Checkpoint signatures are of the following form:
@@ -37,39 +37,29 @@ const SIGNATURE_REGEX = /\u2014 (\S+) (\S+)\n/g;
 //    inclusion proof
 // See: https://github.com/transparency-dev/formats/blob/main/log/README.md
 function verifyCheckpoint(entry, tlogs) {
-    // Filter tlog instances to just those which were valid at the time of the
-    // entry
-    const validTLogs = (0, trust_1.filterTLogAuthorities)(tlogs, {
-        targetDate: new Date(Number(entry.integratedTime) * 1000),
-    });
     const inclusionProof = entry.inclusionProof;
     const signedNote = SignedNote.fromString(inclusionProof.checkpoint.envelope);
     const checkpoint = LogCheckpoint.fromString(signedNote.note);
     // Verify that the signatures in the checkpoint are all valid
-    if (!verifySignedNote(signedNote, validTLogs)) {
+    if (!verifySignedNote(signedNote, tlogs)) {
         throw new error_1.VerificationError({
             code: 'TLOG_INCLUSION_PROOF_ERROR',
             message: 'invalid checkpoint signature',
         });
     }
-    // Verify that the root hash from the checkpoint matches the root hash in the
-    // inclusion proof
-    if (!core_1.crypto.bufferEqual(checkpoint.logHash, inclusionProof.rootHash)) {
-        throw new error_1.VerificationError({
-            code: 'TLOG_INCLUSION_PROOF_ERROR',
-            message: 'root hash mismatch',
-        });
-    }
+    return checkpoint;
 }
 // Verifies the signatures in the SignedNote. For each signature, the
 // corresponding transparency log is looked up by the key hint and the
 // signature is verified against the public key in the transparency log.
 // Throws an error if any of the signatures are invalid.
 function verifySignedNote(signedNote, tlogs) {
     const data = Buffer.from(signedNote.note, 'utf-8');
-    return signedNote.signatures.every((signature) => {
+    return signedNote.signatures.some((signature) => {
         // Find the transparency log instance with the matching key hint
-        const tlog = tlogs.find((tlog) => core_1.crypto.bufferEqual(tlog.logID.subarray(0, 4), signature.keyHint));
+        const tlog = tlogs.find((tlog) => core_1.crypto.bufferEqual(tlog.logID.subarray(0, 4), signature.keyHint) &&
+            tlog.baseURL.match(signature.name) // Match the name to the base URL of the tlog
+        );
         if (!tlog) {
             return false;
         }
@@ -80,6 +70,8 @@ function verifySignedNote(signedNote, tlogs) {
 // of a body (or note) and one more signatures calculated over the body. See
 // https://github.com/transparency-dev/formats/blob/main/log/README.md#signed-envelope
 class SignedNote {
+    note;
+    signatures;
     constructor(note, signatures) {
         this.note = note;
         this.signatures = signatures;
@@ -134,6 +126,10 @@ class SignedNote {
 // See:
 // https://github.com/transparency-dev/formats/blob/main/log/README.md#checkpoint-body
 class LogCheckpoint {
+    origin;
+    logSize;
+    logHash;
+    rest;
     constructor(origin, logSize, logHash, rest) {
         this.origin = origin;
         this.logSize = logSize;
@@ -155,3 +151,4 @@ class LogCheckpoint {
         return new LogCheckpoint(origin, logSize, rootHash, rest);
     }
 }
+exports.LogCheckpoint = LogCheckpoint;

node_modules/@sigstore/verify/dist/tlog/dsse.js

@@ -1,8 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.DSSE_API_VERSION_V1 = void 0;
 exports.verifyDSSETLogBody = verifyDSSETLogBody;
+exports.verifyDSSETLogBodyV2 = verifyDSSETLogBodyV2;
 /*
-Copyright 2023 The Sigstore Authors.
+Copyright 2025 The Sigstore Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,10 +19,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 const error_1 = require("../error");
-// Compare the given intoto tlog entry to the given bundle
+exports.DSSE_API_VERSION_V1 = '0.0.1';
+// Compare the given dsse tlog entry to the given bundle
 function verifyDSSETLogBody(tlogEntry, content) {
     switch (tlogEntry.apiVersion) {
-        case '0.0.1':
+        case exports.DSSE_API_VERSION_V1:
             return verifyDSSE001TLogBody(tlogEntry, content);
         default:
             throw new error_1.VerificationError({
@@ -29,6 +32,26 @@ function verifyDSSETLogBody(tlogEntry, content) {
             });
     }
 }
+// Compare the given dsse tlog entry to the given bundle. This function is
+// specifically for Rekor V2 entries.
+function verifyDSSETLogBodyV2(tlogEntry, content) {
+    const spec = tlogEntry.spec?.spec;
+    if (!spec) {
+        throw new error_1.VerificationError({
+            code: 'TLOG_BODY_ERROR',
+            message: `missing dsse spec`,
+        });
+    }
+    switch (spec.$case) {
+        case 'dsseV002':
+            return verifyDSSE002TLogBody(spec.dsseV002, content);
+        default:
+            throw new error_1.VerificationError({
+                code: 'TLOG_BODY_ERROR',
+                message: `unsupported version: ${spec.$case}`,
+            });
+    }
+}
 // Compare the given dsse v0.0.1 tlog entry to the given DSSE envelope.
 function verifyDSSE001TLogBody(tlogEntry, content) {
     // Ensure the bundle's DSSE only contains a single signature
@@ -55,3 +78,29 @@ function verifyDSSE001TLogBody(tlogEntry, content) {
         });
     }
 }
+// Compare the given dsse v0.0.2 tlog entry to the given DSSE envelope.
+function verifyDSSE002TLogBody(spec, content) {
+    // Ensure the bundle's DSSE only contains a single signature
+    if (spec.signatures?.length !== 1) {
+        throw new error_1.VerificationError({
+            code: 'TLOG_BODY_ERROR',
+            message: 'signature count mismatch',
+        });
+    }
+    const tlogSig = spec.signatures[0].content;
+    // Ensure that the signature in the bundle's DSSE matches tlog entry
+    if (!content.compareSignature(tlogSig))
+        throw new error_1.VerificationError({
+            code: 'TLOG_BODY_ERROR',
+            message: 'tlog entry signature mismatch',
+        });
+    // Ensure the digest of the bundle's DSSE payload matches the digest in the
+    // tlog entry
+    const tlogHash = spec.payloadHash?.digest || Buffer.from('');
+    if (!content.compareDigest(tlogHash)) {
+        throw new error_1.VerificationError({
+            code: 'TLOG_BODY_ERROR',
+            message: 'DSSE payload hash mismatch',
+        });
+    }
+}