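"use strict";
// ---------------------------------------------------------------------------
// CommonJS interop helpers emitted by the TypeScript compiler. They are
// generated code and are reproduced here without logic changes.
// ---------------------------------------------------------------------------

// Re-exports property `k` of module `m` on object `o` under the name `k2`
// (defaults to `k`), using a live getter when Object.create is available.
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    var desc = Object.getOwnPropertyDescriptor(m, k);
    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
        desc = { enumerable: true, get: function() { return m[k]; } };
    }
    Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
}));
// Attaches `v` as the "default" property of the namespace object `o`.
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
    o["default"] = v;
});
// Builds a namespace object for `import * as x` from a CommonJS module.
// Only own properties are copied (hasOwnProperty check), "default" excluded.
var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0;
/*
Copyright 2023 The Sigstore Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const tuf = __importStar(require("@sigstore/tuf"));
const config = __importStar(require("./config"));
const sign_1 = require("./sign");
const sigstore = __importStar(require("./types/sigstore"));
const verify_1 = require("./verify");

/**
 * Signs `payload` as a blob and returns the resulting bundle as JSON.
 *
 * The CA client, transparency-log client and identity providers are all
 * derived from `options` by the `config` helpers. When
 * `options.identityProvider` is set it is used as the only identity
 * provider; otherwise the list returned by `config.identityProviders` is used.
 *
 * NOTE(review): `options.tlogUpload` is forwarded to the Signer unchanged.
 * Presumably a falsy value skips the transparency-log upload; confirm in
 * ./sign, because a signature that is not logged cannot be audited later.
 *
 * @param payload - data handed to `Signer.signBlob`
 * @param {object} [options] - signing options (see ./config)
 * @returns {Promise<object>} JSON form of the signed bundle
 */
async function sign(payload, options = {}) {
    const ca = config.createCAClient(options);
    const tlog = config.createTLogClient(options);
    const idps = config.identityProviders(options);
    const signer = new sign_1.Signer({
        ca,
        tlog,
        identityProviders: options.identityProvider
            ? [options.identityProvider]
            : idps,
        tlogUpload: options.tlogUpload,
    });
    const bundle = await signer.signBlob(payload);
    return sigstore.bundleToJSON(bundle);
}
exports.sign = sign;

/**
 * Signs `payload` as an attestation of type `payloadType` and returns the
 * resulting bundle as JSON.
 *
 * Same wiring as `sign`, with one addition: a TSA client built by
 * `config.createTSAClient` is also handed to the Signer.
 *
 * @param payload - attestation body handed to `Signer.signAttestation`
 * @param payloadType - type identifier passed alongside the payload
 * @param {object} [options] - signing options (see ./config)
 * @returns {Promise<object>} JSON form of the signed bundle
 */
async function attest(payload, payloadType, options = {}) {
    const ca = config.createCAClient(options);
    const tlog = config.createTLogClient(options);
    const tsa = config.createTSAClient(options);
    const idps = config.identityProviders(options);
    const signer = new sign_1.Signer({
        ca,
        tlog,
        tsa,
        identityProviders: options.identityProvider
            ? [options.identityProvider]
            : idps,
        tlogUpload: options.tlogUpload,
    });
    const bundle = await signer.signAttestation(payload, payloadType);
    return sigstore.bundleToJSON(bundle);
}
exports.attest = attest;

/**
 * Verifies a JSON bundle, optionally against `payload`.
 *
 * The trusted root is obtained through TUF on every call. The mirror URL,
 * root path and cache path all come straight from `options`; retry and
 * timeout fall back to the config defaults when not supplied.
 *
 * Security notes for callers:
 *  - `tufMirrorURL` / `tufRootPath` select where the trust root comes from.
 *    They must be fixed by the application, never taken from the same
 *    untrusted source as the bundle being verified.
 *  - NOTE(review): the verification policy is whatever
 *    `config.artifactVerificationOptions(options)` derives. With the default
 *    empty `options` no caller-specified signer identity is visible here;
 *    confirm in ./config what is enforced in that case before relying on a
 *    successful return as proof of *who* signed.
 *
 * @param {object} bundle - bundle in JSON form (parsed by `bundleFromJSON`)
 * @param [payload] - artifact passed through to `Verifier.verify`
 * @param {object} [options] - TUF and verification options
 * @returns result of `Verifier.verify`; failures presumably surface as the
 *          error classes re-exported below (confirm in ./verify)
 */
async function verify(bundle, payload, options = {}) {
    const trustedRoot = await tuf.getTrustedRoot({
        mirrorURL: options.tufMirrorURL,
        rootPath: options.tufRootPath,
        cachePath: options.tufCachePath,
        retry: options.retry ?? config.DEFAULT_RETRY,
        timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
    });
    const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
    const deserializedBundle = sigstore.bundleFromJSON(bundle);
    const opts = config.artifactVerificationOptions(options);
    return verifier.verify(deserializedBundle, opts, payload);
}
exports.verify = verify;

/**
 * Creates a reusable verifier bound to one trusted root and one set of
 * verification options.
 *
 * `options` defaults to `{}` so that a call without arguments behaves like
 * `verify()` instead of throwing a TypeError on the first property read.
 *
 * Security notes for callers:
 *  - The trusted root is fetched once, here, and captured by the returned
 *    object. A long-lived verifier keeps using that snapshot; recreate it
 *    to pick up trust-root updates.
 *  - The returned `verify(bundle)` passes no payload to `Verifier.verify`.
 *    NOTE(review): whether the bundle is then bound to specific artifact
 *    bytes depends on ./verify; confirm before using this for bundles that
 *    do not embed their payload.
 *
 * @param {object} [options] - TUF and verification options
 * @returns {Promise<{verify: function(object)}>} object exposing `verify`
 */
async function createVerifier(options = {}) {
    const trustedRoot = await tuf.getTrustedRoot({
        mirrorURL: options.tufMirrorURL,
        rootPath: options.tufRootPath,
        cachePath: options.tufCachePath,
        retry: options.retry ?? config.DEFAULT_RETRY,
        timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
    });
    const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
    const verifyOpts = config.artifactVerificationOptions(options);
    return {
        verify: (bundle) => {
            const deserializedBundle = sigstore.bundleFromJSON(bundle);
            return verifier.verify(deserializedBundle, verifyOpts);
        },
    };
}
exports.createVerifier = createVerifier;

// Thin helpers around the TUF client, exported as `tuf`.
// Unlike verify()/createVerifier(), `retry` and `timeout` are forwarded
// as given (possibly undefined) with no fallback to the config defaults.
const tufUtils = {
    /**
     * Initialises a TUF client from the given options.
     * @param {object} [options] - tufMirrorURL, tufRootPath, tufCachePath, retry, timeout
     * @returns result of `tuf.initTUF`
     */
    client: (options = {}) => {
        return tuf.initTUF({
            mirrorURL: options.tufMirrorURL,
            rootPath: options.tufRootPath,
            cachePath: options.tufCachePath,
            retry: options.retry,
            timeout: options.timeout,
        });
    },
    /**
     * Initialises a TUF client and fetches the target at `path`.
     * @deprecated Use tufUtils.client instead.
     * @param path - target path passed to the client's `getTarget`
     * @param {object} [options] - same options as `client`
     */
    getTarget: (path, options = {}) => {
        return tuf
            .initTUF({
                mirrorURL: options.tufMirrorURL,
                rootPath: options.tufRootPath,
                cachePath: options.tufCachePath,
                retry: options.retry,
                timeout: options.timeout,
            })
            .then((t) => t.getTarget(path));
    },
};
exports.tuf = tufUtils;

// Error classes re-exported through live getters so callers can
// distinguish failure kinds with `instanceof`.
var error_1 = require("./error");
Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return error_1.InternalError; } });
Object.defineProperty(exports, "PolicyError", { enumerable: true, get: function () { return error_1.PolicyError; } });
Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return error_1.ValidationError; } });
Object.defineProperty(exports, "VerificationError", { enumerable: true, get: function () { return error_1.VerificationError; } });
exports.utils = __importStar(require("./sigstore-utils"));
exports.DEFAULT_FULCIO_URL = config.DEFAULT_FULCIO_URL;
exports.DEFAULT_REKOR_URL = config.DEFAULT_REKOR_URL;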