
Commit d9b1540

authoredJul 11, 2023
integrate @sigstore/bundle into client (#601)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
1 parent 2a5f500 commit d9b1540

30 files changed

+326
-1198
lines changed
 

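--- a/.changeset/twelve-balloons-work.md
+++ b/.changeset/twelve-balloons-work.md
@@ -0,0 +1,5 @@
+---
+'sigstore': minor
+---
+
+Integrate @sigstore/bundle package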

‎package-lock.json

+2

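--- a/packages/client/package.json
+++ b/packages/client/package.json
@@ -36,6 +36,7 @@
 "@types/make-fetch-happen": "^10.0.0"
 },
 "dependencies": {
+"@sigstore/bundle": "^0.0.0",
 "@sigstore/protobuf-specs": "^0.1.0",
 "@sigstore/tuf": "^1.0.1",
 "make-fetch-happen": "^11.0.1"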
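Review bot: The added `"@sigstore/bundle": "^0.0.0"` is, under semver caret rules for a 0.0.x version, an exact pin to 0.0.0, so the `^` is misleading and the first real release of the package will need a manual bump here. An exact pin is the right posture for a package that will sit on the verification path, so consider making it explicit as `"@sigstore/bundle": "0.0.0"` (or the workspace protocol, if the repo's package manager supports one). Presumably this is a workspace sibling in the monorepo; since the package-lock.json change is not rendered here, confirm that the lockfile resolves it to the local workspace package and not to a registry package of the same name, which is the dependency-confusion case a pre-release version is most exposed to.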

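--- a/packages/client/src/__tests__/ca/verify/index.test.ts
+++ b/packages/client/src/__tests__/ca/verify/index.test.ts
@@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+import { bundleFromJSON, BundleWithCertificateChain } from '@sigstore/bundle';
 import { verifySigningCertificate } from '../../../ca/verify';
 import * as sigstore from '../../../types/sigstore';
 import bundles from '../../__fixtures__/bundles/';
@@ -21,9 +22,7 @@ import { trustedRoot } from '../../__fixtures__/trust';
 describe('verifySigningCertificate', () => {
 // Temporary until we reconsole bundle formats
 const bundleJSON = bundles.dsse.valid.withSigningCert;
-const bundle = sigstore.bundleFromJSON(
-bundleJSON
-) as sigstore.BundleWithCertificateChain;
+const bundle = bundleFromJSON(bundleJSON) as BundleWithCertificateChain;
 
 const ctlogOptions: sigstore.ArtifactVerificationOptions_CtlogOptions = {
 disable: false,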
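Review bot: The new `const bundle = bundleFromJSON(bundleJSON) as BundleWithCertificateChain;` asserts the fixture's shape instead of checking it, so if `bundles.dsse.valid.withSigningCert` ever stops carrying a certificate chain the failure will surface somewhere inside verifySigningCertificate rather than at test setup, which is exactly the kind of silent fixture drift that lets a verifier regression go unnoticed. The removed lines had the same cast, so this is pre-existing, but the switch to the new package is the moment to fix it: if @sigstore/bundle exports a type guard for bundles with a certificate chain (it cannot be confirmed from this hunk), narrow with it and throw when it fails, otherwise add an explicit runtime check on the parsed bundle before the cast. The `describe('verifySigningCertificate'` block this sits in closes outside the hunk.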

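--- a/packages/client/src/__tests__/sigstore.test.ts
+++ b/packages/client/src/__tests__/sigstore.test.ts
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
+import type { SerializedBundle } from '@sigstore/bundle';
 import {
 Bundle,
 HashAlgorithm,
@@ -28,7 +29,6 @@ import mocktuf, { Target } from '@tufjs/repo-mock';
 import { PolicyError, VerificationError } from '../error';
 import { Signer } from '../sign';
 import { attest, createVerifier, sign, tuf, verify } from '../sigstore';
-import { SerializedBundle } from '../types/sigstore';
 import bundles from './__fixtures__/bundles';
 import { trustedRoot } from './__fixtures__/trust';
 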
3434

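--- a/packages/client/src/__tests__/tlog/verify/body.test.ts
+++ b/packages/client/src/__tests__/tlog/verify/body.test.ts
@@ -13,55 +13,53 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+import { bundleFromJSON, TransparencyLogEntry } from '@sigstore/bundle';
 import { verifyTLogBody } from '../../../tlog/verify/body';
-import * as sigstore from '../../../types/sigstore';
 import bundles from '../../__fixtures__/bundles';
 
 describe('verifyTLogBody', () => {
 describe('when a message signature bundle is provided', () => {
 describe('when everything is valid', () => {
-const bundle = sigstore.bundleFromJSON(
-bundles.signature.valid.withSigningCert
-);
+const bundle = bundleFromJSON(bundles.signature.valid.withSigningCert);
 
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns true', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(true);
 });
 });
 
 describe('when the signature does NOT match the value in the tlog entry', () => {
-const bundle = sigstore.bundleFromJSON(
+const bundle = bundleFromJSON(
 bundles.signature.invalid.tlogIncorrectSigInBody
 );
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns false', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
 });
 });
 
 describe('when the digest does NOT match the value in the tlog entry', () => {
-const bundle = sigstore.bundleFromJSON(
+const bundle = bundleFromJSON(
 bundles.signature.invalid.tlogIncorrectDigestInBody
 );
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns false', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
 });
 });
 
 describe('when there is a version mismatch between the tlog entry and the body', () => {
-const bundle = sigstore.bundleFromJSON(
+const bundle = bundleFromJSON(
 bundles.signature.invalid.tlogVersionMismatch
 );
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns false', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
@@ -71,69 +69,63 @@ describe('verifyTLogBody', () => {
 
 describe('when a DSSE Bundle is provided', () => {
 describe('when everything is valid', () => {
-const bundle = sigstore.bundleFromJSON(
-bundles.dsse.valid.withSigningCert
-);
+const bundle = bundleFromJSON(bundles.dsse.valid.withSigningCert);
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns true', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(true);
 });
 });
 
 describe('when the payload hash does NOT match the value in the intoto entry', () => {
-const bundle = sigstore.bundleFromJSON(bundles.dsse.invalid.badSignature);
+const bundle = bundleFromJSON(bundles.dsse.invalid.badSignature);
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns false', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
 });
 });
 
 describe('when the signature does NOT match the value in the intoto entry', () => {
-const bundle = sigstore.bundleFromJSON(
+const bundle = bundleFromJSON(
 bundles.dsse.invalid.tlogIncorrectSigInBody
 );
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns false', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
 });
 });
 
 describe('when the tlog entry version is unsupported', () => {
-const bundle = sigstore.bundleFromJSON(
+const bundle = bundleFromJSON(
 bundles.dsse.invalid.tlogUnsupportedVersion
 );
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns false', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
 });
 });
 
 describe('when the signature count does NOT match the intoto entry', () => {
-const bundle = sigstore.bundleFromJSON(
-bundles.dsse.invalid.tlogTooManySigsInBody
-);
+const bundle = bundleFromJSON(bundles.dsse.invalid.tlogTooManySigsInBody);
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns false', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
 });
 });
 
 describe('when there is a version mismatch between the tlog entry and the body', () => {
-const bundle = sigstore.bundleFromJSON(
-bundles.dsse.invalid.tlogVersionMismatch
-);
+const bundle = bundleFromJSON(bundles.dsse.invalid.tlogVersionMismatch);
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns false', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
@@ -143,11 +135,9 @@ describe('verifyTLogBody', () => {
 
 describe('when a DSSE Bundle w/ dsse tlog entry is provided', () => {
 describe('when everything is valid', () => {
-const bundle = sigstore.bundleFromJSON(
-bundles.dsse.valid.withDSSETLogEntry
-);
+const bundle = bundleFromJSON(bundles.dsse.valid.withDSSETLogEntry);
 const tlogEntry = bundle.verificationMaterial
-?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+?.tlogEntries[0] as TransparencyLogEntry;
 
 it('returns true', () => {
 expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(true);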
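Review bot: Every new `?.tlogEntries[0] as TransparencyLogEntry` line casts away the `undefined` that the optional chain and the index can produce, so a fixture that lost its tlog entry would fail somewhere inside verifyTLogBody instead of at setup, and for the `returns false` cases it could even keep passing for the wrong reason. The removed `as sigstore.VerifiableTransparencyLogEntry` casts had the same weakness, so this is pre-existing, but the same two-statement setup is now copied eleven times across the three hunks and a small helper that parses the fixture and throws on a missing entry would remove both the casts and the duplication. Whether `tlogEntries` elements are already typed as `TransparencyLogEntry` in @sigstore/bundle cannot be told from the hunk; if they are, the cast only hides `undefined`, and the helper below relies on that assignability. The inner `describe` blocks open and close within the hunks, but the outer `describe('verifyTLogBody'` block closes outside the last hunk.
```typescript
import { bundleFromJSON, TransparencyLogEntry } from '@sigstore/bundle';
// … unchanged: remaining imports …

// Parses a fixture and returns it together with its first tlog entry.
// Throws instead of casting so a fixture with no tlog entries fails at
// setup rather than inside verifyTLogBody.
const loadFixture = (json: Parameters<typeof bundleFromJSON>[0]) => {
  const bundle = bundleFromJSON(json);
  const tlogEntry: TransparencyLogEntry | undefined =
    bundle.verificationMaterial?.tlogEntries[0];
  if (tlogEntry === undefined) {
    throw new Error('fixture has no tlog entries');
  }
  return { bundle, tlogEntry };
};

describe('verifyTLogBody', () => {
  describe('when a message signature bundle is provided', () => {
    describe('when everything is valid', () => {
      const { bundle, tlogEntry } = loadFixture(
        bundles.signature.valid.withSigningCert
      );
      // … unchanged: it('returns true', …) …
    });
    // … unchanged: the remaining describe blocks, each replacing its
    // bundleFromJSON + cast pair with a single loadFixture(...) call …
```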
