Skip to content

Commit

Permalink
deps: bump sigstore from 2.0.0 to 2.2.0 (#343)
Browse files Browse the repository at this point in the history
Update `sigstore` to version 2.2.0.

Leverages the new `tufForceCache` option in the sigstore `verify`
function to make better use of the local TUF cache. Previously, the TUF
cache would be refreshed with each invocation -- now the TUF cache will
only be refreshed if the metadata files contained therein are expired.

Eliminates one test case which is no longer relevant given the use of
the `tufForceCache` option.

Signed-off-by: Brian DeHamer <[email protected]>
  • Loading branch information
bdehamer authored Jan 16, 2024
1 parent 6fd23ad commit 0a5920f
Show file tree
Hide file tree
Showing 3 changed files with 2 additions and 61 deletions.
1 change: 1 addition & 0 deletions lib/registry.js
Original file line number Diff line number Diff line change
Expand Up @@ -321,6 +321,7 @@ class RegistryFetcher extends Fetcher {
// specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys`
const options = {
tufCachePath: this.tufCache,
tufForceCache: true,
keySelector: publicKey ? () => publicKey.pemkey : undefined,
}
await sigstore.verify(bundle, options)
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@
"promise-retry": "^2.0.1",
"read-package-json": "^7.0.0",
"read-package-json-fast": "^3.0.0",
"sigstore": "^2.0.0",
"sigstore": "^2.2.0",
"ssri": "^10.0.0",
"tar": "^6.1.11"
},
Expand Down
60 changes: 0 additions & 60 deletions test/registry.js
Original file line number Diff line number Diff line change
Expand Up @@ -552,66 +552,6 @@ t.test('verifyAttestations invalid signature', async t => {
)
})

t.test('verifyAttestations errors when tuf update fails', async t => {
tnock(t, 'https://registry.npmjs.org')
.get('/sigstore')
.reply(200, {
_id: 'sigstore',
_rev: 'deadbeef',
name: 'sigstore',
'dist-tags': { latest: '0.4.0' },
versions: {
'0.4.0': {
name: 'sigstore',
version: '0.4.0',
dist: {
// eslint-disable-next-line max-len
integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==',
// eslint-disable-next-line max-len
attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/[email protected]', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } },
},
},
},
})

const fixture = fs.readFileSync(
path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'),
'utf8'
)

tnock(t, 'https://tuf-repo-cdn.sigstore.dev')
.get(/./) // match any path
.reply(404)

tnock(t, 'https://registry.npmjs.org')
.get('/-/npm/v1/attestations/[email protected]')
.reply(200, JSON.parse(fixture))

const f = new RegistryFetcher('[email protected]', {
registry: 'https://registry.npmjs.org',
cache,
verifyAttestations: true,
[`//registry.npmjs.org/:_keys`]: [{
expires: null,
keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
keytype: 'ecdsa-sha2-nistp256',
scheme: 'ecdsa-sha2-nistp256',
// eslint-disable-next-line max-len
key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==',
// eslint-disable-next-line max-len
pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----',
}],
})

return t.rejects(
f.manifest(),
/[email protected] failed to verify attestation: error refreshing TUF metadata/,
{
code: 'EATTESTATIONVERIFY',
}
)
})

t.test('verifyAttestations publish attestation for unknown public key', async t => {
tnock(t, 'https://registry.npmjs.org')
.get('/sigstore')
Expand Down

0 comments on commit 0a5920f

Please sign in to comment.