-
Notifications
You must be signed in to change notification settings - Fork 47
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
deps: bump sigstore from 2.0.0 to 2.2.0 (#343)
Update `sigstore` to version 2.2.0. Leverages the new `tufForceCache` option in the sigstore `verify` function to make better use of the local TUF cache. Previously, the TUF cache would be refreshed with each invocation -- now the TUF cache will only be refreshed if the metadata files contained therein are expired. Eliminates one test case which is no longer relevant given the use of the `tufForceCache` option. Signed-off-by: Brian DeHamer <[email protected]>
- Loading branch information
Showing
3 changed files
with
2 additions
and
61 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -552,66 +552,6 @@ t.test('verifyAttestations invalid signature', async t => { | |
) | ||
}) | ||
|
||
t.test('verifyAttestations errors when tuf update fails', async t => { | ||
tnock(t, 'https://registry.npmjs.org') | ||
.get('/sigstore') | ||
.reply(200, { | ||
_id: 'sigstore', | ||
_rev: 'deadbeef', | ||
name: 'sigstore', | ||
'dist-tags': { latest: '0.4.0' }, | ||
versions: { | ||
'0.4.0': { | ||
name: 'sigstore', | ||
version: '0.4.0', | ||
dist: { | ||
// eslint-disable-next-line max-len | ||
integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', | ||
// eslint-disable-next-line max-len | ||
attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/[email protected]', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, | ||
}, | ||
}, | ||
}, | ||
}) | ||
|
||
const fixture = fs.readFileSync( | ||
path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'), | ||
'utf8' | ||
) | ||
|
||
tnock(t, 'https://tuf-repo-cdn.sigstore.dev') | ||
.get(/./) // match any path | ||
.reply(404) | ||
|
||
tnock(t, 'https://registry.npmjs.org') | ||
.get('/-/npm/v1/attestations/[email protected]') | ||
.reply(200, JSON.parse(fixture)) | ||
|
||
const f = new RegistryFetcher('[email protected]', { | ||
registry: 'https://registry.npmjs.org', | ||
cache, | ||
verifyAttestations: true, | ||
[`//registry.npmjs.org/:_keys`]: [{ | ||
expires: null, | ||
keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', | ||
keytype: 'ecdsa-sha2-nistp256', | ||
scheme: 'ecdsa-sha2-nistp256', | ||
// eslint-disable-next-line max-len | ||
key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', | ||
// eslint-disable-next-line max-len | ||
pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', | ||
}], | ||
}) | ||
|
||
return t.rejects( | ||
f.manifest(), | ||
/[email protected] failed to verify attestation: error refreshing TUF metadata/, | ||
{ | ||
code: 'EATTESTATIONVERIFY', | ||
} | ||
) | ||
}) | ||
|
||
t.test('verifyAttestations publish attestation for unknown public key', async t => { | ||
tnock(t, 'https://registry.npmjs.org') | ||
.get('/sigstore') | ||
|