Revert "bump @sigstore/sign from 2.3.2 to 3.0.0"

This reverts commit c6c5ef6b8e.
2024-10-15 18:47:19 +00:00 · 2024-10-15 18:47:19 +00:00 · 19806ac731
parent eb8c672aad
commit 19806ac731
3 changed files with 656 additions and 707 deletions
--- a/packages/attest/package-lock.json
+++ b/packages/attest/package-lock.json
--- a/packages/attest/package.json
+++ b/packages/attest/package.json
@ -35,8 +35,8 @@
    "url": "https://github.com/actions/toolkit/issues"
  },
  "devDependencies": {
-    "@sigstore/mock": "^0.8.0",
+    "@sigstore/mock": "^0.7.4",
-    "@sigstore/rekor-types": "^3.0.0",
+    "@sigstore/rekor-types": "^2.0.0",
    "@types/jsonwebtoken": "^9.0.6",
    "nock": "^13.5.1",
    "undici": "^5.28.4"
@ -46,8 +46,8 @@
    "@actions/github": "^6.0.0",
    "@actions/http-client": "^2.2.3",
    "@octokit/plugin-retry": "^6.0.1",
-    "@sigstore/bundle": "^3.0.0",
+    "@sigstore/bundle": "^2.3.2",
-    "@sigstore/sign": "^3.0.0",
+    "@sigstore/sign": "^2.3.2",
    "jose": "^5.2.3"
  },
  "overrides": {
--- a/packages/attest/src/sign.ts
+++ b/packages/attest/src/sign.ts
@ -86,6 +86,7 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
    witnesses.push(
      new RekorWitness({
        rekorBaseURL: opts.rekorURL,
        entryType: 'dsse',
        fetchOnConflict: true,
        timeout,
        retry
@ -105,5 +106,5 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
  // Build the bundle with the singleCertificate option which will
  // trigger the creation of v0.3 DSSE bundles
-  return new DSSEBundleBuilder({signer, witnesses})
+  return new DSSEBundleBuilder({signer, witnesses, singleCertificate: true})
 }