1
0
Fork 0

generate v0.3 bundles in attest package

Signed-off-by: Brian DeHamer <bdehamer@github.com>
pull/1701/head
Brian DeHamer 2024-04-03 12:12:26 -07:00
parent 59e9d284e9
commit f8d95a85df
No known key found for this signature in database
6 changed files with 48 additions and 43 deletions

View File

@ -1,5 +1,11 @@
# @actions/attest Releases # @actions/attest Releases
### 1.2.0
- Generate attestations using the v0.3 Sigstore bundle format.
- Bump @sigstore/bundle from 2.2.0 to 2.3.0.
- Bump @sigstore/sign from 2.2.3 to 2.3.0.
### 1.1.0 ### 1.1.0
- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement. - Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement.

View File

@ -64,13 +64,11 @@ describe('signProvenance', () => {
expect(att).toBeDefined() expect(att).toBeDefined()
expect(att.mediaType).toEqual( expect(att.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2' 'application/vnd.dev.sigstore.bundle.v0.3+json'
) )
expect(att.content.$case).toEqual('dsseEnvelope') expect(att.content.$case).toEqual('dsseEnvelope')
expect(att.verificationMaterial.content.$case).toEqual( expect(att.verificationMaterial.content.$case).toEqual('certificate')
'x509CertificateChain'
)
expect(att.verificationMaterial.tlogEntries).toHaveLength(1) expect(att.verificationMaterial.tlogEntries).toHaveLength(1)
expect( expect(
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
@ -89,13 +87,11 @@ describe('signProvenance', () => {
expect(att).toBeDefined() expect(att).toBeDefined()
expect(att.mediaType).toEqual( expect(att.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2' 'application/vnd.dev.sigstore.bundle.v0.3+json'
) )
expect(att.content.$case).toEqual('dsseEnvelope') expect(att.content.$case).toEqual('dsseEnvelope')
expect(att.verificationMaterial.content.$case).toEqual( expect(att.verificationMaterial.content.$case).toEqual('certificate')
'x509CertificateChain'
)
expect(att.verificationMaterial.tlogEntries).toHaveLength(0) expect(att.verificationMaterial.tlogEntries).toHaveLength(0)
expect( expect(
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps

View File

@ -1,19 +1,19 @@
{ {
"name": "@actions/attest", "name": "@actions/attest",
"version": "1.0.0", "version": "1.2.0",
"lockfileVersion": 2, "lockfileVersion": 2,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "@actions/attest", "name": "@actions/attest",
"version": "1.0.0", "version": "1.2.0",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@actions/github": "^6.0.0", "@actions/github": "^6.0.0",
"@actions/http-client": "^2.2.1", "@actions/http-client": "^2.2.1",
"@sigstore/bundle": "^2.2.0", "@sigstore/bundle": "^2.3.0",
"@sigstore/sign": "^2.2.3", "@sigstore/sign": "^2.3.0",
"jsonwebtoken": "^9.0.2", "jsonwebtoken": "^9.0.2",
"jwks-rsa": "^3.1.0", "jwks-rsa": "^3.1.0",
"make-fetch-happen": "^13.0.0" "make-fetch-happen": "^13.0.0"
@ -408,11 +408,11 @@
} }
}, },
"node_modules/@sigstore/bundle": { "node_modules/@sigstore/bundle": {
"version": "2.2.0", "version": "2.3.0",
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.2.0.tgz", "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.0.tgz",
"integrity": "sha512-5VI58qgNs76RDrwXNhpmyN/jKpq9evV/7f1XrcqcAfvxDl5SeVY/I5Rmfe96ULAV7/FK5dge9RBKGBJPhL1WsQ==", "integrity": "sha512-MU3XYHkOvKEFnuUtcAtVh0s4RTemRyi1NN87+v9fAL0qR9JZuK/nF27YJ79wjPvvi1W9sz3qc7cTgshH5tji6Q==",
"dependencies": { "dependencies": {
"@sigstore/protobuf-specs": "^0.3.0" "@sigstore/protobuf-specs": "^0.3.1"
}, },
"engines": { "engines": {
"node": "^16.14.0 || >=18.0.0" "node": "^16.14.0 || >=18.0.0"
@ -448,11 +448,11 @@
} }
}, },
"node_modules/@sigstore/protobuf-specs": { "node_modules/@sigstore/protobuf-specs": {
"version": "0.3.0", "version": "0.3.1",
"resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.0.tgz", "resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.1.tgz",
"integrity": "sha512-zxiQ66JFOjVvP9hbhGj/F/qNdsZfkGb/dVXSanNRNuAzMlr4MC95voPUBX8//ZNnmv3uSYzdfR/JSkrgvZTGxA==", "integrity": "sha512-aIL8Z9NsMr3C64jyQzE0XlkEyBLpgEJJFDHLVVStkFV5Q3Il/r/YtY6NJWKQ4cy4AE7spP1IX5Jq7VCAxHHMfQ==",
"engines": { "engines": {
"node": "^14.17.0 || ^16.13.0 || >=18.0.0" "node": "^16.14.0 || >=18.0.0"
} }
}, },
"node_modules/@sigstore/rekor-types": { "node_modules/@sigstore/rekor-types": {
@ -465,13 +465,13 @@
} }
}, },
"node_modules/@sigstore/sign": { "node_modules/@sigstore/sign": {
"version": "2.2.3", "version": "2.3.0",
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.2.3.tgz", "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.0.tgz",
"integrity": "sha512-LqlA+ffyN02yC7RKszCdMTS6bldZnIodiox+IkT8B2f8oRYXCB3LQ9roXeiEL21m64CVH1wyveYAORfD65WoSw==", "integrity": "sha512-tsAyV6FC3R3pHmKS880IXcDJuiFJiKITO1jxR1qbplcsBkZLBmjrEw5GbC7ikD6f5RU1hr7WnmxB/2kKc1qUWQ==",
"dependencies": { "dependencies": {
"@sigstore/bundle": "^2.2.0", "@sigstore/bundle": "^2.3.0",
"@sigstore/core": "^1.0.0", "@sigstore/core": "^1.0.0",
"@sigstore/protobuf-specs": "^0.3.0", "@sigstore/protobuf-specs": "^0.3.1",
"make-fetch-happen": "^13.0.0" "make-fetch-happen": "^13.0.0"
}, },
"engines": { "engines": {
@ -2324,11 +2324,11 @@
"optional": true "optional": true
}, },
"@sigstore/bundle": { "@sigstore/bundle": {
"version": "2.2.0", "version": "2.3.0",
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.2.0.tgz", "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.0.tgz",
"integrity": "sha512-5VI58qgNs76RDrwXNhpmyN/jKpq9evV/7f1XrcqcAfvxDl5SeVY/I5Rmfe96ULAV7/FK5dge9RBKGBJPhL1WsQ==", "integrity": "sha512-MU3XYHkOvKEFnuUtcAtVh0s4RTemRyi1NN87+v9fAL0qR9JZuK/nF27YJ79wjPvvi1W9sz3qc7cTgshH5tji6Q==",
"requires": { "requires": {
"@sigstore/protobuf-specs": "^0.3.0" "@sigstore/protobuf-specs": "^0.3.1"
} }
}, },
"@sigstore/core": { "@sigstore/core": {
@ -2355,9 +2355,9 @@
} }
}, },
"@sigstore/protobuf-specs": { "@sigstore/protobuf-specs": {
"version": "0.3.0", "version": "0.3.1",
"resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.0.tgz", "resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.1.tgz",
"integrity": "sha512-zxiQ66JFOjVvP9hbhGj/F/qNdsZfkGb/dVXSanNRNuAzMlr4MC95voPUBX8//ZNnmv3uSYzdfR/JSkrgvZTGxA==" "integrity": "sha512-aIL8Z9NsMr3C64jyQzE0XlkEyBLpgEJJFDHLVVStkFV5Q3Il/r/YtY6NJWKQ4cy4AE7spP1IX5Jq7VCAxHHMfQ=="
}, },
"@sigstore/rekor-types": { "@sigstore/rekor-types": {
"version": "2.0.0", "version": "2.0.0",
@ -2366,13 +2366,13 @@
"dev": true "dev": true
}, },
"@sigstore/sign": { "@sigstore/sign": {
"version": "2.2.3", "version": "2.3.0",
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.2.3.tgz", "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.0.tgz",
"integrity": "sha512-LqlA+ffyN02yC7RKszCdMTS6bldZnIodiox+IkT8B2f8oRYXCB3LQ9roXeiEL21m64CVH1wyveYAORfD65WoSw==", "integrity": "sha512-tsAyV6FC3R3pHmKS880IXcDJuiFJiKITO1jxR1qbplcsBkZLBmjrEw5GbC7ikD6f5RU1hr7WnmxB/2kKc1qUWQ==",
"requires": { "requires": {
"@sigstore/bundle": "^2.2.0", "@sigstore/bundle": "^2.3.0",
"@sigstore/core": "^1.0.0", "@sigstore/core": "^1.0.0",
"@sigstore/protobuf-specs": "^0.3.0", "@sigstore/protobuf-specs": "^0.3.1",
"make-fetch-happen": "^13.0.0" "make-fetch-happen": "^13.0.0"
} }
}, },

View File

@ -1,6 +1,6 @@
{ {
"name": "@actions/attest", "name": "@actions/attest",
"version": "1.1.0", "version": "1.2.0",
"description": "Actions attestation lib", "description": "Actions attestation lib",
"keywords": [ "keywords": [
"github", "github",
@ -46,8 +46,8 @@
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@actions/github": "^6.0.0", "@actions/github": "^6.0.0",
"@actions/http-client": "^2.2.1", "@actions/http-client": "^2.2.1",
"@sigstore/bundle": "^2.2.0", "@sigstore/bundle": "^2.3.0",
"@sigstore/sign": "^2.2.3", "@sigstore/sign": "^2.3.0",
"jsonwebtoken": "^9.0.2", "jsonwebtoken": "^9.0.2",
"jwks-rsa": "^3.1.0", "jwks-rsa": "^3.1.0",
"make-fetch-happen": "^13.0.0" "make-fetch-happen": "^13.0.0"

View File

@ -1,10 +1,11 @@
import {Bundle, bundleToJSON} from '@sigstore/bundle' import {bundleToJSON} from '@sigstore/bundle'
import {X509Certificate} from 'crypto' import {X509Certificate} from 'crypto'
import {SigstoreInstance, signingEndpoints} from './endpoints' import {SigstoreInstance, signingEndpoints} from './endpoints'
import {buildIntotoStatement} from './intoto' import {buildIntotoStatement} from './intoto'
import {Payload, signPayload} from './sign' import {Payload, signPayload} from './sign'
import {writeAttestation} from './store' import {writeAttestation} from './store'
import type {Bundle} from '@sigstore/sign'
import type {Attestation, Predicate, Subject} from './shared.types' import type {Attestation, Predicate, Subject} from './shared.types'
const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json' const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'

View File

@ -1,5 +1,5 @@
import {Bundle} from '@sigstore/bundle'
import { import {
Bundle,
BundleBuilder, BundleBuilder,
CIContextProvider, CIContextProvider,
DSSEBundleBuilder, DSSEBundleBuilder,
@ -103,5 +103,7 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
) )
} }
return new DSSEBundleBuilder({signer, witnesses}) // Build the bundle with the singleCertificate option which will
// trigger the creation of v0.3 DSSE bundles
return new DSSEBundleBuilder({signer, witnesses, singleCertificate: true})
} }