// CommonJS interop flag (transpiler output): tells ES-module consumers this was an ES module.
Object.defineProperty(exports, "__esModule", { value: true });
// Public surface of the module; both functions are declared further down (function declarations hoist).
Object.assign(exports, { signPackage, attachSignature });
const sign_1 = require("@sigstore/sign");
const bundle_1 = require("@sigstore/bundle");
const crypto_1 = require("crypto");
const promises_1 = require("fs/promises");
const config_1 = require("./config");
/**
 * Signs a package tarball with Sigstore and returns the serialized bundle.
 *
 * The tarball at `options.tarballPath` is read and SHA-256 hashed; the hex
 * digest *string* (UTF-8 encoded, not the raw digest bytes) is what is handed
 * to the bundle builder. Signing is keyless via Fulcio, with the identity
 * taken from the CI context, and the signature is witnessed by Rekor.
 *
 * @param {{ tarballPath: string, fulcioUrl?: string, rekorUrl?: string }} options
 *   `fulcioUrl` / `rekorUrl` override the loaded config, which in turn
 *   overrides the public Sigstore instances. Blank strings fall through to the
 *   next candidate as well (`||`, deliberately not `??`).
 * @returns {Promise<string>} JSON-serialized Sigstore bundle.
 * @throws Propagates errors from loadConfig, readFile, Fulcio and Rekor.
 */
async function signPackage(options) {
  const config = await (0, config_1.loadConfig)();
  const tarballBytes = await (0, promises_1.readFile)(options.tarballPath);
  const digestHex = (0, crypto_1.createHash)('sha256').update(tarballBytes).digest('hex');
  // Endpoint precedence: explicit option > config file > public good instance.
  // NOTE(review): these base URLs are taken from options/config without any
  // validation (scheme, host); a misconfigured or attacker-controlled value
  // would redirect the whole signing flow. Consider checking them before use.
  const fulcioBaseURL = options.fulcioUrl || config.fulcioUrl || 'https://fulcio.sigstore.dev';
  const rekorBaseURL = options.rekorUrl || config.rekorUrl || 'https://rekor.sigstore.dev';
  // Keyless signer: Fulcio issues a short-lived certificate for the CI-provided
  // identity token; the string passed to CIContextProvider appears to be the
  // token audience — confirm against the @sigstore/sign version in use.
  const signer = new sign_1.FulcioSigner({
    fulcioBaseURL,
    identityProvider: new sign_1.CIContextProvider('sigstore-npm-signer'),
  });
  const witnesses = [new sign_1.RekorWitness({ rekorBaseURL })];
  const builder = new sign_1.MessageSignatureBundleBuilder({ signer, witnesses });
  // NOTE(review): the payload is the 64-char hex digest as UTF-8 text, so what
  // gets signed and logged is derived from that text rather than from the
  // tarball's digest bytes directly. A verifier must rebuild exactly this
  // payload; switching to raw bytes ('hex' encoding, or the tarball itself)
  // would change the signed artifact and invalidate existing signatures.
  const bundle = await builder.create({
    data: Buffer.from(digestHex, 'utf8'),
    type: 'application/x.npm+sha256',
  });
  return JSON.stringify((0, bundle_1.bundleToJSON)(bundle));
}
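/**
 * Attaches a serialized Sigstore bundle to package metadata, in place.
 *
 * Sets `packageJson.sigstore.signature = signature`, creating the `sigstore`
 * object when it is absent (or falsy) and preserving any other keys already
 * stored under it.
 *
 * Kept `async` so existing callers using `.then()` / `await` keep working,
 * even though nothing is awaited.
 *
 * @param {object} packageJson - Parsed package.json; mutated by this call.
 * @param {string} signature - Serialized bundle, e.g. the return of signPackage.
 * @returns {Promise<void>}
 * @throws {TypeError} If packageJson is not an object, or if an existing
 *   `sigstore` field is a truthy non-object (e.g. a string), since the
 *   signature could then only be dropped silently or clobber user data.
 */
async function attachSignature(packageJson, signature) {
  if (packageJson === null || typeof packageJson !== 'object') {
    throw new TypeError('attachSignature: packageJson must be an object');
  }
  const existing = packageJson.sigstore;
  if (!existing) {
    // Absent/falsy: start a fresh container (matches the original contract).
    packageJson.sigstore = {};
  } else if (typeof existing !== 'object') {
    // Assigning a property on a primitive either throws an opaque TypeError
    // (strict mode) or is discarded silently (sloppy mode) — fail loudly instead.
    throw new TypeError('attachSignature: existing "sigstore" field is not an object');
  }
  packageJson.sigstore.signature = signature;
}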
//# sourceMappingURL=publish.js.map
;