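"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyPackage = verifyPackage;
const bundle_1 = require("@sigstore/bundle");
const promises_1 = require("fs/promises");
const crypto_1 = require("crypto");
const config_1 = require("./config");
/**
 * Verifies a package signature using Sigstore.
 *
 * Reads the Sigstore bundle from `options.packageJson.sigstore.signature`
 * (a JSON string), hashes the tarball at `options.tarballPath` with SHA-256,
 * checks that the bundle parses as a well-formed Sigstore bundle and, when the
 * bundle carries a messageSignature with a recorded digest, that this digest
 * matches the tarball that was actually read.
 *
 * NOTE: this does NOT verify the signature cryptographically against the
 * Sigstore trust root; that still requires the verification logic from the
 * Sigstore verify package and remains a placeholder. The digest comparison only
 * binds the bundle to the tarball it claims to sign, so a bundle copied from
 * another artifact is rejected.
 *
 * @param {{ packageJson?: object, tarballPath: string }} options
 *   `packageJson` is the manifest holding `sigstore.signature`;
 *   `tarballPath` is the path of the downloaded tarball.
 * @returns {Promise<void>} resolves when verification is not enforced or passes
 * @throws {Error} If no signature is present, the bundle cannot be parsed,
 *   or the digest recorded in the bundle does not match the tarball
 */
async function verifyPackage(options) {
    const config = await (0, config_1.loadConfig)();
    // Skip verification if not enforced
    if (!config.enforceVerification) {
        return;
    }
    const signature = options.packageJson?.sigstore?.signature;
    if (!signature) {
        throw new Error('Package signature not found');
    }
    // Read and hash the tarball; keep the raw digest so it can be compared
    // byte-for-byte with the digest recorded in the bundle.
    const tarballContent = await (0, promises_1.readFile)(options.tarballPath);
    const tarballDigest = (0, crypto_1.createHash)('sha256').update(tarballContent).digest();
    let bundle;
    try {
        // Parse the bundle from JSON; bundleFromJSON throws on a malformed bundle
        bundle = (0, bundle_1.bundleFromJSON)(JSON.parse(signature));
    } catch (error) {
        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
        throw new Error(`Signature verification failed: ${errorMessage}`);
    }
    if (!bundle) {
        throw new Error('Signature verification failed: Invalid signature bundle');
    }
    // Bind the bundle to this tarball: a messageSignature bundle records the
    // digest of the artifact it signs. Reject when that digest differs from the
    // tarball we downloaded. The bundle comes from package.json, i.e. from
    // untrusted input, so the comparison is done in constant time.
    // TODO: replace this structural check with full cryptographic verification.
    const messageDigest = bundle.content?.$case === 'messageSignature'
        ? bundle.content.messageSignature?.messageDigest
        : undefined;
    if (messageDigest?.digest) {
        const bundleDigest = Buffer.from(messageDigest.digest);
        if (bundleDigest.length !== tarballDigest.length ||
            !(0, crypto_1.timingSafeEqual)(bundleDigest, tarballDigest)) {
            throw new Error('Signature verification failed: bundle digest does not match tarball');
        }
    }
}
//# sourceMappingURL=verify.js.map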