deps: bump sigstore from 1.3.0 to 2.0.0

Signed-off-by: Brian DeHamer <bdehamer@github.com>
npm · Aug 18, 2023 · c3b892d · c3b892d
1 parent c75d7d5
commit c3b892d
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 13 deletions.
diff --git a/lib/registry.js b/lib/registry.js
@@ -8,7 +8,7 @@ const pickManifest = require('npm-pick-manifest')
 const ssri = require('ssri')
 const crypto = require('crypto')
 const npa = require('npm-package-arg')
-const { sigstore } = require('sigstore')
+const sigstore = require('sigstore')
 
 // Corgis are cute. 🐕🐶
 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
@@ -299,7 +299,7 @@ class RegistryFetcher extends Fetcher {
                 tufCachePath: this.tufCache,
                 keySelector: publicKey ? () => publicKey.pemkey : undefined,
               }
-              await sigstore.verify(bundle, null, options)
+              await sigstore.verify(bundle, options)
             } catch (e) {
               throw Object.assign(new Error(
                 `${mani._id} failed to verify attestation: ${e.message}`

diff --git a/package.json b/package.json
@@ -59,7 +59,7 @@
     "promise-retry": "^2.0.1",
     "read-package-json": "^7.0.0",
     "read-package-json-fast": "^3.0.0",
-    "sigstore": "^1.3.0",
+    "sigstore": "^2.0.0",
     "ssri": "^10.0.0",
     "tar": "^6.1.11"
   },

diff --git a/test/registry.js b/test/registry.js
@@ -3,16 +3,14 @@ const t = require('tap')
 const RegistryFetcher = require('../lib/registry.js')
 const MockedRegistryFetcher = t.mock('../lib/registry.js', {
   sigstore: {
-    sigstore: {
-      verify: async (bundle, data, options) => {
-        options.keySelector && options.keySelector()
-        if (bundle.dsseEnvelope.payloadType === 'tlog-entry-mismatch') {
-          throw new Error('bundle content and tlog entry do not match')
-        }
-        if (bundle.dsseEnvelope.signatures[0].sig === 'invalid-signature') {
-          throw new Error('artifact signature verification failed')
-        }
-      },
+    verify: async (bundle, options) => {
+      options.keySelector && options.keySelector()
+      if (bundle.dsseEnvelope.payloadType === 'tlog-entry-mismatch') {
+        throw new Error('bundle content and tlog entry do not match')
+      }
+      if (bundle.dsseEnvelope.signatures[0].sig === 'invalid-signature') {
+        throw new Error('artifact signature verification failed')
+      }
     },
   },
 })