remove sigstore-utils from public interface of client package (#684)

* remove sigstore-utils from public interface

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* remove custom signer option from client package (#686)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* fix merge conflict

Signed-off-by: Brian DeHamer <bdehamer@github.com>

---------

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.changeset/olive-brooms-mate.md

@@ -0,0 +1,5 @@
+---
+'sigstore': major
+---
+
+Removes `signer` from the options for the `sign` and `attest` functions (see the `@sigstore/sign` package if you require something other than Fulcio-style keyless signing)

.changeset/unlucky-berries-exist.md

@@ -0,0 +1,5 @@
+---
+'sigstore': major
+---
+
+Remove `sigstore-utils` object from public interface

packages/client/README.md

@@ -195,12 +195,6 @@ Verifies the signature in the supplied bundle.
   * `keySelector` `<Function>`: Callback invoked to retrieve the public key (as either `string` or `Buffer`) necessary to verify the bundle signature. Not used when the signature was generated from a Fulcio-issued signing certificate.
     * `hint` `<String>`: The hint from the bundle used to identify the the signing key.
 
-### utils
-
-The `utils` object contains a few internal utility functions. These are exposed
-to support the needs of specific `sigstore-js` consumers but should **NOT** be
-considered part of the stable public interface.
-
 ## Credential Sources
 
 ### GitHub Actions

packages/client/src/__tests__/config.test.ts

@@ -28,29 +28,18 @@ describe('createBundleBuilder', () => {
   describe('when the bundleType is messageSignature', () => {
     const bundleType = 'messageSignature';
 
-    describe('when a custom signer is provided', () => {
-      const options = { signer: jest.fn() };
-
+    describe('when a hard-coded OIDC token is provided', () => {
+      const options = { identityToken: 'abc' };
       it('returns a MessageSignatureBundleBuilder', () => {
         const bundler = createBundleBuilder(bundleType, options);
         expect(bundler).toBeInstanceOf(MessageSignatureBundleBuilder);
       });
     });
 
-    describe('when a custom signer is NOT provided', () => {
-      describe('when a hard-coded OIDC token is provided', () => {
-        const options = { identityToken: 'abc' };
-        it('returns a MessageSignatureBundleBuilder', () => {
-          const bundler = createBundleBuilder(bundleType, options);
-          expect(bundler).toBeInstanceOf(MessageSignatureBundleBuilder);
-        });
-      });
-
-      describe('when no OIDC token is provided', () => {
-        it('returns a MessageSignatureBundleBuilder', () => {
-          const bundler = createBundleBuilder(bundleType, {});
-          expect(bundler).toBeInstanceOf(MessageSignatureBundleBuilder);
-        });
+    describe('when no OIDC token is provided', () => {
+      it('returns a MessageSignatureBundleBuilder', () => {
+        const bundler = createBundleBuilder(bundleType, {});
+        expect(bundler).toBeInstanceOf(MessageSignatureBundleBuilder);
       });
     });
 

packages/client/src/__tests__/index.test.ts

@@ -50,12 +50,6 @@ describe('sigstore', () => {
     expect(sigstore.createVerifier).toBeInstanceOf(Function);
   });
 
-  it('exports sigstore utils', () => {
-    expect(sigstore.utils).toBeDefined();
-    expect(sigstore.utils.createDSSEEnvelope).toBeInstanceOf(Function);
-    expect(sigstore.utils.createRekorEntry).toBeInstanceOf(Function);
-  });
-
   it('exports errors', () => {
     expect(sigstore.InternalError).toBeInstanceOf(Object);
     expect(sigstore.PolicyError).toBeInstanceOf(Object);

packages/client/src/config.ts

@@ -26,7 +26,6 @@ import {
   TSAWitness,
   Witness,
 } from '@sigstore/sign';
-import { CallbackSigner, SignerFunc } from './types/signature';
 import * as sigstore from './types/sigstore';
 
 import type { FetchOptions, Retry } from './types/fetch';
@@ -43,7 +42,6 @@ export type SignOptions = {
   identityProvider?: IdentityProvider;
   identityToken?: string;
   rekorURL?: string;
-  signer?: SignerFunc;
   tlogUpload?: boolean;
   tsaServerURL?: string;
 } & FetchOptions;
@@ -96,21 +94,14 @@ export function createBundleBuilder(
   }
 }
 
-// Instantiate a signer based on the supplied options. If a signer function is
-// provided, use that. Otherwise, if a Fulcio URL is provided, use the Fulcio
-// signer. Otherwise, throw an error.
+// Instantiate the FulcioSigner based on the supplied options.
 function initSigner(options: SignOptions): Signer {
-  if (isCallbackSignerEnabled(options)) {
-    return new CallbackSigner(options);
-  } else {
-    return new FulcioSigner({
-      fulcioBaseURL: options.fulcioURL || DEFAULT_FULCIO_URL,
-      identityProvider:
-        options.identityProvider || initIdentityProvider(options),
-      retry: options.retry ?? DEFAULT_RETRY,
-      timeout: options.timeout ?? DEFAULT_TIMEOUT,
-    });
-  }
+  return new FulcioSigner({
+    fulcioBaseURL: options.fulcioURL || DEFAULT_FULCIO_URL,
+    identityProvider: options.identityProvider || initIdentityProvider(options),
+    retry: options.retry ?? DEFAULT_RETRY,
+    timeout: options.timeout ?? DEFAULT_TIMEOUT,
+  });
 }
 
 // Instantiate an identity provider based on the supplied options. If an
@@ -154,13 +145,6 @@ function initWitnesses(options: SignOptions): Witness[] {
   return witnesses;
 }
 
-// Type assertion to ensure that the signer is enabled
-function isCallbackSignerEnabled(
-  options: SignOptions
-): options is SignOptions & { signer: SignerFunc } {
-  return options.signer !== undefined;
-}
-
 // Type assertion to ensure that Rekor is enabled
 function isRekorEnabled(
   options: SignOptions

packages/client/src/error.ts

@@ -53,9 +53,3 @@ type InternalErrorCode =
   | 'TUF_READ_TARGET_ERROR';
 
 export class InternalError extends ErrorWithCode<InternalErrorCode> {}
-
-type SignatureErrorCode =
-  | 'MISSING_SIGNATURE_ERROR'
-  | 'MISSING_PUBLIC_KEY_ERROR';
-
-export class SignatureError extends ErrorWithCode<SignatureErrorCode> {}