integrate @sigstore/bundle into client (#601)

Signed-off-by: Brian DeHamer <bdehamer@github.com>
sigstore · Jul 11, 2023 · d9b1540 · d9b1540
1 parent 2a5f500
commit d9b1540
Show file tree

Hide file tree

Showing 30 changed files with 326 additions and 1,198 deletions.
diff --git a/.changeset/twelve-balloons-work.md b/.changeset/twelve-balloons-work.md
@@ -0,0 +1,5 @@
+---
+'sigstore': minor
+---
+
+Integrate @sigstore/bundle package
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/client/package.json b/packages/client/package.json
@@ -36,6 +36,7 @@
     "@types/make-fetch-happen": "^10.0.0"
   },
   "dependencies": {
+    "@sigstore/bundle": "^0.0.0",
     "@sigstore/protobuf-specs": "^0.1.0",
     "@sigstore/tuf": "^1.0.1",
     "make-fetch-happen": "^11.0.1"

diff --git a/packages/client/src/__tests__/ca/verify/index.test.ts b/packages/client/src/__tests__/ca/verify/index.test.ts
@@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+import { bundleFromJSON, BundleWithCertificateChain } from '@sigstore/bundle';
 import { verifySigningCertificate } from '../../../ca/verify';
 import * as sigstore from '../../../types/sigstore';
 import bundles from '../../__fixtures__/bundles/';
@@ -21,9 +22,7 @@ import { trustedRoot } from '../../__fixtures__/trust';
 describe('verifySigningCertificate', () => {
   // Temporary until we reconsole bundle formats
   const bundleJSON = bundles.dsse.valid.withSigningCert;
-  const bundle = sigstore.bundleFromJSON(
-    bundleJSON
-  ) as sigstore.BundleWithCertificateChain;
+  const bundle = bundleFromJSON(bundleJSON) as BundleWithCertificateChain;
 
   const ctlogOptions: sigstore.ArtifactVerificationOptions_CtlogOptions = {
     disable: false,

diff --git a/packages/client/src/__tests__/sigstore.test.ts b/packages/client/src/__tests__/sigstore.test.ts
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
+import type { SerializedBundle } from '@sigstore/bundle';
 import {
   Bundle,
   HashAlgorithm,
@@ -28,7 +29,6 @@ import mocktuf, { Target } from '@tufjs/repo-mock';
 import { PolicyError, VerificationError } from '../error';
 import { Signer } from '../sign';
 import { attest, createVerifier, sign, tuf, verify } from '../sigstore';
-import { SerializedBundle } from '../types/sigstore';
 import bundles from './__fixtures__/bundles';
 import { trustedRoot } from './__fixtures__/trust';
 

diff --git a/packages/client/src/__tests__/tlog/verify/body.test.ts b/packages/client/src/__tests__/tlog/verify/body.test.ts
@@ -13,55 +13,53 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+import { bundleFromJSON, TransparencyLogEntry } from '@sigstore/bundle';
 import { verifyTLogBody } from '../../../tlog/verify/body';
-import * as sigstore from '../../../types/sigstore';
 import bundles from '../../__fixtures__/bundles';
 
 describe('verifyTLogBody', () => {
   describe('when a message signature bundle is provided', () => {
     describe('when everything is valid', () => {
-      const bundle = sigstore.bundleFromJSON(
-        bundles.signature.valid.withSigningCert
-      );
+      const bundle = bundleFromJSON(bundles.signature.valid.withSigningCert);
 
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns true', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(true);
       });
     });
 
     describe('when the signature does NOT match the value in the tlog entry', () => {
-      const bundle = sigstore.bundleFromJSON(
+      const bundle = bundleFromJSON(
         bundles.signature.invalid.tlogIncorrectSigInBody
       );
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns false', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
       });
     });
 
     describe('when the digest does NOT match the value in the tlog entry', () => {
-      const bundle = sigstore.bundleFromJSON(
+      const bundle = bundleFromJSON(
         bundles.signature.invalid.tlogIncorrectDigestInBody
       );
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns false', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
       });
     });
 
     describe('when there is a version mismatch between the tlog entry and the body', () => {
-      const bundle = sigstore.bundleFromJSON(
+      const bundle = bundleFromJSON(
         bundles.signature.invalid.tlogVersionMismatch
       );
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns false', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
@@ -71,69 +69,63 @@ describe('verifyTLogBody', () => {
 
   describe('when a DSSE Bundle is provided', () => {
     describe('when everything is valid', () => {
-      const bundle = sigstore.bundleFromJSON(
-        bundles.dsse.valid.withSigningCert
-      );
+      const bundle = bundleFromJSON(bundles.dsse.valid.withSigningCert);
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns true', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(true);
       });
     });
 
     describe('when the payload hash does NOT match the value in the intoto entry', () => {
-      const bundle = sigstore.bundleFromJSON(bundles.dsse.invalid.badSignature);
+      const bundle = bundleFromJSON(bundles.dsse.invalid.badSignature);
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns false', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
       });
     });
 
     describe('when the signature does NOT match the value in the intoto entry', () => {
-      const bundle = sigstore.bundleFromJSON(
+      const bundle = bundleFromJSON(
         bundles.dsse.invalid.tlogIncorrectSigInBody
       );
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns false', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
       });
     });
 
     describe('when the tlog entry version is unsupported', () => {
-      const bundle = sigstore.bundleFromJSON(
+      const bundle = bundleFromJSON(
         bundles.dsse.invalid.tlogUnsupportedVersion
       );
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns false', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
       });
     });
 
     describe('when the signature count does NOT match the intoto entry', () => {
-      const bundle = sigstore.bundleFromJSON(
-        bundles.dsse.invalid.tlogTooManySigsInBody
-      );
+      const bundle = bundleFromJSON(bundles.dsse.invalid.tlogTooManySigsInBody);
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns false', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
       });
     });
 
     describe('when there is a version mismatch between the tlog entry and the body', () => {
-      const bundle = sigstore.bundleFromJSON(
-        bundles.dsse.invalid.tlogVersionMismatch
-      );
+      const bundle = bundleFromJSON(bundles.dsse.invalid.tlogVersionMismatch);
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns false', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(false);
@@ -143,11 +135,9 @@ describe('verifyTLogBody', () => {
 
   describe('when a DSSE Bundle w/ dsse tlog entry is provided', () => {
     describe('when everything is valid', () => {
-      const bundle = sigstore.bundleFromJSON(
-        bundles.dsse.valid.withDSSETLogEntry
-      );
+      const bundle = bundleFromJSON(bundles.dsse.valid.withDSSETLogEntry);
       const tlogEntry = bundle.verificationMaterial
-        ?.tlogEntries[0] as sigstore.VerifiableTransparencyLogEntry;
+        ?.tlogEntries[0] as TransparencyLogEntry;
 
       it('returns true', () => {
         expect(verifyTLogBody(tlogEntry, bundle.content)).toBe(true);