From 2916b725c3c2bdd661874ad1c54eefd10398bc46 Mon Sep 17 00:00:00 2001 From: Philip Harrison Date: Wed, 8 Feb 2023 12:28:32 +0000 Subject: [PATCH] feat: verifyAttestations to registry.manifest Add support for verifying sigstore attestations when fetching the registry.manifest. This will be ased in CLI as part of `audit signatures`. RFC: https://github.com/npm/rfcs/pull/626 Signed-off-by: Philip Harrison Co-authored-by: Brian DeHamer Signed-off-by: Philip Harrison --- README.md | 4 +- lib/registry.js | 113 +++ .../sigstore/invalid-attestations.json | 98 +++ .../malformed-subject-attestations.json | 98 +++ .../mismatched-keyid-attestations.json | 98 +++ ...ismatched-subject-digest-attestations.json | 98 +++ .../mismatched-subject-name-attestations.json | 98 +++ .../sigstore/no-keyid-attestations.json | 98 +++ .../sigstore/unsupported-attestations.json | 98 +++ .../fixtures/sigstore/valid-attestations.json | 98 +++ test/registry.js | 832 +++++++++++++++++- 11 files changed, 1730 insertions(+), 3 deletions(-) create mode 100644 test/fixtures/sigstore/invalid-attestations.json create mode 100644 test/fixtures/sigstore/malformed-subject-attestations.json create mode 100644 test/fixtures/sigstore/mismatched-keyid-attestations.json create mode 100644 test/fixtures/sigstore/mismatched-subject-digest-attestations.json create mode 100644 test/fixtures/sigstore/mismatched-subject-name-attestations.json create mode 100644 test/fixtures/sigstore/no-keyid-attestations.json create mode 100644 test/fixtures/sigstore/unsupported-attestations.json create mode 100644 test/fixtures/sigstore/valid-attestations.json diff --git a/README.md b/README.md index 75581c85..64480b25 100644 --- a/README.md +++ b/README.md @@ -172,7 +172,9 @@ resolved, and other properties, as they are determined. integrity signature of a manifest, if present. There must be a configured `_keys` entry in the config that is scoped to the registry the manifest is being fetched from. - +* `verifyAttestations` A boolean that will make pacote verify Sigstore + attestations, if present. There must be a configured `_keys` entry in the + config that is scoped to the registry the manifest is being fetched from. ### Advanced API diff --git a/lib/registry.js b/lib/registry.js index c4c9df8e..625bedc9 100644 --- a/lib/registry.js +++ b/lib/registry.js @@ -7,6 +7,8 @@ const rpj = require('read-package-json-fast') const pickManifest = require('npm-pick-manifest') const ssri = require('ssri') const crypto = require('crypto') +const npa = require('npm-package-arg') +const { sigstore } = require('sigstore') // Corgis are cute. 🐕🐶 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*' @@ -203,7 +205,118 @@ class RegistryFetcher extends Fetcher { mani._signatures = dist.signatures } } + + if (dist.attestations) { + if (this.opts.verifyAttestations) { + // Always fetch attestations from the current registry host + const attestationsPath = new URL(dist.attestations.url).pathname + const attestationsUrl = removeTrailingSlashes(this.registry) + attestationsPath + const res = await fetch(attestationsUrl, { + ...this.opts, + // disable integrity check for attestations json payload, we check the + // integrity in the verification steps below + integrity: null, + }) + const { attestations } = await res.json() + const bundles = attestations.map(({ predicateType, bundle }) => { + const statement = JSON.parse( + Buffer.from(bundle.dsseEnvelope.payload, 'base64').toString('utf8') + ) + const keyid = bundle.dsseEnvelope.signatures[0].keyid + const signature = bundle.dsseEnvelope.signatures[0].sig + + return { + predicateType, + bundle, + statement, + keyid, + signature, + } + }) + + const attestationKeyIds = bundles.map((b) => b.keyid).filter((k) => !!k) + const attestationRegistryKeys = (this.registryKeys || []) + .filter(key => attestationKeyIds.includes(key.keyid)) + if (!attestationRegistryKeys.length) { + throw Object.assign(new Error( + `${mani._id} has attestations but no corresponding public key(s) can be found` + ), { code: 'EMISSINGSIGNATUREKEY' }) + } + + for (const { predicateType, bundle, keyid, signature, statement } of bundles) { + const publicKey = attestationRegistryKeys.find(key => key.keyid === keyid) + // Publish attestations have a keyid set and a valid public key must be found + if (keyid) { + if (!publicKey) { + throw Object.assign(new Error( + `${mani._id} has attestations with keyid: ${keyid} ` + + 'but no corresponding public key can be found' + ), { code: 'EMISSINGSIGNATUREKEY' }) + } + + const validPublicKey = + !publicKey.expires || (Date.parse(publicKey.expires) > Date.now()) + if (!validPublicKey) { + throw Object.assign(new Error( + `${mani._id} has attestations with keyid: ${keyid} ` + + `but the corresponding public key has expired ${publicKey.expires}` + ), { code: 'EEXPIREDSIGNATUREKEY' }) + } + } + + const subject = { + name: statement.subject[0].name, + sha512: statement.subject[0].digest.sha512, + } + + // Only type 'version' can be turned into a PURL + const purl = this.spec.type === 'version' ? npa.toPurl(this.spec) : this.spec + // Verify the statement subject matches the package, version + if (subject.name !== purl) { + throw Object.assign(new Error( + `${mani._id} package name and version (PURL): ${purl} ` + + `doesn't match what was signed: ${subject.name}` + ), { code: 'EATTESTATIONSUBJECT' }) + } + + // Verify the statement subject matches the tarball integrity + const integrityHexDigest = ssri.parse(this.integrity).hexDigest() + if (subject.sha512 !== integrityHexDigest) { + throw Object.assign(new Error( + `${mani._id} package integrity (hex digest): ` + + `${integrityHexDigest} ` + + `doesn't match what was signed: ${subject.sha512}` + ), { code: 'EATTESTATIONSUBJECT' }) + } + + try { + // Provenance attestations are signed with a signing certificate + // (including the key) so we don't need to return a public key. + // + // Publish attestations are signed with a keyid so we need to + // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys` + const options = { keySelector: publicKey ? () => publicKey.pemkey : undefined } + await sigstore.verify(bundle, null, options) + } catch (e) { + throw Object.assign(new Error( + `${mani._id} failed to verify attestation: ${e.message}` + ), { + code: 'EATTESTATIONVERIFY', + predicateType, + keyid, + signature, + resolved: mani._resolved, + integrity: mani._integrity, + }) + } + } + mani._attestations = dist.attestations + } else { + mani._attestations = dist.attestations + } + } } + this.package = mani return this.package } diff --git a/test/fixtures/sigstore/invalid-attestations.json b/test/fixtures/sigstore/invalid-attestations.json new file mode 100644 index 00000000..1552f448 --- /dev/null +++ b/test/fixtures/sigstore/invalid-attestations.json @@ -0,0 +1,98 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "MIIDnDCCAyKgAwIBAgIUEg2LbBC+v12QtPBt2jawiYrF33UwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMTExMTczMTUyWhcNMjMwMTExMTc0MTUyWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEscmo8xVdr+olWHVVpTlLdKdTwTDvNpINwLXi6W2OlPwTkMbJj0zCpO99heNH4ZxF1+NmO6NyjcbynKjf/GPUV6OCAkEwggI9MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdsZZ492PIgVwGjT/q8AwgHhDkj4wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZAYDVR0RAQH/BFowWIZWaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMwFQYKKwYBBAGDvzABBAQHcHVibGlzaDAiBgorBgEEAYO/MAEFBBRzaWdzdG9yZS9zaWdzdG9yZS1qczAeBgorBgEEAYO/MAEGBBByZWZzL3RhZ3MvdjAuNC4wMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGFoeNlfwAABAMARzBFAiBqYOxNKEMS4gXVBqU3Mr/w+yYXYtZDYa6daYOZJZB++wIhANat2b2mVTeHERPyhATU/Z8HOfC6iqY/IwiXnwWKsp9xMAoGCCqGSM49BAMDA2gAMGUCMQD5OzgtStQId/HNXGwVM1Ydjux8x2d4cr7tzWreGSbMUJhRuVlJliOdJKsu8ufHQfYCMC8M76uThWeCI2A5GndGj0TTaI1Cq92T8oXm5iHHFPxmvZtjXtnwCuGzLAKHILlmlg==" + }, + { + "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow=" + }, + { + "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "10960845", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458312", + "inclusionPromise": { + "signedEntryTimestamp": "MEYCIQDzgIQqH7VfIGmZ3wQ7WQ5wnGnhZrv6/3Q90rOK2vsWrgIhAJUvX2WQ/BDp4oti3LEdFzG8KpJIU7sMfSRehK8BRQ+r" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVJ1UkVORFFYbExaMEYzU1VKQlowbFZSV2N5VEdKQ1F5dDJNVEpSZEZCQ2RESnFZWGRwV1hKR016TlZkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxVVJYaE5WR042VFZSVmVWZG9ZMDVOYWsxM1RWUkZlRTFVWXpCTlZGVjVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWelkyMXZPSGhXWkhJcmIyeFhTRlpXY0ZSc1RHUkxaRlIzVkVSMlRuQkpUbmRNV0drS05sY3lUMnhRZDFSclRXSkthakI2UTNCUE9UbG9aVTVJTkZwNFJqRXJUbTFQTms1NWFtTmllVzVMYW1ZdlIxQlZWalpQUTBGclJYZG5aMGs1VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWa2MxcGFDalE1TWxCSloxWjNSMnBVTDNFNFFYZG5TR2hFYTJvMGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxcEJXVVJXVWpCU1FWRklMMEpHYjNkWFNWcFhZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wSXhXVzE0Y0dNeVozVmxWekZ6VVVoS2JGcHVUWFprUjBadUNtTjVPVEpOUXpRd1RHcEJkMDlSV1V0TGQxbENRa0ZIUkhaNlFVSkJVVkZ5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQUtaRWRvTVZsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkJWa0puYjNKQ1owVkZRVmxQTDAxQlJVTkNRV1I1V2xkNGJGbFlUbXhOUkZsSFEybHpSd3BCVVZGQ1p6YzRkMEZSVFVWTFJHaG9UVzFXYkUxdFdtdE5ha0pyV2tkRk1VOUhXbTFaVkZKb1QwZFJORTFFYUdoT2FsWnFXV3BHYkUxRVVUTk5WRVpxQ2sxRVRYZEdVVmxMUzNkWlFrSkJSMFIyZWtGQ1FrRlJTR05JVm1saVIyeDZZVVJCYVVKbmIzSkNaMFZGUVZsUEwwMUJSVVpDUWxKNllWZGtlbVJIT1hrS1dsTTVlbUZYWkhwa1J6bDVXbE14Y1dONlFXVkNaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk9RelIzVFVsSFN3cENaMjl5UW1kRlJVRmtXalZCWjFGRFFraDNSV1ZuUWpSQlNGbEJNMVF3ZDJGellraEZWRXBxUjFJMFkyMVhZek5CY1VwTFdISnFaVkJMTXk5b05IQjVDbWRET0hBM2J6UkJRVUZIUm05bFRteG1kMEZCUWtGTlFWSjZRa1pCYVVKeFdVOTRUa3RGVFZNMFoxaFdRbkZWTTAxeUwzY3JlVmxZV1hSYVJGbGhObVFLWVZsUFdrcGFRaXNyZDBsb1FVNWhkREppTW0xV1ZHVklSVkpRZVdoQlZGVXZXamhJVDJaRE5tbHhXUzlKZDJsWWJuZFhTM053T1hoTlFXOUhRME54UndwVFRUUTVRa0ZOUkVFeVowRk5SMVZEVFZGRU5VOTZaM1JUZEZGSlpDOUlUbGhIZDFaTk1WbGthblY0T0hneVpEUmpjamQwZWxkeVpVZFRZazFWU21oU0NuVldiRXBzYVU5a1NrdHpkVGgxWmtoUlpsbERUVU00VFRjMmRWUm9WMlZEU1RKQk5VZHVaRWRxTUZSVVlVa3hRM0U1TWxRNGIxaHROV2xJU0VaUWVHMEtkbHAwYWxoMGJuZERkVWQ2VEVGTFNFbE1iRzFzWnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlJRMGxDYXpobFl6SXZSMjB5ZGxOSllWbHVWelZaZFdKc1RIaE1ZM1J4UmxkRWExVldRbWhSU0doWlltdFFRV2xDWWpGWE1Hd3ZVM2xvUkV3NGFGSnBZbUZrT1VNM1pqaHFkM2R3T1dkU1lVdDVZV2xZWkROQlNEaHZVVDA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjI1NTdhZGNjYjFiZGYxNjA2NzExYjkwM2UxYmRiOGMwMmFhNjE2MzM4YzY0NjM2NTdiYmQwM2ViYjRmNzQyMTEifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1NjM0MjMyZmU2MTg4NWM0OTAyNGJmMWExMGJmZDNmYjljYzZhNmFjM2U5OTE1OGYxMjgzYmM0Yzk3MzEzYTAzIn19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vY2xpL2doYUB2MCIsImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2NsaUA5LjIuMCJ9LCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvdGFncy92MC40LjAiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifSwiZW50cnlQb2ludCI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7IkdJVEhVQl9BQ1RPUl9JRCI6IjM5ODAyNyIsIkdJVEhVQl9FVkVOVF9OQU1FIjoicmVsZWFzZSIsIkdJVEhVQl9KT0IiOiJwdWJsaXNoIiwiR0lUSFVCX1JFRiI6InJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfUkVGX1RZUEUiOiJ0YWciLCJHSVRIVUJfUkVQT1NJVE9SWSI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzIiwiR0lUSFVCX1JFUE9TSVRPUllfSUQiOiI0OTU1NzQ1NTUiLCJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUl9JRCI6IjcxMDk2MzUzIiwiR0lUSFVCX1JVTl9BVFRFTVBUIjoiMSIsIkdJVEhVQl9SVU5fSUQiOiIzODk1MTk3NzI1IiwiR0lUSFVCX1JVTl9OVU1CRVIiOiI3IiwiR0lUSFVCX1NIQSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMiLCJHSVRIVUJfV09SS0ZMT1ciOiJwdWJsaXNoIiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiOGEyZWUyZmQyMGRkYTU4ZmZhNGE4ZDgwOGE2NWNiMWUwNDcxMWMwMyIsIklNQUdFX09TIjoidWJ1bnR1MjIiLCJJTUFHRV9WRVJTSU9OIjoiMjAyMjEyMTIuMSIsIlJVTk5FUl9BUkNIIjoiWDY0IiwiUlVOTkVSX05BTUUiOiJIb3N0ZWQgQWdlbnQiLCJSVU5ORVJfT1MiOiJMaW51eCJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSWQiOiIzODk1MTk3NzI1LTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifX1dfX0=", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIBk8ec2/Gm2vSIaYnW5YublLxLctqFWDkUVBhQHhYbkPAiBb1W0l/SyhDL8hRibad9C7f8jwwp9gRaKyaiXd3AH8oQ==", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "10960848", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458314", + "inclusionPromise": { + "signedEntryTimestamp": "MEQCIEEIjIhzK2F4a9yt9peEarFYCBQETNkLAvHh4Q+suCbvAiAMOAoaKdW/+cU07wHSiG//gSJTeFDB30dl0dSx9dRG4g==" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlZRMGxSUXk4elpVdHVjRVpwY1dkMlZGbElORmxDUlhZMU5sQnlXa2NyV1ZGcE5VaGFXVlZMWVZCamFUVXlTRUZKWjFwMU16QkxjRk4zUWxWTGFWcENTemc0TjNOUlFVcEdRV1pyZUVKQmVXWklURUZNU2psR05sb3diREE5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjE0MzQ3ZjQxMjYwMTRiOTE3NDNkNjU5ZGNmY2ZkNmZiNjU4YTBmOWYzZDMxMGM1MDdmNWUzNWM3MGYwMGRjZGQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NWE5MDU3MmQ3ZjUwODYyZDE4ZjdkYzljYjRlNTY2N2M4ZTMwYjZiN2VlZDk1MDVhYzMxZmE5NzIxOGMwYjA1In19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoic2lnc3RvcmUiLCJ2ZXJzaW9uIjoiMC40LjAiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "invalid-signature", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/test/fixtures/sigstore/malformed-subject-attestations.json b/test/fixtures/sigstore/malformed-subject-attestations.json new file mode 100644 index 00000000..6c64a0e3 --- /dev/null +++ b/test/fixtures/sigstore/malformed-subject-attestations.json @@ -0,0 +1,98 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "MIIDnDCCAyKgAwIBAgIUEg2LbBC+v12QtPBt2jawiYrF33UwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMTExMTczMTUyWhcNMjMwMTExMTc0MTUyWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEscmo8xVdr+olWHVVpTlLdKdTwTDvNpINwLXi6W2OlPwTkMbJj0zCpO99heNH4ZxF1+NmO6NyjcbynKjf/GPUV6OCAkEwggI9MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdsZZ492PIgVwGjT/q8AwgHhDkj4wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZAYDVR0RAQH/BFowWIZWaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMwFQYKKwYBBAGDvzABBAQHcHVibGlzaDAiBgorBgEEAYO/MAEFBBRzaWdzdG9yZS9zaWdzdG9yZS1qczAeBgorBgEEAYO/MAEGBBByZWZzL3RhZ3MvdjAuNC4wMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGFoeNlfwAABAMARzBFAiBqYOxNKEMS4gXVBqU3Mr/w+yYXYtZDYa6daYOZJZB++wIhANat2b2mVTeHERPyhATU/Z8HOfC6iqY/IwiXnwWKsp9xMAoGCCqGSM49BAMDA2gAMGUCMQD5OzgtStQId/HNXGwVM1Ydjux8x2d4cr7tzWreGSbMUJhRuVlJliOdJKsu8ufHQfYCMC8M76uThWeCI2A5GndGj0TTaI1Cq92T8oXm5iHHFPxmvZtjXtnwCuGzLAKHILlmlg==" + }, + { + "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow=" + }, + { + "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "10960845", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458312", + "inclusionPromise": { + "signedEntryTimestamp": "MEYCIQDzgIQqH7VfIGmZ3wQ7WQ5wnGnhZrv6/3Q90rOK2vsWrgIhAJUvX2WQ/BDp4oti3LEdFzG8KpJIU7sMfSRehK8BRQ+r" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVJ1UkVORFFYbExaMEYzU1VKQlowbFZSV2N5VEdKQ1F5dDJNVEpSZEZCQ2RESnFZWGRwV1hKR016TlZkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxVVJYaE5WR042VFZSVmVWZG9ZMDVOYWsxM1RWUkZlRTFVWXpCTlZGVjVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWelkyMXZPSGhXWkhJcmIyeFhTRlpXY0ZSc1RHUkxaRlIzVkVSMlRuQkpUbmRNV0drS05sY3lUMnhRZDFSclRXSkthakI2UTNCUE9UbG9aVTVJTkZwNFJqRXJUbTFQTms1NWFtTmllVzVMYW1ZdlIxQlZWalpQUTBGclJYZG5aMGs1VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWa2MxcGFDalE1TWxCSloxWjNSMnBVTDNFNFFYZG5TR2hFYTJvMGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxcEJXVVJXVWpCU1FWRklMMEpHYjNkWFNWcFhZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wSXhXVzE0Y0dNeVozVmxWekZ6VVVoS2JGcHVUWFprUjBadUNtTjVPVEpOUXpRd1RHcEJkMDlSV1V0TGQxbENRa0ZIUkhaNlFVSkJVVkZ5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQUtaRWRvTVZsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkJWa0puYjNKQ1owVkZRVmxQTDAxQlJVTkNRV1I1V2xkNGJGbFlUbXhOUkZsSFEybHpSd3BCVVZGQ1p6YzRkMEZSVFVWTFJHaG9UVzFXYkUxdFdtdE5ha0pyV2tkRk1VOUhXbTFaVkZKb1QwZFJORTFFYUdoT2FsWnFXV3BHYkUxRVVUTk5WRVpxQ2sxRVRYZEdVVmxMUzNkWlFrSkJSMFIyZWtGQ1FrRlJTR05JVm1saVIyeDZZVVJCYVVKbmIzSkNaMFZGUVZsUEwwMUJSVVpDUWxKNllWZGtlbVJIT1hrS1dsTTVlbUZYWkhwa1J6bDVXbE14Y1dONlFXVkNaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk9RelIzVFVsSFN3cENaMjl5UW1kRlJVRmtXalZCWjFGRFFraDNSV1ZuUWpSQlNGbEJNMVF3ZDJGellraEZWRXBxUjFJMFkyMVhZek5CY1VwTFdISnFaVkJMTXk5b05IQjVDbWRET0hBM2J6UkJRVUZIUm05bFRteG1kMEZCUWtGTlFWSjZRa1pCYVVKeFdVOTRUa3RGVFZNMFoxaFdRbkZWTTAxeUwzY3JlVmxZV1hSYVJGbGhObVFLWVZsUFdrcGFRaXNyZDBsb1FVNWhkREppTW0xV1ZHVklSVkpRZVdoQlZGVXZXamhJVDJaRE5tbHhXUzlKZDJsWWJuZFhTM053T1hoTlFXOUhRME54UndwVFRUUTVRa0ZOUkVFeVowRk5SMVZEVFZGRU5VOTZaM1JUZEZGSlpDOUlUbGhIZDFaTk1WbGthblY0T0hneVpEUmpjamQwZWxkeVpVZFRZazFWU21oU0NuVldiRXBzYVU5a1NrdHpkVGgxWmtoUlpsbERUVU00VFRjMmRWUm9WMlZEU1RKQk5VZHVaRWRxTUZSVVlVa3hRM0U1TWxRNGIxaHROV2xJU0VaUWVHMEtkbHAwYWxoMGJuZERkVWQ2VEVGTFNFbE1iRzFzWnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlJRMGxDYXpobFl6SXZSMjB5ZGxOSllWbHVWelZaZFdKc1RIaE1ZM1J4UmxkRWExVldRbWhSU0doWlltdFFRV2xDWWpGWE1Hd3ZVM2xvUkV3NGFGSnBZbUZrT1VNM1pqaHFkM2R3T1dkU1lVdDVZV2xZWkROQlNEaHZVVDA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjI1NTdhZGNjYjFiZGYxNjA2NzExYjkwM2UxYmRiOGMwMmFhNjE2MzM4YzY0NjM2NTdiYmQwM2ViYjRmNzQyMTEifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1NjM0MjMyZmU2MTg4NWM0OTAyNGJmMWExMGJmZDNmYjljYzZhNmFjM2U5OTE1OGYxMjgzYmM0Yzk3MzEzYTAzIn19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vY2xpL2doYUB2MCIsImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2NsaUA5LjIuMCJ9LCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvdGFncy92MC40LjAiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifSwiZW50cnlQb2ludCI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7IkdJVEhVQl9BQ1RPUl9JRCI6IjM5ODAyNyIsIkdJVEhVQl9FVkVOVF9OQU1FIjoicmVsZWFzZSIsIkdJVEhVQl9KT0IiOiJwdWJsaXNoIiwiR0lUSFVCX1JFRiI6InJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfUkVGX1RZUEUiOiJ0YWciLCJHSVRIVUJfUkVQT1NJVE9SWSI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzIiwiR0lUSFVCX1JFUE9TSVRPUllfSUQiOiI0OTU1NzQ1NTUiLCJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUl9JRCI6IjcxMDk2MzUzIiwiR0lUSFVCX1JVTl9BVFRFTVBUIjoiMSIsIkdJVEhVQl9SVU5fSUQiOiIzODk1MTk3NzI1IiwiR0lUSFVCX1JVTl9OVU1CRVIiOiI3IiwiR0lUSFVCX1NIQSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMiLCJHSVRIVUJfV09SS0ZMT1ciOiJwdWJsaXNoIiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiOGEyZWUyZmQyMGRkYTU4ZmZhNGE4ZDgwOGE2NWNiMWUwNDcxMWMwMyIsIklNQUdFX09TIjoidWJ1bnR1MjIiLCJJTUFHRV9WRVJTSU9OIjoiMjAyMjEyMTIuMSIsIlJVTk5FUl9BUkNIIjoiWDY0IiwiUlVOTkVSX05BTUUiOiJIb3N0ZWQgQWdlbnQiLCJSVU5ORVJfT1MiOiJMaW51eCJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSWQiOiIzODk1MTk3NzI1LTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifX1dfX0=", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIBk8ec2/Gm2vSIaYnW5YublLxLctqFWDkUVBhQHhYbkPAiBb1W0l/SyhDL8hRibad9C7f8jwwp9gRaKyaiXd3AH8oQ==", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "10960848", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458314", + "inclusionPromise": { + "signedEntryTimestamp": "MEQCIEEIjIhzK2F4a9yt9peEarFYCBQETNkLAvHh4Q+suCbvAiAMOAoaKdW/+cU07wHSiG//gSJTeFDB30dl0dSx9dRG4g==" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlZRMGxSUXk4elpVdHVjRVpwY1dkMlZGbElORmxDUlhZMU5sQnlXa2NyV1ZGcE5VaGFXVlZMWVZCamFUVXlTRUZKWjFwMU16QkxjRk4zUWxWTGFWcENTemc0TjNOUlFVcEdRV1pyZUVKQmVXWklURUZNU2psR05sb3diREE5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjE0MzQ3ZjQxMjYwMTRiOTE3NDNkNjU5ZGNmY2ZkNmZiNjU4YTBmOWYzZDMxMGM1MDdmNWUzNWM3MGYwMGRjZGQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NWE5MDU3MmQ3ZjUwODYyZDE4ZjdkYzljYjRlNTY2N2M4ZTMwYjZiN2VlZDk1MDVhYzMxZmE5NzIxOGMwYjA1In19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIn1dLCJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9naXRodWIuY29tL25wbS9hdHRlc3RhdGlvbi90cmVlL21haW4vc3BlY3MvcHVibGlzaC92MC4xIiwicHJlZGljYXRlIjp7Im5hbWUiOiJzaWdzdG9yZSIsInZlcnNpb24iOiIwLjQuMCIsInJlZ2lzdHJ5IjoiaHR0cHM6Ly9yZWdpc3RyeS5ucG1qcy5vcmcifX0=", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQC/3eKnpFiqgvTYH4YBEv56PrZG+YQi5HZYUKaPci52HAIgZu30KpSwBUKiZBK887sQAJFAfkxBAyfHLALJ9F6Z0l0=", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/test/fixtures/sigstore/mismatched-keyid-attestations.json b/test/fixtures/sigstore/mismatched-keyid-attestations.json new file mode 100644 index 00000000..7de68ea4 --- /dev/null +++ b/test/fixtures/sigstore/mismatched-keyid-attestations.json @@ -0,0 +1,98 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "MIIDnDCCAyKgAwIBAgIUEg2LbBC+v12QtPBt2jawiYrF33UwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMTExMTczMTUyWhcNMjMwMTExMTc0MTUyWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEscmo8xVdr+olWHVVpTlLdKdTwTDvNpINwLXi6W2OlPwTkMbJj0zCpO99heNH4ZxF1+NmO6NyjcbynKjf/GPUV6OCAkEwggI9MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdsZZ492PIgVwGjT/q8AwgHhDkj4wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZAYDVR0RAQH/BFowWIZWaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMwFQYKKwYBBAGDvzABBAQHcHVibGlzaDAiBgorBgEEAYO/MAEFBBRzaWdzdG9yZS9zaWdzdG9yZS1qczAeBgorBgEEAYO/MAEGBBByZWZzL3RhZ3MvdjAuNC4wMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGFoeNlfwAABAMARzBFAiBqYOxNKEMS4gXVBqU3Mr/w+yYXYtZDYa6daYOZJZB++wIhANat2b2mVTeHERPyhATU/Z8HOfC6iqY/IwiXnwWKsp9xMAoGCCqGSM49BAMDA2gAMGUCMQD5OzgtStQId/HNXGwVM1Ydjux8x2d4cr7tzWreGSbMUJhRuVlJliOdJKsu8ufHQfYCMC8M76uThWeCI2A5GndGj0TTaI1Cq92T8oXm5iHHFPxmvZtjXtnwCuGzLAKHILlmlg==" + }, + { + "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow=" + }, + { + "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "10960845", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458312", + "inclusionPromise": { + "signedEntryTimestamp": "MEYCIQDzgIQqH7VfIGmZ3wQ7WQ5wnGnhZrv6/3Q90rOK2vsWrgIhAJUvX2WQ/BDp4oti3LEdFzG8KpJIU7sMfSRehK8BRQ+r" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVJ1UkVORFFYbExaMEYzU1VKQlowbFZSV2N5VEdKQ1F5dDJNVEpSZEZCQ2RESnFZWGRwV1hKR016TlZkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxVVJYaE5WR042VFZSVmVWZG9ZMDVOYWsxM1RWUkZlRTFVWXpCTlZGVjVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWelkyMXZPSGhXWkhJcmIyeFhTRlpXY0ZSc1RHUkxaRlIzVkVSMlRuQkpUbmRNV0drS05sY3lUMnhRZDFSclRXSkthakI2UTNCUE9UbG9aVTVJTkZwNFJqRXJUbTFQTms1NWFtTmllVzVMYW1ZdlIxQlZWalpQUTBGclJYZG5aMGs1VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWa2MxcGFDalE1TWxCSloxWjNSMnBVTDNFNFFYZG5TR2hFYTJvMGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxcEJXVVJXVWpCU1FWRklMMEpHYjNkWFNWcFhZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wSXhXVzE0Y0dNeVozVmxWekZ6VVVoS2JGcHVUWFprUjBadUNtTjVPVEpOUXpRd1RHcEJkMDlSV1V0TGQxbENRa0ZIUkhaNlFVSkJVVkZ5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQUtaRWRvTVZsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkJWa0puYjNKQ1owVkZRVmxQTDAxQlJVTkNRV1I1V2xkNGJGbFlUbXhOUkZsSFEybHpSd3BCVVZGQ1p6YzRkMEZSVFVWTFJHaG9UVzFXYkUxdFdtdE5ha0pyV2tkRk1VOUhXbTFaVkZKb1QwZFJORTFFYUdoT2FsWnFXV3BHYkUxRVVUTk5WRVpxQ2sxRVRYZEdVVmxMUzNkWlFrSkJSMFIyZWtGQ1FrRlJTR05JVm1saVIyeDZZVVJCYVVKbmIzSkNaMFZGUVZsUEwwMUJSVVpDUWxKNllWZGtlbVJIT1hrS1dsTTVlbUZYWkhwa1J6bDVXbE14Y1dONlFXVkNaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk9RelIzVFVsSFN3cENaMjl5UW1kRlJVRmtXalZCWjFGRFFraDNSV1ZuUWpSQlNGbEJNMVF3ZDJGellraEZWRXBxUjFJMFkyMVhZek5CY1VwTFdISnFaVkJMTXk5b05IQjVDbWRET0hBM2J6UkJRVUZIUm05bFRteG1kMEZCUWtGTlFWSjZRa1pCYVVKeFdVOTRUa3RGVFZNMFoxaFdRbkZWTTAxeUwzY3JlVmxZV1hSYVJGbGhObVFLWVZsUFdrcGFRaXNyZDBsb1FVNWhkREppTW0xV1ZHVklSVkpRZVdoQlZGVXZXamhJVDJaRE5tbHhXUzlKZDJsWWJuZFhTM053T1hoTlFXOUhRME54UndwVFRUUTVRa0ZOUkVFeVowRk5SMVZEVFZGRU5VOTZaM1JUZEZGSlpDOUlUbGhIZDFaTk1WbGthblY0T0hneVpEUmpjamQwZWxkeVpVZFRZazFWU21oU0NuVldiRXBzYVU5a1NrdHpkVGgxWmtoUlpsbERUVU00VFRjMmRWUm9WMlZEU1RKQk5VZHVaRWRxTUZSVVlVa3hRM0U1TWxRNGIxaHROV2xJU0VaUWVHMEtkbHAwYWxoMGJuZERkVWQ2VEVGTFNFbE1iRzFzWnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlJRMGxDYXpobFl6SXZSMjB5ZGxOSllWbHVWelZaZFdKc1RIaE1ZM1J4UmxkRWExVldRbWhSU0doWlltdFFRV2xDWWpGWE1Hd3ZVM2xvUkV3NGFGSnBZbUZrT1VNM1pqaHFkM2R3T1dkU1lVdDVZV2xZWkROQlNEaHZVVDA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjI1NTdhZGNjYjFiZGYxNjA2NzExYjkwM2UxYmRiOGMwMmFhNjE2MzM4YzY0NjM2NTdiYmQwM2ViYjRmNzQyMTEifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1NjM0MjMyZmU2MTg4NWM0OTAyNGJmMWExMGJmZDNmYjljYzZhNmFjM2U5OTE1OGYxMjgzYmM0Yzk3MzEzYTAzIn19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vY2xpL2doYUB2MCIsImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2NsaUA5LjIuMCJ9LCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvdGFncy92MC40LjAiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifSwiZW50cnlQb2ludCI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7IkdJVEhVQl9BQ1RPUl9JRCI6IjM5ODAyNyIsIkdJVEhVQl9FVkVOVF9OQU1FIjoicmVsZWFzZSIsIkdJVEhVQl9KT0IiOiJwdWJsaXNoIiwiR0lUSFVCX1JFRiI6InJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfUkVGX1RZUEUiOiJ0YWciLCJHSVRIVUJfUkVQT1NJVE9SWSI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzIiwiR0lUSFVCX1JFUE9TSVRPUllfSUQiOiI0OTU1NzQ1NTUiLCJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUl9JRCI6IjcxMDk2MzUzIiwiR0lUSFVCX1JVTl9BVFRFTVBUIjoiMSIsIkdJVEhVQl9SVU5fSUQiOiIzODk1MTk3NzI1IiwiR0lUSFVCX1JVTl9OVU1CRVIiOiI3IiwiR0lUSFVCX1NIQSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMiLCJHSVRIVUJfV09SS0ZMT1ciOiJwdWJsaXNoIiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiOGEyZWUyZmQyMGRkYTU4ZmZhNGE4ZDgwOGE2NWNiMWUwNDcxMWMwMyIsIklNQUdFX09TIjoidWJ1bnR1MjIiLCJJTUFHRV9WRVJTSU9OIjoiMjAyMjEyMTIuMSIsIlJVTk5FUl9BUkNIIjoiWDY0IiwiUlVOTkVSX05BTUUiOiJIb3N0ZWQgQWdlbnQiLCJSVU5ORVJfT1MiOiJMaW51eCJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSWQiOiIzODk1MTk3NzI1LTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifX1dfX0=", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIBk8ec2/Gm2vSIaYnW5YublLxLctqFWDkUVBhQHhYbkPAiBb1W0l/SyhDL8hRibad9C7f8jwwp9gRaKyaiXd3AH8oQ==", + "keyid": "JXkT/aBM9baLZ7dpjJLQhJrj3Ru5s/OSXoZzZsPUyhg" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "10960848", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458314", + "inclusionPromise": { + "signedEntryTimestamp": "MEQCIEEIjIhzK2F4a9yt9peEarFYCBQETNkLAvHh4Q+suCbvAiAMOAoaKdW/+cU07wHSiG//gSJTeFDB30dl0dSx9dRG4g==" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlZRMGxSUXk4elpVdHVjRVpwY1dkMlZGbElORmxDUlhZMU5sQnlXa2NyV1ZGcE5VaGFXVlZMWVZCamFUVXlTRUZKWjFwMU16QkxjRk4zUWxWTGFWcENTemc0TjNOUlFVcEdRV1pyZUVKQmVXWklURUZNU2psR05sb3diREE5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjE0MzQ3ZjQxMjYwMTRiOTE3NDNkNjU5ZGNmY2ZkNmZiNjU4YTBmOWYzZDMxMGM1MDdmNWUzNWM3MGYwMGRjZGQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NWE5MDU3MmQ3ZjUwODYyZDE4ZjdkYzljYjRlNTY2N2M4ZTMwYjZiN2VlZDk1MDVhYzMxZmE5NzIxOGMwYjA1In19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoic2lnc3RvcmUiLCJ2ZXJzaW9uIjoiMC40LjAiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQC/3eKnpFiqgvTYH4YBEv56PrZG+YQi5HZYUKaPci52HAIgZu30KpSwBUKiZBK887sQAJFAfkxBAyfHLALJ9F6Z0l0=", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/test/fixtures/sigstore/mismatched-subject-digest-attestations.json b/test/fixtures/sigstore/mismatched-subject-digest-attestations.json new file mode 100644 index 00000000..8f15f843 --- /dev/null +++ b/test/fixtures/sigstore/mismatched-subject-digest-attestations.json @@ -0,0 +1,98 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "MIIDnDCCAyKgAwIBAgIUEg2LbBC+v12QtPBt2jawiYrF33UwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMTExMTczMTUyWhcNMjMwMTExMTc0MTUyWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEscmo8xVdr+olWHVVpTlLdKdTwTDvNpINwLXi6W2OlPwTkMbJj0zCpO99heNH4ZxF1+NmO6NyjcbynKjf/GPUV6OCAkEwggI9MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdsZZ492PIgVwGjT/q8AwgHhDkj4wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZAYDVR0RAQH/BFowWIZWaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMwFQYKKwYBBAGDvzABBAQHcHVibGlzaDAiBgorBgEEAYO/MAEFBBRzaWdzdG9yZS9zaWdzdG9yZS1qczAeBgorBgEEAYO/MAEGBBByZWZzL3RhZ3MvdjAuNC4wMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGFoeNlfwAABAMARzBFAiBqYOxNKEMS4gXVBqU3Mr/w+yYXYtZDYa6daYOZJZB++wIhANat2b2mVTeHERPyhATU/Z8HOfC6iqY/IwiXnwWKsp9xMAoGCCqGSM49BAMDA2gAMGUCMQD5OzgtStQId/HNXGwVM1Ydjux8x2d4cr7tzWreGSbMUJhRuVlJliOdJKsu8ufHQfYCMC8M76uThWeCI2A5GndGj0TTaI1Cq92T8oXm5iHHFPxmvZtjXtnwCuGzLAKHILlmlg==" + }, + { + "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow=" + }, + { + "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "10960845", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458312", + "inclusionPromise": { + "signedEntryTimestamp": "MEYCIQDzgIQqH7VfIGmZ3wQ7WQ5wnGnhZrv6/3Q90rOK2vsWrgIhAJUvX2WQ/BDp4oti3LEdFzG8KpJIU7sMfSRehK8BRQ+r" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVJ1UkVORFFYbExaMEYzU1VKQlowbFZSV2N5VEdKQ1F5dDJNVEpSZEZCQ2RESnFZWGRwV1hKR016TlZkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxVVJYaE5WR042VFZSVmVWZG9ZMDVOYWsxM1RWUkZlRTFVWXpCTlZGVjVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWelkyMXZPSGhXWkhJcmIyeFhTRlpXY0ZSc1RHUkxaRlIzVkVSMlRuQkpUbmRNV0drS05sY3lUMnhRZDFSclRXSkthakI2UTNCUE9UbG9aVTVJTkZwNFJqRXJUbTFQTms1NWFtTmllVzVMYW1ZdlIxQlZWalpQUTBGclJYZG5aMGs1VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWa2MxcGFDalE1TWxCSloxWjNSMnBVTDNFNFFYZG5TR2hFYTJvMGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxcEJXVVJXVWpCU1FWRklMMEpHYjNkWFNWcFhZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wSXhXVzE0Y0dNeVozVmxWekZ6VVVoS2JGcHVUWFprUjBadUNtTjVPVEpOUXpRd1RHcEJkMDlSV1V0TGQxbENRa0ZIUkhaNlFVSkJVVkZ5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQUtaRWRvTVZsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkJWa0puYjNKQ1owVkZRVmxQTDAxQlJVTkNRV1I1V2xkNGJGbFlUbXhOUkZsSFEybHpSd3BCVVZGQ1p6YzRkMEZSVFVWTFJHaG9UVzFXYkUxdFdtdE5ha0pyV2tkRk1VOUhXbTFaVkZKb1QwZFJORTFFYUdoT2FsWnFXV3BHYkUxRVVUTk5WRVpxQ2sxRVRYZEdVVmxMUzNkWlFrSkJSMFIyZWtGQ1FrRlJTR05JVm1saVIyeDZZVVJCYVVKbmIzSkNaMFZGUVZsUEwwMUJSVVpDUWxKNllWZGtlbVJIT1hrS1dsTTVlbUZYWkhwa1J6bDVXbE14Y1dONlFXVkNaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk9RelIzVFVsSFN3cENaMjl5UW1kRlJVRmtXalZCWjFGRFFraDNSV1ZuUWpSQlNGbEJNMVF3ZDJGellraEZWRXBxUjFJMFkyMVhZek5CY1VwTFdISnFaVkJMTXk5b05IQjVDbWRET0hBM2J6UkJRVUZIUm05bFRteG1kMEZCUWtGTlFWSjZRa1pCYVVKeFdVOTRUa3RGVFZNMFoxaFdRbkZWTTAxeUwzY3JlVmxZV1hSYVJGbGhObVFLWVZsUFdrcGFRaXNyZDBsb1FVNWhkREppTW0xV1ZHVklSVkpRZVdoQlZGVXZXamhJVDJaRE5tbHhXUzlKZDJsWWJuZFhTM053T1hoTlFXOUhRME54UndwVFRUUTVRa0ZOUkVFeVowRk5SMVZEVFZGRU5VOTZaM1JUZEZGSlpDOUlUbGhIZDFaTk1WbGthblY0T0hneVpEUmpjamQwZWxkeVpVZFRZazFWU21oU0NuVldiRXBzYVU5a1NrdHpkVGgxWmtoUlpsbERUVU00VFRjMmRWUm9WMlZEU1RKQk5VZHVaRWRxTUZSVVlVa3hRM0U1TWxRNGIxaHROV2xJU0VaUWVHMEtkbHAwYWxoMGJuZERkVWQ2VEVGTFNFbE1iRzFzWnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlJRMGxDYXpobFl6SXZSMjB5ZGxOSllWbHVWelZaZFdKc1RIaE1ZM1J4UmxkRWExVldRbWhSU0doWlltdFFRV2xDWWpGWE1Hd3ZVM2xvUkV3NGFGSnBZbUZrT1VNM1pqaHFkM2R3T1dkU1lVdDVZV2xZWkROQlNEaHZVVDA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjI1NTdhZGNjYjFiZGYxNjA2NzExYjkwM2UxYmRiOGMwMmFhNjE2MzM4YzY0NjM2NTdiYmQwM2ViYjRmNzQyMTEifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1NjM0MjMyZmU2MTg4NWM0OTAyNGJmMWExMGJmZDNmYjljYzZhNmFjM2U5OTE1OGYxMjgzYmM0Yzk3MzEzYTAzIn19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vY2xpL2doYUB2MCIsImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2NsaUA5LjIuMCJ9LCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvdGFncy92MC40LjAiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifSwiZW50cnlQb2ludCI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7IkdJVEhVQl9BQ1RPUl9JRCI6IjM5ODAyNyIsIkdJVEhVQl9FVkVOVF9OQU1FIjoicmVsZWFzZSIsIkdJVEhVQl9KT0IiOiJwdWJsaXNoIiwiR0lUSFVCX1JFRiI6InJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfUkVGX1RZUEUiOiJ0YWciLCJHSVRIVUJfUkVQT1NJVE9SWSI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzIiwiR0lUSFVCX1JFUE9TSVRPUllfSUQiOiI0OTU1NzQ1NTUiLCJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUl9JRCI6IjcxMDk2MzUzIiwiR0lUSFVCX1JVTl9BVFRFTVBUIjoiMSIsIkdJVEhVQl9SVU5fSUQiOiIzODk1MTk3NzI1IiwiR0lUSFVCX1JVTl9OVU1CRVIiOiI3IiwiR0lUSFVCX1NIQSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMiLCJHSVRIVUJfV09SS0ZMT1ciOiJwdWJsaXNoIiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiOGEyZWUyZmQyMGRkYTU4ZmZhNGE4ZDgwOGE2NWNiMWUwNDcxMWMwMyIsIklNQUdFX09TIjoidWJ1bnR1MjIiLCJJTUFHRV9WRVJTSU9OIjoiMjAyMjEyMTIuMSIsIlJVTk5FUl9BUkNIIjoiWDY0IiwiUlVOTkVSX05BTUUiOiJIb3N0ZWQgQWdlbnQiLCJSVU5ORVJfT1MiOiJMaW51eCJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSWQiOiIzODk1MTk3NzI1LTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifX1dfX0=", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIBk8ec2/Gm2vSIaYnW5YublLxLctqFWDkUVBhQHhYbkPAiBb1W0l/SyhDL8hRibad9C7f8jwwp9gRaKyaiXd3AH8oQ==", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "10960848", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458314", + "inclusionPromise": { + "signedEntryTimestamp": "MEQCIEEIjIhzK2F4a9yt9peEarFYCBQETNkLAvHh4Q+suCbvAiAMOAoaKdW/+cU07wHSiG//gSJTeFDB30dl0dSx9dRG4g==" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlZRMGxSUXk4elpVdHVjRVpwY1dkMlZGbElORmxDUlhZMU5sQnlXa2NyV1ZGcE5VaGFXVlZMWVZCamFUVXlTRUZKWjFwMU16QkxjRk4zUWxWTGFWcENTemc0TjNOUlFVcEdRV1pyZUVKQmVXWklURUZNU2psR05sb3diREE5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjE0MzQ3ZjQxMjYwMTRiOTE3NDNkNjU5ZGNmY2ZkNmZiNjU4YTBmOWYzZDMxMGM1MDdmNWUzNWM3MGYwMGRjZGQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NWE5MDU3MmQ3ZjUwODYyZDE4ZjdkYzljYjRlNTY2N2M4ZTMwYjZiN2VlZDk1MDVhYzMxZmE5NzIxOGMwYjA1In19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjEyM2MwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoic2lnc3RvcmUiLCJ2ZXJzaW9uIjoiMC40LjAiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQC/3eKnpFiqgvTYH4YBEv56PrZG+YQi5HZYUKaPci52HAIgZu30KpSwBUKiZBK887sQAJFAfkxBAyfHLALJ9F6Z0l0=", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/test/fixtures/sigstore/mismatched-subject-name-attestations.json b/test/fixtures/sigstore/mismatched-subject-name-attestations.json new file mode 100644 index 00000000..7689d769 --- /dev/null +++ b/test/fixtures/sigstore/mismatched-subject-name-attestations.json @@ -0,0 +1,98 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "MIIDnDCCAyKgAwIBAgIUEg2LbBC+v12QtPBt2jawiYrF33UwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMTExMTczMTUyWhcNMjMwMTExMTc0MTUyWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEscmo8xVdr+olWHVVpTlLdKdTwTDvNpINwLXi6W2OlPwTkMbJj0zCpO99heNH4ZxF1+NmO6NyjcbynKjf/GPUV6OCAkEwggI9MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdsZZ492PIgVwGjT/q8AwgHhDkj4wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZAYDVR0RAQH/BFowWIZWaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMwFQYKKwYBBAGDvzABBAQHcHVibGlzaDAiBgorBgEEAYO/MAEFBBRzaWdzdG9yZS9zaWdzdG9yZS1qczAeBgorBgEEAYO/MAEGBBByZWZzL3RhZ3MvdjAuNC4wMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGFoeNlfwAABAMARzBFAiBqYOxNKEMS4gXVBqU3Mr/w+yYXYtZDYa6daYOZJZB++wIhANat2b2mVTeHERPyhATU/Z8HOfC6iqY/IwiXnwWKsp9xMAoGCCqGSM49BAMDA2gAMGUCMQD5OzgtStQId/HNXGwVM1Ydjux8x2d4cr7tzWreGSbMUJhRuVlJliOdJKsu8ufHQfYCMC8M76uThWeCI2A5GndGj0TTaI1Cq92T8oXm5iHHFPxmvZtjXtnwCuGzLAKHILlmlg==" + }, + { + "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow=" + }, + { + "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "10960845", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458312", + "inclusionPromise": { + "signedEntryTimestamp": "MEYCIQDzgIQqH7VfIGmZ3wQ7WQ5wnGnhZrv6/3Q90rOK2vsWrgIhAJUvX2WQ/BDp4oti3LEdFzG8KpJIU7sMfSRehK8BRQ+r" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVJ1UkVORFFYbExaMEYzU1VKQlowbFZSV2N5VEdKQ1F5dDJNVEpSZEZCQ2RESnFZWGRwV1hKR016TlZkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxVVJYaE5WR042VFZSVmVWZG9ZMDVOYWsxM1RWUkZlRTFVWXpCTlZGVjVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWelkyMXZPSGhXWkhJcmIyeFhTRlpXY0ZSc1RHUkxaRlIzVkVSMlRuQkpUbmRNV0drS05sY3lUMnhRZDFSclRXSkthakI2UTNCUE9UbG9aVTVJTkZwNFJqRXJUbTFQTms1NWFtTmllVzVMYW1ZdlIxQlZWalpQUTBGclJYZG5aMGs1VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWa2MxcGFDalE1TWxCSloxWjNSMnBVTDNFNFFYZG5TR2hFYTJvMGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxcEJXVVJXVWpCU1FWRklMMEpHYjNkWFNWcFhZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wSXhXVzE0Y0dNeVozVmxWekZ6VVVoS2JGcHVUWFprUjBadUNtTjVPVEpOUXpRd1RHcEJkMDlSV1V0TGQxbENRa0ZIUkhaNlFVSkJVVkZ5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQUtaRWRvTVZsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkJWa0puYjNKQ1owVkZRVmxQTDAxQlJVTkNRV1I1V2xkNGJGbFlUbXhOUkZsSFEybHpSd3BCVVZGQ1p6YzRkMEZSVFVWTFJHaG9UVzFXYkUxdFdtdE5ha0pyV2tkRk1VOUhXbTFaVkZKb1QwZFJORTFFYUdoT2FsWnFXV3BHYkUxRVVUTk5WRVpxQ2sxRVRYZEdVVmxMUzNkWlFrSkJSMFIyZWtGQ1FrRlJTR05JVm1saVIyeDZZVVJCYVVKbmIzSkNaMFZGUVZsUEwwMUJSVVpDUWxKNllWZGtlbVJIT1hrS1dsTTVlbUZYWkhwa1J6bDVXbE14Y1dONlFXVkNaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk9RelIzVFVsSFN3cENaMjl5UW1kRlJVRmtXalZCWjFGRFFraDNSV1ZuUWpSQlNGbEJNMVF3ZDJGellraEZWRXBxUjFJMFkyMVhZek5CY1VwTFdISnFaVkJMTXk5b05IQjVDbWRET0hBM2J6UkJRVUZIUm05bFRteG1kMEZCUWtGTlFWSjZRa1pCYVVKeFdVOTRUa3RGVFZNMFoxaFdRbkZWTTAxeUwzY3JlVmxZV1hSYVJGbGhObVFLWVZsUFdrcGFRaXNyZDBsb1FVNWhkREppTW0xV1ZHVklSVkpRZVdoQlZGVXZXamhJVDJaRE5tbHhXUzlKZDJsWWJuZFhTM053T1hoTlFXOUhRME54UndwVFRUUTVRa0ZOUkVFeVowRk5SMVZEVFZGRU5VOTZaM1JUZEZGSlpDOUlUbGhIZDFaTk1WbGthblY0T0hneVpEUmpjamQwZWxkeVpVZFRZazFWU21oU0NuVldiRXBzYVU5a1NrdHpkVGgxWmtoUlpsbERUVU00VFRjMmRWUm9WMlZEU1RKQk5VZHVaRWRxTUZSVVlVa3hRM0U1TWxRNGIxaHROV2xJU0VaUWVHMEtkbHAwYWxoMGJuZERkVWQ2VEVGTFNFbE1iRzFzWnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlJRMGxDYXpobFl6SXZSMjB5ZGxOSllWbHVWelZaZFdKc1RIaE1ZM1J4UmxkRWExVldRbWhSU0doWlltdFFRV2xDWWpGWE1Hd3ZVM2xvUkV3NGFGSnBZbUZrT1VNM1pqaHFkM2R3T1dkU1lVdDVZV2xZWkROQlNEaHZVVDA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjI1NTdhZGNjYjFiZGYxNjA2NzExYjkwM2UxYmRiOGMwMmFhNjE2MzM4YzY0NjM2NTdiYmQwM2ViYjRmNzQyMTEifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1NjM0MjMyZmU2MTg4NWM0OTAyNGJmMWExMGJmZDNmYjljYzZhNmFjM2U5OTE1OGYxMjgzYmM0Yzk3MzEzYTAzIn19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vY2xpL2doYUB2MCIsImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2NsaUA5LjIuMCJ9LCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvdGFncy92MC40LjAiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifSwiZW50cnlQb2ludCI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7IkdJVEhVQl9BQ1RPUl9JRCI6IjM5ODAyNyIsIkdJVEhVQl9FVkVOVF9OQU1FIjoicmVsZWFzZSIsIkdJVEhVQl9KT0IiOiJwdWJsaXNoIiwiR0lUSFVCX1JFRiI6InJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfUkVGX1RZUEUiOiJ0YWciLCJHSVRIVUJfUkVQT1NJVE9SWSI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzIiwiR0lUSFVCX1JFUE9TSVRPUllfSUQiOiI0OTU1NzQ1NTUiLCJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUl9JRCI6IjcxMDk2MzUzIiwiR0lUSFVCX1JVTl9BVFRFTVBUIjoiMSIsIkdJVEhVQl9SVU5fSUQiOiIzODk1MTk3NzI1IiwiR0lUSFVCX1JVTl9OVU1CRVIiOiI3IiwiR0lUSFVCX1NIQSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMiLCJHSVRIVUJfV09SS0ZMT1ciOiJwdWJsaXNoIiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiOGEyZWUyZmQyMGRkYTU4ZmZhNGE4ZDgwOGE2NWNiMWUwNDcxMWMwMyIsIklNQUdFX09TIjoidWJ1bnR1MjIiLCJJTUFHRV9WRVJTSU9OIjoiMjAyMjEyMTIuMSIsIlJVTk5FUl9BUkNIIjoiWDY0IiwiUlVOTkVSX05BTUUiOiJIb3N0ZWQgQWdlbnQiLCJSVU5ORVJfT1MiOiJMaW51eCJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSWQiOiIzODk1MTk3NzI1LTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifX1dfX0=", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIBk8ec2/Gm2vSIaYnW5YublLxLctqFWDkUVBhQHhYbkPAiBb1W0l/SyhDL8hRibad9C7f8jwwp9gRaKyaiXd3AH8oQ==", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "10960848", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458314", + "inclusionPromise": { + "signedEntryTimestamp": "MEQCIEEIjIhzK2F4a9yt9peEarFYCBQETNkLAvHh4Q+suCbvAiAMOAoaKdW/+cU07wHSiG//gSJTeFDB30dl0dSx9dRG4g==" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlZRMGxSUXk4elpVdHVjRVpwY1dkMlZGbElORmxDUlhZMU5sQnlXa2NyV1ZGcE5VaGFXVlZMWVZCamFUVXlTRUZKWjFwMU16QkxjRk4zUWxWTGFWcENTemc0TjNOUlFVcEdRV1pyZUVKQmVXWklURUZNU2psR05sb3diREE5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjE0MzQ3ZjQxMjYwMTRiOTE3NDNkNjU5ZGNmY2ZkNmZiNjU4YTBmOWYzZDMxMGM1MDdmNWUzNWM3MGYwMGRjZGQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NWE5MDU3MmQ3ZjUwODYyZDE4ZjdkYzljYjRlNTY2N2M4ZTMwYjZiN2VlZDk1MDVhYzMxZmE5NzIxOGMwYjA1In19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDEuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoic2lnc3RvcmUiLCJ2ZXJzaW9uIjoiMC40LjAiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQC/3eKnpFiqgvTYH4YBEv56PrZG+YQi5HZYUKaPci52HAIgZu30KpSwBUKiZBK887sQAJFAfkxBAyfHLALJ9F6Z0l0=", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/test/fixtures/sigstore/no-keyid-attestations.json b/test/fixtures/sigstore/no-keyid-attestations.json new file mode 100644 index 00000000..260438a0 --- /dev/null +++ b/test/fixtures/sigstore/no-keyid-attestations.json @@ -0,0 +1,98 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "MIIDnDCCAyKgAwIBAgIUEg2LbBC+v12QtPBt2jawiYrF33UwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMTExMTczMTUyWhcNMjMwMTExMTc0MTUyWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEscmo8xVdr+olWHVVpTlLdKdTwTDvNpINwLXi6W2OlPwTkMbJj0zCpO99heNH4ZxF1+NmO6NyjcbynKjf/GPUV6OCAkEwggI9MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdsZZ492PIgVwGjT/q8AwgHhDkj4wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZAYDVR0RAQH/BFowWIZWaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMwFQYKKwYBBAGDvzABBAQHcHVibGlzaDAiBgorBgEEAYO/MAEFBBRzaWdzdG9yZS9zaWdzdG9yZS1qczAeBgorBgEEAYO/MAEGBBByZWZzL3RhZ3MvdjAuNC4wMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGFoeNlfwAABAMARzBFAiBqYOxNKEMS4gXVBqU3Mr/w+yYXYtZDYa6daYOZJZB++wIhANat2b2mVTeHERPyhATU/Z8HOfC6iqY/IwiXnwWKsp9xMAoGCCqGSM49BAMDA2gAMGUCMQD5OzgtStQId/HNXGwVM1Ydjux8x2d4cr7tzWreGSbMUJhRuVlJliOdJKsu8ufHQfYCMC8M76uThWeCI2A5GndGj0TTaI1Cq92T8oXm5iHHFPxmvZtjXtnwCuGzLAKHILlmlg==" + }, + { + "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow=" + }, + { + "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "10960845", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458312", + "inclusionPromise": { + "signedEntryTimestamp": "MEYCIQDzgIQqH7VfIGmZ3wQ7WQ5wnGnhZrv6/3Q90rOK2vsWrgIhAJUvX2WQ/BDp4oti3LEdFzG8KpJIU7sMfSRehK8BRQ+r" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVJ1UkVORFFYbExaMEYzU1VKQlowbFZSV2N5VEdKQ1F5dDJNVEpSZEZCQ2RESnFZWGRwV1hKR016TlZkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxVVJYaE5WR042VFZSVmVWZG9ZMDVOYWsxM1RWUkZlRTFVWXpCTlZGVjVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWelkyMXZPSGhXWkhJcmIyeFhTRlpXY0ZSc1RHUkxaRlIzVkVSMlRuQkpUbmRNV0drS05sY3lUMnhRZDFSclRXSkthakI2UTNCUE9UbG9aVTVJTkZwNFJqRXJUbTFQTms1NWFtTmllVzVMYW1ZdlIxQlZWalpQUTBGclJYZG5aMGs1VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWa2MxcGFDalE1TWxCSloxWjNSMnBVTDNFNFFYZG5TR2hFYTJvMGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxcEJXVVJXVWpCU1FWRklMMEpHYjNkWFNWcFhZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wSXhXVzE0Y0dNeVozVmxWekZ6VVVoS2JGcHVUWFprUjBadUNtTjVPVEpOUXpRd1RHcEJkMDlSV1V0TGQxbENRa0ZIUkhaNlFVSkJVVkZ5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQUtaRWRvTVZsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkJWa0puYjNKQ1owVkZRVmxQTDAxQlJVTkNRV1I1V2xkNGJGbFlUbXhOUkZsSFEybHpSd3BCVVZGQ1p6YzRkMEZSVFVWTFJHaG9UVzFXYkUxdFdtdE5ha0pyV2tkRk1VOUhXbTFaVkZKb1QwZFJORTFFYUdoT2FsWnFXV3BHYkUxRVVUTk5WRVpxQ2sxRVRYZEdVVmxMUzNkWlFrSkJSMFIyZWtGQ1FrRlJTR05JVm1saVIyeDZZVVJCYVVKbmIzSkNaMFZGUVZsUEwwMUJSVVpDUWxKNllWZGtlbVJIT1hrS1dsTTVlbUZYWkhwa1J6bDVXbE14Y1dONlFXVkNaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk9RelIzVFVsSFN3cENaMjl5UW1kRlJVRmtXalZCWjFGRFFraDNSV1ZuUWpSQlNGbEJNMVF3ZDJGellraEZWRXBxUjFJMFkyMVhZek5CY1VwTFdISnFaVkJMTXk5b05IQjVDbWRET0hBM2J6UkJRVUZIUm05bFRteG1kMEZCUWtGTlFWSjZRa1pCYVVKeFdVOTRUa3RGVFZNMFoxaFdRbkZWTTAxeUwzY3JlVmxZV1hSYVJGbGhObVFLWVZsUFdrcGFRaXNyZDBsb1FVNWhkREppTW0xV1ZHVklSVkpRZVdoQlZGVXZXamhJVDJaRE5tbHhXUzlKZDJsWWJuZFhTM053T1hoTlFXOUhRME54UndwVFRUUTVRa0ZOUkVFeVowRk5SMVZEVFZGRU5VOTZaM1JUZEZGSlpDOUlUbGhIZDFaTk1WbGthblY0T0hneVpEUmpjamQwZWxkeVpVZFRZazFWU21oU0NuVldiRXBzYVU5a1NrdHpkVGgxWmtoUlpsbERUVU00VFRjMmRWUm9WMlZEU1RKQk5VZHVaRWRxTUZSVVlVa3hRM0U1TWxRNGIxaHROV2xJU0VaUWVHMEtkbHAwYWxoMGJuZERkVWQ2VEVGTFNFbE1iRzFzWnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlJRMGxDYXpobFl6SXZSMjB5ZGxOSllWbHVWelZaZFdKc1RIaE1ZM1J4UmxkRWExVldRbWhSU0doWlltdFFRV2xDWWpGWE1Hd3ZVM2xvUkV3NGFGSnBZbUZrT1VNM1pqaHFkM2R3T1dkU1lVdDVZV2xZWkROQlNEaHZVVDA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjI1NTdhZGNjYjFiZGYxNjA2NzExYjkwM2UxYmRiOGMwMmFhNjE2MzM4YzY0NjM2NTdiYmQwM2ViYjRmNzQyMTEifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1NjM0MjMyZmU2MTg4NWM0OTAyNGJmMWExMGJmZDNmYjljYzZhNmFjM2U5OTE1OGYxMjgzYmM0Yzk3MzEzYTAzIn19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vY2xpL2doYUB2MCIsImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2NsaUA5LjIuMCJ9LCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvdGFncy92MC40LjAiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifSwiZW50cnlQb2ludCI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7IkdJVEhVQl9BQ1RPUl9JRCI6IjM5ODAyNyIsIkdJVEhVQl9FVkVOVF9OQU1FIjoicmVsZWFzZSIsIkdJVEhVQl9KT0IiOiJwdWJsaXNoIiwiR0lUSFVCX1JFRiI6InJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfUkVGX1RZUEUiOiJ0YWciLCJHSVRIVUJfUkVQT1NJVE9SWSI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzIiwiR0lUSFVCX1JFUE9TSVRPUllfSUQiOiI0OTU1NzQ1NTUiLCJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUl9JRCI6IjcxMDk2MzUzIiwiR0lUSFVCX1JVTl9BVFRFTVBUIjoiMSIsIkdJVEhVQl9SVU5fSUQiOiIzODk1MTk3NzI1IiwiR0lUSFVCX1JVTl9OVU1CRVIiOiI3IiwiR0lUSFVCX1NIQSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMiLCJHSVRIVUJfV09SS0ZMT1ciOiJwdWJsaXNoIiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiOGEyZWUyZmQyMGRkYTU4ZmZhNGE4ZDgwOGE2NWNiMWUwNDcxMWMwMyIsIklNQUdFX09TIjoidWJ1bnR1MjIiLCJJTUFHRV9WRVJTSU9OIjoiMjAyMjEyMTIuMSIsIlJVTk5FUl9BUkNIIjoiWDY0IiwiUlVOTkVSX05BTUUiOiJIb3N0ZWQgQWdlbnQiLCJSVU5ORVJfT1MiOiJMaW51eCJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSWQiOiIzODk1MTk3NzI1LTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifX1dfX0=", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIBk8ec2/Gm2vSIaYnW5YublLxLctqFWDkUVBhQHhYbkPAiBb1W0l/SyhDL8hRibad9C7f8jwwp9gRaKyaiXd3AH8oQ0", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "10960848", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458314", + "inclusionPromise": { + "signedEntryTimestamp": "MEQCIEEIjIhzK2F4a9yt9peEarFYCBQETNkLAvHh4Q+suCbvAiAMOAoaKdW/+cU07wHSiG//gSJTeFDB30dl0dSx9dRG4g==" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlZRMGxSUXk4elpVdHVjRVpwY1dkMlZGbElORmxDUlhZMU5sQnlXa2NyV1ZGcE5VaGFXVlZMWVZCamFUVXlTRUZKWjFwMU16QkxjRk4zUWxWTGFWcENTemc0TjNOUlFVcEdRV1pyZUVKQmVXWklURUZNU2psR05sb3diREE5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjE0MzQ3ZjQxMjYwMTRiOTE3NDNkNjU5ZGNmY2ZkNmZiNjU4YTBmOWYzZDMxMGM1MDdmNWUzNWM3MGYwMGRjZGQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NWE5MDU3MmQ3ZjUwODYyZDE4ZjdkYzljYjRlNTY2N2M4ZTMwYjZiN2VlZDk1MDVhYzMxZmE5NzIxOGMwYjA1In19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoic2lnc3RvcmUiLCJ2ZXJzaW9uIjoiMC40LjAiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQC/3eKnpFiqgvTYH4YBEv56PrZG+YQi5HZYUKaPci52HAIgZu30KpSwBUKiZBK887sQAJFAfkxBAyfHLALJ9F6Z0l0=", + "keyid": "" + } + ] + } + } + } + ] +} diff --git a/test/fixtures/sigstore/unsupported-attestations.json b/test/fixtures/sigstore/unsupported-attestations.json new file mode 100644 index 00000000..f546df89 --- /dev/null +++ b/test/fixtures/sigstore/unsupported-attestations.json @@ -0,0 +1,98 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "MIIDnDCCAyKgAwIBAgIUEg2LbBC+v12QtPBt2jawiYrF33UwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMTExMTczMTUyWhcNMjMwMTExMTc0MTUyWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEscmo8xVdr+olWHVVpTlLdKdTwTDvNpINwLXi6W2OlPwTkMbJj0zCpO99heNH4ZxF1+NmO6NyjcbynKjf/GPUV6OCAkEwggI9MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdsZZ492PIgVwGjT/q8AwgHhDkj4wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZAYDVR0RAQH/BFowWIZWaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMwFQYKKwYBBAGDvzABBAQHcHVibGlzaDAiBgorBgEEAYO/MAEFBBRzaWdzdG9yZS9zaWdzdG9yZS1qczAeBgorBgEEAYO/MAEGBBByZWZzL3RhZ3MvdjAuNC4wMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGFoeNlfwAABAMARzBFAiBqYOxNKEMS4gXVBqU3Mr/w+yYXYtZDYa6daYOZJZB++wIhANat2b2mVTeHERPyhATU/Z8HOfC6iqY/IwiXnwWKsp9xMAoGCCqGSM49BAMDA2gAMGUCMQD5OzgtStQId/HNXGwVM1Ydjux8x2d4cr7tzWreGSbMUJhRuVlJliOdJKsu8ufHQfYCMC8M76uThWeCI2A5GndGj0TTaI1Cq92T8oXm5iHHFPxmvZtjXtnwCuGzLAKHILlmlg==" + }, + { + "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow=" + }, + { + "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "10960845", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458312", + "inclusionPromise": { + "signedEntryTimestamp": "MEYCIQDzgIQqH7VfIGmZ3wQ7WQ5wnGnhZrv6/3Q90rOK2vsWrgIhAJUvX2WQ/BDp4oti3LEdFzG8KpJIU7sMfSRehK8BRQ+r" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVJ1UkVORFFYbExaMEYzU1VKQlowbFZSV2N5VEdKQ1F5dDJNVEpSZEZCQ2RESnFZWGRwV1hKR016TlZkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxVVJYaE5WR042VFZSVmVWZG9ZMDVOYWsxM1RWUkZlRTFVWXpCTlZGVjVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWelkyMXZPSGhXWkhJcmIyeFhTRlpXY0ZSc1RHUkxaRlIzVkVSMlRuQkpUbmRNV0drS05sY3lUMnhRZDFSclRXSkthakI2UTNCUE9UbG9aVTVJTkZwNFJqRXJUbTFQTms1NWFtTmllVzVMYW1ZdlIxQlZWalpQUTBGclJYZG5aMGs1VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWa2MxcGFDalE1TWxCSloxWjNSMnBVTDNFNFFYZG5TR2hFYTJvMGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxcEJXVVJXVWpCU1FWRklMMEpHYjNkWFNWcFhZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wSXhXVzE0Y0dNeVozVmxWekZ6VVVoS2JGcHVUWFprUjBadUNtTjVPVEpOUXpRd1RHcEJkMDlSV1V0TGQxbENRa0ZIUkhaNlFVSkJVVkZ5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQUtaRWRvTVZsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkJWa0puYjNKQ1owVkZRVmxQTDAxQlJVTkNRV1I1V2xkNGJGbFlUbXhOUkZsSFEybHpSd3BCVVZGQ1p6YzRkMEZSVFVWTFJHaG9UVzFXYkUxdFdtdE5ha0pyV2tkRk1VOUhXbTFaVkZKb1QwZFJORTFFYUdoT2FsWnFXV3BHYkUxRVVUTk5WRVpxQ2sxRVRYZEdVVmxMUzNkWlFrSkJSMFIyZWtGQ1FrRlJTR05JVm1saVIyeDZZVVJCYVVKbmIzSkNaMFZGUVZsUEwwMUJSVVpDUWxKNllWZGtlbVJIT1hrS1dsTTVlbUZYWkhwa1J6bDVXbE14Y1dONlFXVkNaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk9RelIzVFVsSFN3cENaMjl5UW1kRlJVRmtXalZCWjFGRFFraDNSV1ZuUWpSQlNGbEJNMVF3ZDJGellraEZWRXBxUjFJMFkyMVhZek5CY1VwTFdISnFaVkJMTXk5b05IQjVDbWRET0hBM2J6UkJRVUZIUm05bFRteG1kMEZCUWtGTlFWSjZRa1pCYVVKeFdVOTRUa3RGVFZNMFoxaFdRbkZWTTAxeUwzY3JlVmxZV1hSYVJGbGhObVFLWVZsUFdrcGFRaXNyZDBsb1FVNWhkREppTW0xV1ZHVklSVkpRZVdoQlZGVXZXamhJVDJaRE5tbHhXUzlKZDJsWWJuZFhTM053T1hoTlFXOUhRME54UndwVFRUUTVRa0ZOUkVFeVowRk5SMVZEVFZGRU5VOTZaM1JUZEZGSlpDOUlUbGhIZDFaTk1WbGthblY0T0hneVpEUmpjamQwZWxkeVpVZFRZazFWU21oU0NuVldiRXBzYVU5a1NrdHpkVGgxWmtoUlpsbERUVU00VFRjMmRWUm9WMlZEU1RKQk5VZHVaRWRxTUZSVVlVa3hRM0U1TWxRNGIxaHROV2xJU0VaUWVHMEtkbHAwYWxoMGJuZERkVWQ2VEVGTFNFbE1iRzFzWnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlJRMGxDYXpobFl6SXZSMjB5ZGxOSllWbHVWelZaZFdKc1RIaE1ZM1J4UmxkRWExVldRbWhSU0doWlltdFFRV2xDWWpGWE1Hd3ZVM2xvUkV3NGFGSnBZbUZrT1VNM1pqaHFkM2R3T1dkU1lVdDVZV2xZWkROQlNEaHZVVDA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjI1NTdhZGNjYjFiZGYxNjA2NzExYjkwM2UxYmRiOGMwMmFhNjE2MzM4YzY0NjM2NTdiYmQwM2ViYjRmNzQyMTEifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1NjM0MjMyZmU2MTg4NWM0OTAyNGJmMWExMGJmZDNmYjljYzZhNmFjM2U5OTE1OGYxMjgzYmM0Yzk3MzEzYTAzIn19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vY2xpL2doYUB2MCIsImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2NsaUA5LjIuMCJ9LCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvdGFncy92MC40LjAiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifSwiZW50cnlQb2ludCI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7IkdJVEhVQl9BQ1RPUl9JRCI6IjM5ODAyNyIsIkdJVEhVQl9FVkVOVF9OQU1FIjoicmVsZWFzZSIsIkdJVEhVQl9KT0IiOiJwdWJsaXNoIiwiR0lUSFVCX1JFRiI6InJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfUkVGX1RZUEUiOiJ0YWciLCJHSVRIVUJfUkVQT1NJVE9SWSI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzIiwiR0lUSFVCX1JFUE9TSVRPUllfSUQiOiI0OTU1NzQ1NTUiLCJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUl9JRCI6IjcxMDk2MzUzIiwiR0lUSFVCX1JVTl9BVFRFTVBUIjoiMSIsIkdJVEhVQl9SVU5fSUQiOiIzODk1MTk3NzI1IiwiR0lUSFVCX1JVTl9OVU1CRVIiOiI3IiwiR0lUSFVCX1NIQSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMiLCJHSVRIVUJfV09SS0ZMT1ciOiJwdWJsaXNoIiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiOGEyZWUyZmQyMGRkYTU4ZmZhNGE4ZDgwOGE2NWNiMWUwNDcxMWMwMyIsIklNQUdFX09TIjoidWJ1bnR1MjIiLCJJTUFHRV9WRVJTSU9OIjoiMjAyMjEyMTIuMSIsIlJVTk5FUl9BUkNIIjoiWDY0IiwiUlVOTkVSX05BTUUiOiJIb3N0ZWQgQWdlbnQiLCJSVU5ORVJfT1MiOiJMaW51eCJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSWQiOiIzODk1MTk3NzI1LTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifX1dfX0=", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIBk8ec2/Gm2vSIaYnW5YublLxLctqFWDkUVBhQHhYbkPAiBb1W0l/SyhDL8hRibad9C7f8jwwp9gRaKyaiXd3AH8oQ==", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "10960848", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458314", + "inclusionPromise": { + "signedEntryTimestamp": "MEQCIEEIjIhzK2F4a9yt9peEarFYCBQETNkLAvHh4Q+suCbvAiAMOAoaKdW/+cU07wHSiG//gSJTeFDB30dl0dSx9dRG4g==" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlZRMGxSUXk4elpVdHVjRVpwY1dkMlZGbElORmxDUlhZMU5sQnlXa2NyV1ZGcE5VaGFXVlZMWVZCamFUVXlTRUZKWjFwMU16QkxjRk4zUWxWTGFWcENTemc0TjNOUlFVcEdRV1pyZUVKQmVXWklURUZNU2psR05sb3diREE5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjE0MzQ3ZjQxMjYwMTRiOTE3NDNkNjU5ZGNmY2ZkNmZiNjU4YTBmOWYzZDMxMGM1MDdmNWUzNWM3MGYwMGRjZGQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NWE5MDU3MmQ3ZjUwODYyZDE4ZjdkYzljYjRlNTY2N2M4ZTMwYjZiN2VlZDk1MDVhYzMxZmE5NzIxOGMwYjA1In19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoic2lnc3RvcmUiLCJ2ZXJzaW9uIjoiMC40LjAiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19", + "payloadType": "tlog-entry-mismatch", + "signatures": [ + { + "sig": "MEUCIQC/3eKnpFiqgvTYH4YBEv56PrZG+YQi5HZYUKaPci52HAIgZu30KpSwBUKiZBK887sQAJFAfkxBAyfHLALJ9F6Z0l0=", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/test/fixtures/sigstore/valid-attestations.json b/test/fixtures/sigstore/valid-attestations.json new file mode 100644 index 00000000..0c82f27b --- /dev/null +++ b/test/fixtures/sigstore/valid-attestations.json @@ -0,0 +1,98 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "MIIDnDCCAyKgAwIBAgIUEg2LbBC+v12QtPBt2jawiYrF33UwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMTExMTczMTUyWhcNMjMwMTExMTc0MTUyWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEscmo8xVdr+olWHVVpTlLdKdTwTDvNpINwLXi6W2OlPwTkMbJj0zCpO99heNH4ZxF1+NmO6NyjcbynKjf/GPUV6OCAkEwggI9MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdsZZ492PIgVwGjT/q8AwgHhDkj4wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZAYDVR0RAQH/BFowWIZWaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMwFQYKKwYBBAGDvzABBAQHcHVibGlzaDAiBgorBgEEAYO/MAEFBBRzaWdzdG9yZS9zaWdzdG9yZS1qczAeBgorBgEEAYO/MAEGBBByZWZzL3RhZ3MvdjAuNC4wMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGFoeNlfwAABAMARzBFAiBqYOxNKEMS4gXVBqU3Mr/w+yYXYtZDYa6daYOZJZB++wIhANat2b2mVTeHERPyhATU/Z8HOfC6iqY/IwiXnwWKsp9xMAoGCCqGSM49BAMDA2gAMGUCMQD5OzgtStQId/HNXGwVM1Ydjux8x2d4cr7tzWreGSbMUJhRuVlJliOdJKsu8ufHQfYCMC8M76uThWeCI2A5GndGj0TTaI1Cq92T8oXm5iHHFPxmvZtjXtnwCuGzLAKHILlmlg==" + }, + { + "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow=" + }, + { + "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "10960845", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458312", + "inclusionPromise": { + "signedEntryTimestamp": "MEYCIQDzgIQqH7VfIGmZ3wQ7WQ5wnGnhZrv6/3Q90rOK2vsWrgIhAJUvX2WQ/BDp4oti3LEdFzG8KpJIU7sMfSRehK8BRQ+r" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVJ1UkVORFFYbExaMEYzU1VKQlowbFZSV2N5VEdKQ1F5dDJNVEpSZEZCQ2RESnFZWGRwV1hKR016TlZkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxVVJYaE5WR042VFZSVmVWZG9ZMDVOYWsxM1RWUkZlRTFVWXpCTlZGVjVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWelkyMXZPSGhXWkhJcmIyeFhTRlpXY0ZSc1RHUkxaRlIzVkVSMlRuQkpUbmRNV0drS05sY3lUMnhRZDFSclRXSkthakI2UTNCUE9UbG9aVTVJTkZwNFJqRXJUbTFQTms1NWFtTmllVzVMYW1ZdlIxQlZWalpQUTBGclJYZG5aMGs1VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWa2MxcGFDalE1TWxCSloxWjNSMnBVTDNFNFFYZG5TR2hFYTJvMGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxcEJXVVJXVWpCU1FWRklMMEpHYjNkWFNWcFhZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wSXhXVzE0Y0dNeVozVmxWekZ6VVVoS2JGcHVUWFprUjBadUNtTjVPVEpOUXpRd1RHcEJkMDlSV1V0TGQxbENRa0ZIUkhaNlFVSkJVVkZ5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQUtaRWRvTVZsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkJWa0puYjNKQ1owVkZRVmxQTDAxQlJVTkNRV1I1V2xkNGJGbFlUbXhOUkZsSFEybHpSd3BCVVZGQ1p6YzRkMEZSVFVWTFJHaG9UVzFXYkUxdFdtdE5ha0pyV2tkRk1VOUhXbTFaVkZKb1QwZFJORTFFYUdoT2FsWnFXV3BHYkUxRVVUTk5WRVpxQ2sxRVRYZEdVVmxMUzNkWlFrSkJSMFIyZWtGQ1FrRlJTR05JVm1saVIyeDZZVVJCYVVKbmIzSkNaMFZGUVZsUEwwMUJSVVpDUWxKNllWZGtlbVJIT1hrS1dsTTVlbUZYWkhwa1J6bDVXbE14Y1dONlFXVkNaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk9RelIzVFVsSFN3cENaMjl5UW1kRlJVRmtXalZCWjFGRFFraDNSV1ZuUWpSQlNGbEJNMVF3ZDJGellraEZWRXBxUjFJMFkyMVhZek5CY1VwTFdISnFaVkJMTXk5b05IQjVDbWRET0hBM2J6UkJRVUZIUm05bFRteG1kMEZCUWtGTlFWSjZRa1pCYVVKeFdVOTRUa3RGVFZNMFoxaFdRbkZWTTAxeUwzY3JlVmxZV1hSYVJGbGhObVFLWVZsUFdrcGFRaXNyZDBsb1FVNWhkREppTW0xV1ZHVklSVkpRZVdoQlZGVXZXamhJVDJaRE5tbHhXUzlKZDJsWWJuZFhTM053T1hoTlFXOUhRME54UndwVFRUUTVRa0ZOUkVFeVowRk5SMVZEVFZGRU5VOTZaM1JUZEZGSlpDOUlUbGhIZDFaTk1WbGthblY0T0hneVpEUmpjamQwZWxkeVpVZFRZazFWU21oU0NuVldiRXBzYVU5a1NrdHpkVGgxWmtoUlpsbERUVU00VFRjMmRWUm9WMlZEU1RKQk5VZHVaRWRxTUZSVVlVa3hRM0U1TWxRNGIxaHROV2xJU0VaUWVHMEtkbHAwYWxoMGJuZERkVWQ2VEVGTFNFbE1iRzFzWnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyIsInNpZyI6IlRVVlJRMGxDYXpobFl6SXZSMjB5ZGxOSllWbHVWelZaZFdKc1RIaE1ZM1J4UmxkRWExVldRbWhSU0doWlltdFFRV2xDWWpGWE1Hd3ZVM2xvUkV3NGFGSnBZbUZrT1VNM1pqaHFkM2R3T1dkU1lVdDVZV2xZWkROQlNEaHZVVDA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjI1NTdhZGNjYjFiZGYxNjA2NzExYjkwM2UxYmRiOGMwMmFhNjE2MzM4YzY0NjM2NTdiYmQwM2ViYjRmNzQyMTEifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1NjM0MjMyZmU2MTg4NWM0OTAyNGJmMWExMGJmZDNmYjljYzZhNmFjM2U5OTE1OGYxMjgzYmM0Yzk3MzEzYTAzIn19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vY2xpL2doYUB2MCIsImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2NsaUA5LjIuMCJ9LCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvdGFncy92MC40LjAiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifSwiZW50cnlQb2ludCI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7IkdJVEhVQl9BQ1RPUl9JRCI6IjM5ODAyNyIsIkdJVEhVQl9FVkVOVF9OQU1FIjoicmVsZWFzZSIsIkdJVEhVQl9KT0IiOiJwdWJsaXNoIiwiR0lUSFVCX1JFRiI6InJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfUkVGX1RZUEUiOiJ0YWciLCJHSVRIVUJfUkVQT1NJVE9SWSI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzIiwiR0lUSFVCX1JFUE9TSVRPUllfSUQiOiI0OTU1NzQ1NTUiLCJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUl9JRCI6IjcxMDk2MzUzIiwiR0lUSFVCX1JVTl9BVFRFTVBUIjoiMSIsIkdJVEhVQl9SVU5fSUQiOiIzODk1MTk3NzI1IiwiR0lUSFVCX1JVTl9OVU1CRVIiOiI3IiwiR0lUSFVCX1NIQSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMiLCJHSVRIVUJfV09SS0ZMT1ciOiJwdWJsaXNoIiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6InNpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3B1Ymxpc2gueW1sQHJlZnMvdGFncy92MC40LjAiLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiOGEyZWUyZmQyMGRkYTU4ZmZhNGE4ZDgwOGE2NWNiMWUwNDcxMWMwMyIsIklNQUdFX09TIjoidWJ1bnR1MjIiLCJJTUFHRV9WRVJTSU9OIjoiMjAyMjEyMTIuMSIsIlJVTk5FUl9BUkNIIjoiWDY0IiwiUlVOTkVSX05BTUUiOiJIb3N0ZWQgQWdlbnQiLCJSVU5ORVJfT1MiOiJMaW51eCJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSWQiOiIzODk1MTk3NzI1LTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMiLCJkaWdlc3QiOnsic2hhMSI6IjhhMmVlMmZkMjBkZGE1OGZmYTRhOGQ4MDhhNjVjYjFlMDQ3MTFjMDMifX1dfX0=", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIBk8ec2/Gm2vSIaYnW5YublLxLctqFWDkUVBhQHhYbkPAiBb1W0l/SyhDL8hRibad9C7f8jwwp9gRaKyaiXd3AH8oQ==", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "10960848", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1673458314", + "inclusionPromise": { + "signedEntryTimestamp": "MEQCIEEIjIhzK2F4a9yt9peEarFYCBQETNkLAvHh4Q+suCbvAiAMOAoaKdW/+cU07wHSiG//gSJTeFDB30dl0dSx9dRG4g==" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlZRMGxSUXk4elpVdHVjRVpwY1dkMlZGbElORmxDUlhZMU5sQnlXa2NyV1ZGcE5VaGFXVlZMWVZCamFUVXlTRUZKWjFwMU16QkxjRk4zUWxWTGFWcENTemc0TjNOUlFVcEdRV1pyZUVKQmVXWklURUZNU2psR05sb3diREE5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjE0MzQ3ZjQxMjYwMTRiOTE3NDNkNjU5ZGNmY2ZkNmZiNjU4YTBmOWYzZDMxMGM1MDdmNWUzNWM3MGYwMGRjZGQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NWE5MDU3MmQ3ZjUwODYyZDE4ZjdkYzljYjRlNTY2N2M4ZTMwYjZiN2VlZDk1MDVhYzMxZmE5NzIxOGMwYjA1In19fX0=" + } + ], + "timestampVerificationData": { + "rfc3161Timestamps": [] + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDAuNC4wIiwiZGlnZXN0Ijp7InNoYTUxMiI6IjI4MmMwYzVmYTkzNmQyNjQzMjE2NDM1ODFiNjVkM2RlNWMwYWY2ZWQ0ZmRmYWMxMmY1ODUxMTE1ZGYzOWNjMjVjZmFmMGFkMjJkOTA4NDg3YmZlZjMwMTE0ZDYxYzI1NzQ2MjA2ZDE4MzRiZTRmOGZkMTY1OTE3OGY3N2NjMDA0In19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoic2lnc3RvcmUiLCJ2ZXJzaW9uIjoiMC40LjAiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQC/3eKnpFiqgvTYH4YBEv56PrZG+YQi5HZYUKaPci52HAIgZu30KpSwBUKiZBK887sQAJFAfkxBAyfHLALJ9F6Z0l0=", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/test/registry.js b/test/registry.js index e6236caf..65858f8c 100644 --- a/test/registry.js +++ b/test/registry.js @@ -1,5 +1,23 @@ -const RegistryFetcher = require('../lib/registry.js') const t = require('tap') +// Stub out sigstore verification for testing to avoid needing to refresh the tuf cache +const RegistryFetcher = require('../lib/registry.js') +const MockedRegistryFetcher = t.mock('../lib/registry.js', { + sigstore: { + sigstore: { + verify: async (bundle, data, options) => { + options.keySelector && options.keySelector() + if (bundle.dsseEnvelope.payloadType === 'tlog-entry-mismatch') { + throw new Error('bundle content and tlog entry do not match') + } + if (bundle.dsseEnvelope.signatures[0].sig === 'invalid-signature') { + throw new Error('artifact signature verification failed') + } + }, + }, + }, +}) +const path = require('path') +const fs = require('fs') const mr = require('npm-registry-mock') const tnock = require('./fixtures/tnock') const port = 18000 + (+process.env.TAP_CHILD_ID || 0) @@ -285,6 +303,817 @@ t.test('verifySignatures no registry keys at all', async t => { ) }) +t.test('verifyAttestations valid attestations', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + const mani = await f.manifest() + t.ok(mani._attestations) + t.ok(mani._integrity) +}) + +t.test('verifyAttestations when registry returns no attestations', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(404) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + }) + + return t.rejects( + f.manifest(), + /404 Not Found - GET https:\/\/registry.npmjs.org\/-\/npm\/v1\/attestations\/sigstore@0\.4\.0/, + { + code: 'E404', + } + ) +}) + +t.test('verifyAttestations when package has no attestations', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + }, + }, + }, + }) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + }) + + const mani = await f.manifest() + t.ok(mani._integrity) +}) + +t.test('disable verifyAttestations when package has attestations', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: false, + }) + + const mani = await f.manifest() + t.ok(mani._attestations) + t.ok(mani._integrity) +}) + +t.test('verifyAttestations invalid signature', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/invalid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + /sigstore@0\.4\.0 failed to verify attestation: artifact signature verification failed/, + { + code: 'EATTESTATIONVERIFY', + } + ) +}) + +t.test('verifyAttestations errors when tuf update fails', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://sigstore-tuf-root.storage.googleapis.com') + .get(/./) // match any path + .reply(404) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new RegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + /sigstore@0.4.0 failed to verify attestation: error refreshing trust metadata/, + { + code: 'EATTESTATIONVERIFY', + } + ) +}) + +t.test('verifyAttestations publish attestation for unknown public key', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:JXkT/aBM9baLZ7dpjJLQhJrj3Ru5s/OSXoZzZsPUyhg', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEztMhKw7mGA6DV6Cc510h10d/KFISm3fIue5AoZiKjh+noDv0bxxzr780F/tkqqw80+hSnJXKj7DuUyRD0IZH3A==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEztMhKw7mGA6DV6Cc510h10d/KFISm3fIue5AoZiKjh+noDv0bxxzr780F/tkqqw80+hSnJXKj7DuUyRD0IZH3A==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 has attestations but no corresponding public key\(s\) can be found/, + { + code: 'EMISSINGSIGNATUREKEY', + } + ) +}) + +t.test('verifyAttestations no attestation with keyid', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/no-keyid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 has attestations but no corresponding public key\(s\) can be found/, + { + code: 'EMISSINGSIGNATUREKEY', + } + ) +}) + +t.test('verifyAttestations valid attestations', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/mismatched-keyid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 has attestations with keyid: JXkT\/aBM9baLZ7dpjJLQhJrj3Ru5s\/OSXoZzZsPUyhg but no corresponding public key can be found/, + { + code: 'EMISSINGSIGNATUREKEY', + } + ) +}) + +t.test('verifyAttestations no matching registry keys', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:JXkT/aBM9baLZ7dpjJLQhJrj3Ru5s/OSXoZzZsPUyhg', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEztMhKw7mGA6DV6Cc510h10d/KFISm3fIue5AoZiKjh+noDv0bxxzr780F/tkqqw80+hSnJXKj7DuUyRD0IZH3A==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEztMhKw7mGA6DV6Cc510h10d/KFISm3fIue5AoZiKjh+noDv0bxxzr780F/tkqqw80+hSnJXKj7DuUyRD0IZH3A==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 has attestations but no corresponding public key\(s\) can be found/, + { + code: 'EMISSINGSIGNATUREKEY', + } + ) +}) + +t.test('verifyAttestations no valid key', async t => { + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: '2010-01-01T00:00:00.000Z', + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 has attestations with keyid: SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA but the corresponding public key has expired 2010-01-01T00:00:00\.000Z/, + { + code: 'EEXPIREDSIGNATUREKEY', + } + ) +}) + +t.test('verifyAttestations no registry keys at all', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 has attestations but no corresponding public key\(s\) can be found/, + { + code: 'EMISSINGSIGNATUREKEY', + } + ) +}) + +t.test('verifyAttestations fetching without version', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/valid-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 package name and version \(PURL\): sigstore@\* doesn't match what was signed: pkg:npm\/sigstore@0\.4\.0/, + { + code: 'EMISSINGSIGNATUREKEY', + } + ) +}) + +t.test('verifyAttestations mismatched subject name', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/mismatched-subject-name-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 package name and version \(PURL\): pkg:npm\/sigstore@0\.4\.0 doesn't match what was signed: pkg:npm\/sigstore@1\.4\.0/, + { + code: 'EATTESTATIONSUBJECT', + } + ) +}) + +t.test('verifyAttestations mismatched subject sha512 digest', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/mismatched-subject-digest-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 package integrity \(hex digest\): 282c0c5fa936d264321643581b65d3de5c0af6ed4fdfac12f5851115df39cc25cfaf0ad22d908487bfef30114d61c25746206d1834be4f8fd1659178f77cc004 doesn't match what was signed: 123c0c5fa936d264321643581b65d3de5c0af6ed4fdfac12f5851115df39cc25cfaf0ad22d908487bfef30114d61c25746206d1834be4f8fd1659178f77cc004/, + { + code: 'EATTESTATIONSUBJECT', + } + ) +}) + +t.test('verifyAttestations bundle payload that does not match the tlog entry', async t => { + tnock(t, 'https://registry.npmjs.org') + .get('/sigstore') + .reply(200, { + _id: 'sigstore', + _rev: 'deadbeef', + name: 'sigstore', + 'dist-tags': { latest: '0.4.0' }, + versions: { + '0.4.0': { + name: 'sigstore', + version: '0.4.0', + dist: { + // eslint-disable-next-line max-len + integrity: 'sha512-KCwMX6k20mQyFkNYG2XT3lwK9u1P36wS9YURFd85zCXPrwrSLZCEh7/vMBFNYcJXRiBtGDS+T4/RZZF493zABA==', + // eslint-disable-next-line max-len + attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0', provenance: { predicateType: 'https://slsa.dev/provenance/v0.2' } }, + }, + }, + }, + }) + + const fixture = fs.readFileSync( + path.join(__dirname, 'fixtures', 'sigstore/unsupported-attestations.json'), + 'utf8' + ) + + tnock(t, 'https://registry.npmjs.org') + .get('/-/npm/v1/attestations/sigstore@0.4.0') + .reply(200, JSON.parse(fixture)) + + const f = new MockedRegistryFetcher('sigstore@0.4.0', { + registry: 'https://registry.npmjs.org', + cache, + verifyAttestations: true, + [`//registry.npmjs.org/:_keys`]: [{ + expires: null, + keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA', + keytype: 'ecdsa-sha2-nistp256', + scheme: 'ecdsa-sha2-nistp256', + // eslint-disable-next-line max-len + key: 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==', + // eslint-disable-next-line max-len + pemkey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==\n-----END PUBLIC KEY-----', + }], + }) + + return t.rejects( + f.manifest(), + // eslint-disable-next-line max-len + /sigstore@0\.4\.0 failed to verify attestation: bundle content and tlog entry do not match/, + { + code: 'EATTESTATIONVERIFY', + } + ) +}) + t.test('404 fails with E404', t => { const f = new RegistryFetcher('thing-is-not-here', { registry, cache }) return t.rejects(f.resolve(), { code: 'E404' }).then(() => @@ -414,7 +1243,6 @@ t.test('packument that falls back to fullMetadata', t => { t.test('option replaceRegistryHost', rhTest => { const { join, resolve } = require('path') - const fs = require('fs') const abbrev = resolve(__dirname, 'fixtures/abbrev-1.1.1.tgz') const abbrevTGZ = fs.readFileSync(abbrev)