
"use strict";
// TypeScript interop helper: wraps a CommonJS module so that `.default`
// resolves to the module itself, while transpiled ES modules (marked with
// `__esModule`) are returned unchanged. Reuses a helper already present on
// `this` (shared tslib) when one exists.
var __importDefault = (this && this.__importDefault) || function (mod) {
  if (mod && mod.__esModule) {
    return mod;
  }
  return { "default": mod };
};
// CommonJS marker emitted by the TypeScript compiler: consumers using the
// `__importDefault` interop see this module as a transpiled ES module.
Object.defineProperty(exports, "__esModule", { value: true });
// Pre-declare the public exports; the real values are assigned further down
// once the functions have been defined.
exports.attest = undefined;
exports.attestProvenance = undefined;
const bundle_1 = require("@sigstore/bundle");
const provenance_1 = require("./provenance");
const sign_1 = require("./sign");
const store_1 = require("./store");
const assert_1 = __importDefault(require("assert"));
const crypto_1 = require("crypto");
/** DSSE payload type used when the in-toto statement is handed to the signer. */
const INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json";
/** `_type` value placed on every statement this module builds (in-toto Statement v1). */
const INTOTO_STATEMENT_V1_TYPE = "https://in-toto.io/Statement/v1";
/**
 * Builds an in-toto v1 Statement for a single subject, signs it and — unless
 * `options.skipWrite` is strictly `true` — stores the resulting bundle.
 *
 * @param {object} options - also forwarded unchanged to signPayload
 * @param {string} options.subjectName - name of the artifact being attested
 * @param {object} options.subjectDigest - digest of the artifact; presumably an
 *   algorithm → hex map as required by the in-toto Statement spec — confirm
 *   with callers, nothing here validates it
 * @param {string} options.predicateType - predicate type URI
 * @param {object} options.predicate - predicate body, embedded verbatim
 * @param {*} options.token - handed to writeAttestation
 * @param {boolean} [options.skipWrite] - only a strict `true` skips the write
 * @returns {Promise<object>} record built by toAttestation; `attestationID`
 *   is `undefined` when the write was skipped
 */
async function attest(options) {
  const { subjectName, subjectDigest, predicateType, predicate } = options;
  const statement = {
    _type: INTOTO_STATEMENT_V1_TYPE,
    subject: [{ name: subjectName, digest: subjectDigest }],
    predicateType,
    predicate,
  };
  // The statement is serialized exactly once here; these bytes are what gets
  // signed, so subject and predicate must be final before this point.
  const payload = {
    body: Buffer.from(JSON.stringify(statement)),
    type: INTOTO_PAYLOAD_TYPE,
  };
  const bundle = await (0, sign_1.signPayload)(payload, options);
  // Persist unless explicitly disabled; any value other than `true` writes.
  const attestationID = options.skipWrite === true
    ? undefined
    : await (0, store_1.writeAttestation)((0, bundle_1.bundleToJSON)(bundle), options.token);
  return toAttestation(bundle, attestationID);
}
exports.attest = attest;
/**
 * Convenience wrapper around attest(): derives the provenance predicate from
 * the current process environment and signs it with the supplied options.
 *
 * @param {object} options - same options as attest(); any `predicateType` /
 *   `predicate` present are overridden by the generated predicate
 * @returns {Promise<object>} the attestation record produced by attest()
 */
async function attestProvenance(options) {
  // NOTE(review): the entire environment is handed to the generator; which
  // variables end up inside the signed predicate is decided in ./provenance —
  // worth confirming that nothing sensitive is copied through.
  const { type, params } = (0, provenance_1.generateProvenancePredicate)(process.env);
  const provenanceOptions = {
    ...options,
    predicateType: type,
    predicate: params,
  };
  return attest(provenanceOptions);
}
exports.attestProvenance = attestProvenance;
/**
 * Shapes a signed Sigstore bundle (plus the optional store-assigned ID) into
 * the record returned to callers.
 *
 * @param {object} bundle - bundle returned by signPayload
 * @param {string|undefined} attestationID - ID from the store, or `undefined`
 *   when the write was skipped
 * @returns {{bundle: object, certificate: string, tlogID: (string|undefined), attestationID: (string|undefined)}}
 *   `certificate` is the signing certificate as rendered by
 *   X509Certificate#toString (PEM)
 * @throws {AssertionError} if the bundle's verification material is not an
 *   x509 certificate chain (e.g. a bare public key) — there would be no
 *   certificate to surface
 */
function toAttestation(bundle, attestationID) {
  const { content, tlogEntries } = bundle.verificationMaterial;
  (0, assert_1.default)(content.$case === 'x509CertificateChain', 'Bundle must contain an x509 certificate chain');
  // First entry of the chain is taken as the signing (leaf) certificate —
  // presumably guaranteed by the bundle producer; confirm against signPayload.
  const [leaf] = content.x509CertificateChain.certificates;
  const signingCert = new crypto_1.X509Certificate(leaf.rawBytes);
  // A transparency-log index is only available when the bundle was logged;
  // only the first entry is surfaced.
  let tlogID;
  if (tlogEntries.length > 0) {
    tlogID = tlogEntries[0].logIndex;
  }
  return {
    bundle: (0, bundle_1.bundleToJSON)(bundle),
    certificate: signingCert.toString(),
    tlogID,
    attestationID,
  };
}