fixup! Get NPM signing keys from @sigstore/tuf

geigerzaehler · geigerzaehler · commit db1001110c05 · 2025-02-17T11:27:02.000+01:00
diff --git a/.yarn/patches/tuf-js-npm-3.0.1-9135d15fbd.patch b/.yarn/patches/tuf-js-npm-3.0.1-9135d15fbd.patch
@@ -19,7 +19,7 @@ index f966ce1bb0cdc6c785ce1263f1faea15d3fe764c..3b50fa0c24fd5f6e9e29cf398a3d3bf1
 -            timeout: this.timeout,
 -            retry: this.retry,
 +        const response = await globalThis.fetch(url, {
-+            timeout: this.timeout && AbortSignal.timeout(this.timeout)
++            signal: this.timeout && AbortSignal.timeout(this.timeout)
          });
          if (!response.ok || !response?.body) {
              throw new error_1.DownloadHTTPError('Failed to download', response.status);
diff --git a/sources/npmRegistryUtils.ts b/sources/npmRegistryUtils.ts
@@ -39,7 +39,8 @@ export async function fetchAsJson(packageName: string, version?: string) {
 
 interface KeyInfo {
   keyid: string;
-  key: crypto.KeyObject;
+  // base64 encoded DER SPKI
+  keyData: string;
 }
 
 async function fetchSigstoreTufKeys(): Promise<Array<KeyInfo> | null> {
@@ -68,7 +69,7 @@ async function fetchSigstoreTufKeys(): Promise<Array<KeyInfo> | null> {
     }
   }).map(k => ({
     keyid: k.keyId,
-    key: crypto.createPublicKey({key: Buffer.from(k.publicKey.rawBytes, `base64`), format: `der`, type: `spki`}),
+    keyData: k.publicKey.rawBytes,
   }));
 }
 
@@ -83,8 +84,7 @@ async function getVerificationKeys(): Promise<Array<KeyInfo>> {
     debugUtils.log(`Using COREPACK_INTEGRITY_KEYS to verify signatures: ${keys.map(k => k.keyid).join(`, `)}`);
     return keys.map(k => ({
       keyid: k.keyid,
-      key: crypto.createPublicKey(`-----BEGIN PUBLIC KEY-----\n${k.key}\n-----END PUBLIC KEY-----`,
-      ),
+      keyData: k.key,
     }));
   }
 
@@ -98,12 +98,11 @@ async function getVerificationKeys(): Promise<Array<KeyInfo>> {
   debugUtils.log(`Falling back to built-in npm verification keys`);
   return defaultConfig.keys.npm.map(k => ({
     keyid: k.keyid,
-    key: crypto.createPublicKey(`-----BEGIN PUBLIC KEY-----\n${k.key}\n-----END PUBLIC KEY-----`,
-    ),
+    keyData: k.key,
   }));
 }
 
-let verificationKeysCache: Promise<Array<{ keyid: string, key: crypto.KeyObject }>> | null = null;
+let verificationKeysCache: Promise<Array<KeyInfo>> | null = null;
 
 export async function verifySignature({signatures, integrity, packageName, version}: {
   signatures: Array<{keyid: string, sig: string}>;
@@ -115,21 +114,22 @@ export async function verifySignature({signatures, integrity, packageName, versi
     verificationKeysCache = getVerificationKeys();
 
   const keys = await verificationKeysCache;
-  const key = keys.find(({keyid}) => signatures.some(s => s.keyid === keyid));
-  if (key == null)
+  const keyInfo = keys.find(({keyid}) => signatures.some(s => s.keyid === keyid));
+  if (keyInfo == null)
     throw new Error(`Cannot find key to verify signature. signature keys: ${signatures.map(s => s.keyid)}, verification keys: ${keys.map(k => k.keyid)}`);
 
-  const signature = signatures.find(({keyid}) => keyid === key.keyid);
+  const signature = signatures.find(({keyid}) => keyid === keyInfo.keyid);
   assert(signature);
 
   const verifier = crypto.createVerify(`SHA256`);
   const payload = `${packageName}@${version}:${integrity}`;
   verifier.end(payload);
+  const key = crypto.createPublicKey({key: Buffer.from(keyInfo.keyData, `base64`), format: `der`, type: `spki`});
   const valid = verifier.verify(key, signature.sig, `base64`);
 
   if (!valid) {
     throw new Error(
-      `Signature verification failed for ${payload} with key ${key.keyid}\n` +
+      `Signature verification failed for ${payload} with key ${keyInfo.keyid}\n` +
       `If you are using a custom registry you can set COREPACK_INTEGRITY_KEYS.`,
     );
   }
diff --git a/yarn.lock b/yarn.lock
@@ -4703,12 +4703,12 @@ __metadata:
 
 "tuf-js@patch:tuf-js@npm%3A3.0.1#~/.yarn/patches/tuf-js-npm-3.0.1-9135d15fbd.patch":
   version: 3.0.1
-  resolution: "tuf-js@patch:tuf-js@npm%3A3.0.1#~/.yarn/patches/tuf-js-npm-3.0.1-9135d15fbd.patch::version=3.0.1&hash=a7966e"
+  resolution: "tuf-js@patch:tuf-js@npm%3A3.0.1#~/.yarn/patches/tuf-js-npm-3.0.1-9135d15fbd.patch::version=3.0.1&hash=05f694"
   dependencies:
     "@tufjs/models": "npm:3.0.1"
     debug: "npm:^4.3.6"
     make-fetch-happen: "npm:^14.0.1"
-  checksum: 10c0/d7374bf8db935947bd50e9436e4c8b3a7244fb70c876821d91bffe9f3d0e6448fab4ddccc93867f68cfe892d776fac7c988c0bbbfe9ac052b2f83482f55ea50e
+  checksum: 10c0/8f50e885865555112d5ffc5fe7803c9270a611462300b53fd0b528914eb6b9f849b7a4782c07f356f4f0aeb6b752cbb3f7e1c5f2b068bfb574fca3990d1675d5
   languageName: node
   linkType: hard
 
