npm · wraithgar · Jan 21, 2026 · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026
@@ -258,7 +258,6 @@ graph LR;
   bin-links-->proc-log;
   bin-links-->read-cmd-shim;
   bin-links-->write-file-atomic;
-  brace-expansion-->balanced-match;
   cacache-->fs-minipass;
   cacache-->glob;
   cacache-->lru-cache;
@@ -398,7 +397,6 @@ graph LR;
   make-fetch-happen-->proc-log;
   make-fetch-happen-->promise-retry;
   make-fetch-happen-->ssri;
-  minimatch-->brace-expansion;
   minimatch-->isaacs-brace-expansion["@isaacs/brace-expansion"];
   minipass-->yallist;
   minipass-collect-->minipass;

@@ -26,7 +26,7 @@
     "@npmcli/template-oss": "4.25.1",
     "front-matter": "^4.0.2",
     "ignore-walk": "^8.0.0",
-    "jsdom": "^27.0.0",
+    "jsdom": "27.0.0",
     "rehype-stringify": "^10.0.1",
     "remark-gfm": "^4.0.1",
     "remark-man": "^9.0.0",

@@ -30,27 +30,19 @@
 !/@sigstore/core
 !/@sigstore/protobuf-specs
 !/@sigstore/sign
-!/@sigstore/sign/node_modules/
-/@sigstore/sign/node_modules/*
-!/@sigstore/sign/node_modules/proc-log
 !/@sigstore/tuf
 !/@sigstore/verify
 !/@tufjs/
 /@tufjs/*
 !/@tufjs/canonical-json
 !/@tufjs/models
-!/@tufjs/models/node_modules/
-/@tufjs/models/node_modules/*
-!/@tufjs/models/node_modules/minimatch
 !/abbrev
 !/agent-base
 !/ansi-regex
 !/aproba
 !/archy
-!/balanced-match
 !/bin-links
 !/binary-extensions
-!/brace-expansion
 !/cacache
 !/chalk
 !/chownr

@@ -22,6 +22,9 @@ const length_1 = require("./length");
 const parse_1 = require("./parse");
 const tag_1 = require("./tag");
 class ASN1Obj {
+    tag;
+    subs;
+    value;
     constructor(tag, value, subs) {
         this.tag = tag;
         this.value = value;

@@ -37,6 +37,9 @@ const TAG_CLASS = {
 };
 // https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-encoded-tag-bytes
 class ASN1Tag {
+    number;
+    constructed;
+    class;
     constructor(enc) {
         // Bits 0 through 4 are the tag number
         this.number = enc & 0x1f;

@@ -1,12 +1,18 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SHA2_HASH_ALGOS = exports.ECDSA_SIGNATURE_ALGOS = void 0;
+exports.SHA2_HASH_ALGOS = exports.RSA_SIGNATURE_ALGOS = exports.ECDSA_SIGNATURE_ALGOS = void 0;
 exports.ECDSA_SIGNATURE_ALGOS = {
     '1.2.840.10045.4.3.1': 'sha224',
     '1.2.840.10045.4.3.2': 'sha256',
     '1.2.840.10045.4.3.3': 'sha384',
     '1.2.840.10045.4.3.4': 'sha512',
 };
+exports.RSA_SIGNATURE_ALGOS = {
+    '1.2.840.113549.1.1.14': 'sha224',
+    '1.2.840.113549.1.1.11': 'sha256',
+    '1.2.840.113549.1.1.12': 'sha384',
+    '1.2.840.113549.1.1.13': 'sha512',
+};
 exports.SHA2_HASH_ALGOS = {
     '2.16.840.1.101.3.4.2.1': 'sha256',
     '2.16.840.1.101.3.4.2.2': 'sha384',

@@ -58,6 +58,7 @@ const OID_PKCS9_CONTENT_TYPE_SIGNED_DATA = '1.2.840.113549.1.7.2';
 const OID_PKCS9_CONTENT_TYPE_TSTINFO = '1.2.840.113549.1.9.16.1.4';
 const OID_PKCS9_MESSAGE_DIGEST_KEY = '1.2.840.113549.1.9.4';
 class RFC3161Timestamp {
+    root;
     constructor(asn1) {
         this.root = asn1;
     }

@@ -38,6 +38,7 @@ const crypto = __importStar(require("../crypto"));
 const oid_1 = require("../oid");
 const error_1 = require("./error");
 class TSTInfo {
+    root;
     constructor(asn1) {
         this.root = asn1;
     }

@@ -19,14 +19,17 @@ limitations under the License.
 class StreamError extends Error {
 }
 class ByteStream {
+    static BLOCK_SIZE = 1024;
+    buf;
+    view;
+    start = 0;
     constructor(buffer) {
-        this.start = 0;
         if (buffer) {
             this.buf = buffer;
             this.view = Buffer.from(buffer);
         }
         else {
-            this.buf = new ArrayBuffer(0);
+            this.buf = Buffer.alloc(0);
             this.view = Buffer.from(this.buf);
         }
     }
@@ -103,7 +106,7 @@ class ByteStream {
         }
     }
     realloc(size) {
-        const newArray = new ArrayBuffer(size);
+        const newArray = Buffer.alloc(size);
         const newView = Buffer.from(newArray);
         // Copy the old buffer into the new one
         newView.set(this.view);
@@ -112,4 +115,3 @@ class ByteStream {
     }
 }
 exports.ByteStream = ByteStream;
-ByteStream.BLOCK_SIZE = 1024;
@@ -61,6 +61,7 @@ const EXTENSION_OID_BASIC_CONSTRAINTS = '2.5.29.19';
 const EXTENSION_OID_AUTHORITY_KEY_ID = '2.5.29.35';
 exports.EXTENSION_OID_SCT = '1.3.6.1.4.1.11129.2.4.2';
 class X509Certificate {
+    root;
     constructor(asn1) {
         this.root = asn1;
     }
@@ -99,6 +100,9 @@ class X509Certificate {
     }
     get signatureAlgorithm() {
         const oid = this.signatureAlgorithmObj.subs[0].toOID();
+        if (oid_1.RSA_SIGNATURE_ALGOS[oid]) {
+            return oid_1.RSA_SIGNATURE_ALGOS[oid];
+        }
         return oid_1.ECDSA_SIGNATURE_ALGOS[oid];
     }
     get signatureValue() {

@@ -5,6 +5,7 @@ const stream_1 = require("../stream");
 const sct_1 = require("./sct");
 // https://www.rfc-editor.org/rfc/rfc5280#section-4.1
 class X509Extension {
+    root;
     constructor(asn1) {
         this.root = asn1;
     }

@@ -52,6 +52,13 @@ limitations under the License.
 const crypto = __importStar(require("../crypto"));
 const stream_1 = require("../stream");
 class SignedCertificateTimestamp {
+    version;
+    logID;
+    timestamp;
+    extensions;
+    hashAlgorithm;
+    signatureAlgorithm;
+    signature;
     constructor(options) {
         this.version = options.version;
         this.logID = options.logID;

@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/core",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "description": "Base library for Sigstore",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

@@ -6,6 +6,8 @@ exports.BaseBundleBuilder = void 0;
 // Subclasses must implement the `package` method to assemble a valid bundle
 // with the generated signature and verification material.
 class BaseBundleBuilder {
+    signer;
+    witnesses;
     constructor(options) {
         this.signer = options.signer;
         this.witnesses = options.witnesses;

@@ -21,6 +21,7 @@ const base_1 = require("./base");
 const bundle_1 = require("./bundle");
 // BundleBuilder implementation for DSSE wrapped attestations
 class DSSEBundleBuilder extends base_1.BaseBundleBuilder {
+    certificateChain;
     constructor(options) {
         super(options);
         this.certificateChain = options.certificateChain ?? false;

@@ -0,0 +1,143 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bundleBuilderFromSigningConfig = bundleBuilderFromSigningConfig;
+/*
+Copyright 2025 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const protobuf_specs_1 = require("@sigstore/protobuf-specs");
+const dsse_1 = require("./bundler/dsse");
+const message_1 = require("./bundler/message");
+const signer_1 = require("./signer");
+const witness_1 = require("./witness");
+const MAX_CA_API_VERSION = 1;
+const MAX_TLOG_API_VERSION = 2;
+const MAX_TSA_API_VERSION = 1;
+const DEFAULT_TIMEOUT = 5000;
+const DEFAULT_REKORV2_TIMEOUT = 20000;
+const DEFAULT_RETRY = { retries: 2 };
+// Creates a BundleBuilder based on the provided SigningConfig
+function bundleBuilderFromSigningConfig(options) {
+    const { signingConfig, identityProvider, bundleType } = options;
+    const fetchOptions = options.fetchOptions || {
+        timeout: DEFAULT_TIMEOUT,
+        retry: DEFAULT_RETRY,
+    };
+    const signer = fulcioSignerFromConfig(signingConfig, identityProvider, fetchOptions);
+    const witnesses = witnessesFromConfig(signingConfig, fetchOptions);
+    switch (bundleType) {
+        case 'messageSignature':
+            return new message_1.MessageSignatureBundleBuilder({ signer, witnesses });
+        case 'dsseEnvelope':
+            return new dsse_1.DSSEBundleBuilder({ signer, witnesses });
+    }
+}
+function fulcioSignerFromConfig(signingConfig, identityProvider, fetchOptions) {
+    const service = certAuthorityService(signingConfig);
+    return new signer_1.FulcioSigner({
+        fulcioBaseURL: service.url,
+        identityProvider: identityProvider,
+        timeout: fetchOptions.timeout,
+        retry: fetchOptions.retry,
+    });
+}
+function witnessesFromConfig(signingConfig, fetchOptions) {
+    const witnesses = [];
+    if (signingConfig.rekorTlogConfig) {
+        if (signingConfig.rekorTlogConfig.selector !== protobuf_specs_1.ServiceSelector.ANY) {
+            throw new Error('Unsupported Rekor TLog selector in signing configuration');
+        }
+        const tlog = tlogService(signingConfig);
+        witnesses.push(new witness_1.RekorWitness({
+            rekorBaseURL: tlog.url,
+            majorApiVersion: tlog.majorApiVersion,
+            retry: fetchOptions.retry,
+            timeout: 
+            // Ensure Rekor V2 has at least a 20 second timeout
+            tlog.majorApiVersion === 1
+                ? fetchOptions.timeout
+                : Math.min(fetchOptions.timeout ||
+                    /* istanbul ignore next */ DEFAULT_TIMEOUT, DEFAULT_REKORV2_TIMEOUT),
+        }));
+    }
+    if (signingConfig.tsaConfig) {
+        if (signingConfig.tsaConfig.selector !== protobuf_specs_1.ServiceSelector.ANY) {
+            throw new Error('Unsupported TSA selector in signing configuration');
+        }
+        const tsa = tsaService(signingConfig);
+        witnesses.push(new witness_1.TSAWitness({
+            tsaBaseURL: tsa.url,
+            retry: fetchOptions.retry,
+            timeout: fetchOptions.timeout,
+        }));
+    }
+    return witnesses;
+}
+// Returns the first valid CA service from the signing configuration
+function certAuthorityService(signingConfig) {
+    const compatibleCAs = filterServicesByMaxAPIVersion(signingConfig.caUrls, MAX_CA_API_VERSION);
+    const sortedCAs = sortServicesByStartDate(compatibleCAs);
+    if (sortedCAs.length === 0) {
+        throw new Error('No valid CA services found in signing configuration');
+    }
+    return sortedCAs[0];
+}
+// Returns the first valid TLog service from the signing configuration
+function tlogService(signingConfig) {
+    const compatibleTLogs = filterServicesByMaxAPIVersion(signingConfig.rekorTlogUrls, MAX_TLOG_API_VERSION);
+    const sortedTLogs = sortServicesByStartDate(compatibleTLogs);
+    if (sortedTLogs.length === 0) {
+        throw new Error('No valid TLogs found in signing configuration');
+    }
+    return sortedTLogs[0];
+}
+// Returns the first valid TSA service from the signing configuration
+function tsaService(signingConfig) {
+    const compatibleTSAs = filterServicesByMaxAPIVersion(signingConfig.tsaUrls, MAX_TSA_API_VERSION);
+    const sortedTSAs = sortServicesByStartDate(compatibleTSAs);
+    if (sortedTSAs.length === 0) {
+        throw new Error('No valid TSAs found in signing configuration');
+    }
+    return sortedTSAs[0];
+}
+// Returns the services sorted by start date (most recent first), filtering out
+// any services that have an end date in the past
+function sortServicesByStartDate(services) {
+    const now = new Date();
+    // Filter out any services that have an end date in the past
+    const validServices = services.filter((service) => {
+        // If there's no end date, the service is still valid
+        if (!service.validFor?.end) {
+            return true;
+        }
+        // Keep services whose end date is in the future or present
+        return service.validFor.end >= now;
+    });
+    return validServices.sort((a, b) => {
+        /* istanbul ignore next */
+        const aStart = a.validFor?.start?.getTime() ?? 0;
+        /* istanbul ignore next */
+        const bStart = b.validFor?.start?.getTime() ?? 0;
+        // Sort descending (most recent first)
+        return bStart - aStart;
+    });
+}
+// Returns a filtered list of services whose major API version is less than or
+// equal to the specified version
+function filterServicesByMaxAPIVersion(services, apiVersion) {
+    // Filter out any services with a major API version greater than the specified version
+    return services.filter((service) => {
+        return service.majorApiVersion <= apiVersion;
+    });
+}
@@ -19,6 +19,8 @@ exports.InternalError = void 0;
 exports.internalError = internalError;
 const error_1 = require("./external/error");
 class InternalError extends Error {
+    code;
+    cause;
     constructor({ code, message, cause, }) {
         super(message);
         this.name = this.constructor.name;

@@ -17,6 +17,8 @@ limitations under the License.
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.HTTPError = void 0;
 class HTTPError extends Error {
+    statusCode;
+    location;
     constructor({ status, message, location, }) {
         super(`(${status}) ${message}`);
         this.statusCode = status;

@@ -21,6 +21,7 @@ const fetch_1 = require("./fetch");
  * Fulcio API client.
  */
 class Fulcio {
+    options;
     constructor(options) {
         this.options = options;
     }