diff --git a/mock-registry/lib/provenance.js b/mock-registry/lib/provenance.js
index d978aa61cb2c0..371bd56dcc930 100644
--- a/mock-registry/lib/provenance.js
+++ b/mock-registry/lib/provenance.js
@@ -5,6 +5,7 @@ const sigstoreIdToken = () => {
 return `.${Buffer.from(JSON.stringify({
 iss: 'https://oauth2.sigstore.dev/auth',
 email: 'foo@bar.com',
+ email_verified: true,
 }))
 .toString('base64')}.`
 }
diff --git a/node_modules/@sigstore/sign/dist/util/oidc.js b/node_modules/@sigstore/sign/dist/util/oidc.js
index 37c5b168ee12e..a9a3b10d3f61a 100644
--- a/node_modules/@sigstore/sign/dist/util/oidc.js
+++ b/node_modules/@sigstore/sign/dist/util/oidc.js
@@ -20,11 +20,16 @@ const core_1 = require("@sigstore/core");
 function extractJWTSubject(jwt) {
 const parts = jwt.split('.', 3);
 const payload = JSON.parse(core_1.encoding.base64Decode(parts[1]));
- switch (payload.iss) {
- case 'https://accounts.google.com':
- case 'https://oauth2.sigstore.dev/auth':
- return payload.email;
- default:
- return payload.sub;
+ if (payload.email) {
+ if (!payload.email_verified) {
+ throw new Error('JWT email not verified by issuer');
+ }
+ return payload.email;
+ }
+ if (payload.sub) {
+ return payload.sub;
+ }
+ else {
+ throw new Error('JWT subject not found');
 }
 }
diff --git a/node_modules/@sigstore/sign/package.json b/node_modules/@sigstore/sign/package.json
index 4059997ced341..a24f8e87ff349 100644
--- a/node_modules/@sigstore/sign/package.json
+++ b/node_modules/@sigstore/sign/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@sigstore/sign",
- "version": "4.0.0",
+ "version": "4.0.1",
 "description": "Sigstore signing library",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -36,7 +36,7 @@
 "@sigstore/bundle": "^4.0.0",
 "@sigstore/core": "^3.0.0",
 "@sigstore/protobuf-specs": "^0.5.0",
- "make-fetch-happen": "^15.0.0",
+ "make-fetch-happen": "^15.0.2",
 "proc-log": "^5.0.0",
 "promise-retry": "^2.0.1"
 },
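Review bot: The mock token only gains `email_verified: true`, so the rejection path that the bundled @sigstore/sign 4.0.1 introduces in this same commit (`throw new Error('JWT email not verified by issuer')` when the claim is absent or false) is never exercised here, nor by the two publish.js hunks that add the same claim to their `oidcClaims`. A second fixture, or a publish test whose claims carry `email_verified: false`, would pin that provenance publishing now fails closed instead of signing with an unverified identity, and would catch a future dependency bump that relaxes the check. The `sigstoreIdToken` arrow function opens on the line before this hunk.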
diff --git a/package-lock.json b/package-lock.json
index 1bf3308628ed9..63413b6d0fb34 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2014,14 +2014,16 @@
 }
 },
 "node_modules/@sigstore/sign": {
- "version": "4.0.0",
+ "version": "4.0.1",
+ "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-4.0.1.tgz",
+ "integrity": "sha512-KFNGy01gx9Y3IBPG/CergxR9RZpN43N+lt3EozEfeoyqm8vEiLxwRl3ZO5sPx3Obv1ix/p7FWOlPc2Jgwfp9PA==",
 "inBundle": true,
 "license": "Apache-2.0",
 "dependencies": {
 "@sigstore/bundle": "^4.0.0",
 "@sigstore/core": "^3.0.0",
 "@sigstore/protobuf-specs": "^0.5.0",
- "make-fetch-happen": "^15.0.0",
+ "make-fetch-happen": "^15.0.2",
 "proc-log": "^5.0.0",
 "promise-retry": "^2.0.1"
 },
diff --git a/workspaces/libnpmpublish/test/publish.js b/workspaces/libnpmpublish/test/publish.js
index 8143b5cca541d..c1234badb9422 100644
--- a/workspaces/libnpmpublish/test/publish.js
+++ b/workspaces/libnpmpublish/test/publish.js
@@ -403,6 +403,7 @@ t.test('publish existing package with provenance in gha', async t => {
 const oidcClaims = {
 iss: 'https://oauth2.sigstore.dev/auth',
 email: 'foo@bar.com',
+ email_verified: true,
 }
 const idToken = `.${Buffer.from(JSON.stringify(oidcClaims)).toString('base64')}.`
@@ -911,6 +912,7 @@ t.test('publish existing package with provenance in gitlab', async t => {
 const oidcClaims = {
 iss: 'https://oauth2.sigstore.dev/auth',
 email: 'foo@bar.com',
+ email_verified: true,
 }
 const idToken = `.${Buffer.from(JSON.stringify(oidcClaims)).toString('base64')}.`