npm · wraithgar · Oct 8, 2025 · Oct 8, 2025
@@ -5,6 +5,7 @@ const sigstoreIdToken = () => {
   return `.${Buffer.from(JSON.stringify({
     iss: 'https://oauth2.sigstore.dev/auth',
     email: 'foo@bar.com',
+    email_verified: true,
   }))
   .toString('base64')}.`
 }

@@ -20,11 +20,16 @@ const core_1 = require("@sigstore/core");
 function extractJWTSubject(jwt) {
     const parts = jwt.split('.', 3);
     const payload = JSON.parse(core_1.encoding.base64Decode(parts[1]));
-    switch (payload.iss) {
-        case 'https://accounts.google.com':
-        case 'https://oauth2.sigstore.dev/auth':
-            return payload.email;
-        default:
-            return payload.sub;
+    if (payload.email) {
+        if (!payload.email_verified) {
+            throw new Error('JWT email not verified by issuer');
+        }
+        return payload.email;
+    }
+    if (payload.sub) {
+        return payload.sub;
+    }
+    else {
+        throw new Error('JWT subject not found');
     }
 }
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/sign",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "description": "Sigstore signing library",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -36,7 +36,7 @@
     "@sigstore/bundle": "^4.0.0",
     "@sigstore/core": "^3.0.0",
     "@sigstore/protobuf-specs": "^0.5.0",
-    "make-fetch-happen": "^15.0.0",
+    "make-fetch-happen": "^15.0.2",
     "proc-log": "^5.0.0",
     "promise-retry": "^2.0.1"
   },

@@ -2014,14 +2014,16 @@
       }
     },
     "node_modules/@sigstore/sign": {
-      "version": "4.0.0",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-4.0.1.tgz",
+      "integrity": "sha512-KFNGy01gx9Y3IBPG/CergxR9RZpN43N+lt3EozEfeoyqm8vEiLxwRl3ZO5sPx3Obv1ix/p7FWOlPc2Jgwfp9PA==",
       "inBundle": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@sigstore/bundle": "^4.0.0",
         "@sigstore/core": "^3.0.0",
         "@sigstore/protobuf-specs": "^0.5.0",
-        "make-fetch-happen": "^15.0.0",
+        "make-fetch-happen": "^15.0.2",
         "proc-log": "^5.0.0",
         "promise-retry": "^2.0.1"
       },

@@ -403,6 +403,7 @@ t.test('publish existing package with provenance in gha', async t => {
   const oidcClaims = {
     iss: 'https://oauth2.sigstore.dev/auth',
     email: 'foo@bar.com',
+    email_verified: true,
   }
   const idToken = `.${Buffer.from(JSON.stringify(oidcClaims)).toString('base64')}.`
 
@@ -911,6 +912,7 @@ t.test('publish existing package with provenance in gitlab', async t => {
   const oidcClaims = {
     iss: 'https://oauth2.sigstore.dev/auth',
     email: 'foo@bar.com',
+    email_verified: true,
   }
   const idToken = `.${Buffer.from(JSON.stringify(oidcClaims)).toString('base64')}.`