RubyGems - sigstore - Versions diffs - 0.2.2 → 0.2.3 - Mend

sigstore 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/lib/sigstore/internal/merkle.rb +2 -2
data/lib/sigstore/internal/x509.rb +1 -6
data/lib/sigstore/models.rb +1 -1
data/lib/sigstore/rekor/checkpoint.rb +4 -4
data/lib/sigstore/rekor/client.rb +5 -2
data/lib/sigstore/signer.rb +2 -1
data/lib/sigstore/tuf.rb +3 -2
data/lib/sigstore/verifier.rb +29 -16
data/lib/sigstore/version.rb +2 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: adbc9be5acca424a61e1be380b84e86ddfb7752ec1e7e347b974a6dc7a59b34e
-  data.tar.gz: 8448dc2e3b7db3ac9ce3d187337a18fb9615f8bc7262fe2a3c64e207fd236300
+  metadata.gz: 4a9a3ef5da7b2fc632b31f48e168423e1c3d12dd601621937d1dc0ddf27be250
+  data.tar.gz: 9daf366761da11b908f6670644976bbb12ac11c6d7037d36c754083a56be9995
 SHA512:
-  metadata.gz: '0393afaefba1a158efd80e2e67653a218ef102db3848de301acefc99f5dbcd72c88ebc67cef4b11c573944d57169a2d0a2224cabfe0003899135ca5ba74282ca'
-  data.tar.gz: 92521025a92dbc5776caf13326e13e0988950e95c5206586674d01a80a25907110af6271dd045f76279e7f1a97fd1aea42e06d451514327e0384d2a7d1d57ebd
+  metadata.gz: 7f4ccdeef1781aa702cc3bde7fa2006b0d58d6e89e0eb5ef17cf53db6570bbd50a7d65ba2c33638f09fcd9439fb565566429926497e3aaa9e7e9cee16631b86e
+  data.tar.gz: 361d3082ca855a0ed086ffc15cb63c011be86c6bde88afd9c0c88cc916768b8370088e6a488af4316f7e2eec94fee81f72f1f117ff349e44af7c93aad774df0e

data/lib/sigstore/internal/merkle.rb CHANGED Viewed

@@ -69,7 +69,7 @@ module Sigstore
         intermediate_result = chain_inner(
           leaf_hash,
-          (proof[...inner] || raise(MissingHashError, "missing left hashes")),
+          proof[...inner] || raise(MissingHashError, "missing left hashes"),
           log_index
         )
@@ -93,7 +93,7 @@ module Sigstore
       def self.chain_inner(seed, hashes, log_index)
         hashes.each_with_index do |hash, i|
-          seed = if ((log_index >> i) & 1).zero?
+          seed = if (log_index >> i).nobits?(1)
                    hash_children(seed, hash)
                  else
                    hash_children(hash, seed)

data/lib/sigstore/internal/x509.rb CHANGED Viewed

@@ -438,7 +438,7 @@ module Sigstore
                     signature_algorithm
                     entry_type
                     signature]
-          Timestamp = defined?(Data.define) ? Data.define(*args) : Struct.new(*args, keyword_init: true) # rubocop:disable Naming/ConstantName
+          Timestamp = defined?(Data.define) ? Data.define(*args) : Struct.new(*args) # rubocop:disable Naming/ConstantName
           HASHES = {
             0 => "none",
@@ -474,11 +474,6 @@ module Sigstore
               sct_extensions_bytes = string.unpack1("a#{sct_extensions_len}", offset:).b
               offset += sct_extensions_len
-              unless sct_extensions_len.zero?
-                raise Error::Unimplemented,
-                      "sct_extensions_len=#{sct_extensions_len} not supported"
-              end
               sct_signature_alg_hash, sct_signature_alg_sign, sct_signature_len = string.unpack("CCn", offset:)
               offset += 1 + 1 + 2
               sct_signature_bytes = string.unpack1("a#{sct_signature_len}", offset:).b

data/lib/sigstore/models.rb CHANGED Viewed

@@ -19,7 +19,7 @@ require_relative "error"
 require_relative "trusted_root"
 module Sigstore
-  VerificationResult = Struct.new(:success, keyword_init: true) do
+  VerificationResult = Struct.new(:success) do
     # @implements VerificationResult
     alias_method :verified?, :success

data/lib/sigstore/rekor/checkpoint.rb CHANGED Viewed

@@ -17,9 +17,9 @@
 module Sigstore
   module Rekor
     module Checkpoint
-      Signature = Struct.new(:name, :sig_hash, :signature, keyword_init: true)
+      Signature = Struct.new(:name, :sig_hash, :signature)
-      SignedCheckpoint = Struct.new(:signed_note, :checkpoint, keyword_init: true) do
+      SignedCheckpoint = Struct.new(:signed_note, :checkpoint) do
         # @implements SignedCheckpoint
         def self.from_text(text)
@@ -30,7 +30,7 @@ module Sigstore
         end
       end
-      SignedNote = Struct.new(:note, :signatures, keyword_init: true) do
+      SignedNote = Struct.new(:note, :signatures) do
         # @implements SignedNote
         def self.from_text(text)
@@ -77,7 +77,7 @@ module Sigstore
         end
       end
-      LogCheckpoint = Struct.new(:origin, :log_size, :log_hash, :other_content, keyword_init: true) do
+      LogCheckpoint = Struct.new(:origin, :log_size, :log_hash, :other_content) do
         # @implements LogCheckpoint
         def self.from_text(text)

data/lib/sigstore/rekor/client.rb CHANGED Viewed

@@ -15,6 +15,7 @@
 # limitations under the License.
 require "net/http"
+require_relative "../version"
 module Sigstore
   module Rekor
@@ -66,7 +67,8 @@ module Sigstore
       def post(entry)
         resp = @session.post2(@url.path.chomp("/"), entry.to_json,
-                              { "Content-Type" => "application/json", "Accept" => "application/json" })
+                              { "Content-Type" => "application/json", "Accept" => "application/json",
+                                "User-Agent" => Sigstore::USER_AGENT })
         unless resp.code == "201"
           raise Error::FailedRekorPost,
@@ -89,7 +91,8 @@ module Sigstore
         def post(expected_entry)
           data = { entries: [expected_entry] }
           resp = @session.post2(@url.path, data.to_json,
-                                { "Content-Type" => "application/json", "Accept" => "application/json" })
+                                { "Content-Type" => "application/json", "Accept" => "application/json",
+                                  "User-Agent" => Sigstore::USER_AGENT })
           if resp.code != "200"
             raise Error::FailedRekorLookup,

data/lib/sigstore/signer.rb CHANGED Viewed

@@ -20,6 +20,7 @@ require_relative "models"
 require_relative "oidc"
 require_relative "policy"
 require_relative "verifier"
+require_relative "version"
 module Sigstore
   class Signer
@@ -109,7 +110,7 @@ module Sigstore
       resp = Net::HTTP.post(
         uri,
         JSON.dump(csr),
-        { "Content-Type" => "application/json" }
+        { "Content-Type" => "application/json", "User-Agent" => Sigstore::USER_AGENT }
       )
       unless resp.code == "200"

data/lib/sigstore/tuf.rb CHANGED Viewed

@@ -19,6 +19,7 @@ require "tempfile"
 require "uri"
 require "net/http"
 require "rubygems/remote_fetcher"
+require_relative "version"
 module Sigstore
   module TUF
@@ -133,8 +134,8 @@ module Sigstore
         fetcher = Gem::RemoteFetcher.fetcher
         begin
-          response = fetcher.request(uri, Net::HTTP::Get, nil) do
-            nil
+          response = fetcher.request(uri, Net::HTTP::Get, nil) do |req|
+            req["User-Agent"] = Sigstore::USER_AGENT
           end
           response.uri = uri
           case response

data/lib/sigstore/verifier.rb CHANGED Viewed

@@ -173,7 +173,9 @@ module Sigstore
           rescue JSON::ParserError
             raise Error::InvalidBundle, "invalid JSON for in-toto statement in DSSE payload"
           end
-          verify_in_toto(input, in_toto)
+          if (result = verify_in_toto(input, in_toto))
+            return result
+          end
         else
           raise Sigstore::Error::Unimplemented,
                 "unsupported DSSE payload type: #{bundle.dsse_envelope.payloadType.inspect}"
@@ -216,25 +218,27 @@ module Sigstore
     end
     def verify_in_toto(input, in_toto_payload)
-      type = in_toto_payload.fetch("_type")
+      type = in_toto_payload["_type"]
       raise Error::InvalidBundle, "Expected in-toto statement, got #{type.inspect}" unless type == "https://in-toto.io/Statement/v1"
-      subject = in_toto_payload.fetch("subject")
-      raise Error::InvalidBundle, "Expected in-toto statement with subject" unless subject && subject.size == 1
-      subject = subject.first
-      digest = subject.fetch("digest")
-      raise Error::InvalidBundle, "Expected in-toto statement with digest" if !digest || digest.empty?
+      subjects = in_toto_payload["subject"]
+      raise Error::InvalidBundle, "Expected in-toto statement with subject" if !subjects || subjects.empty?
+      expected_algorithm = Internal::Util.hash_algorithm_name(input.hashed_input.algorithm)
       expected_hexdigest = Internal::Util.hex_encode(input.hashed_input.digest)
-      digest.each do |name, value|
-        next if expected_hexdigest == value
-        return VerificationFailure.new(
-          "in-toto subject does not match for #{input.hashed_input.algorithm} of #{subject.fetch("name")}: " \
-          "expected #{name} to be #{value}, got #{expected_hexdigest}"
-        )
-      end
+      matched = subjects.map do |subject|
+        digest = subject["digest"]
+        raise Error::InvalidBundle, "Expected in-toto statement with digest" if !digest || digest.empty?
+        digest[expected_algorithm] == expected_hexdigest
+      end.any?
+      return if matched
+      VerificationFailure.new(
+        "None of in-toto subjects matches artifact for #{expected_algorithm}: #{expected_hexdigest}"
+      )
     end
     public
@@ -318,13 +322,22 @@ module Sigstore
           raise Error::Unimplemented, "only x509_entry and precert_entry supported, given #{sct.entry_type.inspect}"
         end
-      [sct.version, 0, sct.timestamp, sct.entry_type, signed_entry, 0].pack(<<~PACK)
+      [
+        sct.version,
+        0,
+        sct.timestamp,
+        sct.entry_type,
+        signed_entry,
+        sct.extensions_bytes&.bytesize.to_i,
+        sct.extensions_bytes
+      ].pack(<<~PACK)
         C # version
         C # signature_type
         Q> # timestamp
         n # entry_type
         a#{signed_entry.bytesize} # signed_entry
         n # extensions length
+        a#{sct.extensions_bytes&.bytesize.to_i} # extension
       PACK
     end

data/lib/sigstore/version.rb CHANGED Viewed

@@ -15,5 +15,6 @@
 # limitations under the License.
 module Sigstore
-  VERSION = "0.2.2"
+  VERSION = "0.2.3"
+  USER_AGENT = "sigstore-ruby/#{VERSION}".freeze
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sigstore
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - The Sigstore Authors
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-10-25 00:00:00.000000000 Z
+date: 2026-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logger