@attest-it/core 0.0.0 → 0.0.2

package/dist/core-unstripped.d.ts

@@ -1,11 +1,5 @@
 import { z } from 'zod';
 
-/**
- * Supported signature algorithms.
- * @public
- */
-export declare type Algorithm = 'ed25519' | 'rsa';
-
 /**
  * A single attestation entry.
  * @public
@@ -64,8 +58,6 @@ export declare interface AttestItSettings {
     attestationsPath: string;
     /** Default command to execute for attestation (can be overridden per suite) */
     defaultCommand?: string;
-    /** Cryptographic algorithm to use for signatures */
-    algorithm: 'ed25519' | 'rsa';
 }
 
 /**
@@ -143,24 +135,21 @@ export declare class ConfigNotFoundError extends Error {
  */
 declare const configSchema: z.ZodObject<{
     settings: z.ZodDefault<z.ZodObject<{
-        algorithm: z.ZodDefault<z.ZodEnum<["ed25519", "rsa"]>>;
         attestationsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
-    }, "strict", z.ZodTypeAny, {
-        algorithm: "ed25519" | "rsa";
-        attestationsPath: string;
-        defaultCommand?: string | undefined;
-        maxAgeDays: number;
-        publicKeyPath: string;
-    }, {
-        algorithm?: "ed25519" | "rsa" | undefined;
-        attestationsPath?: string | undefined;
-        defaultCommand?: string | undefined;
-        maxAgeDays?: number | undefined;
-        publicKeyPath?: string | undefined;
-    }>>;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        attestationsPath: z.ZodDefault<z.ZodString>;
+        defaultCommand: z.ZodOptional<z.ZodString>;
+        maxAgeDays: z.ZodDefault<z.ZodNumber>;
+        publicKeyPath: z.ZodDefault<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        attestationsPath: z.ZodDefault<z.ZodString>;
+        defaultCommand: z.ZodOptional<z.ZodString>;
+        maxAgeDays: z.ZodDefault<z.ZodNumber>;
+        publicKeyPath: z.ZodDefault<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">>>;
     suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodObject<{
         command: z.ZodOptional<z.ZodString>;
         description: z.ZodOptional<z.ZodString>;
@@ -200,12 +189,11 @@ declare const configSchema: z.ZodObject<{
     version: z.ZodLiteral<1>;
 }, "strict", z.ZodTypeAny, {
     settings: {
-        algorithm: "ed25519" | "rsa";
         attestationsPath: string;
         defaultCommand?: string | undefined;
         maxAgeDays: number;
         publicKeyPath: string;
-    };
+    } & { [k: string]: unknown };
     suites: Record<string, {
         command?: string | undefined;
         description?: string | undefined;
@@ -216,13 +204,12 @@ declare const configSchema: z.ZodObject<{
     }>;
     version: 1;
 }, {
-    settings?: {
-        algorithm?: "ed25519" | "rsa" | undefined;
-        attestationsPath?: string | undefined;
-        defaultCommand?: string | undefined;
-        maxAgeDays?: number | undefined;
-        publicKeyPath?: string | undefined;
-    } | undefined;
+    settings?: undefined | z.objectInputType<{
+        attestationsPath: z.ZodDefault<z.ZodString>;
+        defaultCommand: z.ZodOptional<z.ZodString>;
+        maxAgeDays: z.ZodDefault<z.ZodNumber>;
+        publicKeyPath: z.ZodDefault<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">;
     suites: Record<string, {
         command?: string | undefined;
         description?: string | undefined;
@@ -326,7 +313,11 @@ export declare interface FingerprintResult {
 }
 
 /**
- * Generate a new keypair using OpenSSL.
+ * Generate a new RSA-2048 keypair using OpenSSL.
+ *
+ * RSA-2048 with SHA-256 is used because it's universally supported across
+ * all OpenSSL and LibreSSL versions, including older macOS systems.
+ *
  * @param options - Generation options
  * @returns Paths to generated keys
  * @throws Error if OpenSSL fails or keys exist without force
@@ -353,8 +344,6 @@ export declare function getDefaultPublicKeyPath(): string;
  * @public
  */
 export declare interface KeygenOptions {
-    /** Algorithm to use (default: ed25519) */
-    algorithm?: Algorithm;
     /** Path for private key (default: OS-specific config dir) */
     privatePath?: string;
     /** Path for public key (default: repo root) */
@@ -490,7 +479,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare function setKeyPermissions(keyPath: string): Promise<void>;
 
           /**
-           * Sign data using a private key.
+           * Sign data using an RSA private key with SHA-256.
+           *
+           * Uses `openssl dgst -sha256 -sign` which is universally supported across
+           * all OpenSSL and LibreSSL versions.
+           *
            * @param options - Signing options
            * @returns Base64-encoded signature
            * @throws Error if signing fails
@@ -596,7 +589,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare type VerificationStatus = 'EXPIRED' | 'FINGERPRINT_CHANGED' | 'INVALIDATED_BY_PARENT' | 'NEEDS_ATTESTATION' | 'SIGNATURE_INVALID' | 'VALID';
 
           /**
-           * Verify a signature using a public key.
+           * Verify a signature using an RSA public key with SHA-256.
+           *
+           * Uses `openssl dgst -sha256 -verify` which is universally supported across
+           * all OpenSSL and LibreSSL versions.
+           *
            * @param options - Verification options
            * @returns true if signature is valid
            * @throws Error if verification fails (not just invalid signature)

package/dist/{crypto-ITLMIMRJ.js → crypto-VAXWUGKL.js}

@@ -1,3 +1,3 @@
-export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, setKeyPermissions, sign, verify } from './chunk-UWYR7JNE.js';
-//# sourceMappingURL=crypto-ITLMIMRJ.js.map
-//# sourceMappingURL=crypto-ITLMIMRJ.js.map
+export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, setKeyPermissions, sign, verify } from './chunk-CEE7ONNG.js';
+//# sourceMappingURL=crypto-VAXWUGKL.js.map
+//# sourceMappingURL=crypto-VAXWUGKL.js.map

package/dist/{crypto-ITLMIMRJ.js.map → crypto-VAXWUGKL.js.map}

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"crypto-ITLMIMRJ.js"}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"crypto-VAXWUGKL.js"}

package/dist/index.cjs

@@ -142,7 +142,6 @@ async function cleanupFiles(...paths) {
 async function generateKeyPair(options = {}) {
   await ensureOpenSSLAvailable();
   const {
-    algorithm = "ed25519",
     privatePath = getDefaultPrivateKeyPath(),
     publicPath = getDefaultPublicKeyPath(),
     force = false
@@ -160,7 +159,15 @@ async function generateKeyPair(options = {}) {
   await ensureDir(path2__namespace.dirname(privatePath));
   await ensureDir(path2__namespace.dirname(publicPath));
   try {
-    const genArgs = algorithm === "ed25519" ? ["genpkey", "-algorithm", "Ed25519", "-out", privatePath] : ["genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", privatePath];
+    const genArgs = [
+      "genpkey",
+      "-algorithm",
+      "RSA",
+      "-pkeyopt",
+      "rsa_keygen_bits:2048",
+      "-out",
+      privatePath
+    ];
     const genResult = await runOpenSSL(genArgs);
     if (genResult.exitCode !== 0) {
       throw new Error(`Failed to generate private key: ${genResult.stderr}`);
@@ -192,16 +199,8 @@ async function sign(options) {
   const sigFile = path2__namespace.join(tmpDir, "sig.bin");
   try {
     await fs2__namespace.writeFile(dataFile, processBuffer);
-    const result = await runOpenSSL([
-      "pkeyutl",
-      "-sign",
-      "-inkey",
-      privateKeyPath,
-      "-in",
-      dataFile,
-      "-out",
-      sigFile
-    ]);
+    const signArgs = ["dgst", "-sha256", "-sign", privateKeyPath, "-out", sigFile, dataFile];
+    const result = await runOpenSSL(signArgs);
     if (result.exitCode !== 0) {
       throw new Error(`Failed to sign data: ${result.stderr}`);
     }
@@ -229,21 +228,17 @@ async function verify(options) {
   try {
     await fs2__namespace.writeFile(dataFile, processBuffer);
     await fs2__namespace.writeFile(sigFile, sigBuffer);
-    const result = await runOpenSSL([
-      "pkeyutl",
+    const verifyArgs = [
+      "dgst",
+      "-sha256",
       "-verify",
-      "-pubin",
-      "-inkey",
       publicKeyPath,
-      "-sigfile",
+      "-signature",
       sigFile,
-      "-in",
       dataFile
-    ]);
-    if (result.exitCode !== 0 && result.exitCode !== 1) {
-      throw new Error(`Verification error: ${result.stderr}`);
-    }
-    return result.exitCode === 0;
+    ];
+    const result = await runOpenSSL(verifyArgs);
+    return result.exitCode === 0 && result.stdout.toString().includes("Verified OK");
   } finally {
     try {
       await fs2__namespace.rm(tmpDir, { recursive: true, force: true });
@@ -268,9 +263,9 @@ var settingsSchema = zod.z.object({
   maxAgeDays: zod.z.number().int().positive().default(30),
   publicKeyPath: zod.z.string().default(".attest-it/pubkey.pem"),
   attestationsPath: zod.z.string().default(".attest-it/attestations.json"),
-  defaultCommand: zod.z.string().optional(),
-  algorithm: zod.z.enum(["ed25519", "rsa"]).default("ed25519")
-}).strict();
+  defaultCommand: zod.z.string().optional()
+  // Note: algorithm field was removed - RSA is the only supported algorithm
+}).passthrough();
 var suiteSchema = zod.z.object({
   description: zod.z.string().optional(),
   packages: zod.z.array(zod.z.string().min(1, "Package path cannot be empty")).min(1, "At least one package pattern is required"),
@@ -403,7 +398,6 @@ function toAttestItConfig(config) {
       maxAgeDays: config.settings.maxAgeDays,
       publicKeyPath: config.settings.publicKeyPath,
       attestationsPath: config.settings.attestationsPath,
-      algorithm: config.settings.algorithm,
       ...config.settings.defaultCommand !== void 0 && {
         defaultCommand: config.settings.defaultCommand
       }