@attest-it/core 0.7.0 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{chunk-T3NLSO5B.js → chunk-FGYLU2HL.js} +38 -8
- package/dist/chunk-FGYLU2HL.js.map +1 -0
- package/dist/core-alpha.d.ts +29 -5
- package/dist/core-beta.d.ts +29 -5
- package/dist/core-public.d.ts +29 -5
- package/dist/core-unstripped.d.ts +29 -5
- package/dist/crypto-SSL7OBY2.js +3 -0
- package/dist/{crypto-VT6YNHUE.js.map → crypto-SSL7OBY2.js.map} +1 -1
- package/dist/index.cjs +76 -35
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +29 -5
- package/dist/index.d.ts +29 -5
- package/dist/index.js +67 -56
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
- package/dist/chunk-T3NLSO5B.js.map +0 -1
- package/dist/crypto-VT6YNHUE.js +0 -3
package/dist/core-public.d.ts
CHANGED
|
@@ -62,6 +62,8 @@ export declare interface AttestItSettings {
|
|
|
62
62
|
publicKeyPath: string;
|
|
63
63
|
/** Path to the attestations file */
|
|
64
64
|
attestationsPath: string;
|
|
65
|
+
/** Path to the seals file */
|
|
66
|
+
sealsPath: string;
|
|
65
67
|
/** Default command to execute for attestation (can be overridden per suite) */
|
|
66
68
|
defaultCommand?: string;
|
|
67
69
|
/** Key provider configuration for signing attestations */
|
|
@@ -226,6 +228,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
226
228
|
}>>;
|
|
227
229
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
228
230
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
231
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
229
232
|
}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
|
|
230
233
|
attestationsPath: z.ZodDefault<z.ZodString>;
|
|
231
234
|
defaultCommand: z.ZodOptional<z.ZodString>;
|
|
@@ -266,6 +269,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
266
269
|
}>>;
|
|
267
270
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
268
271
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
272
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
269
273
|
}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
|
|
270
274
|
attestationsPath: z.ZodDefault<z.ZodString>;
|
|
271
275
|
defaultCommand: z.ZodOptional<z.ZodString>;
|
|
@@ -306,6 +310,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
306
310
|
}>>;
|
|
307
311
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
308
312
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
313
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
309
314
|
}, z.ZodTypeAny, "passthrough">>>;
|
|
310
315
|
suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodEffects<z.ZodObject<{
|
|
311
316
|
command: z.ZodOptional<z.ZodString>;
|
|
@@ -428,6 +433,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
428
433
|
} | undefined;
|
|
429
434
|
maxAgeDays: number;
|
|
430
435
|
publicKeyPath: string;
|
|
436
|
+
sealsPath: string;
|
|
431
437
|
} & { [k: string]: unknown };
|
|
432
438
|
suites: Record<string, {
|
|
433
439
|
command?: string | undefined;
|
|
@@ -500,6 +506,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
500
506
|
}>>;
|
|
501
507
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
502
508
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
509
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
503
510
|
}, z.ZodTypeAny, "passthrough">;
|
|
504
511
|
suites: Record<string, {
|
|
505
512
|
command?: string | undefined;
|
|
@@ -946,6 +953,8 @@ export declare interface KeyGenerationResult {
|
|
|
946
953
|
publicKeyPath: string;
|
|
947
954
|
/** Human-readable storage location description */
|
|
948
955
|
storageDescription: string;
|
|
956
|
+
/** Whether the private key is encrypted with a passphrase */
|
|
957
|
+
encrypted?: boolean;
|
|
949
958
|
}
|
|
950
959
|
|
|
951
960
|
/**
|
|
@@ -959,6 +968,8 @@ export declare interface KeygenOptions {
|
|
|
959
968
|
publicPath?: string;
|
|
960
969
|
/** Overwrite existing keys (default: false) */
|
|
961
970
|
force?: boolean;
|
|
971
|
+
/** Passphrase to encrypt the private key with AES-256 (optional) */
|
|
972
|
+
passphrase?: string;
|
|
962
973
|
}
|
|
963
974
|
|
|
964
975
|
/**
|
|
@@ -970,6 +981,8 @@ export declare interface KeygenProviderOptions {
|
|
|
970
981
|
publicKeyPath: string;
|
|
971
982
|
/** Overwrite existing keys */
|
|
972
983
|
force?: boolean;
|
|
984
|
+
/** Passphrase to encrypt the private key (filesystem provider only) */
|
|
985
|
+
passphrase?: string;
|
|
973
986
|
}
|
|
974
987
|
|
|
975
988
|
/**
|
|
@@ -1271,7 +1284,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1271
1284
|
* The merge strategy prioritizes security-critical fields from the policy
|
|
1272
1285
|
* configuration while combining operational fields from both sources:
|
|
1273
1286
|
*
|
|
1274
|
-
* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath) are used as-is
|
|
1287
|
+
* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath, sealsPath) are used as-is
|
|
1275
1288
|
* - **Operational settings** (defaultCommand, keyProvider) are added from operational config
|
|
1276
1289
|
* - **Team and gates** come exclusively from policy config
|
|
1277
1290
|
* - **Suites and groups** come exclusively from operational config
|
|
@@ -1708,14 +1721,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1708
1721
|
attestationsPath: z.ZodDefault<z.ZodString>;
|
|
1709
1722
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
1710
1723
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
1724
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
1711
1725
|
}, "strict", z.ZodTypeAny, {
|
|
1712
1726
|
attestationsPath: string;
|
|
1713
1727
|
maxAgeDays: number;
|
|
1714
1728
|
publicKeyPath: string;
|
|
1729
|
+
sealsPath: string;
|
|
1715
1730
|
}, {
|
|
1716
1731
|
attestationsPath?: string | undefined;
|
|
1717
1732
|
maxAgeDays?: number | undefined;
|
|
1718
1733
|
publicKeyPath?: string | undefined;
|
|
1734
|
+
sealsPath?: string | undefined;
|
|
1719
1735
|
}>>;
|
|
1720
1736
|
team: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
1721
1737
|
email: z.ZodOptional<z.ZodString>;
|
|
@@ -1749,6 +1765,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1749
1765
|
attestationsPath: string;
|
|
1750
1766
|
maxAgeDays: number;
|
|
1751
1767
|
publicKeyPath: string;
|
|
1768
|
+
sealsPath: string;
|
|
1752
1769
|
};
|
|
1753
1770
|
team?: Record<string, {
|
|
1754
1771
|
email?: string | undefined;
|
|
@@ -1772,6 +1789,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1772
1789
|
attestationsPath?: string | undefined;
|
|
1773
1790
|
maxAgeDays?: number | undefined;
|
|
1774
1791
|
publicKeyPath?: string | undefined;
|
|
1792
|
+
sealsPath?: string | undefined;
|
|
1775
1793
|
} | undefined;
|
|
1776
1794
|
team?: Record<string, {
|
|
1777
1795
|
email?: string | undefined;
|
|
@@ -1855,21 +1873,23 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1855
1873
|
* Read seals from the seals.json file (async).
|
|
1856
1874
|
*
|
|
1857
1875
|
* @param dir - Directory containing .attest-it/seals.json
|
|
1876
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
1858
1877
|
* @returns The seals file contents, or an empty seals file if the file doesn't exist
|
|
1859
1878
|
* @throws Error if file exists but cannot be read or parsed
|
|
1860
1879
|
* @public
|
|
1861
1880
|
*/
|
|
1862
|
-
export declare function readSeals(dir: string): Promise<SealsFile>;
|
|
1881
|
+
export declare function readSeals(dir: string, sealsPathOverride?: string): Promise<SealsFile>;
|
|
1863
1882
|
|
|
1864
1883
|
/**
|
|
1865
1884
|
* Read seals from the seals.json file (sync).
|
|
1866
1885
|
*
|
|
1867
1886
|
* @param dir - Directory containing .attest-it/seals.json
|
|
1887
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
1868
1888
|
* @returns The seals file contents, or an empty seals file if the file doesn't exist
|
|
1869
1889
|
* @throws Error if file exists but cannot be read or parsed
|
|
1870
1890
|
* @public
|
|
1871
1891
|
*/
|
|
1872
|
-
export declare function readSealsSync(dir: string): SealsFile;
|
|
1892
|
+
export declare function readSealsSync(dir: string, sealsPathOverride?: string): SealsFile;
|
|
1873
1893
|
|
|
1874
1894
|
/**
|
|
1875
1895
|
* Options for reading and verifying signed attestations.
|
|
@@ -2107,6 +2127,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
2107
2127
|
keyRef?: string;
|
|
2108
2128
|
/** Data to sign (string or Buffer) */
|
|
2109
2129
|
data: Buffer | string;
|
|
2130
|
+
/** Passphrase for encrypted private keys (optional) */
|
|
2131
|
+
passphrase?: string;
|
|
2110
2132
|
}
|
|
2111
2133
|
|
|
2112
2134
|
/**
|
|
@@ -2419,20 +2441,22 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
2419
2441
|
*
|
|
2420
2442
|
* @param dir - Directory containing .attest-it/seals.json
|
|
2421
2443
|
* @param sealsFile - The seals file to write
|
|
2444
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
2422
2445
|
* @throws Error if file cannot be written
|
|
2423
2446
|
* @public
|
|
2424
2447
|
*/
|
|
2425
|
-
export declare function writeSeals(dir: string, sealsFile: SealsFile): Promise<void>;
|
|
2448
|
+
export declare function writeSeals(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): Promise<void>;
|
|
2426
2449
|
|
|
2427
2450
|
/**
|
|
2428
2451
|
* Write seals to the seals.json file (sync).
|
|
2429
2452
|
*
|
|
2430
2453
|
* @param dir - Directory containing .attest-it/seals.json
|
|
2431
2454
|
* @param sealsFile - The seals file to write
|
|
2455
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
2432
2456
|
* @throws Error if file cannot be written
|
|
2433
2457
|
* @public
|
|
2434
2458
|
*/
|
|
2435
|
-
export declare function writeSealsSync(dir: string, sealsFile: SealsFile): void;
|
|
2459
|
+
export declare function writeSealsSync(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): void;
|
|
2436
2460
|
|
|
2437
2461
|
/**
|
|
2438
2462
|
* Write attestations with a cryptographic signature.
|
|
@@ -62,6 +62,8 @@ export declare interface AttestItSettings {
|
|
|
62
62
|
publicKeyPath: string;
|
|
63
63
|
/** Path to the attestations file */
|
|
64
64
|
attestationsPath: string;
|
|
65
|
+
/** Path to the seals file */
|
|
66
|
+
sealsPath: string;
|
|
65
67
|
/** Default command to execute for attestation (can be overridden per suite) */
|
|
66
68
|
defaultCommand?: string;
|
|
67
69
|
/** Key provider configuration for signing attestations */
|
|
@@ -226,6 +228,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
226
228
|
}>>;
|
|
227
229
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
228
230
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
231
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
229
232
|
}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
|
|
230
233
|
attestationsPath: z.ZodDefault<z.ZodString>;
|
|
231
234
|
defaultCommand: z.ZodOptional<z.ZodString>;
|
|
@@ -266,6 +269,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
266
269
|
}>>;
|
|
267
270
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
268
271
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
272
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
269
273
|
}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
|
|
270
274
|
attestationsPath: z.ZodDefault<z.ZodString>;
|
|
271
275
|
defaultCommand: z.ZodOptional<z.ZodString>;
|
|
@@ -306,6 +310,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
306
310
|
}>>;
|
|
307
311
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
308
312
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
313
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
309
314
|
}, z.ZodTypeAny, "passthrough">>>;
|
|
310
315
|
suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodEffects<z.ZodObject<{
|
|
311
316
|
command: z.ZodOptional<z.ZodString>;
|
|
@@ -428,6 +433,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
428
433
|
} | undefined;
|
|
429
434
|
maxAgeDays: number;
|
|
430
435
|
publicKeyPath: string;
|
|
436
|
+
sealsPath: string;
|
|
431
437
|
} & { [k: string]: unknown };
|
|
432
438
|
suites: Record<string, {
|
|
433
439
|
command?: string | undefined;
|
|
@@ -500,6 +506,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
500
506
|
}>>;
|
|
501
507
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
502
508
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
509
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
503
510
|
}, z.ZodTypeAny, "passthrough">;
|
|
504
511
|
suites: Record<string, {
|
|
505
512
|
command?: string | undefined;
|
|
@@ -946,6 +953,8 @@ export declare interface KeyGenerationResult {
|
|
|
946
953
|
publicKeyPath: string;
|
|
947
954
|
/** Human-readable storage location description */
|
|
948
955
|
storageDescription: string;
|
|
956
|
+
/** Whether the private key is encrypted with a passphrase */
|
|
957
|
+
encrypted?: boolean;
|
|
949
958
|
}
|
|
950
959
|
|
|
951
960
|
/**
|
|
@@ -959,6 +968,8 @@ export declare interface KeygenOptions {
|
|
|
959
968
|
publicPath?: string;
|
|
960
969
|
/** Overwrite existing keys (default: false) */
|
|
961
970
|
force?: boolean;
|
|
971
|
+
/** Passphrase to encrypt the private key with AES-256 (optional) */
|
|
972
|
+
passphrase?: string;
|
|
962
973
|
}
|
|
963
974
|
|
|
964
975
|
/**
|
|
@@ -970,6 +981,8 @@ export declare interface KeygenProviderOptions {
|
|
|
970
981
|
publicKeyPath: string;
|
|
971
982
|
/** Overwrite existing keys */
|
|
972
983
|
force?: boolean;
|
|
984
|
+
/** Passphrase to encrypt the private key (filesystem provider only) */
|
|
985
|
+
passphrase?: string;
|
|
973
986
|
}
|
|
974
987
|
|
|
975
988
|
/**
|
|
@@ -1271,7 +1284,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1271
1284
|
* The merge strategy prioritizes security-critical fields from the policy
|
|
1272
1285
|
* configuration while combining operational fields from both sources:
|
|
1273
1286
|
*
|
|
1274
|
-
* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath) are used as-is
|
|
1287
|
+
* - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath, sealsPath) are used as-is
|
|
1275
1288
|
* - **Operational settings** (defaultCommand, keyProvider) are added from operational config
|
|
1276
1289
|
* - **Team and gates** come exclusively from policy config
|
|
1277
1290
|
* - **Suites and groups** come exclusively from operational config
|
|
@@ -1708,14 +1721,17 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1708
1721
|
attestationsPath: z.ZodDefault<z.ZodString>;
|
|
1709
1722
|
maxAgeDays: z.ZodDefault<z.ZodNumber>;
|
|
1710
1723
|
publicKeyPath: z.ZodDefault<z.ZodString>;
|
|
1724
|
+
sealsPath: z.ZodDefault<z.ZodString>;
|
|
1711
1725
|
}, "strict", z.ZodTypeAny, {
|
|
1712
1726
|
attestationsPath: string;
|
|
1713
1727
|
maxAgeDays: number;
|
|
1714
1728
|
publicKeyPath: string;
|
|
1729
|
+
sealsPath: string;
|
|
1715
1730
|
}, {
|
|
1716
1731
|
attestationsPath?: string | undefined;
|
|
1717
1732
|
maxAgeDays?: number | undefined;
|
|
1718
1733
|
publicKeyPath?: string | undefined;
|
|
1734
|
+
sealsPath?: string | undefined;
|
|
1719
1735
|
}>>;
|
|
1720
1736
|
team: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
1721
1737
|
email: z.ZodOptional<z.ZodString>;
|
|
@@ -1749,6 +1765,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1749
1765
|
attestationsPath: string;
|
|
1750
1766
|
maxAgeDays: number;
|
|
1751
1767
|
publicKeyPath: string;
|
|
1768
|
+
sealsPath: string;
|
|
1752
1769
|
};
|
|
1753
1770
|
team?: Record<string, {
|
|
1754
1771
|
email?: string | undefined;
|
|
@@ -1772,6 +1789,7 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1772
1789
|
attestationsPath?: string | undefined;
|
|
1773
1790
|
maxAgeDays?: number | undefined;
|
|
1774
1791
|
publicKeyPath?: string | undefined;
|
|
1792
|
+
sealsPath?: string | undefined;
|
|
1775
1793
|
} | undefined;
|
|
1776
1794
|
team?: Record<string, {
|
|
1777
1795
|
email?: string | undefined;
|
|
@@ -1855,21 +1873,23 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
1855
1873
|
* Read seals from the seals.json file (async).
|
|
1856
1874
|
*
|
|
1857
1875
|
* @param dir - Directory containing .attest-it/seals.json
|
|
1876
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
1858
1877
|
* @returns The seals file contents, or an empty seals file if the file doesn't exist
|
|
1859
1878
|
* @throws Error if file exists but cannot be read or parsed
|
|
1860
1879
|
* @public
|
|
1861
1880
|
*/
|
|
1862
|
-
export declare function readSeals(dir: string): Promise<SealsFile>;
|
|
1881
|
+
export declare function readSeals(dir: string, sealsPathOverride?: string): Promise<SealsFile>;
|
|
1863
1882
|
|
|
1864
1883
|
/**
|
|
1865
1884
|
* Read seals from the seals.json file (sync).
|
|
1866
1885
|
*
|
|
1867
1886
|
* @param dir - Directory containing .attest-it/seals.json
|
|
1887
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
1868
1888
|
* @returns The seals file contents, or an empty seals file if the file doesn't exist
|
|
1869
1889
|
* @throws Error if file exists but cannot be read or parsed
|
|
1870
1890
|
* @public
|
|
1871
1891
|
*/
|
|
1872
|
-
export declare function readSealsSync(dir: string): SealsFile;
|
|
1892
|
+
export declare function readSealsSync(dir: string, sealsPathOverride?: string): SealsFile;
|
|
1873
1893
|
|
|
1874
1894
|
/**
|
|
1875
1895
|
* Options for reading and verifying signed attestations.
|
|
@@ -2107,6 +2127,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
2107
2127
|
keyRef?: string;
|
|
2108
2128
|
/** Data to sign (string or Buffer) */
|
|
2109
2129
|
data: Buffer | string;
|
|
2130
|
+
/** Passphrase for encrypted private keys (optional) */
|
|
2131
|
+
passphrase?: string;
|
|
2110
2132
|
}
|
|
2111
2133
|
|
|
2112
2134
|
/**
|
|
@@ -2419,20 +2441,22 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
|
|
|
2419
2441
|
*
|
|
2420
2442
|
* @param dir - Directory containing .attest-it/seals.json
|
|
2421
2443
|
* @param sealsFile - The seals file to write
|
|
2444
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
2422
2445
|
* @throws Error if file cannot be written
|
|
2423
2446
|
* @public
|
|
2424
2447
|
*/
|
|
2425
|
-
export declare function writeSeals(dir: string, sealsFile: SealsFile): Promise<void>;
|
|
2448
|
+
export declare function writeSeals(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): Promise<void>;
|
|
2426
2449
|
|
|
2427
2450
|
/**
|
|
2428
2451
|
* Write seals to the seals.json file (sync).
|
|
2429
2452
|
*
|
|
2430
2453
|
* @param dir - Directory containing .attest-it/seals.json
|
|
2431
2454
|
* @param sealsFile - The seals file to write
|
|
2455
|
+
* @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
|
|
2432
2456
|
* @throws Error if file cannot be written
|
|
2433
2457
|
* @public
|
|
2434
2458
|
*/
|
|
2435
|
-
export declare function writeSealsSync(dir: string, sealsFile: SealsFile): void;
|
|
2459
|
+
export declare function writeSealsSync(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): void;
|
|
2436
2460
|
|
|
2437
2461
|
/**
|
|
2438
2462
|
* Write attestations with a cryptographic signature.
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, getDefaultYubiKeyEncryptedKeyPath, setKeyPermissions, sign, verify } from './chunk-FGYLU2HL.js';
|
|
2
|
+
//# sourceMappingURL=crypto-SSL7OBY2.js.map
|
|
3
|
+
//# sourceMappingURL=crypto-SSL7OBY2.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":[],"names":[],"mappings":"","file":"crypto-
|
|
1
|
+
{"version":3,"sources":[],"names":[],"mappings":"","file":"crypto-SSL7OBY2.js"}
|
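Review bot: The new `@param sealsPathOverride` lines on readSeals, readSealsSync, writeSeals and writeSealsSync (and the repeated copies of these hunks later in this section) describe the argument as an explicit path but leave out how it is resolved; the index.cjs hunks further down this page show `path.resolve(dir, sealsPathOverride)`, so a relative value is joined to `dir` while an absolute value replaces it outright, and the unchanged `@param dir - Directory containing .attest-it/seals.json` line is then only accurate when no override is given. Because sealsPath is a policy setting that the mergeConfigs doc on this page calls trust-critical, callers should be told that an absolute override can point the seals file anywhere the process can read or write, which matters for anyone auditing where attestation state lives. Suggest `@param sealsPathOverride - Optional path to the seals file; resolved against \`dir\` when relative, used as-is (ignoring \`dir\`) when absolute`, and on the two writers add that the file's parent directory is created recursively before the write. The `KeyGenerationResult.encrypted` doc could also state that the flag may be undefined for providers that do not report it, though that is inferred from the `(filesystem provider only)` note on KeygenProviderOptions rather than shown directly in this file.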
package/dist/index.cjs
CHANGED
|
@@ -63,7 +63,7 @@ __export(crypto_exports, {
|
|
|
63
63
|
verify: () => verify
|
|
64
64
|
});
|
|
65
65
|
async function runOpenSSL(args, stdin) {
|
|
66
|
-
return new Promise((
|
|
66
|
+
return new Promise((resolve5, reject) => {
|
|
67
67
|
const child = child_process.spawn("openssl", args, {
|
|
68
68
|
stdio: ["pipe", "pipe", "pipe"]
|
|
69
69
|
});
|
|
@@ -79,12 +79,15 @@ async function runOpenSSL(args, stdin) {
|
|
|
79
79
|
reject(new Error(`Failed to spawn OpenSSL: ${err.message}`));
|
|
80
80
|
});
|
|
81
81
|
child.on("close", (code) => {
|
|
82
|
-
|
|
82
|
+
resolve5({
|
|
83
83
|
exitCode: code ?? 1,
|
|
84
84
|
stdout: Buffer.concat(stdoutChunks),
|
|
85
85
|
stderr
|
|
86
86
|
});
|
|
87
87
|
});
|
|
88
|
+
if (stdin) {
|
|
89
|
+
child.stdin.write(stdin);
|
|
90
|
+
}
|
|
88
91
|
child.stdin.end();
|
|
89
92
|
});
|
|
90
93
|
}
|
|
@@ -157,7 +160,8 @@ async function generateKeyPair(options = {}) {
|
|
|
157
160
|
const {
|
|
158
161
|
privatePath = getDefaultPrivateKeyPath(),
|
|
159
162
|
publicPath = getDefaultPublicKeyPath(),
|
|
160
|
-
force = false
|
|
163
|
+
force = false,
|
|
164
|
+
passphrase
|
|
161
165
|
} = options;
|
|
162
166
|
const privateExists = await fileExists(privatePath);
|
|
163
167
|
const publicExists = await fileExists(publicPath);
|
|
@@ -181,12 +185,25 @@ async function generateKeyPair(options = {}) {
|
|
|
181
185
|
"-out",
|
|
182
186
|
privatePath
|
|
183
187
|
];
|
|
184
|
-
|
|
188
|
+
if (passphrase) {
|
|
189
|
+
genArgs.push("-aes256", "-pass", "stdin");
|
|
190
|
+
}
|
|
191
|
+
const genResult = await runOpenSSL(
|
|
192
|
+
genArgs,
|
|
193
|
+
passphrase ? Buffer.from(passphrase + "\n") : void 0
|
|
194
|
+
);
|
|
185
195
|
if (genResult.exitCode !== 0) {
|
|
186
196
|
throw new Error(`Failed to generate private key: ${genResult.stderr}`);
|
|
187
197
|
}
|
|
188
198
|
await setKeyPermissions(privatePath);
|
|
189
|
-
const
|
|
199
|
+
const pubArgs = ["pkey", "-in", privatePath, "-pubout", "-out", publicPath];
|
|
200
|
+
if (passphrase) {
|
|
201
|
+
pubArgs.push("-passin", "stdin");
|
|
202
|
+
}
|
|
203
|
+
const pubResult = await runOpenSSL(
|
|
204
|
+
pubArgs,
|
|
205
|
+
passphrase ? Buffer.from(passphrase + "\n") : void 0
|
|
206
|
+
);
|
|
190
207
|
if (pubResult.exitCode !== 0) {
|
|
191
208
|
throw new Error(`Failed to extract public key: ${pubResult.stderr}`);
|
|
192
209
|
}
|
|
@@ -201,7 +218,7 @@ async function generateKeyPair(options = {}) {
|
|
|
201
218
|
}
|
|
202
219
|
async function sign(options) {
|
|
203
220
|
await ensureOpenSSLAvailable();
|
|
204
|
-
const { privateKeyPath, keyProvider, keyRef, data } = options;
|
|
221
|
+
const { privateKeyPath, keyProvider, keyRef, data, passphrase } = options;
|
|
205
222
|
let effectiveKeyPath;
|
|
206
223
|
let cleanup;
|
|
207
224
|
if (keyProvider && keyRef) {
|
|
@@ -226,9 +243,22 @@ async function sign(options) {
|
|
|
226
243
|
const sigFile = path2__namespace.join(tmpDir, "sig.bin");
|
|
227
244
|
try {
|
|
228
245
|
await fs8__namespace.writeFile(dataFile, processBuffer);
|
|
229
|
-
const signArgs = ["dgst", "-sha256"
|
|
230
|
-
|
|
246
|
+
const signArgs = ["dgst", "-sha256"];
|
|
247
|
+
if (passphrase) {
|
|
248
|
+
signArgs.push("-passin", "stdin");
|
|
249
|
+
}
|
|
250
|
+
signArgs.push("-sign", effectiveKeyPath, "-out", sigFile, dataFile);
|
|
251
|
+
const result = await runOpenSSL(
|
|
252
|
+
signArgs,
|
|
253
|
+
passphrase ? Buffer.from(passphrase + "\n") : void 0
|
|
254
|
+
);
|
|
231
255
|
if (result.exitCode !== 0) {
|
|
256
|
+
const stderr = result.stderr.toLowerCase();
|
|
257
|
+
if (stderr.includes("bad decrypt") || stderr.includes("bad password") || stderr.includes("unable to load key") || stderr.includes("wrong password")) {
|
|
258
|
+
throw new Error(
|
|
259
|
+
"Failed to decrypt private key. Please check that the passphrase is correct."
|
|
260
|
+
);
|
|
261
|
+
}
|
|
232
262
|
throw new Error(`Failed to sign data: ${result.stderr}`);
|
|
233
263
|
}
|
|
234
264
|
const sigBuffer = await fs8__namespace.readFile(sigFile);
|
|
@@ -335,6 +365,7 @@ var settingsSchema = zod.z.object({
|
|
|
335
365
|
maxAgeDays: zod.z.number().int().positive().default(30),
|
|
336
366
|
publicKeyPath: zod.z.string().default(".attest-it/pubkey.pem"),
|
|
337
367
|
attestationsPath: zod.z.string().default(".attest-it/attestations.json"),
|
|
368
|
+
sealsPath: zod.z.string().default(".attest-it/seals.json"),
|
|
338
369
|
defaultCommand: zod.z.string().optional(),
|
|
339
370
|
keyProvider: keyProviderSchema.optional()
|
|
340
371
|
// Note: algorithm field was removed - RSA is the only supported algorithm
|
|
@@ -488,7 +519,8 @@ function toAttestItConfig(config) {
|
|
|
488
519
|
settings: {
|
|
489
520
|
maxAgeDays: config.settings.maxAgeDays,
|
|
490
521
|
publicKeyPath: config.settings.publicKeyPath,
|
|
491
|
-
attestationsPath: config.settings.attestationsPath
|
|
522
|
+
attestationsPath: config.settings.attestationsPath,
|
|
523
|
+
sealsPath: config.settings.sealsPath
|
|
492
524
|
},
|
|
493
525
|
suites: {}
|
|
494
526
|
};
|
|
@@ -575,7 +607,8 @@ var keyProviderSchema2 = zod.z.object({
|
|
|
575
607
|
var policySettingsSchema = zod.z.object({
|
|
576
608
|
maxAgeDays: zod.z.number().int().positive().default(30),
|
|
577
609
|
publicKeyPath: zod.z.string().default(".attest-it/pubkey.pem"),
|
|
578
|
-
attestationsPath: zod.z.string().default(".attest-it/attestations.json")
|
|
610
|
+
attestationsPath: zod.z.string().default(".attest-it/attestations.json"),
|
|
611
|
+
sealsPath: zod.z.string().default(".attest-it/seals.json")
|
|
579
612
|
}).strict();
|
|
580
613
|
var policySchema = zod.z.object({
|
|
581
614
|
version: zod.z.literal(1),
|
|
@@ -752,7 +785,8 @@ function mergeConfigs(policy, operational) {
|
|
|
752
785
|
// Security settings from policy (these are trust-critical)
|
|
753
786
|
maxAgeDays: policy.settings.maxAgeDays,
|
|
754
787
|
publicKeyPath: policy.settings.publicKeyPath,
|
|
755
|
-
attestationsPath: policy.settings.attestationsPath
|
|
788
|
+
attestationsPath: policy.settings.attestationsPath,
|
|
789
|
+
sealsPath: policy.settings.sealsPath
|
|
756
790
|
};
|
|
757
791
|
if (operational.settings.defaultCommand !== void 0) {
|
|
758
792
|
settings.defaultCommand = operational.settings.defaultCommand;
|
|
@@ -847,7 +881,7 @@ function computeFinalFingerprint(fileHashes) {
|
|
|
847
881
|
}
|
|
848
882
|
async function hashFileAsync(realPath, normalizedPath, stats) {
|
|
849
883
|
if (stats.size > LARGE_FILE_THRESHOLD) {
|
|
850
|
-
return new Promise((
|
|
884
|
+
return new Promise((resolve5, reject) => {
|
|
851
885
|
const hash2 = crypto3__namespace.createHash("sha256");
|
|
852
886
|
hash2.update(normalizedPath);
|
|
853
887
|
hash2.update(":");
|
|
@@ -856,7 +890,7 @@ async function hashFileAsync(realPath, normalizedPath, stats) {
|
|
|
856
890
|
hash2.update(chunk);
|
|
857
891
|
});
|
|
858
892
|
stream.on("end", () => {
|
|
859
|
-
|
|
893
|
+
resolve5(hash2.digest());
|
|
860
894
|
});
|
|
861
895
|
stream.on("error", reject);
|
|
862
896
|
});
|
|
@@ -1470,16 +1504,23 @@ var FilesystemKeyProvider = class {
|
|
|
1470
1504
|
* @param options - Key generation options
|
|
1471
1505
|
*/
|
|
1472
1506
|
async generateKeyPair(options) {
|
|
1473
|
-
const { publicKeyPath, force = false } = options;
|
|
1474
|
-
const
|
|
1507
|
+
const { publicKeyPath, force = false, passphrase } = options;
|
|
1508
|
+
const cryptoOptions = {
|
|
1475
1509
|
privatePath: this.privateKeyPath,
|
|
1476
1510
|
publicPath: publicKeyPath,
|
|
1477
1511
|
force
|
|
1478
|
-
}
|
|
1512
|
+
};
|
|
1513
|
+
if (passphrase !== void 0) {
|
|
1514
|
+
cryptoOptions.passphrase = passphrase;
|
|
1515
|
+
}
|
|
1516
|
+
const result = await generateKeyPair(cryptoOptions);
|
|
1517
|
+
const encrypted = passphrase !== void 0 && passphrase.length > 0;
|
|
1518
|
+
const encryptionStatus = encrypted ? " (passphrase-encrypted)" : "";
|
|
1479
1519
|
return {
|
|
1480
1520
|
privateKeyRef: result.privatePath,
|
|
1481
1521
|
publicKeyPath: result.publicPath,
|
|
1482
|
-
storageDescription: `Filesystem: ${result.privatePath}
|
|
1522
|
+
storageDescription: `Filesystem: ${result.privatePath}${encryptionStatus}`,
|
|
1523
|
+
encrypted
|
|
1483
1524
|
};
|
|
1484
1525
|
}
|
|
1485
1526
|
/**
|
|
@@ -1718,7 +1759,7 @@ var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
|
|
|
1718
1759
|
}
|
|
1719
1760
|
};
|
|
1720
1761
|
async function execCommand(command, args) {
|
|
1721
|
-
return new Promise((
|
|
1762
|
+
return new Promise((resolve5, reject) => {
|
|
1722
1763
|
const proc = child_process.spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
|
|
1723
1764
|
let stdout = "";
|
|
1724
1765
|
let stderr = "";
|
|
@@ -1730,7 +1771,7 @@ async function execCommand(command, args) {
|
|
|
1730
1771
|
});
|
|
1731
1772
|
proc.on("close", (code) => {
|
|
1732
1773
|
if (code === 0) {
|
|
1733
|
-
|
|
1774
|
+
resolve5(stdout.trim());
|
|
1734
1775
|
} else {
|
|
1735
1776
|
reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
|
|
1736
1777
|
}
|
|
@@ -1932,7 +1973,7 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
|
|
|
1932
1973
|
}
|
|
1933
1974
|
};
|
|
1934
1975
|
async function execCommand2(command, args) {
|
|
1935
|
-
return new Promise((
|
|
1976
|
+
return new Promise((resolve5, reject) => {
|
|
1936
1977
|
const proc = child_process.spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
|
|
1937
1978
|
let stdout = "";
|
|
1938
1979
|
let stderr = "";
|
|
@@ -1944,7 +1985,7 @@ async function execCommand2(command, args) {
|
|
|
1944
1985
|
});
|
|
1945
1986
|
proc.on("close", (code) => {
|
|
1946
1987
|
if (code === 0) {
|
|
1947
|
-
|
|
1988
|
+
resolve5(stdout.trim());
|
|
1948
1989
|
} else {
|
|
1949
1990
|
reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
|
|
1950
1991
|
}
|
|
@@ -2609,7 +2650,7 @@ var YubiKeyProvider = class _YubiKeyProvider {
|
|
|
2609
2650
|
}
|
|
2610
2651
|
};
|
|
2611
2652
|
async function execCommand3(command, args) {
|
|
2612
|
-
return new Promise((
|
|
2653
|
+
return new Promise((resolve5, reject) => {
|
|
2613
2654
|
const proc = child_process.spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
|
|
2614
2655
|
let stdout = "";
|
|
2615
2656
|
let stderr = "";
|
|
@@ -2621,7 +2662,7 @@ async function execCommand3(command, args) {
|
|
|
2621
2662
|
});
|
|
2622
2663
|
proc.on("close", (code) => {
|
|
2623
2664
|
if (code === 0) {
|
|
2624
|
-
|
|
2665
|
+
resolve5(stdout.trim());
|
|
2625
2666
|
} else {
|
|
2626
2667
|
reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
|
|
2627
2668
|
}
|
|
@@ -2924,8 +2965,8 @@ ${issues}`);
|
|
|
2924
2965
|
}
|
|
2925
2966
|
return result.data;
|
|
2926
2967
|
}
|
|
2927
|
-
async function readSeals(dir) {
|
|
2928
|
-
const sealsPath = path2__namespace.join(dir, ".attest-it", "seals.json");
|
|
2968
|
+
async function readSeals(dir, sealsPathOverride) {
|
|
2969
|
+
const sealsPath = sealsPathOverride ? path2__namespace.resolve(dir, sealsPathOverride) : path2__namespace.join(dir, ".attest-it", "seals.json");
|
|
2929
2970
|
try {
|
|
2930
2971
|
const content = await fs__namespace.promises.readFile(sealsPath, "utf8");
|
|
2931
2972
|
return parseSealsContent(content);
|
|
@@ -2941,8 +2982,8 @@ async function readSeals(dir) {
|
|
|
2941
2982
|
);
|
|
2942
2983
|
}
|
|
2943
2984
|
}
|
|
2944
|
-
function readSealsSync(dir) {
|
|
2945
|
-
const sealsPath = path2__namespace.join(dir, ".attest-it", "seals.json");
|
|
2985
|
+
function readSealsSync(dir, sealsPathOverride) {
|
|
2986
|
+
const sealsPath = sealsPathOverride ? path2__namespace.resolve(dir, sealsPathOverride) : path2__namespace.join(dir, ".attest-it", "seals.json");
|
|
2946
2987
|
try {
|
|
2947
2988
|
const content = fs__namespace.readFileSync(sealsPath, "utf8");
|
|
2948
2989
|
return parseSealsContent(content);
|
|
@@ -2958,11 +2999,11 @@ function readSealsSync(dir) {
|
|
|
2958
2999
|
);
|
|
2959
3000
|
}
|
|
2960
3001
|
}
|
|
2961
|
-
async function writeSeals(dir, sealsFile) {
|
|
2962
|
-
const
|
|
2963
|
-
const
|
|
3002
|
+
async function writeSeals(dir, sealsFile, sealsPathOverride) {
|
|
3003
|
+
const sealsPath = sealsPathOverride ? path2__namespace.resolve(dir, sealsPathOverride) : path2__namespace.join(dir, ".attest-it", "seals.json");
|
|
3004
|
+
const sealsDir = path2__namespace.dirname(sealsPath);
|
|
2964
3005
|
try {
|
|
2965
|
-
await fs__namespace.promises.mkdir(
|
|
3006
|
+
await fs__namespace.promises.mkdir(sealsDir, { recursive: true });
|
|
2966
3007
|
const content = JSON.stringify(sealsFile, null, 2) + "\n";
|
|
2967
3008
|
await fs__namespace.promises.writeFile(sealsPath, content, "utf8");
|
|
2968
3009
|
} catch (error) {
|
|
@@ -2971,11 +3012,11 @@ async function writeSeals(dir, sealsFile) {
|
|
|
2971
3012
|
);
|
|
2972
3013
|
}
|
|
2973
3014
|
}
|
|
2974
|
-
function writeSealsSync(dir, sealsFile) {
|
|
2975
|
-
const
|
|
2976
|
-
const
|
|
3015
|
+
function writeSealsSync(dir, sealsFile, sealsPathOverride) {
|
|
3016
|
+
const sealsPath = sealsPathOverride ? path2__namespace.resolve(dir, sealsPathOverride) : path2__namespace.join(dir, ".attest-it", "seals.json");
|
|
3017
|
+
const sealsDir = path2__namespace.dirname(sealsPath);
|
|
2977
3018
|
try {
|
|
2978
|
-
fs__namespace.mkdirSync(
|
|
3019
|
+
fs__namespace.mkdirSync(sealsDir, { recursive: true });
|
|
2979
3020
|
const content = JSON.stringify(sealsFile, null, 2) + "\n";
|
|
2980
3021
|
fs__namespace.writeFileSync(sealsPath, content, "utf8");
|
|
2981
3022
|
} catch (error) {
|