@enactprotocol/trust 2.0.0 → 2.0.1

package/dist/sigstore/attestation.js

@@ -0,0 +1,324 @@
+/**
+ * Attestation generation module
+ *
+ * This module provides functions for creating in-toto attestations and SLSA provenance
+ * statements that can be signed using Sigstore.
+ */
+import { hashContent, hashFile } from "../hash";
+// ============================================================================
+// Constants
+// ============================================================================
+/**
+ * The primary Enact website/registry URL
+ * Used for attestation types, tool URLs, and documentation references
+ */
+export const ENACT_BASE_URL = "https://enact.tools";
+/** in-toto statement type */
+export const INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1";
+/** SLSA Provenance predicate type v1.0 */
+export const SLSA_PROVENANCE_TYPE = "https://slsa.dev/provenance/v1";
+/** Enact tool attestation predicate type */
+export const ENACT_TOOL_TYPE = `${ENACT_BASE_URL}/attestation/tool/v1`;
+/** Enact audit attestation predicate type */
+export const ENACT_AUDIT_TYPE = `${ENACT_BASE_URL}/attestation/audit/v1`;
+/** Enact build type for SLSA provenance */
+export const ENACT_BUILD_TYPE = `${ENACT_BASE_URL}/build/v1`;
+// ============================================================================
+// Subject Creation
+// ============================================================================
+/**
+ * Create an in-toto subject from content
+ *
+ * @param name - The subject name (e.g., file path or artifact identifier)
+ * @param content - The content to hash
+ * @returns The in-toto subject with sha256 digest
+ *
+ * @example
+ * ```ts
+ * const subject = createSubjectFromContent("tool.yaml", yamlContent);
+ * // { name: "tool.yaml", digest: { sha256: "abc123..." } }
+ * ```
+ */
+export function createSubjectFromContent(name, content) {
+    const hash = hashContent(content, "sha256");
+    return {
+        name,
+        digest: {
+            sha256: hash.digest,
+        },
+    };
+}
+/**
+ * Create an in-toto subject from a file
+ *
+ * @param name - The subject name (can differ from file path)
+ * @param filePath - Path to the file to hash
+ * @returns Promise resolving to the in-toto subject
+ *
+ * @example
+ * ```ts
+ * const subject = await createSubjectFromFile("my-tool@1.0.0", "/path/to/tool.yaml");
+ * ```
+ */
+export async function createSubjectFromFile(name, filePath) {
+    const hash = await hashFile(filePath, { algorithm: "sha256" });
+    return {
+        name,
+        digest: {
+            sha256: hash.digest,
+        },
+    };
+}
+/**
+ * Create an in-toto subject with multiple digest algorithms
+ *
+ * @param name - The subject name
+ * @param content - The content to hash
+ * @returns Subject with both sha256 and sha512 digests
+ */
+export function createSubjectWithMultipleDigests(name, content) {
+    const sha256 = hashContent(content, "sha256");
+    const sha512 = hashContent(content, "sha512");
+    return {
+        name,
+        digest: {
+            sha256: sha256.digest,
+            sha512: sha512.digest,
+        },
+    };
+}
+// ============================================================================
+// Statement Creation
+// ============================================================================
+/**
+ * Create a generic in-toto statement
+ *
+ * @param subjects - The subjects (artifacts) covered by this attestation
+ * @param predicateType - The predicate type URI
+ * @param predicate - The predicate content
+ * @returns The in-toto statement
+ *
+ * @example
+ * ```ts
+ * const statement = createStatement(
+ *   [subject],
+ *   "https://example.com/predicate/v1",
+ *   { customField: "value" }
+ * );
+ * ```
+ */
+export function createStatement(subjects, predicateType, predicate) {
+    return {
+        _type: INTOTO_STATEMENT_TYPE,
+        subject: subjects,
+        predicateType,
+        predicate,
+    };
+}
+/**
+ * Create a SLSA provenance predicate
+ *
+ * @param options - Provenance options
+ * @returns The SLSA provenance predicate
+ *
+ * @example
+ * ```ts
+ * const provenance = createSLSAProvenance({
+ *   buildType: "https://enact.tools/build/v1",
+ *   builderId: "https://github.com/enact-dev/enact-cli@v2.0.0",
+ *   externalParameters: {
+ *     manifestPath: "tool.yaml"
+ *   }
+ * });
+ * ```
+ */
+export function createSLSAProvenance(options) {
+    const provenance = {
+        buildDefinition: {
+            buildType: options.buildType,
+            externalParameters: options.externalParameters || {},
+        },
+        runDetails: {
+            builder: {
+                id: options.builderId,
+            },
+        },
+    };
+    // Add optional fields
+    if (options.internalParameters) {
+        provenance.buildDefinition.internalParameters = options.internalParameters;
+    }
+    if (options.resolvedDependencies) {
+        provenance.buildDefinition.resolvedDependencies = options.resolvedDependencies;
+    }
+    // Add metadata if any timestamps are provided
+    if (options.invocationId || options.startedOn || options.finishedOn) {
+        provenance.runDetails.metadata = {};
+        if (options.invocationId) {
+            provenance.runDetails.metadata.invocationId = options.invocationId;
+        }
+        if (options.startedOn) {
+            provenance.runDetails.metadata.startedOn = options.startedOn.toISOString();
+        }
+        if (options.finishedOn) {
+            provenance.runDetails.metadata.finishedOn = options.finishedOn.toISOString();
+        }
+    }
+    return provenance;
+}
+/**
+ * Create a SLSA provenance statement for an artifact
+ *
+ * @param subjects - The artifacts to attest
+ * @param options - Provenance options
+ * @returns The complete in-toto statement with SLSA provenance
+ */
+export function createSLSAProvenanceStatement(subjects, options) {
+    const provenance = createSLSAProvenance(options);
+    return createStatement(subjects, SLSA_PROVENANCE_TYPE, provenance);
+}
+/**
+ * Create an Enact tool attestation predicate
+ *
+ * @param options - Tool attestation options
+ * @returns The Enact tool predicate
+ *
+ * @example
+ * ```ts
+ * const toolPredicate = createEnactToolPredicate({
+ *   name: "my-tool",
+ *   version: "1.0.0",
+ *   publisher: "user@example.com",
+ *   description: "A useful tool"
+ * });
+ * ```
+ */
+export function createEnactToolPredicate(options) {
+    const predicate = {
+        type: ENACT_TOOL_TYPE,
+        tool: {
+            name: options.name,
+            version: options.version,
+            publisher: options.publisher,
+        },
+    };
+    // Add optional tool fields
+    if (options.description) {
+        predicate.tool.description = options.description;
+    }
+    if (options.repository) {
+        predicate.tool.repository = options.repository;
+    }
+    // Add build information if provided
+    if (options.buildTimestamp || options.buildEnvironment || options.sourceCommit) {
+        predicate.build = {
+            timestamp: (options.buildTimestamp || new Date()).toISOString(),
+        };
+        if (options.buildEnvironment) {
+            predicate.build.environment = options.buildEnvironment;
+        }
+        if (options.sourceCommit) {
+            predicate.build.sourceCommit = options.sourceCommit;
+        }
+    }
+    return predicate;
+}
+/**
+ * Create an Enact tool attestation statement
+ *
+ * @param manifestContent - The tool manifest content
+ * @param options - Tool attestation options
+ * @returns The complete in-toto statement for the tool
+ */
+export function createEnactToolStatement(manifestContent, options) {
+    const subject = createSubjectFromContent(`${options.name}@${options.version}`, manifestContent);
+    const predicate = createEnactToolPredicate(options);
+    return createStatement([subject], ENACT_TOOL_TYPE, predicate);
+}
+/**
+ * Create an Enact audit attestation predicate
+ *
+ * @param options - Audit attestation options
+ * @returns The Enact audit predicate
+ */
+export function createEnactAuditPredicate(options) {
+    const predicate = {
+        type: ENACT_AUDIT_TYPE,
+        tool: {
+            name: options.toolName,
+            version: options.toolVersion,
+        },
+        audit: {
+            auditor: options.auditor,
+            timestamp: (options.timestamp || new Date()).toISOString(),
+            result: options.result,
+        },
+    };
+    if (options.notes) {
+        predicate.audit.notes = options.notes;
+    }
+    return predicate;
+}
+/**
+ * Create an Enact audit attestation statement
+ *
+ * @param manifestContent - The tool manifest content being audited
+ * @param options - Audit attestation options
+ * @returns The complete in-toto statement for the audit
+ */
+export function createEnactAuditStatement(manifestContent, options) {
+    const subject = createSubjectFromContent(`${options.toolName}@${options.toolVersion}`, manifestContent);
+    const predicate = createEnactAuditPredicate(options);
+    return createStatement([subject], ENACT_AUDIT_TYPE, predicate);
+}
+// ============================================================================
+// Resource Descriptors
+// ============================================================================
+/**
+ * Create a SLSA resource descriptor for a file
+ *
+ * @param filePath - Path to the file
+ * @param options - Additional descriptor options
+ * @returns Promise resolving to the resource descriptor
+ */
+export async function createResourceDescriptorFromFile(filePath, options = {}) {
+    const hash = await hashFile(filePath, { algorithm: "sha256" });
+    const descriptor = {
+        name: options.name || filePath,
+        digest: {
+            sha256: hash.digest,
+        },
+    };
+    if (options.uri)
+        descriptor.uri = options.uri;
+    if (options.downloadLocation)
+        descriptor.downloadLocation = options.downloadLocation;
+    if (options.mediaType)
+        descriptor.mediaType = options.mediaType;
+    return descriptor;
+}
+/**
+ * Create a SLSA resource descriptor from content
+ *
+ * @param content - The content
+ * @param options - Descriptor options
+ * @returns The resource descriptor
+ */
+export function createResourceDescriptorFromContent(content, options = {}) {
+    const hash = hashContent(content, "sha256");
+    const descriptor = {
+        digest: {
+            sha256: hash.digest,
+        },
+    };
+    if (options.uri)
+        descriptor.uri = options.uri;
+    if (options.name)
+        descriptor.name = options.name;
+    if (options.downloadLocation)
+        descriptor.downloadLocation = options.downloadLocation;
+    if (options.mediaType)
+        descriptor.mediaType = options.mediaType;
+    return descriptor;
+}
+//# sourceMappingURL=attestation.js.map

package/dist/sigstore/attestation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../src/sigstore/attestation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAShD,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,qBAAqB,CAAC;AAEpD,6BAA6B;AAC7B,MAAM,CAAC,MAAM,qBAAqB,GAAG,iCAAiC,CAAC;AAEvE,0CAA0C;AAC1C,MAAM,CAAC,MAAM,oBAAoB,GAAG,gCAAgC,CAAC;AAErE,4CAA4C;AAC5C,MAAM,CAAC,MAAM,eAAe,GAAG,GAAG,cAAc,sBAAsB,CAAC;AAEvE,6CAA6C;AAC7C,MAAM,CAAC,MAAM,gBAAgB,GAAG,GAAG,cAAc,uBAAuB,CAAC;AAEzE,2CAA2C;AAC3C,MAAM,CAAC,MAAM,gBAAgB,GAAG,GAAG,cAAc,WAAW,CAAC;AAE7D,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAAY,EAAE,OAAwB;IAC7E,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,OAAO;QACL,IAAI;QACJ,MAAM,EAAE;YACN,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,IAAY,EACZ,QAAgB;IAEhB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC/D,OAAO;QACL,IAAI;QACJ,MAAM,EAAE;YACN,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAC9C,IAAY,EACZ,OAAwB;IAExB,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAE9C,OAAO;QACL,IAAI;QACJ,MAAM,EAAE;YACN,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB;KACF,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAyB,EACzB,aAAqB,EACrB,SAAY;IAEZ,OAAO;QACL,KAAK,EAAE,qBAAqB;QAC5B,OAAO,EAAE,QAAQ;QACjB,aAAa;QACb,SAAS;KACV,CAAC;AACJ,CAAC;AA4BD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA8B;IACjE,MAAM,UAAU,GAA4B;QAC1C,eAAe,EAAE;YACf,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,IAAI,EAAE;SACrD;QACD,UAAU,EAAE;YACV,OAAO,EAAE;gBACP,EAAE,EAAE,OAAO,CAAC,SAAS;aACtB;SACF;KACF,CAAC;IAEF,sBAAsB;IACtB,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,UAAU,CAAC,eAAe,CAAC,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAC7E,CAAC;IAED,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;QACjC,UAAU,CAAC,eAAe,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IACjF,CAAC;IAED,8CAA8C;IAC9C,IAAI,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACpE,UAAU,CAAC,UAAU,CAAC,QAAQ,GAAG,EAAE,CAAC;QAEpC,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACrE,CAAC;QAED,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;QAC7E,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,6BAA6B,CAC3C,QAAyB,EACzB,OAA8B;IAE9B,MAAM,UAAU,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACjD,OAAO,eAAe,CAAC,QAAQ,EAAE,oBAAoB,EAAE,UAAU,CAAC,CAAC;AACrE,CAAC;AA8BD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAoC;IAC3E,MAAM,SAAS,GAAuB;QACpC,IAAI,EAAE,eAAe;QACrB,IAAI,EAAE;YACJ,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B;KACF,CAAC;IAEF,2BAA2B;IAC3B,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,SAAS,CAAC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IACnD,CAAC;IAED,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,SAAS,CAAC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACjD,CAAC;IAED,oCAAoC;IACpC,IAAI,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,gBAAgB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC/E,SAAS,CAAC,KAAK,GAAG;YAChB,SAAS,EAAE,CAAC,OAAO,CAAC,cAAc,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE;SAChE,CAAC;QAEF,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;YAC7B,SAAS,CAAC,KAAK,CAAC,WAAW,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACzD,CAAC;QAED,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,SAAS,CAAC,KAAK,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CACtC,eAAgC,EAChC,OAAoC;IAEpC,MAAM,OAAO,GAAG,wBAAwB,CAAC,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,eAAe,CAAC,CAAC;IAChG,MAAM,SAAS,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACpD,OAAO,eAAe,CAAC,CAAC,OAAO,CAAC,EAAE,eAAe,EAAE,SAAS,CAAC,CAAC;AAChE,CAAC;AAyCD;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CACvC,OAAqC;IAErC,MAAM,SAAS,GAAwB;QACrC,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE;YACJ,IAAI,EAAE,OAAO,CAAC,QAAQ;YACtB,OAAO,EAAE,OAAO,CAAC,WAAW;SAC7B;QACD,KAAK,EAAE;YACL,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,CAAC,OAAO,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE;YAC1D,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB;KACF,CAAC;IAEF,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,SAAS,CAAC,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IACxC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,yBAAyB,CACvC,eAAgC,EAChC,OAAqC;IAErC,MAAM,OAAO,GAAG,wBAAwB,CACtC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,EAC5C,eAAe,CAChB,CAAC;IACF,MAAM,SAAS,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IACrD,OAAO,eAAe,CAAC,CAAC,OAAO,CAAC,EAAE,gBAAgB,EAAE,SAAS,CAAC,CAAC;AACjE,CAAC;AAED,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,QAAgB,EAChB,UAKI,EAAE;IAEN,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;IAE/D,MAAM,UAAU,GAA2B;QACzC,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,QAAQ;QAC9B,MAAM,EAAE;YACN,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB;KACF,CAAC;IAEF,IAAI,OAAO,CAAC,GAAG;QAAE,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAC9C,IAAI,OAAO,CAAC,gBAAgB;QAAE,UAAU,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IACrF,IAAI,OAAO,CAAC,SAAS;QAAE,UAAU,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IAEhE,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mCAAmC,CACjD,OAAwB,EACxB,UAKI,EAAE;IAEN,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAE5C,MAAM,UAAU,GAA2B;QACzC,MAAM,EAAE;YACN,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB;KACF,CAAC;IAEF,IAAI,OAAO,CAAC,GAAG;QAAE,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAC9C,IAAI,OAAO,CAAC,IAAI;QAAE,UAAU,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IACjD,IAAI,OAAO,CAAC,gBAAgB;QAAE,UAAU,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IACrF,IAAI,OAAO,CAAC,SAAS;QAAE,UAAU,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IAEhE,OAAO,UAAU,CAAC;AACpB,CAAC"}

package/dist/sigstore/cosign.d.ts

@@ -0,0 +1,90 @@
+/**
+ * Cosign CLI integration for interactive OIDC signing
+ *
+ * The sigstore-js library is designed for CI environments where OIDC tokens
+ * are available via environment variables. For interactive local signing,
+ * we shell out to the cosign CLI which handles the browser-based OAuth flow.
+ */
+import type { SigstoreBundle } from "./types";
+/**
+ * Check if cosign CLI is available
+ */
+export declare function isCosignAvailable(): boolean;
+/**
+ * Get cosign version information
+ */
+export declare function getCosignVersion(): string | undefined;
+/**
+ * Options for cosign signing
+ */
+export interface CosignSignOptions {
+    /** Timeout in milliseconds for the OIDC flow */
+    timeout?: number;
+    /** Output bundle path (if not provided, a temp file is used) */
+    outputPath?: string;
+    /** Whether to run in verbose mode */
+    verbose?: boolean;
+}
+/**
+ * Result of cosign signing
+ */
+export interface CosignSignResult {
+    /** The Sigstore bundle */
+    bundle: SigstoreBundle;
+    /** Path where the bundle was saved */
+    bundlePath: string;
+    /** Signer identity (email) extracted from the bundle */
+    signerIdentity: string | undefined;
+}
+/**
+ * Sign a blob (file or buffer) using cosign with interactive OIDC
+ *
+ * This opens a browser for OAuth authentication with Sigstore's public
+ * OIDC provider. The signature, certificate, and Rekor entry are bundled
+ * together in the Sigstore bundle format.
+ *
+ * @param data - The data to sign (Buffer or path to file)
+ * @param options - Signing options
+ * @returns The signing result with bundle
+ */
+export declare function signWithCosign(data: Buffer | string, options?: CosignSignOptions): Promise<CosignSignResult>;
+/**
+ * Sign an in-toto attestation using cosign
+ *
+ * For in-toto attestations, we use cosign attest-blob which wraps the
+ * attestation in a DSSE envelope.
+ *
+ * @param attestation - The in-toto statement to sign
+ * @param options - Signing options
+ * @returns The signing result with bundle
+ */
+export declare function attestWithCosign(attestation: Record<string, unknown>, options?: CosignSignOptions): Promise<CosignSignResult>;
+/**
+ * Verify a blob signature using cosign
+ *
+ * @param data - The data that was signed
+ * @param bundle - The Sigstore bundle
+ * @param expectedIdentity - Expected signer identity (email)
+ * @param expectedIssuer - Expected OIDC issuer
+ * @returns Whether verification succeeded
+ */
+export declare function verifyWithCosign(data: Buffer | string, bundle: SigstoreBundle, expectedIdentity?: string, expectedIssuer?: string): Promise<{
+    verified: boolean;
+    error?: string | undefined;
+    identity?: string | undefined;
+}>;
+/**
+ * Verify an attestation bundle using cosign
+ *
+ * @param bundle - The Sigstore bundle containing a DSSE-wrapped attestation
+ * @param expectedIdentity - Expected signer identity (email)
+ * @param expectedIssuer - Expected OIDC issuer
+ * @param predicateType - The attestation predicate type (optional)
+ * @returns Verification result
+ */
+export declare function verifyAttestationWithCosign(bundle: SigstoreBundle, expectedIdentity?: string, expectedIssuer?: string, predicateType?: string): Promise<{
+    verified: boolean;
+    error?: string | undefined;
+    identity?: string | undefined;
+}>;
+//# sourceMappingURL=cosign.d.ts.map

package/dist/sigstore/cosign.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cosign.d.ts","sourceRoot":"","sources":["../../src/sigstore/cosign.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE9C;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAO3C;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAQrD;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,gDAAgD;IAChD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qCAAqC;IACrC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0BAA0B;IAC1B,MAAM,EAAE,cAAc,CAAC;IACvB,sCAAsC;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,wDAAwD;IACxD,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;CACpC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,GAAG,MAAM,EACrB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAwH3B;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACpC,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAiI3B;AAED;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,GAAG,MAAM,EACrB,MAAM,EAAE,cAAc,EACtB,gBAAgB,CAAC,EAAE,MAAM,EACzB,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CAAE,CAAC,CA2E3F;AA0CD;;;;;;;;GAQG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,cAAc,EACtB,gBAAgB,CAAC,EAAE,MAAM,EACzB,cAAc,CAAC,EAAE,MAAM,EACvB,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CAAE,CAAC,CA2E3F"}