deps: @sigstore/tuf@2.3.0

node_modules/@sigstore/tuf/dist/client.js

@@ -22,12 +22,29 @@ limitations under the License.
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const tuf_js_1 = require("tuf-js");
+const _1 = require(".");
 const target_1 = require("./target");
+const TUF_SEEDS_PATH = require.resolve('../seeds.json');
+const TARGETS_DIR_NAME = 'targets';
 class TUFClient {
     constructor(options) {
-        initTufCache(options);
-        const remote = initRemoteConfig(options);
-        this.updater = initClient(options.cachePath, remote, options);
+        const url = new URL(options.mirrorURL);
+        const repoName = encodeURIComponent(url.host + url.pathname.replace(/\/$/, ''));
+        const cachePath = path_1.default.join(options.cachePath, repoName);
+        initTufCache(cachePath);
+        seedCache({
+            cachePath,
+            mirrorURL: options.mirrorURL,
+            tufRootPath: options.rootPath,
+            forceInit: options.forceInit,
+        });
+        this.updater = initClient({
+            mirrorURL: options.mirrorURL,
+            cachePath,
+            forceCache: options.forceCache,
+            retry: options.retry,
+            timeout: options.timeout,
+        });
     }
     async refresh() {
         return this.updater.refresh();
@@ -42,53 +59,55 @@ exports.TUFClient = TUFClient;
 // created. If the targets directory does not exist, it will be created.
 // If the root.json file does not exist, it will be copied from the
 // rootPath argument.
-function initTufCache({ cachePath, rootPath: tufRootPath, force, }) {
-    const targetsPath = path_1.default.join(cachePath, 'targets');
-    const cachedRootPath = path_1.default.join(cachePath, 'root.json');
+function initTufCache(cachePath) {
+    const targetsPath = path_1.default.join(cachePath, TARGETS_DIR_NAME);
     if (!fs_1.default.existsSync(cachePath)) {
         fs_1.default.mkdirSync(cachePath, { recursive: true });
     }
     if (!fs_1.default.existsSync(targetsPath)) {
         fs_1.default.mkdirSync(targetsPath);
     }
-    // If the root.json file does not exist (or we're forcing re-initialization),
-    // copy it from the rootPath argument
-    if (!fs_1.default.existsSync(cachedRootPath) || force) {
-        fs_1.default.copyFileSync(tufRootPath, cachedRootPath);
-    }
-    return cachePath;
 }
-// Initializes the remote.json file, which contains the URL of the TUF
-// repository. If the file does not exist, it will be created. If the file
-// exists, it will be parsed and returned.
-function initRemoteConfig({ cachePath, mirrorURL, force, }) {
-    let remoteConfig;
-    const remoteConfigPath = path_1.default.join(cachePath, 'remote.json');
-    // If the remote config file exists, read it and parse it (skip if force is
-    // true)
-    if (!force && fs_1.default.existsSync(remoteConfigPath)) {
-        const data = fs_1.default.readFileSync(remoteConfigPath, 'utf-8');
-        remoteConfig = JSON.parse(data);
-    }
-    // If the remote config file does not exist (or we're forcing initialization),
-    // create it
-    if (!remoteConfig || force) {
-        remoteConfig = { mirror: mirrorURL };
-        fs_1.default.writeFileSync(remoteConfigPath, JSON.stringify(remoteConfig));
+// Populates the TUF cache with the initial root.json file. If the root.json
+// file does not exist (or we're forcing re-initialization), copy it from either
+// the rootPath argument or from one of the repo seeds.
+function seedCache({ cachePath, mirrorURL, tufRootPath, forceInit, }) {
+    const cachedRootPath = path_1.default.join(cachePath, 'root.json');
+    // If the root.json file does not exist (or we're forcing re-initialization),
+    // populate it either from the supplied rootPath or from one of the repo seeds.
+    if (!fs_1.default.existsSync(cachedRootPath) || forceInit) {
+        if (tufRootPath) {
+            fs_1.default.copyFileSync(tufRootPath, cachedRootPath);
+        }
+        else {
+            // Load the embedded repo seeds
+            const seeds = JSON.parse(fs_1.default.readFileSync(TUF_SEEDS_PATH).toString('utf-8'));
+            const repoSeed = seeds[mirrorURL];
+            if (!repoSeed) {
+                throw new _1.TUFError({
+                    code: 'TUF_INIT_CACHE_ERROR',
+                    message: `No root.json found for mirror: ${mirrorURL}`,
+                });
+            }
+            fs_1.default.writeFileSync(cachedRootPath, Buffer.from(repoSeed['root.json'], 'base64'));
+            // Copy any seed targets into the cache
+            Object.entries(repoSeed.targets).forEach(([targetName, target]) => {
+                fs_1.default.writeFileSync(path_1.default.join(cachePath, TARGETS_DIR_NAME, targetName), Buffer.from(target, 'base64'));
+            });
+        }
     }
-    return remoteConfig;
 }
-function initClient(cachePath, remote, options) {
-    const baseURL = remote.mirror;
+function initClient(options) {
     const config = {
         fetchTimeout: options.timeout,
         fetchRetry: options.retry,
     };
     return new tuf_js_1.Updater({
-        metadataBaseUrl: baseURL,
-        targetBaseUrl: `${baseURL}/targets`,
-        metadataDir: cachePath,
-        targetDir: path_1.default.join(cachePath, 'targets'),
+        metadataBaseUrl: options.mirrorURL,
+        targetBaseUrl: `${options.mirrorURL}/targets`,
+        metadataDir: options.cachePath,
+        targetDir: path_1.default.join(options.cachePath, TARGETS_DIR_NAME),
+        forceCache: options.forceCache,
         config,
     });
 }

node_modules/@sigstore/tuf/dist/index.js

@@ -21,7 +21,6 @@ const appdata_1 = require("./appdata");
 const client_1 = require("./client");
 exports.DEFAULT_MIRROR_URL = 'https://tuf-repo-cdn.sigstore.dev';
 const DEFAULT_CACHE_DIR = 'sigstore-js';
-const DEFAULT_TUF_ROOT_PATH = '../store/public-good-instance-root.json';
 const DEFAULT_RETRY = { retries: 2 };
 const DEFAULT_TIMEOUT = 5000;
 const TRUSTED_ROOT_TARGET = 'trusted_root.json';
@@ -45,11 +44,12 @@ function createClient(options) {
     /* istanbul ignore next */
     return new client_1.TUFClient({
         cachePath: options.cachePath || (0, appdata_1.appDataPath)(DEFAULT_CACHE_DIR),
-        rootPath: options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH),
+        rootPath: options.rootPath,
         mirrorURL: options.mirrorURL || exports.DEFAULT_MIRROR_URL,
         retry: options.retry ?? DEFAULT_RETRY,
         timeout: options.timeout ?? DEFAULT_TIMEOUT,
-        force: options.force ?? false,
+        forceCache: options.forceCache ?? false,
+        forceInit: options.forceInit ?? options.force ?? false,
     });
 }
 var error_1 = require("./error");

node_modules/@sigstore/tuf/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/tuf",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "Client for the Sigstore TUF repository",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -11,7 +11,7 @@
   },
   "files": [
     "dist",
-    "store"
+    "seeds.json"
   ],
   "author": "bdehamer@github.com",
   "license": "Apache-2.0",
@@ -29,11 +29,11 @@
   "devDependencies": {
     "@sigstore/jest": "^0.0.0",
     "@tufjs/repo-mock": "^2.0.0",
-    "@types/make-fetch-happen": "^10.0.0"
+    "@types/make-fetch-happen": "^10.0.4"
   },
   "dependencies": {
     "@sigstore/protobuf-specs": "^0.2.1",
-    "tuf-js": "^2.1.0"
+    "tuf-js": "^2.2.0"
   },
   "engines": {
     "node": "^16.14.0 || >=18.0.0"

node_modules/tuf-js/dist/config.js

@@ -4,12 +4,12 @@ exports.defaultConfig = void 0;
 exports.defaultConfig = {
     maxRootRotations: 32,
     maxDelegations: 32,
-    rootMaxLength: 512000,
-    timestampMaxLength: 16384,
-    snapshotMaxLength: 2000000,
-    targetsMaxLength: 5000000,
+    rootMaxLength: 512000, //bytes
+    timestampMaxLength: 16384, // bytes
+    snapshotMaxLength: 2000000, // bytes
+    targetsMaxLength: 5000000, // bytes
     prefixTargetsWithHash: true,
-    fetchTimeout: 100000,
+    fetchTimeout: 100000, // milliseconds
     fetchRetries: undefined,
     fetchRetry: 2,
 };

node_modules/tuf-js/dist/updater.js

@@ -44,6 +44,7 @@ class Updater {
         this.metadataBaseUrl = metadataBaseUrl;
         this.targetDir = targetDir;
         this.targetBaseUrl = targetBaseUrl;
+        this.forceCache = options.forceCache ?? false;
         const data = this.loadLocalMetadata(models_1.MetadataKind.Root);
         this.trustedSet = new store_1.TrustedMetadataStore(data);
         this.config = { ...config_1.defaultConfig, ...config };
@@ -57,8 +58,25 @@ class Updater {
     // refresh and load the metadata before downloading the target
     // refresh should be called once after the client is initialized
     async refresh() {
-        await this.loadRoot();
-        await this.loadTimestamp();
+        // If forceCache is true, try to load the timestamp from local storage
+        // without fetching it from the remote. Otherwise, load the root and
+        // timestamp from the remote per the TUF spec.
+        if (this.forceCache) {
+            // If anything fails, load the root and timestamp from the remote. This
+            // should cover any situation where the local metadata is corrupted or
+            // expired.
+            try {
+                await this.loadTimestamp({ checkRemote: false });
+            }
+            catch (error) {
+                await this.loadRoot();
+                await this.loadTimestamp();
+            }
+        }
+        else {
+            await this.loadRoot();
+            await this.loadTimestamp();
+        }
         await this.loadSnapshot();
         await this.loadTargets(models_1.MetadataKind.Targets, models_1.MetadataKind.Root);
     }
@@ -143,11 +161,16 @@ class Updater {
     }
     // Load local and remote timestamp metadata.
     // Client workflow 5.4: update timestamp role
-    async loadTimestamp() {
+    async loadTimestamp({ checkRemote } = { checkRemote: true }) {
         // Load local and remote timestamp metadata
         try {
             const data = this.loadLocalMetadata(models_1.MetadataKind.Timestamp);
             this.trustedSet.updateTimestamp(data);
+            // If checkRemote is disabled, return here to avoid fetching the remote
+            // timestamp metadata.
+            if (!checkRemote) {
+                return;
+            }
         }
         catch (error) {
             // continue

node_modules/tuf-js/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tuf-js",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "JavaScript implementation of The Update Framework (TUF)",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -29,8 +29,8 @@
   "homepage": "https://github.com/theupdateframework/tuf-js/tree/main/packages/client#readme",
   "devDependencies": {
     "@tufjs/repo-mock": "2.0.0",
-    "@types/debug": "^4.1.8",
-    "@types/make-fetch-happen": "^10.0.1"
+    "@types/debug": "^4.1.12",
+    "@types/make-fetch-happen": "^10.0.4"
   },
   "dependencies": {
     "@tufjs/models": "2.0.0",

package-lock.json

@@ -97,7 +97,7 @@
         "@npmcli/package-json": "^5.0.0",
         "@npmcli/promise-spawn": "^7.0.1",
         "@npmcli/run-script": "^7.0.3",
-        "@sigstore/tuf": "^2.2.0",
+        "@sigstore/tuf": "^2.3.0",
         "abbrev": "^2.0.0",
         "archy": "~1.0.0",
         "cacache": "^18.0.2",
@@ -2160,13 +2160,13 @@
       }
     },
     "node_modules/@sigstore/tuf": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/@sigstore/tuf/-/tuf-2.2.0.tgz",
-      "integrity": "sha512-KKATZ5orWfqd9ZG6MN8PtCIx4eevWSuGRKQvofnWXRpyMyUEpmrzg5M5BrCpjM+NfZ0RbNGOh5tCz/P2uoRqOA==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@sigstore/tuf/-/tuf-2.3.0.tgz",
+      "integrity": "sha512-S98jo9cpJwO1mtQ+2zY7bOdcYyfVYCUaofCG6wWRzk3pxKHVAkSfshkfecto2+LKsx7Ovtqbgb2LS8zTRhxJ9Q==",
       "inBundle": true,
       "dependencies": {
         "@sigstore/protobuf-specs": "^0.2.1",
-        "tuf-js": "^2.1.0"
+        "tuf-js": "^2.2.0"
       },
       "engines": {
         "node": "^16.14.0 || >=18.0.0"
@@ -15264,9 +15264,9 @@
       }
     },
     "node_modules/tuf-js": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/tuf-js/-/tuf-js-2.1.0.tgz",
-      "integrity": "sha512-eD7YPPjVlMzdggrOeE8zwoegUaG/rt6Bt3jwoQPunRiNVzgcCE009UDFJKJjG+Gk9wFu6W/Vi+P5d/5QpdD9jA==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/tuf-js/-/tuf-js-2.2.0.tgz",
+      "integrity": "sha512-ZSDngmP1z6zw+FIkIBjvOp/II/mIub/O7Pp12j1WNsiCpg5R5wAc//i555bBQsE44O94btLt0xM/Zr2LQjwdCg==",
       "inBundle": true,
       "dependencies": {
         "@tufjs/models": "2.0.0",

package.json

@@ -59,7 +59,7 @@
     "@npmcli/package-json": "^5.0.0",
     "@npmcli/promise-spawn": "^7.0.1",
     "@npmcli/run-script": "^7.0.3",
-    "@sigstore/tuf": "^2.2.0",
+    "@sigstore/tuf": "^2.3.0",
     "abbrev": "^2.0.0",
     "archy": "~1.0.0",
     "cacache": "^18.0.2",

test/lib/commands/audit.js

@@ -939,7 +939,7 @@ t.test('audit signatures', async t => {
     const opts = {
       baseURL: 'https://tuf-repo-cdn.sigstore.dev',
       metadataPathPrefix: '',
-      cachePath: path.join(npm.cache, '_tuf'),
+      cachePath: path.join(npm.cache, '_tuf', 'tuf-repo-cdn.sigstore.dev'),
     }
     return tufmock(target, opts)
   }