deps: @sigstore/[email protected]

Signed-off-by: Brian DeHamer <[email protected]>

Author: bdehamer

node_modules/@sigstore/sign/dist/util/oidc.js

@@ -20,11 +20,16 @@ const core_1 = require("@sigstore/core");
 function extractJWTSubject(jwt) {
     const parts = jwt.split('.', 3);
     const payload = JSON.parse(core_1.encoding.base64Decode(parts[1]));
-    switch (payload.iss) {
-        case 'https://accounts.google.com':
-        case 'https://oauth2.sigstore.dev/auth':
-            return payload.email;
-        default:
-            return payload.sub;
+    if (payload.email) {
+        if (!payload.email_verified) {
+            throw new Error('JWT email not verified by issuer');
+        }
+        return payload.email;
+    }
+    if (payload.sub) {
+        return payload.sub;
+    }
+    else {
+        throw new Error('JWT subject not found');
     }
 }

node_modules/@sigstore/sign/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/sign",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "description": "Sigstore signing library",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -36,7 +36,7 @@
     "@sigstore/bundle": "^4.0.0",
     "@sigstore/core": "^3.0.0",
     "@sigstore/protobuf-specs": "^0.5.0",
-    "make-fetch-happen": "^15.0.0",
+    "make-fetch-happen": "^15.0.2",
     "proc-log": "^5.0.0",
     "promise-retry": "^2.0.1"
   },