json file missing

[laurentsimon]

I get this error when using the library and ncc to compile my project: ::error::Cannot find module '../../store/public-good-instance-root.json'

Problem with tuf-js?

Any pointers? happy to send a PR, but I'm not sure where this file is looked up.

[laurentsimon]

/cc asraa

[ianlewis]

FWIW: Here is a GHA run where we encounter the issue: https://github.com/slsa-framework/slsa-github-generator/actions/runs/4180524822/jobs/7241595353

/cc @asraa

[asraa]

This seems like a similar problem to the rekor.pub being distributed - for Ian and Laurent - this file is likely the initial trusted root after which the Rekor/Fulcio key material is fetched from

[asraa]

I think this is where it is being read:

sigstore-js/src/tuf/index.ts

Line 63 in 6ccf8d0

const tufRootSrc = require.resolve(`../../store/${name}-root.json`);

There's a small indirection here that probably made codesearch hard. The public-good-instance-root.json is fetched from its definition in this map.json file that describes the TUF roots: https://github.com/sigstore/sigstore-js/blob/6ccf8d04a6b8c12e0a2457f217325a022dff7b76/store/map.json

[laurentsimon]

Thanks Asra, indeed I just did a lazy grep which returned nothing :-)

The fix for the rekor.pub was to use require.resolve (see https://github.com/sigstore/sigstore-js/pull/216/files) but the code here already uses that. I do see the map.json file copied correctly by ncc, but not the dynamically-created one.

I wonder whether the dynamic name makes ncc not realize that it needs to copy the file over? The hard-codedmap.json

sigstore-js/src/tuf/index.ts

Line 46 in 6ccf8d0

const mapSrc = require.resolve('../../store/map.json');

seems to be working just fine.

[bdehamer]

Haven't used ncc before, but it does seem that the dynamic nature of the resolution of the public-good-instance-root.json makes it so that ncc doesn't realize that this file needs to be packed.

After I ran ncc on the sigstore-js project, I saw that the require.resolve for the "map.json" file got re-written to:

const mapSrc = __nccwpck_require__.ab + "map.json";

while the statement for the "public-good-instance-root.json" was left as:

const tufRootSrc = require.resolve(`../../store/${name}-root.json`);

Definitely open to suggestions for how to make this more ncc-friendly.

[ianlewis]

Based on vercel/ncc#74 (comment) we might have better luck with ncc static analysis if the require took the following form. I guess it then could know that anything under ../../store/ should be included?

const tufRootFile = `${name}-root.json`
const tufRootSrc = require.resolve(`../../store/' + tufRootFile);

[bdehamer]

@ianlewis we haven't yet published the new version (probably next week), but #330 should have resolved this issue.

[ianlewis]

@ianlewis we haven't yet published the new version (probably next week), but #330 should have resolved this issue.

@bdehamer Thanks! I saw your PR. I'll look forward to the new release.

[bdehamer]

New version published: https://github.com/sigstore/sigstore-js/releases/tag/v1.1.1