Merge ceremony branch ceremony/2023-09-26 into main (#981)

* Add staged repository metadata (#974)

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: GitHub <noreply@github.com>

* Bumped npm delegate to v2 and resigned. (#975)

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* sign-root-targets for bobcallaway (#977)

Signed-off-by: Bob Callaway <bcallaway@google.com>

* sign-root-targets for joshuagl (#976)

Signed-off-by: Joshua Lock <joshuagloe@gmail.com>

* sign-root-targets for SantiagoTorres (#979)

Signed-off-by: Santiago Torres-Arias <santiagotorres@purdue.edu>

* sign-root-targets for mnm678 (#978)

Signed-off-by: Marina Moore <mnm678@gmail.com>

* update snapshot and timestamp (#980)

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kommendorkapten <kommendorkapten@users.noreply.github.com>

---------

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Joshua Lock <joshuagloe@gmail.com>
Signed-off-by: Santiago Torres-Arias <santiagotorres@purdue.edu>
Signed-off-by: Marina Moore <mnm678@gmail.com>
Co-authored-by: GitHub <noreply@github.com>
Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com>
Co-authored-by: Joshua Lock <jlock@vmware.com>
Co-authored-by: Santiago Torres <santiagotorres@purdue.edu>
Co-authored-by: Marina Moore <mnm678@users.noreply.github.com>
Co-authored-by: kommendorkapten <kommendorkapten@users.noreply.github.com>

repository/repository/106.snapshot.json

@@ -0,0 +1,64 @@
+{
+	"signed": {
+		"_type": "snapshot",
+		"spec_version": "1.0",
+		"version": 106,
+		"expires": "2023-10-17T18:34:42Z",
+		"meta": {
+			"registry.npmjs.org.json": {
+				"length": 717,
+				"hashes": {
+					"sha256": "eb130d653ed6e4b3e6ea1d1cbdd1eb38da6067c8153a4ebfbd479b839cd762be",
+					"sha512": "b5667f9232900eb57fb3eac48a6b4e696eae07667b509d51d4f748347b54170a42269868df35bc02d56746fe25998ec18201391aaa1beb8ff40c9a867312ea3b"
+				},
+				"version": 2
+			},
+			"rekor.json": {
+				"length": 797,
+				"hashes": {
+					"sha256": "9d2e1a5842937d8e0d3e3759170b0ad15c56c5df36afc5cf73583ddd283a463b",
+					"sha512": "176e9e710ddddd1b357a7d7970831bae59763395a0c18976110cbd35b25e5412dc50f356ec421a7a30265670cf7aec9ed84ee944ba700ec2394b9c876645b960"
+				},
+				"version": 3
+			},
+			"revocation.json": {
+				"length": 800,
+				"hashes": {
+					"sha256": "6f60848ba8fb0955a02abfd1232fb3845dc9ee9f418bf03521a7ddb48217e040",
+					"sha512": "a965dddd0d0edef6c59e84cf02ecf5a53299f633fd339b2b61814a4219ab4df672a6390f265b8b29e1c8cea9368ea3440df013790759d50231a30df1c1f02551"
+				},
+				"version": 2
+			},
+			"root.json": {
+				"length": 5297,
+				"hashes": {
+					"sha256": "f5ad897c9414cca99629f400ac3585e41bd8ebb44c5af07fb08dd636a9eced9c",
+					"sha512": "7445ddfdd338ef786c324fc3d68f75be28cb95b7fb581d2a383e3e5dde18aa17029a5636ec0a22e9631931bbcb34057788311718ea41e21e7cdd3c0de13ede42"
+				},
+				"version": 2
+			},
+			"staging.json": {
+				"length": 401,
+				"hashes": {
+					"sha256": "cda57759abac5375397eea3531d7ca51e3a67da9a2dc93f2cdab749e2ae73149",
+					"sha512": "e9e59587bde453144c7079884a880c706f1d43f26e8bb23fac2b96a99569a2a30ae6cf51ec51c2454f760ce83d4c20915e062aede7f319b3da6a6ed1d26ca281"
+				},
+				"version": 2
+			},
+			"targets.json": {
+				"length": 5254,
+				"hashes": {
+					"sha256": "5a3137bfb141c23bba733309e71260a020052def7443e76d7f97b807e72299bc",
+					"sha512": "d3285632920302399e89f853a47feaa63bfb3f82425a58f61d44d2def5198d23b6dd7b5541c5cdc4196db0188a22c484e03ef08b6773b543ec4c0df6d8c2df2f"
+				},
+				"version": 8
+			}
+		}
+	},
+	"signatures": [
+		{
+			"keyid": "45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b",
+			"sig": "3045022100c697edf9b44288c3bf75e58bb7b7dca0ea878b7d5ed0955e95b829b2dba2d15f0220705b09be24fe266939b689e792db29edf8ef3163da8485bf37e20e50eecbdb6d"
+		}
+	]
+}

repository/repository/2.registry.npmjs.org.json

@@ -0,0 +1,23 @@
+{
+	"signed": {
+		"_type": "targets",
+		"spec_version": "1.0",
+		"version": 2,
+		"expires": "2024-03-26T05:51:49Z",
+		"targets": {
+			"registry.npmjs.org/keys.json": {
+				"length": 1017,
+				"hashes": {
+					"sha256": "7a8ec9678ad824cdccaa7a6dc0961caf8f8df61bc7274189122c123446248426",
+					"sha512": "881a853ee92d8cf513b07c164fea36b22a7305c256125bdfffdc5c65a4205c4c3fc2b5bcc98964349167ea68d40b8cd02551fcaa870a30d4601ba1caf6f63699"
+				}
+			}
+		}
+	},
+	"signatures": [
+		{
+			"keyid": "a89d235ee2f298d757438c7473b11b0b7b42ff1a45f1dfaac4c014183d6f8c45",
+			"sig": "3046022100e7fac1f705f006f351a7b9050403bc4e75843a0376d489c5bc0cb4c77019512a022100c911301e106de5e3e3029fe686b8a069f1d96f1f6cdbd894ddc3bf0d45200de9"
+		}
+	]
+}

repository/repository/8.root.json

@@ -0,0 +1,140 @@
+{
+	"signed": {
+		"_type": "root",
+		"spec_version": "1.0",
+		"version": 8,
+		"expires": "2024-03-26T04:38:55Z",
+		"keys": {
+			"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n"
+				}
+			}
+		},
+		"roles": {
+			"root": {
+				"keyids": [
+					"ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c",
+					"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99",
+					"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f",
+					"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b",
+					"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"
+				],
+				"threshold": 3
+			},
+			"snapshot": {
+				"keyids": [
+					"45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b"
+				],
+				"threshold": 1
+			},
+			"targets": {
+				"keyids": [
+					"ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c",
+					"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99",
+					"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f",
+					"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b",
+					"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"
+				],
+				"threshold": 3
+			},
+			"timestamp": {
+				"keyids": [
+					"e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a"
+				],
+				"threshold": 1
+			}
+		},
+		"consistent_snapshot": true
+	},
+	"signatures": [
+		{
+			"keyid": "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f",
+			"sig": "3044022024b8036b374f7071723f3f2cb1979c42e5da1910f0b178835ad546e3c360836302207140ccd408afcf8720dd9bea7f00325768c3aa47c22d531c849c974fd50e45dd"
+		},
+		{
+			"keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b",
+			"sig": "3046022100dcb1a96ecbfc05768a3c73726a92d681da78eaec068a9a0cfe13a12db672e44b022100a0dae7bc2e6b953e215f57cc614eb71660b9461d6dc86264b0b74a4f2e1307e1"
+		},
+		{
+			"keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de",
+			"sig": "3046022100c4708d94077cb3d6dd60ebd2dd66545e7afb0464ce2593a5f23f6e3604b9f21e022100992e969cd5069eab17439b2ba60743fe422877bc1a1c46e935a6d5cb47b3cfc6"
+		},
+		{
+			"keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99",
+			"sig": "3045022051faa6b6fc373730b97c1a4cd92d03efd98b83d4c9c93bf4f404d1f88ea2eb18022100f71ac1cd73dcba950f4210b12f9a05b8140b0490247c5339191e842b868155b4"
+		}
+	]
+}

repository/repository/8.targets.json

@@ -0,0 +1,160 @@
+{
+	"signed": {
+		"_type": "targets",
+		"spec_version": "1.0",
+		"version": 8,
+		"expires": "2024-03-26T05:51:49Z",
+		"targets": {
+			"artifact.pub": {
+				"length": 177,
+				"hashes": {
+					"sha256": "59ebf97a9850aecec4bc39c1f5c1dc46e6490a6b5fd2a6cacdcac0c3a6fc4cbf",
+					"sha512": "308fd1d1d95d7f80aa33b837795251cc3e886792982275e062409e13e4e236ffc34d676682aa96fdc751414de99c864bf132dde71581fa651c6343905e3bf988"
+				},
+				"custom": {
+					"sigstore": {
+						"status": "Active",
+						"usage": "Unknown"
+					}
+				}
+			},
+			"ctfe.pub": {
+				"length": 177,
+				"hashes": {
+					"sha256": "7fcb94a5d0ed541260473b990b99a6c39864c1fb16f3f3e594a5a3cebbfe138a",
+					"sha512": "4b20747d1afe2544238ad38cc0cc3010921b177d60ac743767e0ef675b915489bd01a36606c0ff83c06448622d7160f0d866c83d20f0c0f44653dcc3f9aa0bd4"
+				},
+				"custom": {
+					"sigstore": {
+						"status": "Active",
+						"uri": "https://ctfe.sigstore.dev/test",
+						"usage": "CTFE"
+					}
+				}
+			},
+			"ctfe_2022.pub": {
+				"length": 178,
+				"hashes": {
+					"sha256": "270488a309d22e804eeb245493e87c667658d749006b9fee9cc614572d4fbbdc",
+					"sha512": "e83fa4f427b24ee7728637fad1b4aa45ebde2ba02751fa860694b1bb16059a490328f9985e51cc70e4d237545315a1bc866dc4fdeef2f6248d99cc7a6077bf85"
+				},
+				"custom": {
+					"sigstore": {
+						"status": "Active",
+						"uri": "https://ctfe.sigstore.dev/2022",
+						"usage": "CTFE"
+					}
+				}
+			},
+			"fulcio.crt.pem": {
+				"length": 744,
+				"hashes": {
+					"sha256": "f360c53b2e13495a628b9b8096455badcb6d375b185c4816d95a5d746ff29908",
+					"sha512": "0713252a7fd17f7f3ab12f88a64accf2eb14b8ad40ca711d7fe8b4ecba3b24db9e9dffadb997b196d3867b8f9ff217faf930d80e4dab4e235c7fc3f07be69224"
+				},
+				"custom": {
+					"sigstore": {
+						"status": "Expired",
+						"uri": "https://fulcio.sigstore.dev",
+						"usage": "Fulcio"
+					}
+				}
+			},
+			"fulcio_intermediate_v1.crt.pem": {
+				"length": 789,
+				"hashes": {
+					"sha256": "f8cbecf186db7714624a5f4e99da31a917cbef70a94dd6921f5c3ca969dfe30a",
+					"sha512": "0f99f47dbc26c5f1e3cba0bfd9af4245a26e5cb735d6ef005792ec7e603f66fdb897de985973a6e50940ca7eff5e1849719e967b5ad2dac74a29115a41cf6f21"
+				},
+				"custom": {
+					"sigstore": {
+						"status": "Active",
+						"uri": "https://fulcio.sigstore.dev",
+						"usage": "Fulcio"
+					}
+				}
+			},
+			"fulcio_v1.crt.pem": {
+				"length": 740,
+				"hashes": {
+					"sha256": "f989aa23def87c549404eadba767768d2a3c8d6d30a8b793f9f518a8eafd2cf5",
+					"sha512": "f2e33a6dc208cee1f51d33bbea675ab0f0ced269617497985f9a0680689ee7073e4b6f8fef64c91bda590d30c129b3070dddce824c05bc165ac9802f0705cab6"
+				},
+				"custom": {
+					"sigstore": {
+						"status": "Active",
+						"uri": "https://fulcio.sigstore.dev",
+						"usage": "Fulcio"
+					}
+				}
+			},
+			"rekor.pub": {
+				"length": 178,
+				"hashes": {
+					"sha256": "dce5ef715502ec9f3cdfd11f8cc384b31a6141023d3e7595e9908a81cb6241bd",
+					"sha512": "0ae7705e02db33e814329746a4a0e5603c5bdcd91c96d072158d71011a2695788866565a2fec0fe363eb72cbcaeda39e54c5fe8d416daf9f3101fdba4217ef35"
+				},
+				"custom": {
+					"sigstore": {
+						"status": "Active",
+						"uri": "https://rekor.sigstore.dev",
+						"usage": "Rekor"
+					}
+				}
+			},
+			"trusted_root.json": {
+				"length": 7014,
+				"hashes": {
+					"sha256": "4364d7724c04cc912ce2a6c45ed2610e8d8d1c4dc857fb500292738d4d9c8d2c",
+					"sha512": "fdebade075c4840d40f1806a14d0660ae1d22f47c0516abc4141e09f4ddf6ee6f4dbfbf08a7025bea10a4b8794658a4cd8ebb1024b963f239a9bfe02c2057fc6"
+				}
+			}
+		},
+		"delegations": {
+			"keys": {
+				"a89d235ee2f298d757438c7473b11b0b7b42ff1a45f1dfaac4c014183d6f8c45": {
+					"keytype": "ecdsa-sha2-nistp256",
+					"scheme": "ecdsa-sha2-nistp256",
+					"keyid_hash_algorithms": [
+						"sha256",
+						"sha512"
+					],
+					"keyval": {
+						"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoLrh0jmOfHWLwsyo/4oGbldF91WV\nfXvxVlDhW8fZwP/3vTnliBkDp5sH8/Dpm1SBOHkqENVt1+4Un/sFtl2zAQ==\n-----END PUBLIC KEY-----\n"
+					}
+				}
+			},
+			"roles": [
+				{
+					"name": "registry.npmjs.org",
+					"keyids": [
+						"a89d235ee2f298d757438c7473b11b0b7b42ff1a45f1dfaac4c014183d6f8c45"
+					],
+					"threshold": 1,
+					"terminating": true,
+					"paths": [
+						"registry.npmjs.org/*"
+					]
+				}
+			]
+		}
+	},
+	"signatures": [
+		{
+			"keyid": "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f",
+			"sig": "3045022100c973e7d5dab04e3eaf699dbba367cd6816045fde062cfc50005ab967b6a97ee902202e8c9bedc033e608c74f65aebf67e7de483dc0ac99813644c9eadabb662b9637"
+		},
+		{
+			"keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b",
+			"sig": "3045022046f1af42d72d48106347c07f54f8309d53fbfa7c5e6a56d53b7e6d8a691e108b022100964ece326415381be9d04c39f622e71caf4e9d0ea1a8a316ff8565a0060565e7"
+		},
+		{
+			"keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de",
+			"sig": "30460221008c983d56a349806c589d765dd3f05c0c72e1f07eb9d4f756ddc8efc87851c001022100a91532545f1e5e52eae690ea18a893b50f3e754c5a15aad3ce62e59911c700d6"
+		},
+		{
+			"keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99",
+			"sig": "3045022044abeff8c146c62a5ea063620014304e7593eaf5b189338c150dab88541ab6040221009c5a7b1285e426e731ddfcabcc647259cb2590f1a3e3864797ed360059de7bb2"
+		}
+	]
+}