@keithagroves
Summary

Resolves #1515. Bun uses BoringSSL, which requires an explicit digest algorithm for EC key signing, but the ephemeral signer was using crypto.sign(null, ...), which only works with Node's OpenSSL implementation.

Changes:

  • Updated ephemeral.ts to use 'sha256' explicitly instead of null
  • Changed from default crypto import to named imports (generateKeyPairSync, sign) for better compatibility
  • Both Node.js (OpenSSL) and Bun (BoringSSL) now work correctly

Background:

When null is passed to crypto.sign() with OpenSSL, it treats the data as a pre-computed hash and signs it directly. BoringSSL doesn't support this mode for ECDSA - it requires an explicit hash algorithm. By specifying 'sha256' (the standard pairing for P-256 ECDSA per NIST specifications), the code works consistently across both implementations.

Release Note

Fixed BoringSSL compatibility in ephemeral signer to enable Bun runtime support.

Documentation

NONE

Bun uses BoringSSL, which requires an explicit digest algorithm for EC key
signing, but the ephemeral signer was using crypto.sign(null, ...), which
only works with Node's OpenSSL implementation.

Changes:
- Updated ephemeral signer to use 'sha256' explicitly instead of null
- Changed from default crypto import to named imports for better compatibility
- Both Node.js (OpenSSL) and Bun (BoringSSL) now work correctly

This enables Bun users to use @sigstore/sign without any patches or workarounds.

Signed-off-by: keithagroves <[email protected]>
@keithagroves keithagroves requested a review from a team as a code owner December 4, 2025 12:42
changeset-bot bot commented Dec 4, 2025

🦋 Changeset detected

Latest commit: 4875066

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name            Type
@sigstore/sign  Patch

Successfully merging this pull request may close these issues.

@sigstore/sign incompatible with Bun runtime

1 participant