Fix BoringSSL compatibility for Bun runtime

Bun uses BoringSSL which requires an explicit digest algorithm for EC key
signing, but the ephemeral signer was using crypto.sign(null, ...) which
only works with Node's OpenSSL implementation.

Changes:
- Updated ephemeral signer to use 'sha256' explicitly instead of null
- Changed from default crypto import to named imports for better compatibility
- Both Node.js (OpenSSL) and Bun (BoringSSL) now work correctly

This enables Bun users to use @sigstore/sign without any patches or workarounds.

Signed-off-by: keithagroves <[email protected]>

Author: keithagroves

.changeset/bun-boringssl-compatibility.md

@@ -0,0 +1,5 @@
+---
+'@sigstore/sign': patch
+---
+
+Fix BoringSSL compatibility for Bun runtime. The ephemeral signer now explicitly uses SHA-256 as the digest algorithm instead of relying on implicit defaults, enabling @sigstore/sign to work with Bun's BoringSSL implementation.

packages/sign/src/signer/fulcio/ephemeral.ts

@@ -13,7 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import crypto, { KeyPairKeyObjectResult } from 'crypto';
+import { generateKeyPairSync, sign, KeyPairKeyObjectResult } from 'crypto';
 
 import type { Signature, Signer } from '../signer';
 
@@ -27,13 +27,13 @@ export class EphemeralSigner implements Signer {
   private keypair: KeyPairKeyObjectResult;
 
   constructor() {
-    this.keypair = crypto.generateKeyPairSync(EC_KEYPAIR_TYPE, {
+    this.keypair = generateKeyPairSync(EC_KEYPAIR_TYPE, {
       namedCurve: P256_CURVE,
     });
   }
 
   public async sign(data: Buffer): Promise<Signature> {
-    const signature = crypto.sign(null, data, this.keypair.privateKey);
+    const signature = sign('sha256', data, this.keypair.privateKey);
     const publicKey = this.keypair.publicKey
       .export({ format: 'pem', type: 'spki' })
       .toString('ascii');