diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json index 467e8a35..90d82ad2 100644 --- a/gen/jsonschema/schemas/Bundle.schema.json +++ b/gen/jsonschema/schemas/Bundle.schema.json @@ -136,7 +136,7 @@ "properties": { "keyId": { "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", + "description": "The unique identity of the log, represented by its public key.", "format": "binary", "binaryEncoding": "base64" } 
@@ -229,7 +229,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" }, "dev.sigstore.rekor.v1.InclusionPromise": { "properties": { diff --git a/gen/jsonschema/schemas/Checkpoint.schema.json b/gen/jsonschema/schemas/Checkpoint.schema.json index 05264683..3a73f36e 100644 --- a/gen/jsonschema/schemas/Checkpoint.schema.json +++ b/gen/jsonschema/schemas/Checkpoint.schema.json 
@@ -11,7 +11,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" } } } \ No newline at end of file diff --git a/gen/jsonschema/schemas/CheckpointKeyId.schema.json b/gen/jsonschema/schemas/CheckpointKeyId.schema.json new file mode 100644 index 00000000..de1ec94f --- /dev/null +++ b/gen/jsonschema/schemas/CheckpointKeyId.schema.json 
@@ -0,0 +1,20 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/CheckpointKeyId", + "definitions": { + "CheckpointKeyId": { + "properties": { + "keyId": { + "type": "string", + "description": "The key ID in a checkpoint, as a prefix to the signature. SHOULD be 4 bytes long, as a truncated hash.", + "format": "binary", + "binaryEncoding": "base64" + } + }, + "additionalProperties": false, + "type": "object", + "title": "Checkpoint Key Id", + "description": "The checkpoint key ID, following the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format of the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key." + } + } +} \ No newline at end of file diff --git a/gen/jsonschema/schemas/ClientTrustConfig.schema.json b/gen/jsonschema/schemas/ClientTrustConfig.schema.json index 1135cbf1..24367583 100644 --- a/gen/jsonschema/schemas/ClientTrustConfig.schema.json +++ b/gen/jsonschema/schemas/ClientTrustConfig.schema.json @@ -41,7 +41,7 @@ "properties": { "keyId": { "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", + "description": "The unique identity of the log, represented by its public key.", "format": "binary", "binaryEncoding": "base64" } 
@@ -243,7 +243,12 @@ "logId": { "$ref": "#/definitions/dev.sigstore.common.v1.LogId", "additionalProperties": false, - "description": "The unique identifier for this transparency log." + "description": "The unique identifier for this transparency log. Represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2" + }, + "checkpointKeyId": { + "$ref": "#/definitions/dev.sigstore.common.v1.LogId", + "additionalProperties": false, + "description": "The checkpoint key identifier for the log used in a checkpoint. Optional, not provided for logs that do not generate checkpoints. For logs that do generate checkpoints, if not set, assume log_id equals checkpoint_key_id. Follows the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format, the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key. SHOULD be set for logs generating Ed25519 signatures. SHOULD be 4 bytes long, as a truncated hash." } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/InclusionProof.schema.json b/gen/jsonschema/schemas/InclusionProof.schema.json index 8c1d1242..c7e7211a 100644 --- a/gen/jsonschema/schemas/InclusionProof.schema.json +++ b/gen/jsonschema/schemas/InclusionProof.schema.json 
@@ -47,7 +47,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" } } } \ No newline at end of file diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 4d995c1f..68ffe779 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json 
@@ -182,7 +182,7 @@ "properties": { "keyId": { "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", + "description": "The unique identity of the log, represented by its public key.", "format": "binary", "binaryEncoding": "base64" } @@ -422,7 +422,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" }, "dev.sigstore.rekor.v1.InclusionPromise": { "properties": { 
@@ -585,7 +585,12 @@ "logId": { "$ref": "#/definitions/dev.sigstore.common.v1.LogId", "additionalProperties": false, - "description": "The unique identifier for this transparency log." + "description": "The unique identifier for this transparency log. Represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2" + }, + "checkpointKeyId": { + "$ref": "#/definitions/dev.sigstore.common.v1.LogId", + "additionalProperties": false, + "description": "The checkpoint key identifier for the log used in a checkpoint. Optional, not provided for logs that do not generate checkpoints. For logs that do generate checkpoints, if not set, assume log_id equals checkpoint_key_id. Follows the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format, the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key. SHOULD be set for logs generating Ed25519 signatures. SHOULD be 4 bytes long, as a truncated hash." } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/LogId.schema.json b/gen/jsonschema/schemas/LogId.schema.json index 7056b6ad..3f579b21 100644 --- a/gen/jsonschema/schemas/LogId.schema.json +++ b/gen/jsonschema/schemas/LogId.schema.json 
@@ -6,7 +6,7 @@ "properties": { "keyId": { "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", + "description": "The unique identity of the log, represented by its public key.", "format": "binary", "binaryEncoding": "base64" } diff --git a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json index 29e89e3b..cc3d6a2e 100644 --- a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json +++ b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json @@ -48,7 +48,7 @@ "properties": { "keyId": { "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", + "description": "The unique identity of the log, represented by its public key.", "format": "binary", "binaryEncoding": "base64" } 
@@ -67,7 +67,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" }, "dev.sigstore.rekor.v1.InclusionPromise": { "properties": { diff --git a/gen/jsonschema/schemas/TransparencyLogInstance.schema.json b/gen/jsonschema/schemas/TransparencyLogInstance.schema.json index db691db2..8e65adaa 100644 --- a/gen/jsonschema/schemas/TransparencyLogInstance.schema.json +++ b/gen/jsonschema/schemas/TransparencyLogInstance.schema.json 
@@ -29,7 +29,12 @@ "logId": { "$ref": "#/definitions/dev.sigstore.common.v1.LogId", "additionalProperties": false, - "description": "The unique identifier for this transparency log." + "description": "The unique identifier for this transparency log. Represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2" + }, + "checkpointKeyId": { + "$ref": "#/definitions/dev.sigstore.common.v1.LogId", + "additionalProperties": false, + "description": "The checkpoint key identifier for the log used in a checkpoint. Optional, not provided for logs that do not generate checkpoints. For logs that do generate checkpoints, if not set, assume log_id equals checkpoint_key_id. Follows the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format, the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key. SHOULD be set for logs generating Ed25519 signatures. SHOULD be 4 bytes long, as a truncated hash." } }, "additionalProperties": false, @@ -41,7 +46,7 @@ "properties": { "keyId": { "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", + "description": "The unique identity of the log, represented by its public key.", "format": "binary", "binaryEncoding": "base64" } diff --git a/gen/jsonschema/schemas/TrustedRoot.schema.json b/gen/jsonschema/schemas/TrustedRoot.schema.json index 8ee8a154..eb64ff22 100644 
--- a/gen/jsonschema/schemas/TrustedRoot.schema.json +++ b/gen/jsonschema/schemas/TrustedRoot.schema.json @@ -63,7 +63,7 @@ "properties": { "keyId": { "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", + "description": "The unique identity of the log, represented by its public key.", "format": "binary", "binaryEncoding": "base64" } @@ -235,7 +235,12 @@ "logId": { "$ref": "#/definitions/dev.sigstore.common.v1.LogId", "additionalProperties": false, - "description": "The unique identifier for this transparency log." + "description": "The unique identifier for this transparency log. Represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2" + }, + "checkpointKeyId": { + "$ref": "#/definitions/dev.sigstore.common.v1.LogId", + "additionalProperties": false, + "description": "The checkpoint key identifier for the log used in a checkpoint. Optional, not provided for logs that do not generate checkpoints. For logs that do generate checkpoints, if not set, assume log_id equals checkpoint_key_id. Follows the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format, the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key. SHOULD be set for logs generating Ed25519 signatures. SHOULD be 4 bytes long, as a truncated hash." } }, "additionalProperties": false, 
diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json index 4530cb2b..5bb1ac50 100644 --- a/gen/jsonschema/schemas/VerificationMaterial.schema.json +++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json @@ -72,7 +72,7 @@ "properties": { "keyId": { "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", + "description": "The unique identity of the log, represented by its public key.", "format": "binary", "binaryEncoding": "base64" } 
@@ -146,7 +146,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" }, "dev.sigstore.rekor.v1.InclusionPromise": { "properties": { diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go index 37c003a8..0982c674 100644 --- a/gen/pb-go/common/v1/sigstore_common.pb.go +++ b/gen/pb-go/common/v1/sigstore_common.pb.go 
@@ -426,10 +426,7 @@ type LogId struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // The unique id of the log, represented as the SHA-256 hash - // of the log's public key, calculated over the DER encoding - // of the key represented as SubjectPublicKeyInfo. - // See https://www.rfc-editor.org/rfc/rfc6962#section-3.2 + // The unique identity of the log, represented by its public key. KeyId []byte `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` } diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go index a385e9fd..0ab50bf7 100644 --- a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go +++ b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go 
@@ -95,13 +95,16 @@ func (x *KindVersion) GetVersion() string { return "" } -// The checkpoint MUST contain a signature of the tree head (root hash), -// size of the tree and the transparency log's unique identifier (log ID). -// It MAY also be followed by any optional data. The result is a string, -// the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md -// The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 -// The signature has the same format as -// InclusionPromise.signed_entry_timestamp. See below for more details. +// The checkpoint MUST contain an origin string as a unique log identifier, +// the tree size, and the root hash. It MAY also be followed by optional data, +// and clients MUST NOT assume optional data. The checkpoint MUST also contain +// a signature over the root hash (tree head). The checkpoint MAY contain additional +// signatures, but the first SHOULD be the signature from the log. Checkpoint contents +// are concatenated with newlines into a single string. +// The checkpoint format is described in +// https://github.com/transparency-dev/formats/blob/main/log/README.md +// and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. +// An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go type Checkpoint struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go index 55e80eb5..c8e00755 100644 --- a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go +++ b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go 
@@ -55,7 +55,27 @@ type TransparencyLogInstance struct { // This attribute contains the signature algorithm used by the log. PublicKey *v1.PublicKey `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` // The unique identifier for this transparency log. + // Represented as the SHA-256 hash of the log's public key, + // calculated over the DER encoding of the key represented as + // SubjectPublicKeyInfo. + // See https://www.rfc-editor.org/rfc/rfc6962#section-3.2 LogId *v1.LogId `protobuf:"bytes,4,opt,name=log_id,json=logId,proto3" json:"log_id,omitempty"` + // The checkpoint key identifier for the log used in a checkpoint. + // Optional, not provided for logs that do not generate checkpoints. + // For logs that do generate checkpoints, if not set, assume + // log_id equals checkpoint_key_id. + // Follows the specification described here + // for ECDSA and Ed25519 signatures: + // https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures + // For RSA signatures, the key ID will match the ECDSA format, the + // hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT + // use RSA-signed checkpoints, since witnesses do not support + // RSA signatures. + // This is provided for convenience. Clients can also calculate the + // checkpoint key ID given the log's public key. + // SHOULD be set for logs generating Ed25519 signatures. + // SHOULD be 4 bytes long, as a truncated hash. + CheckpointKeyId *v1.LogId `protobuf:"bytes,5,opt,name=checkpoint_key_id,json=checkpointKeyId,proto3" json:"checkpoint_key_id,omitempty"` } func (x *TransparencyLogInstance) Reset() { 
@@ -118,6 +138,13 @@ func (x *TransparencyLogInstance) GetLogId() *v1.LogId { return nil } +func (x *TransparencyLogInstance) GetCheckpointKeyId() *v1.LogId { + if x != nil { + return x.CheckpointKeyId + } + return nil +} + // CertificateAuthority enlists the information required to identify which // CA to use and perform signature verification. type CertificateAuthority struct { @@ -508,7 +535,7 @@ var file_sigstore_trustroot_proto_rawDesc = []byte{ 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xfa, 0x01, + 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc5, 0x02, 0x0a, 0x17, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x61, 0x73, 
@@ -524,79 +551,83 @@ var file_sigstore_trustroot_proto_rawDesc = []byte{ 0x63, 0x4b, 0x65, 0x79, 0x12, 0x34, 0x0a, 0x06, 0x6c, 0x6f, 0x67, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x6f, - 0x67, 0x49, 0x64, 0x52, 0x05, 0x6c, 0x6f, 0x67, 0x49, 0x64, 0x22, 0xfa, 0x01, 0x0a, 0x14, 0x43, + 0x67, 0x49, 0x64, 0x52, 0x05, 0x6c, 0x6f, 0x67, 0x49, 0x64, 0x12, 0x49, 0x0a, 0x11, 0x63, 0x68, + 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, + 0x6f, 0x67, 0x49, 0x64, 0x52, 0x0f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, + 0x4b, 0x65, 0x79, 0x49, 0x64, 0x22, 0xfa, 0x01, 0x0a, 0x14, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x43, + 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x29, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, + 0x75, 0x69, 0x73, 0x68, 0x65, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x4b, 0x0a, 0x0a, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x63, 0x68, + 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 
0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x09, 0x63, 0x65, 0x72, 0x74, 0x43, 0x68, 0x61, + 0x69, 0x6e, 0x12, 0x3e, 0x0a, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x18, + 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x54, + 0x69, 0x6d, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x52, 0x08, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x46, + 0x6f, 0x72, 0x22, 0x92, 0x03, 0x0a, 0x0b, 0x54, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, + 0x6f, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, + 0x65, 0x12, 0x48, 0x0a, 0x05, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, + 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x49, 0x6e, 0x73, 0x74, + 0x61, 0x6e, 0x63, 0x65, 0x52, 0x05, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x12, 0x68, 0x0a, 0x17, 0x63, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, + 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x12, 0x43, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01, - 0x20, 
0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, - 0x73, 0x74, 0x69, 0x6e, 0x67, 0x75, 0x69, 0x73, 0x68, 0x65, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x52, - 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x4b, 0x0a, 0x0a, 0x63, 0x65, - 0x72, 0x74, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, - 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x09, 0x63, 0x65, - 0x72, 0x74, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x3e, 0x0a, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, - 0x5f, 0x66, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, - 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x52, 0x08, 0x76, - 0x61, 0x6c, 0x69, 0x64, 0x46, 0x6f, 0x72, 0x22, 0x92, 0x03, 0x0a, 0x0b, 0x54, 0x72, 0x75, 0x73, - 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x65, 0x64, 0x69, 0x61, - 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x65, 0x64, - 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x48, 0x0a, 0x05, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x18, - 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x4a, 0x0a, 0x06, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x18, + 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 
0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, - 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x05, 0x74, 0x6c, 0x6f, 0x67, 0x73, - 0x12, 0x68, 0x0a, 0x17, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, - 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x74, 0x79, 0x52, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x4a, 0x0a, 0x06, 0x63, 0x74, - 0x6c, 0x6f, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, - 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, - 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, - 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x06, - 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x12, 0x64, 0x0a, 0x15, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, - 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, - 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x14, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, - 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0x79, 0x0a, 
0x0d, - 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x15, 0x0a, - 0x06, 0x63, 0x61, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, - 0x61, 0x55, 0x72, 0x6c, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x69, 0x64, 0x63, 0x5f, 0x75, 0x72, 0x6c, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6f, 0x69, 0x64, 0x63, 0x55, 0x72, 0x6c, 0x12, - 0x1b, 0x0a, 0x09, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x75, 0x72, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, - 0x28, 0x09, 0x52, 0x08, 0x74, 0x6c, 0x6f, 0x67, 0x55, 0x72, 0x6c, 0x73, 0x12, 0x19, 0x0a, 0x08, - 0x74, 0x73, 0x61, 0x5f, 0x75, 0x72, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, - 0x74, 0x73, 0x61, 0x55, 0x72, 0x6c, 0x73, 0x22, 0xd8, 0x01, 0x0a, 0x11, 0x43, 0x6c, 0x69, 0x65, - 0x6e, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1d, 0x0a, - 0x0a, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x09, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x4e, 0x0a, 0x0c, - 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x5f, 0x72, 0x6f, 0x6f, 0x74, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, - 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, - 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, - 0x0b, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x54, 0x0a, 0x0e, - 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, - 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x03, - 0xe0, 0x41, 0x02, 0x52, 0x0d, 
0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x42, 0x88, 0x01, 0x0a, 0x1f, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, - 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x42, 0x0e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, - 0x74, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x39, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, - 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, - 0x2f, 0x76, 0x31, 0xea, 0x02, 0x17, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, - 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x06, 0x63, 0x74, 0x6c, 0x6f, 0x67, + 0x73, 0x12, 0x64, 0x0a, 0x15, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x5f, 0x61, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, + 0x79, 0x52, 0x14, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, + 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0x79, 0x0a, 0x0d, 0x53, 0x69, 0x67, 0x6e, 0x69, + 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x15, 0x0a, 0x06, 0x63, 0x61, 0x5f, 0x75, + 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x61, 0x55, 0x72, 0x6c, 0x12, + 0x19, 0x0a, 0x08, 0x6f, 0x69, 0x64, 
0x63, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x07, 0x6f, 0x69, 0x64, 0x63, 0x55, 0x72, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x6c, + 0x6f, 0x67, 0x5f, 0x75, 0x72, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x74, + 0x6c, 0x6f, 0x67, 0x55, 0x72, 0x6c, 0x73, 0x12, 0x19, 0x0a, 0x08, 0x74, 0x73, 0x61, 0x5f, 0x75, + 0x72, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x74, 0x73, 0x61, 0x55, 0x72, + 0x6c, 0x73, 0x22, 0xd8, 0x01, 0x0a, 0x11, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x54, 0x72, 0x75, + 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x65, 0x64, 0x69, + 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x65, + 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x4e, 0x0a, 0x0c, 0x74, 0x72, 0x75, 0x73, 0x74, + 0x65, 0x64, 0x5f, 0x72, 0x6f, 0x6f, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, + 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x65, + 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0b, 0x74, 0x72, 0x75, 0x73, + 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x54, 0x0a, 0x0e, 0x73, 0x69, 0x67, 0x6e, 0x69, + 0x6e, 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, + 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x69, 0x67, 0x6e, + 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0d, + 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x88, 0x01, + 0x0a, 0x1f, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 
0x6f, 0x74, 0x2e, 0x76, + 0x31, 0x42, 0x0e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x50, 0x01, 0x5a, 0x39, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, + 0x6f, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2f, 0x76, 0x31, 0xea, 0x02, + 0x17, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x54, 0x72, 0x75, 0x73, 0x74, + 0x52, 0x6f, 0x6f, 0x74, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -629,20 +660,21 @@ var file_sigstore_trustroot_proto_depIdxs = []int32{ 5, // 0: dev.sigstore.trustroot.v1.TransparencyLogInstance.hash_algorithm:type_name -> dev.sigstore.common.v1.HashAlgorithm 6, // 1: dev.sigstore.trustroot.v1.TransparencyLogInstance.public_key:type_name -> dev.sigstore.common.v1.PublicKey 7, // 2: dev.sigstore.trustroot.v1.TransparencyLogInstance.log_id:type_name -> dev.sigstore.common.v1.LogId - 8, // 3: dev.sigstore.trustroot.v1.CertificateAuthority.subject:type_name -> dev.sigstore.common.v1.DistinguishedName - 9, // 4: dev.sigstore.trustroot.v1.CertificateAuthority.cert_chain:type_name -> dev.sigstore.common.v1.X509CertificateChain - 10, // 5: dev.sigstore.trustroot.v1.CertificateAuthority.valid_for:type_name -> dev.sigstore.common.v1.TimeRange - 0, // 6: dev.sigstore.trustroot.v1.TrustedRoot.tlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance - 1, // 7: dev.sigstore.trustroot.v1.TrustedRoot.certificate_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority - 0, // 8: dev.sigstore.trustroot.v1.TrustedRoot.ctlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance - 1, // 9: dev.sigstore.trustroot.v1.TrustedRoot.timestamp_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority - 2, // 10: dev.sigstore.trustroot.v1.ClientTrustConfig.trusted_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot - 3, // 11: dev.sigstore.trustroot.v1.ClientTrustConfig.signing_config:type_name -> dev.sigstore.trustroot.v1.SigningConfig - 12, // [12:12] is the sub-list for method output_type - 12, // [12:12] is the sub-list for method input_type - 12, // [12:12] is the sub-list for extension type_name - 12, // [12:12] is the sub-list for extension extendee - 0, // [0:12] is the sub-list for field type_name + 7, // 3: dev.sigstore.trustroot.v1.TransparencyLogInstance.checkpoint_key_id:type_name -> dev.sigstore.common.v1.LogId + 8, // 4: 
dev.sigstore.trustroot.v1.CertificateAuthority.subject:type_name -> dev.sigstore.common.v1.DistinguishedName + 9, // 5: dev.sigstore.trustroot.v1.CertificateAuthority.cert_chain:type_name -> dev.sigstore.common.v1.X509CertificateChain + 10, // 6: dev.sigstore.trustroot.v1.CertificateAuthority.valid_for:type_name -> dev.sigstore.common.v1.TimeRange + 0, // 7: dev.sigstore.trustroot.v1.TrustedRoot.tlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance + 1, // 8: dev.sigstore.trustroot.v1.TrustedRoot.certificate_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority + 0, // 9: dev.sigstore.trustroot.v1.TrustedRoot.ctlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance + 1, // 10: dev.sigstore.trustroot.v1.TrustedRoot.timestamp_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority + 2, // 11: dev.sigstore.trustroot.v1.ClientTrustConfig.trusted_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot + 3, // 12: dev.sigstore.trustroot.v1.ClientTrustConfig.signing_config:type_name -> dev.sigstore.trustroot.v1.SigningConfig + 13, // [13:13] is the sub-list for method output_type + 13, // [13:13] is the sub-list for method input_type + 13, // [13:13] is the sub-list for extension type_name + 13, // [13:13] is the sub-list for extension extendee + 0, // [0:13] is the sub-list for field type_name } func init() { file_sigstore_trustroot_proto_init() } diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py index 8caa8d69..75333527 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py 
@@ -142,12 +142,7 @@ class LogId(betterproto.Message): """LogId captures the identity of a transparency log.""" key_id: bytes = betterproto.bytes_field(1) - """ - The unique id of the log, represented as the SHA-256 hash of the log's - public key, calculated over the DER encoding of the key represented as - SubjectPublicKeyInfo. See https://www.rfc- - editor.org/rfc/rfc6962#section-3.2 - """ + """The unique identity of the log, represented by its public key.""" @dataclass(eq=False, repr=False) diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py index 81f2c522..d45068f6 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py 
@@ -28,14 +28,17 @@ class KindVersion(betterproto.Message): @dataclass(eq=False, repr=False) class Checkpoint(betterproto.Message): """ - The checkpoint MUST contain a signature of the tree head (root hash), size - of the tree and the transparency log's unique identifier (log ID). It MAY - also be followed by any optional data. The result is a string, the format - is described here https://github.com/transparency- - dev/formats/blob/main/log/README.md The details are here https://github.com - /sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/sign - ed_note.go#L114 The signature has the same format as - InclusionPromise.signed_entry_timestamp. See below for more details. + The checkpoint MUST contain an origin string as a unique log identifier, + the tree size, and the root hash. It MAY also be followed by optional data, + and clients MUST NOT assume optional data. The checkpoint MUST also contain + a signature over the root hash (tree head). The checkpoint MAY contain + additional signatures, but the first SHOULD be the signature from the log. + Checkpoint contents are concatenated with newlines into a single string. + The checkpoint format is described in https://github.com/transparency- + dev/formats/blob/main/log/README.md and + https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example + implementation can be found in + https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go """ envelope: str = betterproto.string_field(1) diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py index 6a9cd168..e50f2cfd 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py 
@@ -33,7 +33,27 @@ class TransparencyLogInstance(betterproto.Message): """ log_id: "__common_v1__.LogId" = betterproto.message_field(4) - """The unique identifier for this transparency log.""" + """ + The unique identifier for this transparency log. Represented as the SHA-256 + hash of the log's public key, calculated over the DER encoding of the key + represented as SubjectPublicKeyInfo. See https://www.rfc- + editor.org/rfc/rfc6962#section-3.2 + """ + + checkpoint_key_id: "__common_v1__.LogId" = betterproto.message_field(5) + """ + The checkpoint key identifier for the log used in a checkpoint. Optional, + not provided for logs that do not generate checkpoints. For logs that do + generate checkpoints, if not set, assume log_id equals checkpoint_key_id. + Follows the specification described here for ECDSA and Ed25519 signatures: + https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA + signatures, the key ID will match the ECDSA format, the hashed DER-encoded + SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed + checkpoints, since witnesses do not support RSA signatures. This is + provided for convenience. Clients can also calculate the checkpoint key ID + given the log's public key. SHOULD be set for logs generating Ed25519 + signatures. SHOULD be 4 bytes long, as a truncated hash. + """ @dataclass(eq=False, repr=False) diff --git a/gen/pb-ruby/lib/sigstore_trustroot_pb.rb b/gen/pb-ruby/lib/sigstore_trustroot_pb.rb index d31a17fc..19c93e2e 100644 --- a/gen/pb-ruby/lib/sigstore_trustroot_pb.rb +++ b/gen/pb-ruby/lib/sigstore_trustroot_pb.rb 
@@ -13,6 +13,7 @@ optional :hash_algorithm, :enum, 2, "dev.sigstore.common.v1.HashAlgorithm" optional :public_key, :message, 3, "dev.sigstore.common.v1.PublicKey" optional :log_id, :message, 4, "dev.sigstore.common.v1.LogId" + optional :checkpoint_key_id, :message, 5, "dev.sigstore.common.v1.LogId" end add_message "dev.sigstore.trustroot.v1.CertificateAuthority" do optional :subject, :message, 1, "dev.sigstore.common.v1.DistinguishedName" diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs index 6e5d37cc..19c70b94 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs @@ -55,10 +55,7 @@ pub struct MessageSignature { #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost::Message)] pub struct LogId { - /// The unique id of the log, represented as the SHA-256 hash - /// of the log's public key, calculated over the DER encoding - /// of the key represented as SubjectPublicKeyInfo. - /// See + /// The unique identity of the log, represented by its public key. #[prost(bytes = "vec", tag = "1")] pub key_id: ::prost::alloc::vec::Vec, } diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs index 6147a67a..9fed5246 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs 
@@ -17,13 +17,16 @@ pub struct KindVersion { #[prost(string, tag = "2")] pub version: ::prost::alloc::string::String, } -/// The checkpoint MUST contain a signature of the tree head (root hash), -/// size of the tree and the transparency log's unique identifier (log ID). -/// It MAY also be followed by any optional data. The result is a string, -/// the format is described here -/// The details are here -/// The signature has the same format as -/// InclusionPromise.signed_entry_timestamp. See below for more details. +/// The checkpoint MUST contain an origin string as a unique log identifier, +/// the tree size, and the root hash. It MAY also be followed by optional data, +/// and clients MUST NOT assume optional data. The checkpoint MUST also contain +/// a signature over the root hash (tree head). The checkpoint MAY contain additional +/// signatures, but the first SHOULD be the signature from the log. Checkpoint contents +/// are concatenated with newlines into a single string. +/// The checkpoint format is described in +/// +/// and +/// An example implementation can be found in #[derive( sigstore_protobuf_specs_derive::Deserialize_proto, sigstore_protobuf_specs_derive::Serialize_proto diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs index ec3c66fe..42d7f77f 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs 
@@ -25,8 +25,29 @@ pub struct TransparencyLogInstance { #[prost(message, optional, tag = "3")] pub public_key: ::core::option::Option, /// The unique identifier for this transparency log. + /// Represented as the SHA-256 hash of the log's public key, + /// calculated over the DER encoding of the key represented as + /// SubjectPublicKeyInfo. + /// See #[prost(message, optional, tag = "4")] pub log_id: ::core::option::Option, + /// The checkpoint key identifier for the log used in a checkpoint. + /// Optional, not provided for logs that do not generate checkpoints. + /// For logs that do generate checkpoints, if not set, assume + /// log_id equals checkpoint_key_id. + /// Follows the specification described here + /// for ECDSA and Ed25519 signatures: + /// + /// For RSA signatures, the key ID will match the ECDSA format, the + /// hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT + /// use RSA-signed checkpoints, since witnesses do not support + /// RSA signatures. + /// This is provided for convenience. Clients can also calculate the + /// checkpoint key ID given the log's public key. + /// SHOULD be set for logs generating Ed25519 signatures. + /// SHOULD be 4 bytes long, as a truncated hash. + #[prost(message, optional, tag = "5")] + pub checkpoint_key_id: ::core::option::Option, } /// CertificateAuthority enlists the information required to identify which /// CA to use and perform signature verification. diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin index ed9dbd16..c8da0f5a 100644 Binary files a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin and b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin differ diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts index 9f0601b0..ca00cebd 100644 
--- a/gen/pb-typescript/src/__generated__/sigstore_common.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts @@ -332,12 +332,7 @@ export interface MessageSignature { /** LogId captures the identity of a transparency log. */ export interface LogId { - /** - * The unique id of the log, represented as the SHA-256 hash - * of the log's public key, calculated over the DER encoding - * of the key represented as SubjectPublicKeyInfo. - * See https://www.rfc-editor.org/rfc/rfc6962#section-3.2 - */ + /** The unique identity of the log, represented by its public key. */ keyId: Buffer; } diff --git a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts index 8ff7d451..d33b5933 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts 
@@ -13,13 +13,16 @@ export interface KindVersion { } /** - * The checkpoint MUST contain a signature of the tree head (root hash), - * size of the tree and the transparency log's unique identifier (log ID). - * It MAY also be followed by any optional data. The result is a string, - * the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md - * The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 - * The signature has the same format as - * InclusionPromise.signed_entry_timestamp. See below for more details. + * The checkpoint MUST contain an origin string as a unique log identifier, + * the tree size, and the root hash. It MAY also be followed by optional data, + * and clients MUST NOT assume optional data. The checkpoint MUST also contain + * a signature over the root hash (tree head). The checkpoint MAY contain additional + * signatures, but the first SHOULD be the signature from the log. Checkpoint contents + * are concatenated with newlines into a single string. + * The checkpoint format is described in + * https://github.com/transparency-dev/formats/blob/main/log/README.md + * and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. + * An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go */ export interface Checkpoint { envelope: string; diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts index 5fb262d4..ef6e96b4 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts 
@@ -30,8 +30,34 @@ export interface TransparencyLogInstance { publicKey: | PublicKey | undefined; - /** The unique identifier for this transparency log. */ - logId: LogId | undefined; + /** + * The unique identifier for this transparency log. + * Represented as the SHA-256 hash of the log's public key, + * calculated over the DER encoding of the key represented as + * SubjectPublicKeyInfo. + * See https://www.rfc-editor.org/rfc/rfc6962#section-3.2 + */ + logId: + | LogId + | undefined; + /** + * The checkpoint key identifier for the log used in a checkpoint. + * Optional, not provided for logs that do not generate checkpoints. + * For logs that do generate checkpoints, if not set, assume + * log_id equals checkpoint_key_id. + * Follows the specification described here + * for ECDSA and Ed25519 signatures: + * https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures + * For RSA signatures, the key ID will match the ECDSA format, the + * hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT + * use RSA-signed checkpoints, since witnesses do not support + * RSA signatures. + * This is provided for convenience. Clients can also calculate the + * checkpoint key ID given the log's public key. + * SHOULD be set for logs generating Ed25519 signatures. + * SHOULD be 4 bytes long, as a truncated hash. + */ + checkpointKeyId: LogId | undefined; } /** @@ -194,7 +220,7 @@ export interface ClientTrustConfig { } function createBaseTransparencyLogInstance(): TransparencyLogInstance { - return { baseUrl: "", hashAlgorithm: 0, publicKey: undefined, logId: undefined }; + return { baseUrl: "", hashAlgorithm: 0, publicKey: undefined, logId: undefined, checkpointKeyId: undefined }; } export const TransparencyLogInstance = { 
@@ -204,6 +230,7 @@ export const TransparencyLogInstance = {
 hashAlgorithm: isSet(object.hashAlgorithm) ? hashAlgorithmFromJSON(object.hashAlgorithm) : 0,
 publicKey: isSet(object.publicKey) ? PublicKey.fromJSON(object.publicKey) : undefined,
 logId: isSet(object.logId) ? LogId.fromJSON(object.logId) : undefined,
+ checkpointKeyId: isSet(object.checkpointKeyId) ? LogId.fromJSON(object.checkpointKeyId) : undefined,
 };
 },

@@ -214,6 +241,8 @@ export const TransparencyLogInstance = {
 message.publicKey !== undefined &&
 (obj.publicKey = message.publicKey ? PublicKey.toJSON(message.publicKey) : undefined);
 message.logId !== undefined && (obj.logId = message.logId ? LogId.toJSON(message.logId) : undefined);
+ message.checkpointKeyId !== undefined &&
+ (obj.checkpointKeyId = message.checkpointKeyId ? LogId.toJSON(message.checkpointKeyId) : undefined);
 return obj;
 },
 };
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index d3d538a6..1f0fad33 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -133,10 +133,7 @@ message MessageSignature {

 // LogId captures the identity of a transparency log.
 message LogId {
- // The unique id of the log, represented as the SHA-256 hash
- // of the log's public key, calculated over the DER encoding
- // of the key represented as SubjectPublicKeyInfo.
- // See https://www.rfc-editor.org/rfc/rfc6962#section-3.2
+ // The unique identity of the log, represented by its public key.
 bytes key_id = 1 [(google.api.field_behavior) = REQUIRED];
 }

diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto
index 2eca88f7..424ff40c 100644
--- a/protos/sigstore_rekor.proto
+++ b/protos/sigstore_rekor.proto
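Review bot: The new `key_id` comment in the sigstore_common.proto hunk drops the statement of how the identifier is derived without saying that the derivation now depends on which field carries the `LogId`, so a reader of this message alone can no longer tell whether the bytes are a full SHA-256 of the DER-encoded SPKI or a 4-byte truncated signed-note key ID. Since `LogId` is reused by both `TransparencyLogInstance.log_id` and the new `checkpoint_key_id` later in this diff, suggest `// The derivation and length of key_id depend on the field that carries it; see the comments on log_id and checkpoint_key_id in sigstore_trustroot.proto.` A consumer that compares `key_id` values from different fields for equality would otherwise be doing so with no documented length contract.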
@@ -34,13 +34,16 @@ message KindVersion {
 string version = 2 [(google.api.field_behavior) = REQUIRED];
 }

-// The checkpoint MUST contain a signature of the tree head (root hash),
-// size of the tree and the transparency log's unique identifier (log ID).
-// It MAY also be followed by any optional data. The result is a string,
-// the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md
-// The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114
-// The signature has the same format as
-// InclusionPromise.signed_entry_timestamp. See below for more details.
+// The checkpoint MUST contain an origin string as a unique log identifier,
+// the tree size, and the root hash. It MAY also be followed by optional data,
+// and clients MUST NOT assume optional data. The checkpoint MUST also contain
+// a signature over the root hash (tree head). The checkpoint MAY contain additional
+// signatures, but the first SHOULD be the signature from the log. Checkpoint contents
+// are concatenated with newlines into a single string.
+// The checkpoint format is described in
+// https://github.com/transparency-dev/formats/blob/main/log/README.md
+// and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md.
+// An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go
 message Checkpoint {
 string envelope = 1 [(google.api.field_behavior) = REQUIRED];
 }
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index 755da4b8..32c07a91 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
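Review bot: `and clients MUST NOT assume optional data` is ambiguous — it does not say whether clients must not assume the data is present, or must not attach meaning to it — and because this comment is copied verbatim into the generated JSON schema and TypeScript earlier in the diff, the ambiguity propagates to every consumer. Suggest `It MAY also be followed by optional data, and clients MUST NOT assume optional data is present or rely on its contents.` The comment also now names the origin string as required but says nothing about what a verifier does with it; presumably the intent is that a client checks it against the expected log identity before trusting the signature, in which case a line such as `// Clients SHOULD verify the origin matches the expected log before accepting the signature.` would make the contract explicit.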
@@ -39,7 +39,27 @@ message TransparencyLogInstance {
 // This attribute contains the signature algorithm used by the log.
 dev.sigstore.common.v1.PublicKey public_key = 3;
 // The unique identifier for this transparency log.
+ // Represented as the SHA-256 hash of the log's public key,
+ // calculated over the DER encoding of the key represented as
+ // SubjectPublicKeyInfo.
+ // See https://www.rfc-editor.org/rfc/rfc6962#section-3.2
 dev.sigstore.common.v1.LogId log_id = 4;
+ // The checkpoint key identifier for the log used in a checkpoint.
+ // Optional, not provided for logs that do not generate checkpoints.
+ // For logs that do generate checkpoints, if not set, assume
+ // log_id equals checkpoint_key_id.
+ // Follows the specification described here
+ // for ECDSA and Ed25519 signatures:
+ // https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures
+ // For RSA signatures, the key ID will match the ECDSA format, the
+ // hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT
+ // use RSA-signed checkpoints, since witnesses do not support
+ // RSA signatures.
+ // This is provided for convenience. Clients can also calculate the
+ // checkpoint key ID given the log's public key.
+ // SHOULD be set for logs generating Ed25519 signatures.
+ // SHOULD be 4 bytes long, as a truncated hash.
+ dev.sigstore.common.v1.LogId checkpoint_key_id = 5;
 }

 // CertificateAuthority enlists the information required to identify which
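Review bot: `if not set, assume log_id equals checkpoint_key_id` conflicts with the two statements around it — `log_id` is documented just above as a full SHA-256 of the DER-encoded SPKI, while the checkpoint key ID `SHOULD be 4 bytes long` — so a 32-byte value cannot literally equal a 4-byte one and the fallback a client should compute is left unspecified. Presumably the intent is that the client derives the key ID from `public_key` (or from `log_id`) per the linked signed-note specification; suggest `// If not set, clients derive the checkpoint key ID from public_key per the specification below.` A 4-byte truncated hash is only a hint for selecting which candidate key to try, so the comment should also state that a matching key ID is not evidence of log identity and that the checkpoint signature is still verified against `public_key`, e.g. `// Clients MUST verify the checkpoint signature with public_key; the key ID only selects a candidate key.` The same text appears in the generated TypeScript hunk earlier in this diff and will need regenerating from this file.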