From 9a895c0783920bfba4678583b9137c4472abc8b6 Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Thu, 4 Apr 2024 19:34:15 +0000 Subject: [PATCH] Add checkpoint key ID to trust root This adds a string to represent the checkpoint key ID for a log, which differs from the log ID for ed25519 logs. To simplify client implementation, we will provide this string so that clients don't have to compute the checkpoint key ID themselves from the public key. If it is not set, a client should assume the checkpoint key ID is equal to the log ID, which is true for ecdsa and rsa logs. Ref: https://github.com/sigstore/rekor/issues/2062 
Signed-off-by: Hayden Blauzvern --- gen/jsonschema/schemas/Bundle.schema.json | 2 +- gen/jsonschema/schemas/Checkpoint.schema.json | 2 +- .../schemas/CheckpointKeyId.schema.json | 20 + .../schemas/ClientTrustConfig.schema.json | 19 + .../schemas/InclusionProof.schema.json | 2 +- gen/jsonschema/schemas/Input.schema.json | 21 +- .../schemas/TransparencyLogEntry.schema.json | 2 +- .../TransparencyLogInstance.schema.json | 19 + .../schemas/TrustedRoot.schema.json | 19 + .../schemas/VerificationMaterial.schema.json | 2 +- gen/pb-go/common/v1/sigstore_common.pb.go | 435 ++++++++++-------- gen/pb-go/rekor/v1/sigstore_rekor.pb.go | 17 +- .../trustroot/v1/sigstore_trustroot.pb.go | 198 ++++---- .../dev/sigstore/common/v1/__init__.py | 19 + .../dev/sigstore/rekor/v1/__init__.py | 19 +- .../dev/sigstore/trustroot/v1/__init__.py | 8 + gen/pb-ruby/lib/sigstore_common_pb.rb | 4 + gen/pb-ruby/lib/sigstore_trustroot_pb.rb | 1 + .../src/generated/dev.sigstore.common.v1.rs | 23 + .../src/generated/dev.sigstore.rekor.v1.rs | 17 +- .../generated/dev.sigstore.trustroot.v1.rs | 9 + .../src/generated/file_descriptor_set.bin | Bin 116786 -> 118156 bytes .../src/__generated__/sigstore_common.ts | 35 ++ .../src/__generated__/sigstore_rekor.ts | 17 +- .../src/__generated__/sigstore_trustroot.ts | 18 +- protos/sigstore_common.proto | 14 + protos/sigstore_rekor.proto | 17 +- protos/sigstore_trustroot.proto | 6 + 28 files changed, 651 insertions(+), 314 deletions(-) create mode 100644 gen/jsonschema/schemas/CheckpointKeyId.schema.json diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json index 467e8a35..5517c08a 100644 --- a/gen/jsonschema/schemas/Bundle.schema.json +++ b/gen/jsonschema/schemas/Bundle.schema.json 
@@ -229,7 +229,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" }, "dev.sigstore.rekor.v1.InclusionPromise": { "properties": { diff --git a/gen/jsonschema/schemas/Checkpoint.schema.json b/gen/jsonschema/schemas/Checkpoint.schema.json index 05264683..3a73f36e 100644 --- a/gen/jsonschema/schemas/Checkpoint.schema.json +++ b/gen/jsonschema/schemas/Checkpoint.schema.json 
@@ -11,7 +11,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" } } } \ No newline at end of file diff --git a/gen/jsonschema/schemas/CheckpointKeyId.schema.json b/gen/jsonschema/schemas/CheckpointKeyId.schema.json new file mode 100644 index 00000000..de1ec94f --- /dev/null +++ b/gen/jsonschema/schemas/CheckpointKeyId.schema.json 
@@ -0,0 +1,20 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/CheckpointKeyId", + "definitions": { + "CheckpointKeyId": { + "properties": { + "keyId": { + "type": "string", + "description": "The key ID in a checkpoint, as a prefix to the signature. SHOULD be 4 bytes long, as a truncated hash.", + "format": "binary", + "binaryEncoding": "base64" + } + }, + "additionalProperties": false, + "type": "object", + "title": "Checkpoint Key Id", + "description": "The checkpoint key ID, following the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format of the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key." + } + } +} \ No newline at end of file diff --git a/gen/jsonschema/schemas/ClientTrustConfig.schema.json b/gen/jsonschema/schemas/ClientTrustConfig.schema.json index 1135cbf1..94197bb9 100644 --- a/gen/jsonschema/schemas/ClientTrustConfig.schema.json +++ b/gen/jsonschema/schemas/ClientTrustConfig.schema.json 
@@ -24,6 +24,20 @@ "title": "Client Trust Config", "description": "ClientTrustConfig describes the complete state needed by a client to perform both signing and verification operations against a particular instance of Sigstore." }, + "dev.sigstore.common.v1.CheckpointKeyId": { + "properties": { + "keyId": { + "type": "string", + "description": "The key ID in a checkpoint, as a prefix to the signature. SHOULD be 4 bytes long, as a truncated hash.", + "format": "binary", + "binaryEncoding": "base64" + } + }, + "additionalProperties": false, + "type": "object", + "title": "Checkpoint Key Id", + "description": "The checkpoint key ID, following the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format of the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key." + }, "dev.sigstore.common.v1.DistinguishedName": { "properties": { "organization": { @@ -244,6 +258,11 @@ "$ref": "#/definitions/dev.sigstore.common.v1.LogId", "additionalProperties": false, "description": "The unique identifier for this transparency log." + }, + "checkpointKeyId": { + "$ref": "#/definitions/dev.sigstore.common.v1.CheckpointKeyId", + "additionalProperties": false, + "description": "The key identifier for the log used in the checkpoint. Optional, not provided for logs that do not generate checkpoints. For logs that do generate checkpoints, if not set, assume log_id equals checkpoint_key_id. MUST be set for logs generating Ed25519 signatures." } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/InclusionProof.schema.json b/gen/jsonschema/schemas/InclusionProof.schema.json index 8c1d1242..c7e7211a 100644 
--- a/gen/jsonschema/schemas/InclusionProof.schema.json +++ b/gen/jsonschema/schemas/InclusionProof.schema.json @@ -47,7 +47,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" } } } \ No newline at end of file diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 4d995c1f..ab9e2428 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json 
@@ -138,6 +138,20 @@ "title": "Verification Material", "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." }, + "dev.sigstore.common.v1.CheckpointKeyId": { + "properties": { + "keyId": { + "type": "string", + "description": "The key ID in a checkpoint, as a prefix to the signature. SHOULD be 4 bytes long, as a truncated hash.", + "format": "binary", + "binaryEncoding": "base64" + } + }, + "additionalProperties": false, + "type": "object", + "title": "Checkpoint Key Id", + "description": "The checkpoint key ID, following the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format of the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key." + }, "dev.sigstore.common.v1.DistinguishedName": { "properties": { "organization": { 
@@ -422,7 +436,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" }, "dev.sigstore.rekor.v1.InclusionPromise": { "properties": { 
@@ -586,6 +600,11 @@ "$ref": "#/definitions/dev.sigstore.common.v1.LogId", "additionalProperties": false, "description": "The unique identifier for this transparency log." + }, + "checkpointKeyId": { + "$ref": "#/definitions/dev.sigstore.common.v1.CheckpointKeyId", + "additionalProperties": false, + "description": "The key identifier for the log used in the checkpoint. Optional, not provided for logs that do not generate checkpoints. For logs that do generate checkpoints, if not set, assume log_id equals checkpoint_key_id. MUST be set for logs generating Ed25519 signatures." } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json index 29e89e3b..5e62e941 100644 --- a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json +++ b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json 
@@ -67,7 +67,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" }, "dev.sigstore.rekor.v1.InclusionPromise": { "properties": { diff --git a/gen/jsonschema/schemas/TransparencyLogInstance.schema.json b/gen/jsonschema/schemas/TransparencyLogInstance.schema.json index db691db2..55adbf15 100644 --- a/gen/jsonschema/schemas/TransparencyLogInstance.schema.json +++ b/gen/jsonschema/schemas/TransparencyLogInstance.schema.json 
@@ -30,6 +30,11 @@ "$ref": "#/definitions/dev.sigstore.common.v1.LogId", "additionalProperties": false, "description": "The unique identifier for this transparency log." + }, + "checkpointKeyId": { + "$ref": "#/definitions/dev.sigstore.common.v1.CheckpointKeyId", + "additionalProperties": false, + "description": "The key identifier for the log used in the checkpoint. Optional, not provided for logs that do not generate checkpoints. For logs that do generate checkpoints, if not set, assume log_id equals checkpoint_key_id. MUST be set for logs generating Ed25519 signatures." } }, "additionalProperties": false, @@ -37,6 +42,20 @@ "title": "Transparency Log Instance", "description": "TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion proof/promise." }, + "dev.sigstore.common.v1.CheckpointKeyId": { + "properties": { + "keyId": { + "type": "string", + "description": "The key ID in a checkpoint, as a prefix to the signature. SHOULD be 4 bytes long, as a truncated hash.", + "format": "binary", + "binaryEncoding": "base64" + } + }, + "additionalProperties": false, + "type": "object", + "title": "Checkpoint Key Id", + "description": "The checkpoint key ID, following the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format of the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key." + }, "dev.sigstore.common.v1.LogId": { "properties": { "keyId": { 
diff --git a/gen/jsonschema/schemas/TrustedRoot.schema.json b/gen/jsonschema/schemas/TrustedRoot.schema.json index 8ee8a154..ef813db2 100644 --- a/gen/jsonschema/schemas/TrustedRoot.schema.json +++ b/gen/jsonschema/schemas/TrustedRoot.schema.json 
@@ -46,6 +46,20 @@ "title": "Trusted Root", "description": "TrustedRoot describes the client's complete set of trusted entities. How the TrustedRoot is populated is not specified, but can be a combination of many sources such as TUF repositories, files on disk etc. The TrustedRoot is not meant to be used for any artifact verification, only to capture the complete/global set of trusted verification materials. When verifying an artifact, based on the artifact and policies, a selection of keys/authorities are expected to be extracted and provided to the verification function. This way the set of keys/authorities can be kept to a minimal set by the policy to gain better control over what signatures that are allowed. The embedded transparency logs, CT logs, CAs and TSAs MUST include any previously used instance -- otherwise signatures made in the past cannot be verified. All the listed instances SHOULD be sorted by the 'valid_for' in ascending order, that is, the oldest instance first. Only the last instance is allowed to have their 'end' timestamp unset. All previous instances MUST have a closed interval of validity. The last instance MAY have a closed interval. Clients MUST accept instances that overlaps in time, if not clients may experience problems during rotations of verification materials. To be able to manage planned rotations of either transparency logs or certificate authorities, clienst MUST accept lists of instances where the last instance have a 'valid_for' that belongs to the future. This should not be a problem as clients SHOULD first seek the trust root for a suitable instance before creating a per artifact trust root (that is, a sub-set of the complete trust root) that is used for verification." }, + "dev.sigstore.common.v1.CheckpointKeyId": { + "properties": { + "keyId": { + "type": "string", + "description": "The key ID in a checkpoint, as a prefix to the signature. 
SHOULD be 4 bytes long, as a truncated hash.", + "format": "binary", + "binaryEncoding": "base64" + } + }, + "additionalProperties": false, + "type": "object", + "title": "Checkpoint Key Id", + "description": "The checkpoint key ID, following the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format of the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key." + }, "dev.sigstore.common.v1.DistinguishedName": { "properties": { "organization": { @@ -236,6 +250,11 @@ "$ref": "#/definitions/dev.sigstore.common.v1.LogId", "additionalProperties": false, "description": "The unique identifier for this transparency log." + }, + "checkpointKeyId": { + "$ref": "#/definitions/dev.sigstore.common.v1.CheckpointKeyId", + "additionalProperties": false, + "description": "The key identifier for the log used in the checkpoint. Optional, not provided for logs that do not generate checkpoints. For logs that do generate checkpoints, if not set, assume log_id equals checkpoint_key_id. MUST be set for logs generating Ed25519 signatures." } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json index 4530cb2b..8d8f5771 100644 --- a/gen/jsonschema/schemas/VerificationMaterial.schema.json +++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json 
@@ -146,7 +146,7 @@ "additionalProperties": false, "type": "object", "title": "Checkpoint", - "description": "The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." + "description": "The checkpoint MUST contain an origin string as a unique log identifier, the tree size, and the root hash. It MAY also be followed by optional data, and clients MUST NOT assume optional data. The checkpoint MUST also contain a signature over the root hash (tree head). The checkpoint MAY contain additional signatures, but the first SHOULD be the signature from the log. Checkpoint contents are concatenated with newlines into a single string. The checkpoint format is described in https://github.com/transparency-dev/formats/blob/main/log/README.md and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go" }, "dev.sigstore.rekor.v1.InclusionPromise": { "properties": { diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go index 37c003a8..36c06fc6 100644 --- a/gen/pb-go/common/v1/sigstore_common.pb.go +++ b/gen/pb-go/common/v1/sigstore_common.pb.go 
@@ -472,6 +472,63 @@ func (x *LogId) GetKeyId() []byte { return nil } +// The checkpoint key ID, following the specification described here +// for ECDSA and Ed25519 signatures: +// https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures +// For RSA signatures, the key ID will match the ECDSA format of the hashed +// DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use +// RSA-signed checkpoints, since witnesses do not support RSA signatures. +// This is provided for convenience. Clients can also calculate the checkpoint +// key ID given the log's public key. +type CheckpointKeyId struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The key ID in a checkpoint, as a prefix to the signature. SHOULD be + // 4 bytes long, as a truncated hash. + KeyId []byte `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` +} + +func (x *CheckpointKeyId) Reset() { + *x = CheckpointKeyId{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_common_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CheckpointKeyId) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CheckpointKeyId) ProtoMessage() {} + +func (x *CheckpointKeyId) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_common_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CheckpointKeyId.ProtoReflect.Descriptor instead. +func (*CheckpointKeyId) Descriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{3} +} + +func (x *CheckpointKeyId) GetKeyId() []byte { + if x != nil { + return x.KeyId + } + return nil +} + // This message holds a RFC 3161 timestamp. 
type RFC3161SignedTimestamp struct { state protoimpl.MessageState @@ -486,7 +543,7 @@ type RFC3161SignedTimestamp struct { func (x *RFC3161SignedTimestamp) Reset() { *x = RFC3161SignedTimestamp{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[3] + mi := &file_sigstore_common_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -499,7 +556,7 @@ func (x *RFC3161SignedTimestamp) String() string { func (*RFC3161SignedTimestamp) ProtoMessage() {} func (x *RFC3161SignedTimestamp) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[3] + mi := &file_sigstore_common_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -512,7 +569,7 @@ func (x *RFC3161SignedTimestamp) ProtoReflect() protoreflect.Message { // Deprecated: Use RFC3161SignedTimestamp.ProtoReflect.Descriptor instead. func (*RFC3161SignedTimestamp) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{3} + return file_sigstore_common_proto_rawDescGZIP(), []int{4} } func (x *RFC3161SignedTimestamp) GetSignedTimestamp() []byte { @@ -539,7 +596,7 @@ type PublicKey struct { func (x *PublicKey) Reset() { *x = PublicKey{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[4] + mi := &file_sigstore_common_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -552,7 +609,7 @@ func (x *PublicKey) String() string { func (*PublicKey) ProtoMessage() {} func (x *PublicKey) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[4] + mi := &file_sigstore_common_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -565,7 +622,7 @@ func (x *PublicKey) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKey.ProtoReflect.Descriptor instead. func (*PublicKey) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{4} + return file_sigstore_common_proto_rawDescGZIP(), []int{5} } func (x *PublicKey) GetRawBytes() []byte { @@ -611,7 +668,7 @@ type PublicKeyIdentifier struct { func (x *PublicKeyIdentifier) Reset() { *x = PublicKeyIdentifier{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[5] + mi := &file_sigstore_common_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -624,7 +681,7 @@ func (x *PublicKeyIdentifier) String() string { func (*PublicKeyIdentifier) ProtoMessage() {} func (x *PublicKeyIdentifier) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[5] + mi := &file_sigstore_common_proto_msgTypes[6] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -637,7 +694,7 @@ func (x *PublicKeyIdentifier) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKeyIdentifier.ProtoReflect.Descriptor instead. func (*PublicKeyIdentifier) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{5} + return file_sigstore_common_proto_rawDescGZIP(), []int{6} } func (x *PublicKeyIdentifier) GetHint() string { @@ -659,7 +716,7 @@ type ObjectIdentifier struct { func (x *ObjectIdentifier) Reset() { *x = ObjectIdentifier{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[6] + mi := &file_sigstore_common_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -672,7 +729,7 @@ func (x *ObjectIdentifier) String() string { func (*ObjectIdentifier) ProtoMessage() {} func (x *ObjectIdentifier) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[6] + mi := &file_sigstore_common_proto_msgTypes[7] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -685,7 +742,7 @@ func (x *ObjectIdentifier) ProtoReflect() protoreflect.Message { // Deprecated: Use ObjectIdentifier.ProtoReflect.Descriptor instead. func (*ObjectIdentifier) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{6} + return file_sigstore_common_proto_rawDescGZIP(), []int{7} } func (x *ObjectIdentifier) GetId() []int32 { @@ -708,7 +765,7 @@ type ObjectIdentifierValuePair struct { func (x *ObjectIdentifierValuePair) Reset() { *x = ObjectIdentifierValuePair{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[7] + mi := &file_sigstore_common_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -721,7 +778,7 @@ func (x *ObjectIdentifierValuePair) String() string { func (*ObjectIdentifierValuePair) ProtoMessage() {} func (x *ObjectIdentifierValuePair) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[7] + mi := &file_sigstore_common_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -734,7 +791,7 @@ func (x *ObjectIdentifierValuePair) ProtoReflect() protoreflect.Message { // Deprecated: Use ObjectIdentifierValuePair.ProtoReflect.Descriptor instead. func (*ObjectIdentifierValuePair) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{7} + return file_sigstore_common_proto_rawDescGZIP(), []int{8} } func (x *ObjectIdentifierValuePair) GetOid() *ObjectIdentifier { 
@@ -763,7 +820,7 @@ type DistinguishedName struct { func (x *DistinguishedName) Reset() { *x = DistinguishedName{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[8] + mi := &file_sigstore_common_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -776,7 +833,7 @@ func (x *DistinguishedName) String() string { func (*DistinguishedName) ProtoMessage() {} func (x *DistinguishedName) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[8] + mi := &file_sigstore_common_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -789,7 +846,7 @@ func (x *DistinguishedName) ProtoReflect() protoreflect.Message { // Deprecated: Use DistinguishedName.ProtoReflect.Descriptor instead. func (*DistinguishedName) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{8} + return file_sigstore_common_proto_rawDescGZIP(), []int{9} } func (x *DistinguishedName) GetOrganization() string { @@ -818,7 +875,7 @@ type X509Certificate struct { func (x *X509Certificate) Reset() { *x = X509Certificate{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[9] + mi := &file_sigstore_common_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -831,7 +888,7 @@ func (x *X509Certificate) String() string { func (*X509Certificate) ProtoMessage() {} func (x *X509Certificate) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[9] + mi := &file_sigstore_common_proto_msgTypes[10] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -844,7 +901,7 @@ func (x *X509Certificate) ProtoReflect() protoreflect.Message { // Deprecated: Use X509Certificate.ProtoReflect.Descriptor instead. func (*X509Certificate) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{9} + return file_sigstore_common_proto_rawDescGZIP(), []int{10} } func (x *X509Certificate) GetRawBytes() []byte { @@ -870,7 +927,7 @@ type SubjectAlternativeName struct { func (x *SubjectAlternativeName) Reset() { *x = SubjectAlternativeName{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[10] + mi := &file_sigstore_common_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -883,7 +940,7 @@ func (x *SubjectAlternativeName) String() string { func (*SubjectAlternativeName) ProtoMessage() {} func (x *SubjectAlternativeName) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[10] + mi := &file_sigstore_common_proto_msgTypes[11] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -896,7 +953,7 @@ func (x *SubjectAlternativeName) ProtoReflect() protoreflect.Message { // Deprecated: Use SubjectAlternativeName.ProtoReflect.Descriptor instead. func (*SubjectAlternativeName) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{10} + return file_sigstore_common_proto_rawDescGZIP(), []int{11} } func (x *SubjectAlternativeName) GetType() SubjectAlternativeNameType { @@ -967,7 +1024,7 @@ type X509CertificateChain struct { func (x *X509CertificateChain) Reset() { *x = X509CertificateChain{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[11] + mi := &file_sigstore_common_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -980,7 +1037,7 @@ func (x *X509CertificateChain) String() string { func (*X509CertificateChain) ProtoMessage() {} func (x *X509CertificateChain) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[11] + mi := &file_sigstore_common_proto_msgTypes[12] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -993,7 +1050,7 @@ func (x *X509CertificateChain) ProtoReflect() protoreflect.Message { // Deprecated: Use X509CertificateChain.ProtoReflect.Descriptor instead. func (*X509CertificateChain) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{11} + return file_sigstore_common_proto_rawDescGZIP(), []int{12} } func (x *X509CertificateChain) GetCertificates() []*X509Certificate { @@ -1019,7 +1076,7 @@ type TimeRange struct { func (x *TimeRange) Reset() { *x = TimeRange{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[12] + mi := &file_sigstore_common_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1032,7 +1089,7 @@ func (x *TimeRange) String() string { func (*TimeRange) ProtoMessage() {} func (x *TimeRange) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[12] + mi := &file_sigstore_common_proto_msgTypes[13] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1045,7 +1102,7 @@ func (x *TimeRange) ProtoReflect() protoreflect.Message { // Deprecated: Use TimeRange.ProtoReflect.Descriptor instead. func (*TimeRange) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{12} + return file_sigstore_common_proto_rawDescGZIP(), []int{13} } func (x *TimeRange) GetStart() *timestamppb.Timestamp { 
@@ -1089,128 +1146,131 @@ var file_sigstore_common_proto_rawDesc = []byte{ 0x03, 0xe0, 0x41, 0x02, 0x52, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x22, 0x23, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x05, 0x6b, - 0x65, 0x79, 0x49, 0x64, 0x22, 0x48, 0x0a, 0x16, 0x52, 0x46, 0x43, 0x33, 0x31, 0x36, 0x31, 0x53, - 0x69, 0x67, 0x6e, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x2e, - 0x0a, 0x10, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, - 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0f, 0x73, - 0x69, 0x67, 0x6e, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0xd9, - 0x01, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x0a, 0x09, - 0x72, 0x61, 0x77, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x48, - 0x00, 0x52, 0x08, 0x72, 0x61, 0x77, 0x42, 0x79, 0x74, 0x65, 0x73, 0x88, 0x01, 0x01, 0x12, 0x49, - 0x0a, 0x0b, 0x6b, 0x65, 0x79, 0x5f, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, - 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x0a, 0x6b, - 0x65, 0x79, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x43, 0x0a, 0x09, 0x76, 0x61, 0x6c, - 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, - 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, - 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x48, - 0x01, 0x52, 0x08, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x46, 0x6f, 0x72, 
0x88, 0x01, 0x01, 0x42, 0x0c, - 0x0a, 0x0a, 0x5f, 0x72, 0x61, 0x77, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x42, 0x0c, 0x0a, 0x0a, - 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x22, 0x29, 0x0a, 0x13, 0x50, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, - 0x72, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x04, 0x68, 0x69, 0x6e, 0x74, 0x22, 0x27, 0x0a, 0x10, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x13, 0x0a, 0x02, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x03, 0x28, 0x05, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x02, 0x69, 0x64, 0x22, 0x6d, - 0x0a, 0x19, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, - 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x50, 0x61, 0x69, 0x72, 0x12, 0x3a, 0x0a, 0x03, 0x6f, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, - 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, - 0x31, 0x2e, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, - 0x65, 0x72, 0x52, 0x03, 0x6f, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x58, 0x0a, - 0x11, 0x44, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x75, 0x69, 0x73, 0x68, 0x65, 0x64, 0x4e, 0x61, - 0x6d, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, - 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6d, - 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x33, 0x0a, 0x0f, 0x58, 0x35, 0x30, 0x39, 0x43, - 0x65, 
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x20, 0x0a, 0x09, 0x72, 0x61, - 0x77, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, - 0x41, 0x02, 0x52, 0x08, 0x72, 0x61, 0x77, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0x9e, 0x01, 0x0a, - 0x16, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, - 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x46, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x53, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, - 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, - 0x18, 0x0a, 0x06, 0x72, 0x65, 0x67, 0x65, 0x78, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, - 0x00, 0x52, 0x06, 0x72, 0x65, 0x67, 0x65, 0x78, 0x70, 0x12, 0x16, 0x0a, 0x05, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x42, 0x0a, 0x0a, 0x08, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x22, 0x63, 0x0a, - 0x14, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x4b, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, + 0x65, 0x79, 0x49, 0x64, 0x22, 0x2d, 0x0a, 0x0f, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, + 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x05, 0x6b, 0x65, + 0x79, 0x49, 0x64, 0x22, 0x48, 0x0a, 0x16, 0x52, 0x46, 0x43, 0x33, 0x31, 0x36, 0x31, 0x53, 0x69, + 0x67, 0x6e, 0x65, 0x64, 0x54, 0x69, 0x6d, 
0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x2e, 0x0a, + 0x10, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, + 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0f, 0x73, 0x69, + 0x67, 0x6e, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0xd9, 0x01, + 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x0a, 0x09, 0x72, + 0x61, 0x77, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, + 0x52, 0x08, 0x72, 0x61, 0x77, 0x42, 0x79, 0x74, 0x65, 0x73, 0x88, 0x01, 0x01, 0x12, 0x49, 0x0a, + 0x0b, 0x6b, 0x65, 0x79, 0x5f, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x0a, 0x6b, 0x65, + 0x79, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x43, 0x0a, 0x09, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x73, 0x22, 0x78, 0x0a, 0x09, 0x54, 0x69, 0x6d, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, - 0x30, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x05, 0x73, 0x74, 0x61, 0x72, - 0x74, 0x12, 0x31, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 
0x32, 0x1a, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x48, 0x00, 0x52, 0x03, 0x65, 0x6e, - 0x64, 0x88, 0x01, 0x01, 0x42, 0x06, 0x0a, 0x04, 0x5f, 0x65, 0x6e, 0x64, 0x2a, 0x75, 0x0a, 0x0d, - 0x48, 0x61, 0x73, 0x68, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1e, 0x0a, - 0x1a, 0x48, 0x41, 0x53, 0x48, 0x5f, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, - 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0c, 0x0a, - 0x08, 0x53, 0x48, 0x41, 0x32, 0x5f, 0x32, 0x35, 0x36, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x53, - 0x48, 0x41, 0x32, 0x5f, 0x33, 0x38, 0x34, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, - 0x32, 0x5f, 0x35, 0x31, 0x32, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f, - 0x32, 0x35, 0x36, 0x10, 0x04, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f, 0x33, 0x38, - 0x34, 0x10, 0x05, 0x2a, 0xa7, 0x04, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x22, 0x0a, 0x1e, 0x50, 0x55, 0x42, 0x4c, - 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x44, 0x45, 0x54, 0x41, 0x49, 0x4c, 0x53, 0x5f, 0x55, - 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x11, - 0x50, 0x4b, 0x43, 0x53, 0x31, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, - 0x35, 0x10, 0x01, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x15, 0x0a, 0x0d, 0x50, 0x4b, 0x43, 0x53, 0x31, - 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x02, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x18, - 0x0a, 0x10, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, - 0x56, 0x35, 0x10, 0x03, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x14, 0x0a, 0x0c, 0x50, 0x4b, 0x49, 0x58, - 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x04, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x21, - 0x0a, 0x1d, 0x50, 0x4b, 
0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, - 0x56, 0x31, 0x35, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, - 0x09, 0x12, 0x21, 0x0a, 0x1d, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, - 0x43, 0x53, 0x31, 0x56, 0x31, 0x35, 0x5f, 0x33, 0x30, 0x37, 0x32, 0x5f, 0x53, 0x48, 0x41, 0x32, - 0x35, 0x36, 0x10, 0x0a, 0x12, 0x21, 0x0a, 0x1d, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, - 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, 0x31, 0x35, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x5f, 0x53, - 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0b, 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x4b, 0x49, 0x58, 0x5f, - 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x5f, 0x53, 0x48, 0x41, - 0x32, 0x35, 0x36, 0x10, 0x10, 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, - 0x41, 0x5f, 0x50, 0x53, 0x53, 0x5f, 0x33, 0x30, 0x37, 0x32, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, - 0x36, 0x10, 0x11, 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, - 0x50, 0x53, 0x53, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, - 0x12, 0x12, 0x24, 0x0a, 0x1c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, - 0x50, 0x32, 0x35, 0x36, 0x5f, 0x48, 0x4d, 0x41, 0x43, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, - 0x36, 0x10, 0x06, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, - 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, - 0x35, 0x36, 0x10, 0x05, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, - 0x53, 0x41, 0x5f, 0x50, 0x33, 0x38, 0x34, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x33, 0x38, 0x34, 0x10, - 0x0c, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, - 0x50, 0x35, 0x32, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x35, 0x31, 0x32, 0x10, 0x0d, 0x12, 0x10, - 0x0a, 0x0c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x44, 0x32, 
0x35, 0x35, 0x31, 0x39, 0x10, 0x07, - 0x12, 0x13, 0x0a, 0x0f, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, - 0x5f, 0x50, 0x48, 0x10, 0x08, 0x12, 0x0e, 0x0a, 0x0a, 0x4c, 0x4d, 0x53, 0x5f, 0x53, 0x48, 0x41, - 0x32, 0x35, 0x36, 0x10, 0x0e, 0x12, 0x10, 0x0a, 0x0c, 0x4c, 0x4d, 0x4f, 0x54, 0x53, 0x5f, 0x53, - 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0f, 0x22, 0x04, 0x08, 0x13, 0x10, 0x32, 0x2a, 0x6f, 0x0a, - 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, - 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2d, 0x0a, 0x29, 0x53, - 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x41, 0x4c, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x54, 0x49, - 0x56, 0x45, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, - 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x4d, - 0x41, 0x49, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x52, 0x49, 0x10, 0x02, 0x12, 0x0e, - 0x0a, 0x0a, 0x4f, 0x54, 0x48, 0x45, 0x52, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x10, 0x03, 0x42, 0x7c, - 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x0b, - 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x36, 0x67, - 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, - 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, - 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, - 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x3a, 0x3a, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x52, 0x61, 0x6e, 
0x67, 0x65, 0x48, 0x01, + 0x52, 0x08, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x46, 0x6f, 0x72, 0x88, 0x01, 0x01, 0x42, 0x0c, 0x0a, + 0x0a, 0x5f, 0x72, 0x61, 0x77, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x42, 0x0c, 0x0a, 0x0a, 0x5f, + 0x76, 0x61, 0x6c, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x22, 0x29, 0x0a, 0x13, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, + 0x12, 0x12, 0x0a, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, + 0x68, 0x69, 0x6e, 0x74, 0x22, 0x27, 0x0a, 0x10, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x13, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, + 0x20, 0x03, 0x28, 0x05, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x02, 0x69, 0x64, 0x22, 0x6d, 0x0a, + 0x19, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, + 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x50, 0x61, 0x69, 0x72, 0x12, 0x3a, 0x0a, 0x03, 0x6f, 0x69, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, + 0x2e, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, + 0x72, 0x52, 0x03, 0x6f, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x58, 0x0a, 0x11, + 0x44, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x75, 0x69, 0x73, 0x68, 0x65, 0x64, 0x4e, 0x61, 0x6d, + 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x5f, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 
0x4e, 0x61, 0x6d, 0x65, 0x22, 0x33, 0x0a, 0x0f, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x20, 0x0a, 0x09, 0x72, 0x61, 0x77, + 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, + 0x02, 0x52, 0x08, 0x72, 0x61, 0x77, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0x9e, 0x01, 0x0a, 0x16, + 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, + 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x46, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, + 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, + 0x4e, 0x61, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x18, + 0x0a, 0x06, 0x72, 0x65, 0x67, 0x65, 0x78, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, + 0x52, 0x06, 0x72, 0x65, 0x67, 0x65, 0x78, 0x70, 0x12, 0x16, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x42, 0x0a, 0x0a, 0x08, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x22, 0x63, 0x0a, 0x14, + 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, + 0x68, 0x61, 0x69, 0x6e, 0x12, 0x4b, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, + 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x73, 0x22, 0x78, 0x0a, 0x09, 0x54, 0x69, 0x6d, 
0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x30, + 0x0a, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, + 0x12, 0x31, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x48, 0x00, 0x52, 0x03, 0x65, 0x6e, 0x64, + 0x88, 0x01, 0x01, 0x42, 0x06, 0x0a, 0x04, 0x5f, 0x65, 0x6e, 0x64, 0x2a, 0x75, 0x0a, 0x0d, 0x48, + 0x61, 0x73, 0x68, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1e, 0x0a, 0x1a, + 0x48, 0x41, 0x53, 0x48, 0x5f, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, + 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08, + 0x53, 0x48, 0x41, 0x32, 0x5f, 0x32, 0x35, 0x36, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, + 0x41, 0x32, 0x5f, 0x33, 0x38, 0x34, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x32, + 0x5f, 0x35, 0x31, 0x32, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f, 0x32, + 0x35, 0x36, 0x10, 0x04, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f, 0x33, 0x38, 0x34, + 0x10, 0x05, 0x2a, 0xa7, 0x04, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x22, 0x0a, 0x1e, 0x50, 0x55, 0x42, 0x4c, 0x49, + 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x44, 0x45, 0x54, 0x41, 0x49, 0x4c, 0x53, 0x5f, 0x55, 0x4e, + 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x11, 0x50, + 0x4b, 0x43, 0x53, 0x31, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, 0x35, + 0x10, 0x01, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x15, 0x0a, 0x0d, 0x50, 0x4b, 0x43, 0x53, 
0x31, 0x5f, + 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x02, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x18, 0x0a, + 0x10, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, + 0x35, 0x10, 0x03, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x14, 0x0a, 0x0c, 0x50, 0x4b, 0x49, 0x58, 0x5f, + 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x04, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x21, 0x0a, + 0x1d, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, + 0x31, 0x35, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x09, + 0x12, 0x21, 0x0a, 0x1d, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, + 0x53, 0x31, 0x56, 0x31, 0x35, 0x5f, 0x33, 0x30, 0x37, 0x32, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, + 0x36, 0x10, 0x0a, 0x12, 0x21, 0x0a, 0x1d, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, + 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, 0x31, 0x35, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x5f, 0x53, 0x48, + 0x41, 0x32, 0x35, 0x36, 0x10, 0x0b, 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, + 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x5f, 0x53, 0x48, 0x41, 0x32, + 0x35, 0x36, 0x10, 0x10, 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, + 0x5f, 0x50, 0x53, 0x53, 0x5f, 0x33, 0x30, 0x37, 0x32, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, + 0x10, 0x11, 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, + 0x53, 0x53, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x12, + 0x12, 0x24, 0x0a, 0x1c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, + 0x32, 0x35, 0x36, 0x5f, 0x48, 0x4d, 0x41, 0x43, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, 0x36, + 0x10, 0x06, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, + 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, + 0x36, 0x10, 0x05, 0x12, 
0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, + 0x41, 0x5f, 0x50, 0x33, 0x38, 0x34, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x33, 0x38, 0x34, 0x10, 0x0c, + 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, + 0x35, 0x32, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x35, 0x31, 0x32, 0x10, 0x0d, 0x12, 0x10, 0x0a, + 0x0c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x10, 0x07, 0x12, + 0x13, 0x0a, 0x0f, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x5f, + 0x50, 0x48, 0x10, 0x08, 0x12, 0x0e, 0x0a, 0x0a, 0x4c, 0x4d, 0x53, 0x5f, 0x53, 0x48, 0x41, 0x32, + 0x35, 0x36, 0x10, 0x0e, 0x12, 0x10, 0x0a, 0x0c, 0x4c, 0x4d, 0x4f, 0x54, 0x53, 0x5f, 0x53, 0x48, + 0x41, 0x32, 0x35, 0x36, 0x10, 0x0f, 0x22, 0x04, 0x08, 0x13, 0x10, 0x32, 0x2a, 0x6f, 0x0a, 0x1a, + 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, + 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, + 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x41, 0x4c, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x54, 0x49, 0x56, + 0x45, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, + 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x4d, 0x41, + 0x49, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x52, 0x49, 0x10, 0x02, 0x12, 0x0e, 0x0a, + 0x0a, 0x4f, 0x54, 0x48, 0x45, 0x52, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x10, 0x03, 0x42, 0x7c, 0x0a, + 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x0b, 0x43, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x36, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, + 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 
0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, + 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, + 0x3a, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( @@ -1226,7 +1286,7 @@ func file_sigstore_common_proto_rawDescGZIP() []byte { } var file_sigstore_common_proto_enumTypes = make([]protoimpl.EnumInfo, 3) -var file_sigstore_common_proto_msgTypes = make([]protoimpl.MessageInfo, 13) +var file_sigstore_common_proto_msgTypes = make([]protoimpl.MessageInfo, 14) var file_sigstore_common_proto_goTypes = []interface{}{ (HashAlgorithm)(0), // 0: dev.sigstore.common.v1.HashAlgorithm (PublicKeyDetails)(0), // 1: dev.sigstore.common.v1.PublicKeyDetails 
@@ -1234,28 +1294,29 @@ var file_sigstore_common_proto_goTypes = []interface{}{ (*HashOutput)(nil), // 3: dev.sigstore.common.v1.HashOutput (*MessageSignature)(nil), // 4: dev.sigstore.common.v1.MessageSignature (*LogId)(nil), // 5: dev.sigstore.common.v1.LogId - (*RFC3161SignedTimestamp)(nil), // 6: dev.sigstore.common.v1.RFC3161SignedTimestamp - (*PublicKey)(nil), // 7: dev.sigstore.common.v1.PublicKey - (*PublicKeyIdentifier)(nil), // 8: dev.sigstore.common.v1.PublicKeyIdentifier - (*ObjectIdentifier)(nil), // 9: dev.sigstore.common.v1.ObjectIdentifier - (*ObjectIdentifierValuePair)(nil), // 10: dev.sigstore.common.v1.ObjectIdentifierValuePair - (*DistinguishedName)(nil), // 11: dev.sigstore.common.v1.DistinguishedName - (*X509Certificate)(nil), // 12: dev.sigstore.common.v1.X509Certificate - (*SubjectAlternativeName)(nil), // 13: dev.sigstore.common.v1.SubjectAlternativeName - (*X509CertificateChain)(nil), // 14: dev.sigstore.common.v1.X509CertificateChain - (*TimeRange)(nil), // 15: dev.sigstore.common.v1.TimeRange - (*timestamppb.Timestamp)(nil), // 16: google.protobuf.Timestamp + (*CheckpointKeyId)(nil), // 6: dev.sigstore.common.v1.CheckpointKeyId + (*RFC3161SignedTimestamp)(nil), // 7: dev.sigstore.common.v1.RFC3161SignedTimestamp + (*PublicKey)(nil), // 8: dev.sigstore.common.v1.PublicKey + (*PublicKeyIdentifier)(nil), // 9: dev.sigstore.common.v1.PublicKeyIdentifier + (*ObjectIdentifier)(nil), // 10: dev.sigstore.common.v1.ObjectIdentifier + (*ObjectIdentifierValuePair)(nil), // 11: dev.sigstore.common.v1.ObjectIdentifierValuePair + (*DistinguishedName)(nil), // 12: dev.sigstore.common.v1.DistinguishedName + (*X509Certificate)(nil), // 13: dev.sigstore.common.v1.X509Certificate + (*SubjectAlternativeName)(nil), // 14: dev.sigstore.common.v1.SubjectAlternativeName + (*X509CertificateChain)(nil), // 15: dev.sigstore.common.v1.X509CertificateChain + (*TimeRange)(nil), // 16: dev.sigstore.common.v1.TimeRange + (*timestamppb.Timestamp)(nil), // 17: 
google.protobuf.Timestamp } var file_sigstore_common_proto_depIdxs = []int32{ 0, // 0: dev.sigstore.common.v1.HashOutput.algorithm:type_name -> dev.sigstore.common.v1.HashAlgorithm 3, // 1: dev.sigstore.common.v1.MessageSignature.message_digest:type_name -> dev.sigstore.common.v1.HashOutput 1, // 2: dev.sigstore.common.v1.PublicKey.key_details:type_name -> dev.sigstore.common.v1.PublicKeyDetails - 15, // 3: dev.sigstore.common.v1.PublicKey.valid_for:type_name -> dev.sigstore.common.v1.TimeRange - 9, // 4: dev.sigstore.common.v1.ObjectIdentifierValuePair.oid:type_name -> dev.sigstore.common.v1.ObjectIdentifier + 16, // 3: dev.sigstore.common.v1.PublicKey.valid_for:type_name -> dev.sigstore.common.v1.TimeRange + 10, // 4: dev.sigstore.common.v1.ObjectIdentifierValuePair.oid:type_name -> dev.sigstore.common.v1.ObjectIdentifier 2, // 5: dev.sigstore.common.v1.SubjectAlternativeName.type:type_name -> dev.sigstore.common.v1.SubjectAlternativeNameType - 12, // 6: dev.sigstore.common.v1.X509CertificateChain.certificates:type_name -> dev.sigstore.common.v1.X509Certificate - 16, // 7: dev.sigstore.common.v1.TimeRange.start:type_name -> google.protobuf.Timestamp - 16, // 8: dev.sigstore.common.v1.TimeRange.end:type_name -> google.protobuf.Timestamp + 13, // 6: dev.sigstore.common.v1.X509CertificateChain.certificates:type_name -> dev.sigstore.common.v1.X509Certificate + 17, // 7: dev.sigstore.common.v1.TimeRange.start:type_name -> google.protobuf.Timestamp + 17, // 8: dev.sigstore.common.v1.TimeRange.end:type_name -> google.protobuf.Timestamp 9, // [9:9] is the sub-list for method output_type 9, // [9:9] is the sub-list for method input_type 9, // [9:9] is the sub-list for extension type_name @@ -1306,7 +1367,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RFC3161SignedTimestamp); i { + switch v := v.(*CheckpointKeyId); i { case 0: return &v.state case 1: 
@@ -1318,7 +1379,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKey); i { + switch v := v.(*RFC3161SignedTimestamp); i { case 0: return &v.state case 1: @@ -1330,7 +1391,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyIdentifier); i { + switch v := v.(*PublicKey); i { case 0: return &v.state case 1: @@ -1342,7 +1403,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ObjectIdentifier); i { + switch v := v.(*PublicKeyIdentifier); i { case 0: return &v.state case 1: @@ -1354,7 +1415,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ObjectIdentifierValuePair); i { + switch v := v.(*ObjectIdentifier); i { case 0: return &v.state case 1: @@ -1366,7 +1427,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DistinguishedName); i { + switch v := v.(*ObjectIdentifierValuePair); i { case 0: return &v.state case 1: @@ -1378,7 +1439,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*X509Certificate); i { + switch v := v.(*DistinguishedName); i { case 0: return &v.state case 1: @@ -1390,7 +1451,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SubjectAlternativeName); i { + switch v := v.(*X509Certificate); i { case 0: return &v.state case 1: 
@@ -1402,7 +1463,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*X509CertificateChain); i { + switch v := v.(*SubjectAlternativeName); i { case 0: return &v.state case 1: @@ -1414,6 +1475,18 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*X509CertificateChain); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_common_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*TimeRange); i { case 0: return &v.state @@ -1426,19 +1499,19 @@ func file_sigstore_common_proto_init() { } } } - file_sigstore_common_proto_msgTypes[4].OneofWrappers = []interface{}{} - file_sigstore_common_proto_msgTypes[10].OneofWrappers = []interface{}{ + file_sigstore_common_proto_msgTypes[5].OneofWrappers = []interface{}{} + file_sigstore_common_proto_msgTypes[11].OneofWrappers = []interface{}{ (*SubjectAlternativeName_Regexp)(nil), (*SubjectAlternativeName_Value)(nil), } - file_sigstore_common_proto_msgTypes[12].OneofWrappers = []interface{}{} + file_sigstore_common_proto_msgTypes[13].OneofWrappers = []interface{}{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_sigstore_common_proto_rawDesc, NumEnums: 3, - NumMessages: 13, + NumMessages: 14, NumExtensions: 0, NumServices: 0, }, diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go index a385e9fd..0ab50bf7 100644 --- a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go +++ b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go 
@@ -95,13 +95,16 @@ func (x *KindVersion) GetVersion() string { return "" } -// The checkpoint MUST contain a signature of the tree head (root hash), -// size of the tree and the transparency log's unique identifier (log ID). -// It MAY also be followed by any optional data. The result is a string, -// the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md -// The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 -// The signature has the same format as -// InclusionPromise.signed_entry_timestamp. See below for more details. +// The checkpoint MUST contain an origin string as a unique log identifier, +// the tree size, and the root hash. It MAY also be followed by optional data, +// and clients MUST NOT assume optional data. The checkpoint MUST also contain +// a signature over the root hash (tree head). The checkpoint MAY contain additional +// signatures, but the first SHOULD be the signature from the log. Checkpoint contents +// are concatenated with newlines into a single string. +// The checkpoint format is described in +// https://github.com/transparency-dev/formats/blob/main/log/README.md +// and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. +// An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go type Checkpoint struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go index 55e80eb5..4a1b4ed0 100644 --- a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go +++ b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go 
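Review bot: The rewritten Checkpoint comment says the checkpoint MUST contain "a signature over the root hash (tree head)", but in the signed-note format the two linked specifications describe, the signature covers the whole note body — origin, tree size, root hash and any optional lines — not the root hash alone; a client that implements this wording literally leaves the origin and tree size unbound and can be fed a root hash from a different log or tree size under a valid signature. Suggest `// The checkpoint MUST also contain a signature over the entire checkpoint body (origin, tree size, root hash and any optional data), not over the root hash alone.` Since the comment also says only that the first signature SHOULD be the log's, it is worth stating that clients select the log's signature by key ID and verify it rather than trusting its position. This file is generated; the wording originates in protos/sigstore_rekor.proto and should be corrected there.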
@@ -56,6 +56,12 @@ type TransparencyLogInstance struct { PublicKey *v1.PublicKey `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` // The unique identifier for this transparency log. LogId *v1.LogId `protobuf:"bytes,4,opt,name=log_id,json=logId,proto3" json:"log_id,omitempty"` + // The key identifier for the log used in the checkpoint. + // Optional, not provided for logs that do not generate checkpoints. + // For logs that do generate checkpoints, if not set, assume + // log_id equals checkpoint_key_id. + // MUST be set for logs generating Ed25519 signatures. + CheckpointKeyId *v1.CheckpointKeyId `protobuf:"bytes,5,opt,name=checkpoint_key_id,json=checkpointKeyId,proto3" json:"checkpoint_key_id,omitempty"` } func (x *TransparencyLogInstance) Reset() { @@ -118,6 +124,13 @@ func (x *TransparencyLogInstance) GetLogId() *v1.LogId { return nil } +func (x *TransparencyLogInstance) GetCheckpointKeyId() *v1.CheckpointKeyId { + if x != nil { + return x.CheckpointKeyId + } + return nil +} + // CertificateAuthority enlists the information required to identify which // CA to use and perform signature verification. type CertificateAuthority struct { 
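Review bot: The fallback in the new field comment, `if not set, assume log_id equals checkpoint_key_id`, sits next to `MUST be set for logs generating Ed25519 signatures`, yet GetCheckpointKeyId() returns nil in both cases, so a client cannot distinguish a legitimately omitted ID from a misconfigured Ed25519 entry and will silently fall back to a log_id that cannot match the checkpoint; the comment should say that a nil value on an Ed25519 PublicKey is a trust-root error, not a fallback. The key ID is documented elsewhere in this change as a 4-byte truncated hash, so it is a selection hint, not an identity: a client must still verify the checkpoint signature with the chosen key and should try every trusted key whose ID matches. Suggest appending `// Clients MUST NOT treat a matching key ID as proof of origin; the checkpoint signature MUST still be verified against the log's public key, and an absent value on an Ed25519 log is a configuration error.` This file is generated; the comment comes from protos/sigstore_trustroot.proto and should be changed there.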
@@ -508,7 +521,7 @@ var file_sigstore_trustroot_proto_rawDesc = []byte{ 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xfa, 0x01, + 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xcf, 0x02, 0x0a, 0x17, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x61, 0x73, 
@@ -524,79 +537,84 @@ var file_sigstore_trustroot_proto_rawDesc = []byte{ 0x63, 0x4b, 0x65, 0x79, 0x12, 0x34, 0x0a, 0x06, 0x6c, 0x6f, 0x67, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x6f, - 0x67, 0x49, 0x64, 0x52, 0x05, 0x6c, 0x6f, 0x67, 0x49, 0x64, 0x22, 0xfa, 0x01, 0x0a, 0x14, 0x43, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x12, 0x43, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, - 0x73, 0x74, 0x69, 0x6e, 0x67, 0x75, 0x69, 0x73, 0x68, 0x65, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x52, - 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x4b, 0x0a, 0x0a, 0x63, 0x65, - 0x72, 0x74, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, - 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x09, 0x63, 0x65, - 0x72, 0x74, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x3e, 0x0a, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, - 0x5f, 0x66, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, - 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x52, 0x08, 0x76, - 0x61, 0x6c, 0x69, 0x64, 0x46, 0x6f, 0x72, 0x22, 0x92, 0x03, 0x0a, 
0x0b, 0x54, 0x72, 0x75, 0x73, - 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x65, 0x64, 0x69, 0x61, - 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x65, 0x64, - 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x48, 0x0a, 0x05, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x18, - 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, - 0x31, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, - 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x05, 0x74, 0x6c, 0x6f, 0x67, 0x73, - 0x12, 0x68, 0x0a, 0x17, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, - 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x74, 0x79, 0x52, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x4a, 0x0a, 0x06, 0x63, 0x74, - 0x6c, 0x6f, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, + 0x67, 0x49, 0x64, 0x52, 0x05, 0x6c, 0x6f, 0x67, 0x49, 0x64, 0x12, 0x53, 0x0a, 0x11, 0x63, 0x68, + 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x43, + 0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x52, 0x0f, + 0x63, 
0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x22, + 0xfa, 0x01, 0x0a, 0x14, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x43, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x75, 0x69, 0x73, 0x68, 0x65, 0x64, + 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x10, 0x0a, + 0x03, 0x75, 0x72, 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, + 0x4b, 0x0a, 0x0a, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, + 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, + 0x6e, 0x52, 0x09, 0x63, 0x65, 0x72, 0x74, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x3e, 0x0a, 0x09, + 0x76, 0x61, 0x6c, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x52, 0x61, 0x6e, + 0x67, 0x65, 0x52, 0x08, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x46, 0x6f, 0x72, 0x22, 0x92, 0x03, 0x0a, + 0x0b, 0x54, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x1d, 0x0a, 0x0a, + 0x6d, 0x65, 0x64, 0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x09, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x48, 0x0a, 0x05, 0x74, + 0x6c, 0x6f, 0x67, 0x73, 0x18, 0x02, 0x20, 
0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, - 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x06, - 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x12, 0x64, 0x0a, 0x15, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, - 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, - 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x14, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, - 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0x79, 0x0a, 0x0d, - 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x15, 0x0a, - 0x06, 0x63, 0x61, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, - 0x61, 0x55, 0x72, 0x6c, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x69, 0x64, 0x63, 0x5f, 0x75, 0x72, 0x6c, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6f, 0x69, 0x64, 0x63, 0x55, 0x72, 0x6c, 0x12, - 0x1b, 0x0a, 0x09, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x75, 0x72, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, - 0x28, 0x09, 0x52, 0x08, 0x74, 0x6c, 0x6f, 0x67, 0x55, 0x72, 0x6c, 0x73, 0x12, 0x19, 0x0a, 0x08, - 0x74, 0x73, 0x61, 0x5f, 0x75, 0x72, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, - 0x74, 0x73, 0x61, 0x55, 0x72, 0x6c, 0x73, 0x22, 0xd8, 0x01, 0x0a, 0x11, 0x43, 0x6c, 0x69, 0x65, - 0x6e, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1d, 0x0a, - 0x0a, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 
0x01, 0x28, - 0x09, 0x52, 0x09, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x4e, 0x0a, 0x0c, - 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x5f, 0x72, 0x6f, 0x6f, 0x74, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, - 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, - 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, - 0x0b, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x54, 0x0a, 0x0e, - 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, - 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x03, - 0xe0, 0x41, 0x02, 0x52, 0x0d, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x42, 0x88, 0x01, 0x0a, 0x1f, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, - 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x42, 0x0e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, - 0x74, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x39, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, - 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, - 0x2f, 0x76, 0x31, 0xea, 0x02, 0x17, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, - 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 
0x33, + 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x05, + 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x12, 0x68, 0x0a, 0x17, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, + 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, + 0x76, 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, + 0x4a, 0x0a, 0x06, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, + 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x6e, + 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, + 0x6e, 0x63, 0x65, 0x52, 0x06, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x12, 0x64, 0x0a, 0x15, 0x74, + 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x74, 0x69, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, + 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, + 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x14, 0x74, 0x69, 0x6d, + 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, + 0x73, 0x22, 0x79, 0x0a, 0x0d, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, + 0x69, 0x67, 0x12, 0x15, 0x0a, 
0x06, 0x63, 0x61, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x05, 0x63, 0x61, 0x55, 0x72, 0x6c, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x69, 0x64, + 0x63, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6f, 0x69, 0x64, + 0x63, 0x55, 0x72, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x75, 0x72, 0x6c, + 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x74, 0x6c, 0x6f, 0x67, 0x55, 0x72, 0x6c, + 0x73, 0x12, 0x19, 0x0a, 0x08, 0x74, 0x73, 0x61, 0x5f, 0x75, 0x72, 0x6c, 0x73, 0x18, 0x04, 0x20, + 0x03, 0x28, 0x09, 0x52, 0x07, 0x74, 0x73, 0x61, 0x55, 0x72, 0x6c, 0x73, 0x22, 0xd8, 0x01, 0x0a, + 0x11, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, + 0x69, 0x67, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, + 0x65, 0x12, 0x4e, 0x0a, 0x0c, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x5f, 0x72, 0x6f, 0x6f, + 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, + 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x42, + 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0b, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, + 0x74, 0x12, 0x54, 0x0a, 0x0e, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x63, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, + 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0d, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, + 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x88, 0x01, 0x0a, 
0x1f, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x74, + 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x42, 0x0e, 0x54, 0x72, 0x75, + 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x39, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, + 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x74, 0x72, 0x75, 0x73, + 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x17, 0x53, 0x69, 0x67, 0x73, 0x74, + 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x3a, 0x3a, + 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -621,28 +639,30 @@ var file_sigstore_trustroot_proto_goTypes = []interface{}{ (v1.HashAlgorithm)(0), // 5: dev.sigstore.common.v1.HashAlgorithm (*v1.PublicKey)(nil), // 6: dev.sigstore.common.v1.PublicKey (*v1.LogId)(nil), // 7: dev.sigstore.common.v1.LogId - (*v1.DistinguishedName)(nil), // 8: dev.sigstore.common.v1.DistinguishedName - (*v1.X509CertificateChain)(nil), // 9: dev.sigstore.common.v1.X509CertificateChain - (*v1.TimeRange)(nil), // 10: dev.sigstore.common.v1.TimeRange + (*v1.CheckpointKeyId)(nil), // 8: dev.sigstore.common.v1.CheckpointKeyId + (*v1.DistinguishedName)(nil), // 9: dev.sigstore.common.v1.DistinguishedName + (*v1.X509CertificateChain)(nil), // 10: dev.sigstore.common.v1.X509CertificateChain + (*v1.TimeRange)(nil), // 11: dev.sigstore.common.v1.TimeRange } var file_sigstore_trustroot_proto_depIdxs = []int32{ 5, // 0: dev.sigstore.trustroot.v1.TransparencyLogInstance.hash_algorithm:type_name -> dev.sigstore.common.v1.HashAlgorithm 6, // 1: dev.sigstore.trustroot.v1.TransparencyLogInstance.public_key:type_name -> dev.sigstore.common.v1.PublicKey 7, // 2: dev.sigstore.trustroot.v1.TransparencyLogInstance.log_id:type_name -> dev.sigstore.common.v1.LogId - 8, // 3: dev.sigstore.trustroot.v1.CertificateAuthority.subject:type_name -> dev.sigstore.common.v1.DistinguishedName - 9, // 4: dev.sigstore.trustroot.v1.CertificateAuthority.cert_chain:type_name -> dev.sigstore.common.v1.X509CertificateChain - 10, // 5: dev.sigstore.trustroot.v1.CertificateAuthority.valid_for:type_name -> dev.sigstore.common.v1.TimeRange - 0, // 6: dev.sigstore.trustroot.v1.TrustedRoot.tlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance - 1, // 7: dev.sigstore.trustroot.v1.TrustedRoot.certificate_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority - 0, // 8: dev.sigstore.trustroot.v1.TrustedRoot.ctlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance - 1, // 9: 
dev.sigstore.trustroot.v1.TrustedRoot.timestamp_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority - 2, // 10: dev.sigstore.trustroot.v1.ClientTrustConfig.trusted_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot - 3, // 11: dev.sigstore.trustroot.v1.ClientTrustConfig.signing_config:type_name -> dev.sigstore.trustroot.v1.SigningConfig - 12, // [12:12] is the sub-list for method output_type - 12, // [12:12] is the sub-list for method input_type - 12, // [12:12] is the sub-list for extension type_name - 12, // [12:12] is the sub-list for extension extendee - 0, // [0:12] is the sub-list for field type_name + 8, // 3: dev.sigstore.trustroot.v1.TransparencyLogInstance.checkpoint_key_id:type_name -> dev.sigstore.common.v1.CheckpointKeyId + 9, // 4: dev.sigstore.trustroot.v1.CertificateAuthority.subject:type_name -> dev.sigstore.common.v1.DistinguishedName + 10, // 5: dev.sigstore.trustroot.v1.CertificateAuthority.cert_chain:type_name -> dev.sigstore.common.v1.X509CertificateChain + 11, // 6: dev.sigstore.trustroot.v1.CertificateAuthority.valid_for:type_name -> dev.sigstore.common.v1.TimeRange + 0, // 7: dev.sigstore.trustroot.v1.TrustedRoot.tlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance + 1, // 8: dev.sigstore.trustroot.v1.TrustedRoot.certificate_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority + 0, // 9: dev.sigstore.trustroot.v1.TrustedRoot.ctlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance + 1, // 10: dev.sigstore.trustroot.v1.TrustedRoot.timestamp_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority + 2, // 11: dev.sigstore.trustroot.v1.ClientTrustConfig.trusted_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot + 3, // 12: dev.sigstore.trustroot.v1.ClientTrustConfig.signing_config:type_name -> dev.sigstore.trustroot.v1.SigningConfig + 13, // [13:13] is the sub-list for method output_type + 13, // [13:13] is the sub-list for method input_type + 13, // 
[13:13] is the sub-list for extension type_name + 13, // [13:13] is the sub-list for extension extendee + 0, // [0:13] is the sub-list for field type_name } func init() { file_sigstore_trustroot_proto_init() } diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py index 8caa8d69..98c97c26 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py @@ -150,6 +150,25 @@ class LogId(betterproto.Message): """ +@dataclass(eq=False, repr=False) +class CheckpointKeyId(betterproto.Message): + """ + The checkpoint key ID, following the specification described here for ECDSA + and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed- + note.md#signatures For RSA signatures, the key ID will match the ECDSA + format of the hashed DER-encoded SPKI public key. Publicly witnessed logs + MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA + signatures. This is provided for convenience. Clients can also calculate + the checkpoint key ID given the log's public key. + """ + + key_id: bytes = betterproto.bytes_field(1) + """ + The key ID in a checkpoint, as a prefix to the signature. SHOULD be 4 bytes + long, as a truncated hash. + """ + + @dataclass(eq=False, repr=False) class Rfc3161SignedTimestamp(betterproto.Message): """This message holds a RFC 3161 timestamp.""" diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py index 81f2c522..d45068f6 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py 
@@ -28,14 +28,17 @@ class KindVersion(betterproto.Message): @dataclass(eq=False, repr=False) class Checkpoint(betterproto.Message): """ - The checkpoint MUST contain a signature of the tree head (root hash), size - of the tree and the transparency log's unique identifier (log ID). It MAY - also be followed by any optional data. The result is a string, the format - is described here https://github.com/transparency- - dev/formats/blob/main/log/README.md The details are here https://github.com - /sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/sign - ed_note.go#L114 The signature has the same format as - InclusionPromise.signed_entry_timestamp. See below for more details. + The checkpoint MUST contain an origin string as a unique log identifier, + the tree size, and the root hash. It MAY also be followed by optional data, + and clients MUST NOT assume optional data. The checkpoint MUST also contain + a signature over the root hash (tree head). The checkpoint MAY contain + additional signatures, but the first SHOULD be the signature from the log. + Checkpoint contents are concatenated with newlines into a single string. + The checkpoint format is described in https://github.com/transparency- + dev/formats/blob/main/log/README.md and + https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example + implementation can be found in + https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go """ envelope: str = betterproto.string_field(1) diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py index 6a9cd168..581b4ba4 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py 
@@ -35,6 +35,14 @@ class TransparencyLogInstance(betterproto.Message): log_id: "__common_v1__.LogId" = betterproto.message_field(4) """The unique identifier for this transparency log.""" + checkpoint_key_id: "__common_v1__.CheckpointKeyId" = betterproto.message_field(5) + """ + The key identifier for the log used in the checkpoint. Optional, not + provided for logs that do not generate checkpoints. For logs that do + generate checkpoints, if not set, assume log_id equals checkpoint_key_id. + MUST be set for logs generating Ed25519 signatures. + """ + @dataclass(eq=False, repr=False) class CertificateAuthority(betterproto.Message): diff --git a/gen/pb-ruby/lib/sigstore_common_pb.rb b/gen/pb-ruby/lib/sigstore_common_pb.rb index 28e21f21..82354932 100644 --- a/gen/pb-ruby/lib/sigstore_common_pb.rb +++ b/gen/pb-ruby/lib/sigstore_common_pb.rb @@ -19,6 +19,9 @@ add_message "dev.sigstore.common.v1.LogId" do optional :key_id, :bytes, 1 end + add_message "dev.sigstore.common.v1.CheckpointKeyId" do + optional :key_id, :bytes, 1 + end add_message "dev.sigstore.common.v1.RFC3161SignedTimestamp" do optional :signed_timestamp, :bytes, 1 end 
@@ -102,6 +105,7 @@ module V1 HashOutput = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.HashOutput").msgclass MessageSignature = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.MessageSignature").msgclass LogId = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.LogId").msgclass + CheckpointKeyId = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.CheckpointKeyId").msgclass RFC3161SignedTimestamp = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.RFC3161SignedTimestamp").msgclass PublicKey = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.PublicKey").msgclass PublicKeyIdentifier = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.PublicKeyIdentifier").msgclass diff --git a/gen/pb-ruby/lib/sigstore_trustroot_pb.rb b/gen/pb-ruby/lib/sigstore_trustroot_pb.rb index d31a17fc..b3ee0a16 100644 --- a/gen/pb-ruby/lib/sigstore_trustroot_pb.rb +++ b/gen/pb-ruby/lib/sigstore_trustroot_pb.rb @@ -13,6 +13,7 @@ optional :hash_algorithm, :enum, 2, "dev.sigstore.common.v1.HashAlgorithm" optional :public_key, :message, 3, "dev.sigstore.common.v1.PublicKey" optional :log_id, :message, 4, "dev.sigstore.common.v1.LogId" + optional :checkpoint_key_id, :message, 5, "dev.sigstore.common.v1.CheckpointKeyId" end add_message "dev.sigstore.trustroot.v1.CertificateAuthority" do optional :subject, :message, 1, "dev.sigstore.common.v1.DistinguishedName" diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs index 6e5d37cc..8282a35b 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs 
@@ -62,6 +62,29 @@ pub struct LogId { #[prost(bytes = "vec", tag = "1")] pub key_id: ::prost::alloc::vec::Vec, } +/// The checkpoint key ID, following the specification described here +/// for ECDSA and Ed25519 signatures: +/// +/// For RSA signatures, the key ID will match the ECDSA format of the hashed +/// DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use +/// RSA-signed checkpoints, since witnesses do not support RSA signatures. +/// This is provided for convenience. Clients can also calculate the checkpoint +/// key ID given the log's public key. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.CheckpointKeyId")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct CheckpointKeyId { + /// The key ID in a checkpoint, as a prefix to the signature. SHOULD be + /// 4 bytes long, as a truncated hash. + #[prost(bytes = "vec", tag = "1")] + pub key_id: ::prost::alloc::vec::Vec, +} /// This message holds a RFC 3161 timestamp. #[derive( sigstore_protobuf_specs_derive::Deserialize_proto, diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs index 6147a67a..9fed5246 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs 
@@ -17,13 +17,16 @@ pub struct KindVersion { #[prost(string, tag = "2")] pub version: ::prost::alloc::string::String, } -/// The checkpoint MUST contain a signature of the tree head (root hash), -/// size of the tree and the transparency log's unique identifier (log ID). -/// It MAY also be followed by any optional data. The result is a string, -/// the format is described here -/// The details are here -/// The signature has the same format as -/// InclusionPromise.signed_entry_timestamp. See below for more details. +/// The checkpoint MUST contain an origin string as a unique log identifier, +/// the tree size, and the root hash. It MAY also be followed by optional data, +/// and clients MUST NOT assume optional data. The checkpoint MUST also contain +/// a signature over the root hash (tree head). The checkpoint MAY contain additional +/// signatures, but the first SHOULD be the signature from the log. Checkpoint contents +/// are concatenated with newlines into a single string. +/// The checkpoint format is described in +/// +/// and +/// An example implementation can be found in #[derive( sigstore_protobuf_specs_derive::Deserialize_proto, sigstore_protobuf_specs_derive::Serialize_proto diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs index ec3c66fe..466df943 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs 
@@ -27,6 +27,15 @@ pub struct TransparencyLogInstance { /// The unique identifier for this transparency log. #[prost(message, optional, tag = "4")] pub log_id: ::core::option::Option, + /// The key identifier for the log used in the checkpoint. + /// Optional, not provided for logs that do not generate checkpoints. + /// For logs that do generate checkpoints, if not set, assume + /// log_id equals checkpoint_key_id. + /// MUST be set for logs generating Ed25519 signatures. + #[prost(message, optional, tag = "5")] + pub checkpoint_key_id: ::core::option::Option< + super::super::common::v1::CheckpointKeyId, + >, } /// CertificateAuthority enlists the information required to identify which /// CA to use and perform signature verification. 
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin index ed9dbd16116b9096880d56ef0f90299935269d1e..8b0569132cb9eedf6d8b19a8c250dd2b79164ce8 100644 GIT binary patch delta 5805 zcmZu#4RBP|72dONck^-sS+azL1PqT~3FMcbK!`^2gPQOc0;s4MH=9SYW!YVJHy|C# zqS#Taf^kE#TWvu4jqLzt)U31Evwm zY8o5OZAM3Xm9ZffiNv;sqy0t-0?D`;3U3I9f~jyUYV?`OP$JxG_89|a!W58A7)#pP zSGO3!XrHm9Z_fPr^^Ha{+#e051`}p-kuU~Qsd#cxt#xWGjY_x8S>07D|MW&;y|tTy z;b<*On|;;MSjw!~)HgM!ER5Sh-wpEIvnuJ7a@E)xjzo-2!Bl8KK2?suB|I`>8|1Tr zU~<6h6Gr=z?rJld4#oQ5`|7Tx9Y%bxHxdrrWcX*REb; ztXR3m7))Zb@T6KfdtKO)Rq!qvGP9~lqc3J)Ge&YS9*-qb*KZ(%kkkkSKAbf0Kc0wf z39~~S#!xJ}#f*kcaMc)X5&TFcjZiRZ1S829endipkzmS{yULxKu#e5?4?~+5tyOo? z*t94Rnn$C6XFutsVyp0YG`B0@IY4@Ad03vj9m6mTT(_MnBbda4c*5Kee#l70q`7SP zYmC)*u3WpU-RMO)<{7=)Qf3m7iuT)Tsl;FunPT<@4Gw&b5Tk{cEqkTu(GG-P2dJ>v zff~co@eb4(mbHj6LT6q5pe{WxUn~|Pg*^e^5V>Bkjx^BRVh@;xNUsn-C2Y~dTO777 zH_*dr{D#qC(v?v_hz?U>g|q?)qr)_LiUVPEn5Hh3MzN}l4%4(wF$zY#0pB5V{fbD& z)eEXaq!)=0jC$GVQPQWEueGy`lgzrjfL69*%_A4bNHc)&=_nPII1offsnl>Fd^$=~ zr-=^9i^Z3$pDd&$bG>fz0g$d@1juVtHqBNfD858D&lGE`O=_x8H6|+E^7x2AKuHRVSG|}{Q9t2R8LcBnIjAvr)lC%4#a7mri$C;X+l_?=4qO=L@a_6dcb#v zT)(sS-$L`#I+)IoK3O`UvlC|-apD3YT!1R(992xRRk8Rs>67e5_6X2Xz-LC%?_F}eZ+j#l`Ysoe z8XS~hkIwIJrdetH1m}5Ymw*sFPlct@A|Tv3Pvy!xKpe|?n%FLng`s@2&(lq9Y}4xw z_&y-lpOj7Hc);@kdF57+#<2Mz=?zTG2#X(5TCaC7QvO4lH=p;7WvqTgdca=fjRMM( z;6=!OL}Q99(-I{qDJ(I=*$C3u| zPiS0;3}HdQ_bIu)utQh?;!n9!ajqBec0MD$ip?-WngOa}1PIyBXzI<*Dy)7+vu2Az zRz)%NeNOscC|@lX>n#2`6_$uDNey(t>RL?8<`%g5$S=?sRc`=!jY`#P0tn&@WK0(I zQW4HywBBD#)$~M76mRs3Ro6;iwc|Hl=_}4F4TxP|p(2&pfY7``ldI*n0Ab?_)zyo$Y-4o5_Z_*u zx7N4O>GWtwe#iBfV>y~lTy*38LvTJFhzX1*G|9_7(%tvmC; zQmS(M|K`O$z)|C>qw>$a)`8_zu_9{365)O{;bbboBbV&HgVFHjL6b)i1LHw7h55@& zR0-LOQwbA8S@_2$S}sN|9?=ppOdGP_T9qqkVmcP*SuGeb`huw-)L1TL4;0ynCYVeP zZZeG{)k0W7}h|R8^(;-7Bg|92gb})A`J%z%wS*T59wOg@tDIzMzF6h ztlShiMhsKEgDFY5A)H92a^r@4mYqY44T;z$`3Nz>w3HiSK_5!-=mbv_7;gbFk6;?b 
zl!f7Lz=)b#BVo*V28QLB+)cDUf{4oS%h~LPq1c`#F|6fAUxdN>^;#;nUR*(QG(=aT z?zaCk+os@Ob#7Y2dOUAiNG*t-b^a?q%R*ROlcG*7{2wqyeEg+mbpE zYO^0x7xZLp)@pBR8zuJg3y9({&$Yy=>!Q7d^YjwY4qIH6wFc|GF1o#=0ri!MWNp?O z&;o1(BMr6@tiecwZG;gw0IdP_|3{Jz?loHXucAmtW0sCL*O;ZlOQ$tv=}>vK#w;Bv zx<=5glyvTZ)?^iR)2hy#H%Et%upG=}bJ zL6uM&)DYnoOmsE^eG3Y#jaUQq)kdIinbIjEj1sEoTc&o1$GKGUq^7l7#cSw^&UPH8 z(m}z{+Q&M4xW8%bSw74$T6>nyqxjmv_cB)+RHs$0)tSGpp_kp}DvU6k9efGUy7g|! zF6VL}b#Oqi)m=EvS%a-^jDqY3PvJn7tEBIYJopzJb;C5mAH?d z?=bbTwhrfsSv$cH6j$Y5j%j z96fH0MeK6~0$sm-j*R5C`*Dt6sY?y=B4T}WKV6y~k+U*8#CZ`Zn`Jx1c@e3u5r>ol zGBR%I573d$INns{Gwv)}ymW?xpb)Qg)V**ZK6|yjAFpyCUeztm<;e}95AMo*`vAS8 zP1@zmdLB1l33gGTYTtlJxLuhGz2vWOKe5cZvXi3j_uW?TVY)Uhuv!%5s$dVUo;~3{ z>$i8{YsNnwAyJVl;7iSI9ev&YoG>0_);&U7Jo)e4rn>4$)m5$P-Sji6%beOxbG7ty z{D!*t6+-PRf6AS`;^rEtyk&F0;-zA)WoMEm@@8fCSt~R;suI zK|5JLN4&&WX(&EM)S#1s4JFC(pNdAfJHA zhNuEN369thDYBDhG&vA&|4wSYO?=7egU^hQk?V-14bc~49wU96IL3QL;|O^6WxgGv z<5aWHxrxfgEHznRtT_M8lRnmi58&bhgII=^&&Yi!jTuJCK2n#W&4& zl@7+0A?wUAoxc^Ihtw7{d8rwqB1eabhiJUIDPR>8Lo{u=xU47u4_oiOKwmc>&QYM- zdk*I)_zT-%8n0@g#t{WXpE$`;z?Z6HK`hvD{6Nc~e;j`}=r{`2`lBs<+YdnYI5AH6Sp?OC z6m0OI$#C)%584c;E*F);W@UTCW-gkxOq9c^6$%_8-_t~*OqiAhszYQ~iA`{7vD3q3 zPp@0=bak(pl}K;O3?}5aw^Q#D$SftSRBiwf(_yNr@gRr}Q`qq!VmeGyr->fL3*l38 z_af?!S_TCG$e!S863eJ|ng?O{6wSO%tW$u`jG}%E# z3JBfPR59LzAU#brVbKKAKq&Ac`TipR(?QdR15kXClPU*ifH}{QeYY|LLg0Wpa6tGt zDR$GgLp(gQ(^iYPd^P6Uw@pXJ}HlxE(>1gaT*DSCCKMN%MzGz;u@E z$ts8v4&r4-+%!NqE1lY=P0NT1rVm^ z_)vzqz3fonRr3AKZ7&Xl;(@HL`V&0D%@zpEV$KU!#g!RYZWGeT^C>xuy`l zPWB{M$Pod0rX11hw4g%wf~`V&ohCNG*04%Lf%D{h(~YPUs^`fLi&hk>lq0$z%}#0> z#@`^l;H3!&%?lI^E0=(X=K|H~@BmSl3sm2w>cUXnvI{hEDLeHWp}G8 zU*+OA*y$y*+nAUUgqLX8j(8Y7e~ISJ=foj~^ewVOu8=bYRHa}cbl;-NDpwciA8wyP z$fkg0uBoAMniCNh*++RO@HP3qkq_QQ=ZDLo`85woi55B_LR@^I2+B2yc)bRW8d7LVSRF<^Y1}230kAQl;G7Dr&iC5QFLl zMdl6!9?E9&nW%WBy>RYsy4NcGEUMqFJ^XI1Hwy8U)M8YeL!tTUX!gybx=~AxtfB_P z$;p3ipxO=2ZP`pF?`)0dwl=m1Czsrna59^n{MLk%&n6O1JU!@wcsln`Jd0=MVP`0_ 
zWoFLVo=*N`d%{T$Cer!j=42x4+y;Tu)7982q`jKz7sk^MJDG>_$xJ#v7Q*lV-iyNs{_AH<>`Q#d!Tg_I3iF`ac1eiZ~ZfB^;MMo)b<_dehMM z90FSp)^C^HbJxQW@B~4qFBOnHE~uY{rEvL+J^nH(Ts(6w}YZ&nW02 zD7I9DJ!Ar55V@K*5av(?UVGT7Ib^m>Tv{&nbF<+hM0`u+muqQ%Fk;t;F8JaJWJcxQ zb#zxx6tjeh)EqLS7~Gc;WcbdMW~ z56T^dO+TPYx~~H_LMLeAggdalxCrze7$z=a3(OK1fxctPGIhcj7n;6fYL9r7#{#b< zW~Y321O0YcCyJ?Ua5>D*@g5&GJ+rgOhd0vfEb>{JuM>PP_)#$2#Ff5Pg`@Y;3&!wD zyw}_vybhYZ_8P^m_CX+BIJFL%y}@ao48D4?_i!A%{Q)(uR3sI#!h1iYHY4}|M&KGm!TX`vCoB7DT~D9u9={>gKDRPJ zaNp-v1_ z8^|rFQ*yCLrZk&N?UTm0;8)pD(sf)ljF#TSa&uyH687ssJ z6&`d4Wz~bUvUjkUE!K2%FsKV_878Z^g#`lLpj%i*D%(L6_A71_iyI|r&#wD~G-k~F0qati>#Rn&+rfoQjMOu zAEBh0*SeYcbttKpHRA0O6$+k%-Gvth=pA#?Zg1tW4BldQQ_x%D1L(!w1-Y3j8jLUR zktg?3+WH@fuzcg!6qb=k=(EC>Us2vF{k~m463^>LLN0ua_63@#?x^7?-NI*&QP?co z%L556T7BJe`9aznY(--w5RV#u5&7vs+R_}c=ctVE8}f@pVje<%kwxv|H+-i_je|nw z2`Z!JSaD8r@5Czf9fS%jVpw3V@(~g@N4q@!2l}|V9j_!GA%25F`@9Yh!Jxf!iTFgj z0O~57I7Az%xy#lUiVUuQSL0mQg6rQkzfBaz=~0{T{j4xsQXx>CKm&fS=L0UyHoKwj zJCc3Bq#4pVLLWD6b7R(HcUuK-$Z80Ka2u9?-cD6?Dd`-gIUT9u+`>z4rmA!}&_FmT zJdWC$GfqY3ij(|hg9R{T?y#5CJ!Q(wF=~*P-zB?n_9zWgY)6p}Us2|cs_8BPpT~|F zcX$YNI~I3}4#ftrQ*Jv(i(@;B)+VfX7K7ol+1aQsD{dMa%#DhL${M}DOMZTgB3(LE z%pP-Bkp~}B=B{ECd=qxfSmZ{*H(^)Do#G4b9(*$IA>UEC@z3;mI-iLu2jn+P@xJ9i!fN1D_G@(|!$(1pYt#v>)AE%402X5NnNUZ~e*Opf! z=)mRx@BQy-8$75|)}NrucSvu&GS!MHsmilqVo4M9-UcZsBu$$xZfFX?BXZ_*^skO1 zH!1KQSx0VC@P7v!p$YmbntYgm7+inlQ@}U;v*deTu02UFRX@w$SG+D`z=o_7*vspd z=uW$HlxEJt5Bf6+VsM@y^crUd2+kAyrO6e-I1O2&@`+Jev~rZtyjq73W0WvHT?ms= z4#S1`2pS~}Q2wt5Zy@6rOi=yZkHZ?1^`~h0;xVq3wqj3XRO6BG>5TE0x+?|e7~#p% QoO&o*V}<8V(HB$x506!AGynhq diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts index 9f0601b0..72cd53d4 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_common.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts 
@@ -341,6 +341,24 @@ export interface LogId { keyId: Buffer; } +/** + * The checkpoint key ID, following the specification described here + * for ECDSA and Ed25519 signatures: + * https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures + * For RSA signatures, the key ID will match the ECDSA format of the hashed + * DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use + * RSA-signed checkpoints, since witnesses do not support RSA signatures. + * This is provided for convenience. Clients can also calculate the checkpoint + * key ID given the log's public key. + */ +export interface CheckpointKeyId { + /** + * The key ID in a checkpoint, as a prefix to the signature. SHOULD be + * 4 bytes long, as a truncated hash. + */ + keyId: Buffer; +} + /** This message holds a RFC 3161 timestamp. */ export interface RFC3161SignedTimestamp { /** @@ -498,6 +516,23 @@ export const LogId = { }, }; +function createBaseCheckpointKeyId(): CheckpointKeyId { + return { keyId: Buffer.alloc(0) }; +} + +export const CheckpointKeyId = { + fromJSON(object: any): CheckpointKeyId { + return { keyId: isSet(object.keyId) ? Buffer.from(bytesFromBase64(object.keyId)) : Buffer.alloc(0) }; + }, + + toJSON(message: CheckpointKeyId): unknown { + const obj: any = {}; + message.keyId !== undefined && + (obj.keyId = base64FromBytes(message.keyId !== undefined ? message.keyId : Buffer.alloc(0))); + return obj; + }, +}; + function createBaseRFC3161SignedTimestamp(): RFC3161SignedTimestamp { return { signedTimestamp: Buffer.alloc(0) }; } diff --git a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts index 8ff7d451..d33b5933 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts 
@@ -13,13 +13,16 @@ export interface KindVersion { } /** - * The checkpoint MUST contain a signature of the tree head (root hash), - * size of the tree and the transparency log's unique identifier (log ID). - * It MAY also be followed by any optional data. The result is a string, - * the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md - * The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 - * The signature has the same format as - * InclusionPromise.signed_entry_timestamp. See below for more details. + * The checkpoint MUST contain an origin string as a unique log identifier, + * the tree size, and the root hash. It MAY also be followed by optional data, + * and clients MUST NOT assume optional data. The checkpoint MUST also contain + * a signature over the root hash (tree head). The checkpoint MAY contain additional + * signatures, but the first SHOULD be the signature from the log. Checkpoint contents + * are concatenated with newlines into a single string. + * The checkpoint format is described in + * https://github.com/transparency-dev/formats/blob/main/log/README.md + * and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. + * An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go */ export interface Checkpoint { envelope: string; diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts index 5fb262d4..4dac5666 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts @@ -1,5 +1,6 @@ /* eslint-disable */ import { + CheckpointKeyId, DistinguishedName, HashAlgorithm, hashAlgorithmFromJSON, 
@@ -31,7 +32,17 @@ export interface TransparencyLogInstance { | PublicKey | undefined; /** The unique identifier for this transparency log. */ - logId: LogId | undefined; + logId: + | LogId + | undefined; + /** + * The key identifier for the log used in the checkpoint. + * Optional, not provided for logs that do not generate checkpoints. + * For logs that do generate checkpoints, if not set, assume + * log_id equals checkpoint_key_id. + * MUST be set for logs generating Ed25519 signatures. + */ + checkpointKeyId: CheckpointKeyId | undefined; } /** @@ -194,7 +205,7 @@ export interface ClientTrustConfig { } function createBaseTransparencyLogInstance(): TransparencyLogInstance { - return { baseUrl: "", hashAlgorithm: 0, publicKey: undefined, logId: undefined }; + return { baseUrl: "", hashAlgorithm: 0, publicKey: undefined, logId: undefined, checkpointKeyId: undefined }; } export const TransparencyLogInstance = { @@ -204,6 +215,7 @@ export const TransparencyLogInstance = { hashAlgorithm: isSet(object.hashAlgorithm) ? hashAlgorithmFromJSON(object.hashAlgorithm) : 0, publicKey: isSet(object.publicKey) ? PublicKey.fromJSON(object.publicKey) : undefined, logId: isSet(object.logId) ? LogId.fromJSON(object.logId) : undefined, + checkpointKeyId: isSet(object.checkpointKeyId) ? CheckpointKeyId.fromJSON(object.checkpointKeyId) : undefined, }; }, @@ -214,6 +226,8 @@ export const TransparencyLogInstance = { message.publicKey !== undefined && (obj.publicKey = message.publicKey ? PublicKey.toJSON(message.publicKey) : undefined); message.logId !== undefined && (obj.logId = message.logId ? LogId.toJSON(message.logId) : undefined); + message.checkpointKeyId !== undefined && + (obj.checkpointKeyId = message.checkpointKeyId ? CheckpointKeyId.toJSON(message.checkpointKeyId) : undefined); return obj; }, }; diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto index d3d538a6..9eaf9b21 100644 --- a/protos/sigstore_common.proto +++ b/protos/sigstore_common.proto 
@@ -140,6 +140,20 @@ message LogId { bytes key_id = 1 [(google.api.field_behavior) = REQUIRED]; } +// The checkpoint key ID, following the specification described here +// for ECDSA and Ed25519 signatures: +// https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures +// For RSA signatures, the key ID will match the ECDSA format of the hashed +// DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use +// RSA-signed checkpoints, since witnesses do not support RSA signatures. +// This is provided for convenience. Clients can also calculate the checkpoint +// key ID given the log's public key. +message CheckpointKeyId { + // The key ID in a checkpoint, as a prefix to the signature. SHOULD be + // 4 bytes long, as a truncated hash. + bytes key_id = 1 [(google.api.field_behavior) = REQUIRED]; +} + // This message holds a RFC 3161 timestamp. message RFC3161SignedTimestamp { // Signed timestamp is the DER encoded TimeStampResponse. diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto index 2eca88f7..424ff40c 100644 --- a/protos/sigstore_rekor.proto +++ b/protos/sigstore_rekor.proto 
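Review bot: The CheckpointKeyId.key_id comment describes a 4-byte truncated hash but never says what a key ID match does and does not establish; at that length it is only a selector for which trusted key to try, and the comment should state that authentication of the checkpoint still rests on the configured public key. I'd extend the `key_id` comment with `// A matching key ID only selects which trusted public key to try; it does not` / `// authenticate the checkpoint. Clients MUST verify the signature against the` / `// public key configured in the trust root.` Related wording elsewhere in this commit is imprecise: the companion comment on TransparencyLogInstance.checkpoint_key_id in sigstore_trustroot.proto (that hunk runs past this view) and its generated Python, Rust and TypeScript copies say to "assume log_id equals checkpoint_key_id", which for a truncated key ID can only hold as a prefix relation unless log_id is itself truncated, so "the first 4 bytes of log_id" or whatever the intended relation is would be more precise. Finally, the field is marked REQUIRED while the length is only a SHOULD, so one sentence on how a client should treat a key_id that is not 4 bytes would close that gap.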
@@ -34,13 +34,16 @@ message KindVersion { string version = 2 [(google.api.field_behavior) = REQUIRED]; } -// The checkpoint MUST contain a signature of the tree head (root hash), -// size of the tree and the transparency log's unique identifier (log ID). -// It MAY also be followed by any optional data. The result is a string, -// the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md -// The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 -// The signature has the same format as -// InclusionPromise.signed_entry_timestamp. See below for more details. +// The checkpoint MUST contain an origin string as a unique log identifier, +// the tree size, and the root hash. It MAY also be followed by optional data, +// and clients MUST NOT assume optional data. The checkpoint MUST also contain +// a signature over the root hash (tree head). The checkpoint MAY contain additional +// signatures, but the first SHOULD be the signature from the log. Checkpoint contents +// are concatenated with newlines into a single string. +// The checkpoint format is described in +// https://github.com/transparency-dev/formats/blob/main/log/README.md +// and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. +// An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go message Checkpoint { string envelope = 1 [(google.api.field_behavior) = REQUIRED]; } diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto index 755da4b8..598f7015 100644 --- a/protos/sigstore_trustroot.proto +++ b/protos/sigstore_trustroot.proto 
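Review bot: The rewritten Checkpoint comment says the first signature SHOULD be the log's, which invites clients to pick a signature by position; since each signature line carries a key ID (this commit's CheckpointKeyId comment describes it as a prefix to the signature), the comment should direct clients to select the log's signature by that identity and verify it with the trusted public key, treating position as incidental. I'd add after "the first SHOULD be the signature from the log.": `// Clients SHOULD locate the log's signature by its key ID rather than by position,` / `// and MUST verify it with the public key from the trust root.` "clients MUST NOT assume optional data" is also ambiguous as written — it is unclear whether clients must not assume it is present or must not rely on its contents — so spelling out the intended reading would help, and the same text is duplicated in the generated Rust and TypeScript copies earlier in this commit.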
@@ -40,6 +40,12 @@ message TransparencyLogInstance { dev.sigstore.common.v1.PublicKey public_key = 3; // The unique identifier for this transparency log. dev.sigstore.common.v1.LogId log_id = 4; + // The key identifier for the log used in the checkpoint. + // Optional, not provided for logs that do not generate checkpoints. + // For logs that do generate checkpoints, if not set, assume + // log_id equals checkpoint_key_id. + // MUST be set for logs generating Ed25519 signatures. + dev.sigstore.common.v1.CheckpointKeyId checkpoint_key_id = 5; } // CertificateAuthority enlists the information required to identify which