From d96fa4407cb4489233f133ab036c0ed98c2756a4 Mon Sep 17 00:00:00 2001
From: Aditya Sirish <8928778+adityasaky@users.noreply.github.com>
Date: Mon, 8 Jan 2024 03:05:30 -0500
Subject: [PATCH] Support DSSE signature extension for Sigstore (#145)

DSSE is adding support for signature extensions where a signature can include signing-ecosystem specific information for each signature. The first extension is for Sigstore. This commit allows for using VerificationMaterial as the structure for the DSSE extension.

Signed-off-by: Aditya Sirish
---
 gen/jsonschema/schemas/Bundle.schema.json | 2 +-
 gen/jsonschema/schemas/Input.schema.json | 2 +-
 gen/jsonschema/schemas/VerificationMaterial.schema.json | 2 +-
 gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 9 ++++++++-
 .../dev/sigstore/bundle/v1/__init__.py | 9 ++++++++-
 gen/pb-rust/schemas/Bundle.schema.json | 2 +-
 gen/pb-rust/schemas/Input.schema.json | 2 +-
 gen/pb-rust/schemas/VerificationMaterial.schema.json | 2 +-
 gen/pb-typescript/src/__generated__/sigstore_bundle.ts | 9 ++++++++-
 protos/sigstore_bundle.proto | 9 ++++++++-
 10 files changed, 38 insertions(+), 10 deletions(-)

diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
index 86d3179d..fb44fade 100644
--- a/gen/jsonschema/schemas/Bundle.schema.json
+++ b/gen/jsonschema/schemas/Bundle.schema.json
@@ -94,7 +94,7 @@
 }
 ],
 "title": "Verification Material",
-"description": "VerificationMaterial captures details on the materials used to verify signatures."
+"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
 },
 "dev.sigstore.common.v1.HashOutput": {
 "properties": {
diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
index c8a8c353..b5fe5060 100644
--- a/gen/jsonschema/schemas/Input.schema.json
+++ b/gen/jsonschema/schemas/Input.schema.json
@@ -127,7 +127,7 @@
 }
 ],
 "title": "Verification Material",
-"description": "VerificationMaterial captures details on the materials used to verify signatures."
+"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
 },
 "dev.sigstore.common.v1.DistinguishedName": {
 "properties": {
diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json
index 4657bc35..0a742626 100644
--- a/gen/jsonschema/schemas/VerificationMaterial.schema.json
+++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json
@@ -41,7 +41,7 @@
 }
 ],
 "title": "Verification Material",
-"description": "VerificationMaterial captures details on the materials used to verify signatures."
+"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
 },
 "dev.sigstore.bundle.v1.TimestampVerificationData": {
 "properties": {
diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
index e93ed477..75db040c 100644
--- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
+++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
@@ -94,7 +94,14 @@ func (x *TimestampVerificationData) GetRfc3161Timestamps() []*v1.RFC3161SignedTi
 }
 
 // VerificationMaterial captures details on the materials used to verify
-// signatures.
+// signatures. This message may be embedded in a DSSE envelope as a signature
+// extension. Specifically, the `ext` field of the extension will expect this
+// message when the signature extension is for Sigstore. This is identified by
+// the `kind` field in the extension, which must be set to
+// application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
+// When used as a DSSE extension, if the `public_key` field is used to indicate
+// the key identifier, it MUST match the `keyid` field of the signature the
+// extension is attached to.
 type VerificationMaterial struct {
 	state protoimpl.MessageState
 	sizeCache protoimpl.SizeCache
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
index 536eb8af..60016c56 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
@@ -34,7 +34,14 @@ class TimestampVerificationData(betterproto.Message):
 class VerificationMaterial(betterproto.Message):
     """
     VerificationMaterial captures details on the materials used to verify
-    signatures.
+    signatures. This message may be embedded in a DSSE envelope as a signature
+    extension. Specifically, the `ext` field of the extension will expect this
+    message when the signature extension is for Sigstore. This is identified by
+    the `kind` field in the extension, which must be set to
+    application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
+    When used as a DSSE extension, if the `public_key` field is used to
+    indicate the key identifier, it MUST match the `keyid` field of the
+    signature the extension is attached to.
     """
 
     public_key: "__common_v1__.PublicKeyIdentifier" = betterproto.message_field(
diff --git a/gen/pb-rust/schemas/Bundle.schema.json b/gen/pb-rust/schemas/Bundle.schema.json
index 86d3179d..fb44fade 100644
--- a/gen/pb-rust/schemas/Bundle.schema.json
+++ b/gen/pb-rust/schemas/Bundle.schema.json
@@ -94,7 +94,7 @@
 }
 ],
 "title": "Verification Material",
-"description": "VerificationMaterial captures details on the materials used to verify signatures."
+"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
 },
 "dev.sigstore.common.v1.HashOutput": {
 "properties": {
diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json
index c8a8c353..b5fe5060 100644
--- a/gen/pb-rust/schemas/Input.schema.json
+++ b/gen/pb-rust/schemas/Input.schema.json
@@ -127,7 +127,7 @@
 }
 ],
 "title": "Verification Material",
-"description": "VerificationMaterial captures details on the materials used to verify signatures."
+"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
 },
 "dev.sigstore.common.v1.DistinguishedName": {
 "properties": {
diff --git a/gen/pb-rust/schemas/VerificationMaterial.schema.json b/gen/pb-rust/schemas/VerificationMaterial.schema.json
index 4657bc35..0a742626 100644
--- a/gen/pb-rust/schemas/VerificationMaterial.schema.json
+++ b/gen/pb-rust/schemas/VerificationMaterial.schema.json
@@ -41,7 +41,7 @@
 }
 ],
 "title": "Verification Material",
-"description": "VerificationMaterial captures details on the materials used to verify signatures."
+"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
 },
 "dev.sigstore.bundle.v1.TimestampVerificationData": {
 "properties": {
diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts
index 576ac586..33e69c6b 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts
@@ -21,7 +21,14 @@ export interface TimestampVerificationData {
 
 /**
  * VerificationMaterial captures details on the materials used to verify
- * signatures.
+ * signatures. This message may be embedded in a DSSE envelope as a signature
+ * extension. Specifically, the `ext` field of the extension will expect this
+ * message when the signature extension is for Sigstore. This is identified by
+ * the `kind` field in the extension, which must be set to
+ * application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
+ * When used as a DSSE extension, if the `public_key` field is used to indicate
+ * the key identifier, it MUST match the `keyid` field of the signature the
+ * extension is attached to.
  */
 export interface VerificationMaterial {
   content?:
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
index 08d78a86..3d4c5e0f 100644
--- a/protos/sigstore_bundle.proto
+++ b/protos/sigstore_bundle.proto
@@ -48,7 +48,14 @@ message TimestampVerificationData {
 }
 
 // VerificationMaterial captures details on the materials used to verify
-// signatures. 
+// signatures. This message may be embedded in a DSSE envelope as a signature
+// extension. Specifically, the `ext` field of the extension will expect this
+// message when the signature extension is for Sigstore. This is identified by
+// the `kind` field in the extension, which must be set to
+// application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
+// When used as a DSSE extension, if the `public_key` field is used to indicate
+// the key identifier, it MUST match the `keyid` field of the signature the
+// extension is attached to.
 message VerificationMaterial {
   oneof content {
     dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED];
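Review bot: The new comment on `VerificationMaterial` states the `kind` value and that `public_key` MUST match the signature's `keyid`, but it does not say what a verifier does on a mismatch or how the message is encoded inside `ext`, so two implementations can read this hunk and still disagree. I would add a sentence such as `// Verifiers MUST treat a key identifier mismatch as a verification failure for the signature the extension is attached to.` and one naming the encoding used for the message inside `ext` (presumably the same JSON encoding used for bundles elsewhere in this repository — confirm before wording it). The requirement is also stated only for the `public_key` variant of the `content` oneof, which continues past the end of the hunk; saying whether a `keyid` present alongside certificate-based content is bound to it, or must be ignored, would close that gap. The generated copies in the other hunks of this patch (the JSON schemas, the Go, Python and TypeScript bindings) inherit whatever wording lands here, so the fix belongs in this file only.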