Clairified that a DSSE envelope in a sigstore bundle MUST have exactly

one signature.
sigstore · May 9, 2024 · da32cef · da32cef
1 parent 0a028ad
commit da32cef
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 3 deletions.
diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
@@ -20,7 +20,7 @@
                 "dsseEnvelope": {
                     "$ref": "#/definitions/io.intoto.Envelope",
                     "additionalProperties": false,
-                    "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e"
+                    "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e DSSE envelopes in a bundle MUST have exactly one signture. This is a limitation from the DSSE spec, as it can contain multiple signatures. There are two primary reasons: 1. It simplfies the verification logic and policy 2. The bundle (currently) can only contain a single    instance of the required verification materials During verification a client MUST reject an envelope if it the number of signatures is not equal to one."
                 }
             },
             "additionalProperties": false,

diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
@@ -53,7 +53,7 @@
                 "dsseEnvelope": {
                     "$ref": "#/definitions/io.intoto.Envelope",
                     "additionalProperties": false,
-                    "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e"
+                    "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e DSSE envelopes in a bundle MUST have exactly one signture. This is a limitation from the DSSE spec, as it can contain multiple signatures. There are two primary reasons: 1. It simplfies the verification logic and policy 2. The bundle (currently) can only contain a single    instance of the required verification materials During verification a client MUST reject an envelope if it the number of signatures is not equal to one."
                 }
             },
             "additionalProperties": false,

diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs
@@ -190,6 +190,14 @@ pub mod bundle {
         /// supported and expected type. This is part of the DSSE
         /// protocol which is defined here:
         /// <<https://github.com/secure-systems-lab/dsse/blob/master/protocol.md>>
+        /// DSSE envelopes in a bundle MUST have exactly one signture.
+        /// This is a limitation from the DSSE spec, as it can contain
+        /// multiple signatures. There are two primary reasons:
+        /// 1. It simplfies the verification logic and policy
+        /// 2. The bundle (currently) can only contain a single
+        ///     instance of the required verification materials
+        /// During verification a client MUST reject an envelope if
+        /// it the number of signatures is not equal to one.
         #[prost(message, tag = "4")]
         DsseEnvelope(super::super::super::super::super::io::intoto::Envelope),
     }

diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
@@ -134,6 +134,14 @@ message Bundle {
                 // supported and expected type. This is part of the DSSE
                 // protocol which is defined here:
                 // <https://github.com/secure-systems-lab/dsse/blob/master/protocol.md>
+                // DSSE envelopes in a bundle MUST have exactly one signture.
+                // This is a limitation from the DSSE spec, as it can contain
+                // multiple signatures. There are two primary reasons:
+                // 1. It simplfies the verification logic and policy
+                // 2. The bundle (currently) can only contain a single
+                //    instance of the required verification materials
+                // During verification a client MUST reject an envelope if
+                // it the number of signatures is not equal to one.
                 io.intoto.Envelope dsse_envelope = 4 [(google.api.field_behavior) = REQUIRED];
         }
         // Reserved for future additions of artifact types.