Support DSSE signature extension for Sigstore

DSSE is adding support for signature extensions where a signature can include signing-ecosystem specific information for each signature. The first extension is for Sigstore. This commit allows for using VerificationMaterial as the structure for the DSSE extension. Signed-off-by: Aditya Sirish <[email protected]>
sigstore · Oct 30, 2023 · f290fc8 · f290fc8
1 parent 8a6fd59
commit f290fc8
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
@@ -48,7 +48,14 @@ message TimestampVerificationData {
 }
 
 // VerificationMaterial captures details on the materials used to verify
-// signatures.
+// signatures. This message may be embedded in a DSSE envelope as a signature
+// extension. Specifically, the `ext` field of the extension will expect this
+// message when the signature extension is for Sigstore. This is identified by
+// the `kind` field in the extension, which must be set to
+// application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
+// When used as a DSSE extension, if the `public_key` field is used to indicate
+// the key identifier, it MUST match the `keyid` field of the signature the
+// extension is attached to.
 message VerificationMaterial {
         oneof content {
                 dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED];