Add definition for Sigstore's DSSE signature extension #145
Conversation
haydentherapper
requested review from
znewman01,
woodruffw and
kommendorkapten
|
cc @jku @loosebazooka @TomHennen too |
adityasaky
force-pushed
the
add-dsse-extension
branch
from
da3855a to
556a36d
Compare
adityasaky
force-pushed
the
add-dsse-extension
branch
from
556a36d to
f290fc8
Compare
|
I've re-emphasized that the public_key field must match the keyid in the dsse signature per #148. I've also cleaned up my commits etc. |
There was a problem hiding this comment.
I'm good with this! Thanks for all the discussion (and patience) on this. Tagging a few more maintainers: @woodruffw @kommendorkapten @mnm678 @bdehamer
|
@adityasaky Not sure why the tests didn't catch this, but can you run |
DSSE is adding support for signature extensions where a signature can include signing-ecosystem specific information for each signature. The first extension is for Sigstore. This commit allows for using VerificationMaterial as the structure for the DSSE extension. Signed-off-by: Aditya Sirish <[email protected]>
adityasaky
force-pushed
the
add-dsse-extension
branch
from
f290fc8 to
6e53809
Compare
|
Done! |
| // signatures. This message may be embedded in a DSSE envelope as a signature | ||
| // extension. Specifically, the `ext` field of the extension will expect this | ||
| // message when the signature extension is for Sigstore. This is identified by | ||
| // the `kind` field in the extension, which must be set to | ||
| // application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. | ||
| // When used as a DSSE extension, if the `public_key` field is used to indicate | ||
| // the key identifier, it MUST match the `keyid` field of the signature the | ||
| // extension is attached to. |
There was a problem hiding this comment.
Just to make sure I'm not missing anything: this is the PR's only change, right? I don't see any protobuf definition changes 🙂
There was a problem hiding this comment.
Yes, the doc is the only change. This PR originally proposed a new message that was a subset of verification materials, but the feedback was to just use verification materials directly. The doc change unblocks secure-systems-lab/dsse#61 which introduces the sigstore DSSE extension.
the doc change doesn't seem actionable to a Sigstore client implementer
WRT a sigstore client, it's a question of whether it will support a DSSE envelope that uses the signature extension as an input to signature verification. See: sigstore/sig-clients#9 and the follow up sigstore/sig-clients#9 (comment).
Summary
Addresses sigstore/sig-clients#9
This PR adds a definition for Sigstore's DSSE signature extension. The definition is a subset of the current VerificationMaterials message, omitting the option for a key ID in place of the cert chain. This is because the sigstore signature extension in a DSSE signature must only be used to communicate the intermediate certs and timestamp / tlog info.
secure-systems-lab/dsse#61 introduces extensions to the DSSE specification.
Release Note
Define DSSE signature extension for Sigstore signatures.
Documentation
None.