From 6e5380944cc06967049f8661a27c61456a01b46b Mon Sep 17 00:00:00 2001
From: Aditya Sirish
Date: Tue, 26 Sep 2023 14:08:22 -0400
Subject: [PATCH] Support DSSE signature extension for Sigstore

DSSE is adding support for signature extensions where a signature can include signing-ecosystem specific information for each signature. The first extension is for Sigstore. This commit allows for using VerificationMaterial as the structure for the DSSE extension.

Signed-off-by: Aditya Sirish
---
 gen/jsonschema/schemas/Bundle.schema.json | 2 +-
 gen/jsonschema/schemas/Input.schema.json | 2 +-
 .../schemas/VerificationMaterial.schema.json | 2 +-
 gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 9 ++++++++-
 .../dev/sigstore/bundle/v1/__init__.py | 15 +++++++++++----
 .../dev/sigstore/verification/v1/__init__.py | 18 +++++++++--------
 gen/pb-rust/schemas/Bundle.schema.json | 2 +-
 gen/pb-rust/schemas/Input.schema.json | 2 +-
 .../schemas/VerificationMaterial.schema.json | 2 +-
 .../src/__generated__/sigstore_bundle.ts | 9 ++++++++-
 protos/sigstore_bundle.proto | 9 ++++++++-
 11 files changed, 50 insertions(+), 22 deletions(-)

diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
index 86d3179d..fb44fade 100644
--- a/gen/jsonschema/schemas/Bundle.schema.json
+++ b/gen/jsonschema/schemas/Bundle.schema.json
@@ -94,7 +94,7 @@ } ], "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures." + "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." }, "dev.sigstore.common.v1.HashOutput": { "properties": { diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index c5d0f755..8da9538c 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json @@ -127,7 +127,7 @@ } ], "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures." + "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." }, "dev.sigstore.common.v1.DistinguishedName": { "properties": { 
diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json index 4657bc35..0a742626 100644 --- a/gen/jsonschema/schemas/VerificationMaterial.schema.json +++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json @@ -41,7 +41,7 @@ } ], "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures." + "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." }, "dev.sigstore.bundle.v1.TimestampVerificationData": { "properties": { diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go index e93ed477..75db040c 100644 --- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go +++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go 
@@ -94,7 +94,14 @@ func (x *TimestampVerificationData) GetRfc3161Timestamps() []*v1.RFC3161SignedTi } // VerificationMaterial captures details on the materials used to verify -// signatures. +// signatures. This message may be embedded in a DSSE envelope as a signature +// extension. Specifically, the `ext` field of the extension will expect this +// message when the signature extension is for Sigstore. This is identified by +// the `kind` field in the extension, which must be set to +// application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. +// When used as a DSSE extension, if the `public_key` field is used to indicate +// the key identifier, it MUST match the `keyid` field of the signature the +// extension is attached to. type VerificationMaterial struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py index 49c7fee2..60016c56 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py @@ -19,9 +19,9 @@ class TimestampVerificationData(betterproto.Message): in the future. """ - rfc3161_timestamps: List[ - "__common_v1__.Rfc3161SignedTimestamp" - ] = betterproto.message_field(1) + rfc3161_timestamps: List["__common_v1__.Rfc3161SignedTimestamp"] = ( + betterproto.message_field(1) + ) """ A list of RFC3161 signed timestamps provided by the user. This can be used when the entry has not been stored on a transparency log, or in conjunction 
@@ -34,7 +34,14 @@ class TimestampVerificationData(betterproto.Message): class VerificationMaterial(betterproto.Message): """ VerificationMaterial captures details on the materials used to verify - signatures. + signatures. This message may be embedded in a DSSE envelope as a signature + extension. Specifically, the `ext` field of the extension will expect this + message when the signature extension is for Sigstore. This is identified by + the `kind` field in the extension, which must be set to + application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. + When used as a DSSE extension, if the `public_key` field is used to + indicate the key identifier, it MUST match the `keyid` field of the + signature the extension is attached to. """ public_key: "__common_v1__.PublicKeyIdentifier" = betterproto.message_field( diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py index c1d19ba9..76c87f1f 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py 
@@ -61,27 +61,27 @@ class ArtifactVerificationOptions(betterproto.Message): application specific. """ - tlog_options: Optional[ - "ArtifactVerificationOptionsTlogOptions" - ] = betterproto.message_field(3, optional=True, group="_tlog_options") + tlog_options: Optional["ArtifactVerificationOptionsTlogOptions"] = ( + betterproto.message_field(3, optional=True, group="_tlog_options") + ) """ Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false """ - ctlog_options: Optional[ - "ArtifactVerificationOptionsCtlogOptions" - ] = betterproto.message_field(4, optional=True, group="_ctlog_options") + ctlog_options: Optional["ArtifactVerificationOptionsCtlogOptions"] = ( + betterproto.message_field(4, optional=True, group="_ctlog_options") + ) """ Optional options for certificate transparency log verification. If none is provided, the default verification options are: Threshold: 1 Detached SCT: false Disable: false """ - tsa_options: Optional[ - "ArtifactVerificationOptionsTimestampAuthorityOptions" - ] = betterproto.message_field(5, optional=True, group="_tsa_options") + tsa_options: Optional["ArtifactVerificationOptionsTimestampAuthorityOptions"] = ( + betterproto.message_field(5, optional=True, group="_tsa_options") + ) """ Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false diff --git a/gen/pb-rust/schemas/Bundle.schema.json b/gen/pb-rust/schemas/Bundle.schema.json index 86d3179d..fb44fade 100644 --- a/gen/pb-rust/schemas/Bundle.schema.json +++ b/gen/pb-rust/schemas/Bundle.schema.json 
@@ -94,7 +94,7 @@ } ], "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures." + "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." }, "dev.sigstore.common.v1.HashOutput": { "properties": { diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json index c5d0f755..8da9538c 100644 --- a/gen/pb-rust/schemas/Input.schema.json +++ b/gen/pb-rust/schemas/Input.schema.json @@ -127,7 +127,7 @@ } ], "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures." + "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." }, "dev.sigstore.common.v1.DistinguishedName": { "properties": { 
diff --git a/gen/pb-rust/schemas/VerificationMaterial.schema.json b/gen/pb-rust/schemas/VerificationMaterial.schema.json index 4657bc35..0a742626 100644 --- a/gen/pb-rust/schemas/VerificationMaterial.schema.json +++ b/gen/pb-rust/schemas/VerificationMaterial.schema.json @@ -41,7 +41,7 @@ } ], "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures." + "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." }, "dev.sigstore.bundle.v1.TimestampVerificationData": { "properties": { diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts index 576ac586..33e69c6b 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts 
@@ -21,7 +21,14 @@ export interface TimestampVerificationData {
 
 /**
  * VerificationMaterial captures details on the materials used to verify
- * signatures.
+ * signatures. This message may be embedded in a DSSE envelope as a signature
+ * extension. Specifically, the `ext` field of the extension will expect this
+ * message when the signature extension is for Sigstore. This is identified by
+ * the `kind` field in the extension, which must be set to
+ * application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
+ * When used as a DSSE extension, if the `public_key` field is used to indicate
+ * the key identifier, it MUST match the `keyid` field of the signature the
+ * extension is attached to.
  */
 export interface VerificationMaterial {
   content?:
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
index 08d78a86..3d4c5e0f 100644
--- a/protos/sigstore_bundle.proto
+++ b/protos/sigstore_bundle.proto
@@ -48,7 +48,14 @@ message TimestampVerificationData {
 }
 
 // VerificationMaterial captures details on the materials used to verify
-// signatures.
+// signatures. This message may be embedded in a DSSE envelope as a signature
+// extension. Specifically, the `ext` field of the extension will expect this
+// message when the signature extension is for Sigstore. This is identified by
+// the `kind` field in the extension, which must be set to
+// application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
+// When used as a DSSE extension, if the `public_key` field is used to indicate
+// the key identifier, it MUST match the `keyid` field of the signature the
+// extension is attached to.
 message VerificationMaterial {
   oneof content {
     dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED];
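Review bot: The new comment on `message VerificationMaterial` binds the extension to the signature only for the `public_key` arm and never says that the `ext` payload is itself outside the bytes DSSE signs, so a verifier reading this spec could treat the embedded certificates or log entries as authoritative rather than as unauthenticated hints. I would add to the comment: `// The extension is not covered by the DSSE signature (as I read the extension proposal, PAE still covers only payloadType and payload — confirm); verifiers MUST validate the embedded material against their own trust root and MUST reject, not fall back, when it disagrees with the signature's keyid.` The remaining arms of `oneof content` (certificate-based material) follow in the file outside this hunk, and the comment should also state what `keyid` is expected to be when a certificate rather than a key identifier is supplied, since the `MUST match` rule currently applies only to `public_key`. Minor: `must be set to` and `MUST match` mix casing; pick one RFC 2119 style for the whole paragraph. The `VerificationMaterial` message body continues past the end of the hunk.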