Add definition for Sigstore's DSSE signature extension #145

Merged (1 commit), Jan 8, 2024
2 changes: 1 addition & 1 deletion gen/jsonschema/schemas/Bundle.schema.json
Expand Up @@ -94,7 +94,7 @@
}
],
"title": "Verification Material",
"description": "VerificationMaterial captures details on the materials used to verify signatures."
"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
},
"dev.sigstore.common.v1.HashOutput": {
"properties": {
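Review bot: this file under gen/jsonschema is generated output, so the new `description` text should come from regenerating it from protos/sigstore_bundle.proto rather than from a hand edit; please confirm, since the same sentence has to stay byte-identical across Bundle.schema.json, Input.schema.json, VerificationMaterial.schema.json and the gen/pb-rust copies. One wording point that would flow through from the proto comment: the `kind` value application/vnd.dev.sigstore.verificationmaterial;version=0.1 is the only identifier in the sentence not set in backticks, unlike `ext`, `kind`, `public_key` and `keyid`.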
2 changes: 1 addition & 1 deletion gen/jsonschema/schemas/Input.schema.json
Expand Up @@ -127,7 +127,7 @@
}
],
"title": "Verification Material",
"description": "VerificationMaterial captures details on the materials used to verify signatures."
"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
},
"dev.sigstore.common.v1.DistinguishedName": {
"properties": {
2 changes: 1 addition & 1 deletion gen/jsonschema/schemas/VerificationMaterial.schema.json
Expand Up @@ -41,7 +41,7 @@
}
],
"title": "Verification Material",
"description": "VerificationMaterial captures details on the materials used to verify signatures."
"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
},
"dev.sigstore.bundle.v1.TimestampVerificationData": {
"properties": {
9 changes: 8 additions & 1 deletion gen/pb-go/bundle/v1/sigstore_bundle.pb.go
(generated file; diff not rendered)
2 changes: 1 addition & 1 deletion gen/pb-rust/schemas/Bundle.schema.json
Expand Up @@ -94,7 +94,7 @@
}
],
"title": "Verification Material",
"description": "VerificationMaterial captures details on the materials used to verify signatures."
"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
},
"dev.sigstore.common.v1.HashOutput": {
"properties": {
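Review bot: this gen/pb-rust schema carries the same generated `description` as gen/jsonschema/schemas/Bundle.schema.json, so the two trees must be regenerated together; if the proto comment is reworded in review (backticks around the `kind` value, or a clearer phrasing than "the `ext` field of the extension will expect this message"), both copies need to be refreshed in the same commit to avoid drift between the Rust and JSON schema consumers.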
2 changes: 1 addition & 1 deletion gen/pb-rust/schemas/Input.schema.json
Expand Up @@ -127,7 +127,7 @@
}
],
"title": "Verification Material",
"description": "VerificationMaterial captures details on the materials used to verify signatures."
"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
},
"dev.sigstore.common.v1.DistinguishedName": {
"properties": {
2 changes: 1 addition & 1 deletion gen/pb-rust/schemas/VerificationMaterial.schema.json
Expand Up @@ -41,7 +41,7 @@
}
],
"title": "Verification Material",
"description": "VerificationMaterial captures details on the materials used to verify signatures."
"description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
},
"dev.sigstore.bundle.v1.TimestampVerificationData": {
"properties": {
9 changes: 8 additions & 1 deletion gen/pb-typescript/src/__generated__/sigstore_bundle.ts
(generated file; diff not rendered)
9 changes: 8 additions & 1 deletion protos/sigstore_bundle.proto
Expand Up @@ -48,7 +48,14 @@ message TimestampVerificationData {
}

// VerificationMaterial captures details on the materials used to verify
// signatures.
// signatures. This message may be embedded in a DSSE envelope as a signature
// extension. Specifically, the `ext` field of the extension will expect this
// message when the signature extension is for Sigstore. This is identified by
// the `kind` field in the extension, which must be set to
// application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
// When used as a DSSE extension, if the `public_key` field is used to indicate
// the key identifier, it MUST match the `keyid` field of the signature the
// extension is attached to.
Comment on lines +51 to +58

Member:
Just to make sure I'm not missing anything: this is the PR's only change, right? I don't see any protobuf definition changes 🙂

Member Author:
Yes, the doc is the only change. This PR originally proposed a new message that was a subset of verification materials, but the feedback was to just use verification materials directly. The doc change unblocks secure-systems-lab/dsse#61 which introduces the sigstore DSSE extension.

> the doc change doesn't seem actionable to a Sigstore client implementer

WRT a sigstore client, it's a question of whether it will support a DSSE envelope that uses the signature extension as an input to signature verification. See: sigstore/sig-clients#9 and the follow up sigstore/sig-clients#9 (comment).

message VerificationMaterial {
oneof content {
dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED];
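Review bot: the "MUST match the `keyid`" rule on lines +56 to +58 is a cross-field constraint that protobuf cannot express, so nothing in this repository enforces it; the comment should say what a verifier does on mismatch (reject the envelope, or ignore the extension and fall back to the `keyid` alone) so that client implementers get a concrete, testable behaviour rather than a bare MUST. Two smaller points on the same comment: the `kind` value on line +55 is the only identifier not set in backticks, and "the `ext` field of the extension will expect this message" (line +52) reads more clearly as "the extension's `ext` field carries this message".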
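The description added by this PR states three structural rules for the Sigstore DSSE extension: the extension's `kind` must be exactly `application/vnd.dev.sigstore.verificationmaterial;version=0.1`, its `ext` carries a VerificationMaterial, and when `public_key` is used as the key identifier it must match the signature's `keyid`. The following is an added illustration of a verifier-side check for those rules; it is not code from sigstore/protobuf-specs or from the DSSE project. It assumes (neither is stated on this page) that the extension lives in a field named `extension` on each DSSE signature object and that VerificationMaterial's `public_key` serialises to JSON as `{"publicKey": {"hint": "..."}}` under protobuf JSON naming. The sample envelope and key ids are constructed, and cryptographic verification of `sig` is deliberately out of scope.

```python
"""Structural checks for the Sigstore DSSE signature extension.

Added illustration, not code from sigstore/protobuf-specs or DSSE.
Assumed (not stated on the page): the extension sits in a field named
"extension" on each DSSE signature, and VerificationMaterial's public_key
serialises as {"publicKey": {"hint": "..."}} (protobuf JSON naming).
Signature bytes are not verified here; only the extension rules are.
"""
import base64
import json

# Exact `kind` value the new documentation requires for Sigstore.
SIGSTORE_EXT_KIND = "application/vnd.dev.sigstore.verificationmaterial;version=0.1"


def check_signature_extension(signature: dict) -> tuple[bool, str]:
    """Return (ok, reason) for one DSSE signature entry.

    Rules, as documented on VerificationMaterial:
      1. `kind` must equal SIGSTORE_EXT_KIND;
      2. `ext` must be a VerificationMaterial object;
      3. if `public_key` identifies the key, its hint MUST equal the
         signature's `keyid`.
    A signature without an extension is accepted: the extension is optional.
    """
    extension = signature.get("extension")  # assumed field name
    if extension is None:
        return True, "no extension present"
    kind = extension.get("kind")
    if kind != SIGSTORE_EXT_KIND:
        return False, f"unsupported extension kind: {kind!r}"
    material = extension.get("ext")
    if not isinstance(material, dict):
        return False, "ext is not a VerificationMaterial object"
    public_key = material.get("publicKey")
    if public_key is not None:
        hint = public_key.get("hint")
        if hint != signature.get("keyid"):
            return False, (f"public_key hint {hint!r} does not match "
                           f"signature keyid {signature.get('keyid')!r}")
    return True, "sigstore extension accepted"


def check_envelope(envelope: dict) -> list[dict]:
    """Apply check_signature_extension to every signature in a DSSE envelope."""
    results = []
    for sig in envelope.get("signatures", []):
        ok, reason = check_signature_extension(sig)
        results.append({"keyid": sig.get("keyid"), "ok": ok, "reason": reason})
    return results


def make_envelope(signatures: list[dict]) -> dict:
    """Build a constructed DSSE envelope around a tiny in-toto-style payload."""
    payload = json.dumps({"_type": "https://in-toto.io/Statement/v1"}).encode()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(payload).decode(),
        "signatures": signatures,
    }


# Constructed sample signatures: key ids and signature bytes are placeholders.
SAMPLE_SIG = base64.b64encode(b"not-a-real-signature").decode()

GOOD = {"keyid": "key-1", "sig": SAMPLE_SIG, "extension": {
    "kind": SIGSTORE_EXT_KIND,
    "ext": {"publicKey": {"hint": "key-1"}}}}
MISMATCH = {"keyid": "key-2", "sig": SAMPLE_SIG, "extension": {
    "kind": SIGSTORE_EXT_KIND,
    "ext": {"publicKey": {"hint": "other-key"}}}}
WRONG_KIND = {"keyid": "key-3", "sig": SAMPLE_SIG, "extension": {
    "kind": "application/vnd.example.other;version=1",
    "ext": {}}}
PLAIN = {"keyid": "key-4", "sig": SAMPLE_SIG}

if __name__ == "__main__":
    for r in check_envelope(make_envelope([GOOD, MISMATCH, WRONG_KIND, PLAIN])):
        print(r)
```

The mismatch case is the one the new wording cares about: a VerificationMaterial whose `public_key` hint names a different key than the signature's `keyid` is rejected rather than silently used, and an unknown `kind` is rejected before `ext` is interpreted at all. A VerificationMaterial that identifies the signer by certificate rather than `public_key` is not subject to the hint rule, which the check mirrors by skipping it when `publicKey` is absent.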