From c18c1e9a604d507bcfecd366f272fdf09ea898e4 Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Fri, 30 Jun 2023 17:45:10 +0000 Subject: [PATCH 1/3] Require inclusion proofs, make promises optional The log always generates inclusion proofs, so we will make it a requirement that clients verify the proof. Promises will be deprecated over time, but for now, we'll make them optional. Fixes #82 Ref https://github.com/sigstore/rekor/issues/1566 Signed-off-by: Hayden Blauzvern --- gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 4 +-- gen/pb-go/rekor/v1/sigstore_rekor.pb.go | 27 ++++++++++--------- .../trustroot/v1/sigstore_trustroot.pb.go | 2 +- .../dev/sigstore/bundle/v1/__init__.py | 4 +-- .../dev/sigstore/rekor/v1/__init__.py | 14 +++++----- .../dev/sigstore/trustroot/v1/__init__.py | 2 +- .../src/__generated__/sigstore_bundle.ts | 4 +-- .../src/__generated__/sigstore_rekor.ts | 13 +++++---- .../src/__generated__/sigstore_trustroot.ts | 2 +- protos/sigstore_bundle.proto | 4 +-- protos/sigstore_rekor.proto | 15 ++++++----- protos/sigstore_trustroot.proto | 2 +- 12 files changed, 50 insertions(+), 43 deletions(-) diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go index 9d93fa62..882a902d 100644 --- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go +++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go 
@@ -104,8 +104,8 @@ type VerificationMaterial struct { // *VerificationMaterial_PublicKey // *VerificationMaterial_X509CertificateChain Content isVerificationMaterial_Content `protobuf_oneof:"content"` - // This is the inclusion promise and/or proof, where - // the timestamp is coming from the transparency log. + // This is the inclusion proof, where the timestamp is coming from + // the transparency log. TlogEntries []*v11.TransparencyLogEntry `protobuf:"bytes,3,rep,name=tlog_entries,json=tlogEntries,proto3" json:"tlog_entries,omitempty"` // Timestamp verification data, over the artifact's signature. TimestampVerificationData *TimestampVerificationData `protobuf:"bytes,4,opt,name=timestamp_verification_data,json=timestampVerificationData,proto3" json:"timestamp_verification_data,omitempty"` diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go index 038288c0..f53e15c7 100644 --- a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go +++ b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go @@ -151,7 +151,7 @@ func (x *Checkpoint) GetEnvelope() string { } // InclusionProof is the proof returned from the transparency log. Can -// be used for on line verification against the log. +// be used for offline or online verification against the log. type InclusionProof struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -306,7 +306,7 @@ func (x *InclusionPromise) GetSignedEntryTimestamp() []byte { // attributes (excluding the payload) that are required for verifying the // inclusion promise. The inclusion promise (called SignedEntryTimestamp in // the response from Rekor) is similar to a Signed Certificate Timestamp -// as described here https://www.rfc-editor.org/rfc/rfc9162#name-signed-certificate-timestam. +// as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2. type TransparencyLogEntry struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -322,10 +322,11 @@ type TransparencyLogEntry struct { KindVersion *KindVersion `protobuf:"bytes,3,opt,name=kind_version,json=kindVersion,proto3" json:"kind_version,omitempty"` // The UNIX timestamp from the log when the entry was persisted. IntegratedTime int64 `protobuf:"varint,4,opt,name=integrated_time,json=integratedTime,proto3" json:"integrated_time,omitempty"` - // The inclusion promise/signed entry timestamp from the log. + // The inclusion promise/signed entry timestamp from the log. Optional, + // but MUST be verified if present. InclusionPromise *InclusionPromise `protobuf:"bytes,5,opt,name=inclusion_promise,json=inclusionPromise,proto3" json:"inclusion_promise,omitempty"` - // The inclusion proof can be used for online verification that the - // entry was appended to the log, and that the log has not been + // The inclusion proof can be used for offline or online verification + // that the entry was appended to the log, and that the log has not been // altered. InclusionProof *InclusionProof `protobuf:"bytes,6,opt,name=inclusion_proof,json=inclusionProof,proto3" json:"inclusion_proof,omitempty"` // Optional. The canonicalized transparency log entry, used to 
@@ -480,17 +481,17 @@ var file_sigstore_rekor_proto_rawDesc = []byte{ 0x69, 0x6e, 0x64, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2c, 0x0a, 0x0f, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, - 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x59, 0x0a, 0x11, 0x69, 0x6e, 0x63, 0x6c, + 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x54, 0x0a, 0x11, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x6d, 0x69, 0x73, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x63, 0x6c, - 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6d, 0x69, 0x73, 0x65, 0x42, 0x03, 0xe0, 0x41, - 0x02, 0x52, 0x10, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6d, - 0x69, 0x73, 0x65, 0x12, 0x4e, 0x0a, 0x0f, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, - 0x5f, 0x70, 0x72, 0x6f, 0x6f, 0x66, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x64, - 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, - 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, - 0x6f, 0x6f, 0x66, 0x52, 0x0e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, + 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6d, 0x69, 0x73, 0x65, 0x52, 0x10, 0x69, 0x6e, + 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6d, 0x69, 0x73, 0x65, 0x12, 0x53, + 0x0a, 0x0f, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x6f, + 0x66, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 
0x76, 0x31, 0x2e, + 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6f, 0x66, 0x42, 0x03, + 0xe0, 0x41, 0x02, 0x52, 0x0e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6f, 0x66, 0x12, 0x2d, 0x0a, 0x12, 0x63, 0x61, 0x6e, 0x6f, 0x6e, 0x69, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x11, 0x63, 0x61, 0x6e, 0x6f, 0x6e, 0x69, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x42, 0x6f, diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go index c28615f9..9e25cbd9 100644 --- a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go +++ b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go @@ -40,7 +40,7 @@ const ( // See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters // for more details. // The included parameters are the minimal set required to identify a log, -// and verify an inclusion promise. +// and verify an inclusion proof/promise. type TransparencyLogInstance struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py index 28681e7d..53eb7b88 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py @@ -47,8 +47,8 @@ class VerificationMaterial(betterproto.Message): 3 ) """ - This is the inclusion promise and/or proof, where the timestamp is coming - from the transparency log. + This is the inclusion proof, where the timestamp is coming from the + transparency log. """ timestamp_verification_data: "TimestampVerificationData" = ( diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py index 27a10ded..318528c6 100644 
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py @@ -43,7 +43,7 @@ class Checkpoint(betterproto.Message): class InclusionProof(betterproto.Message): """ InclusionProof is the proof returned from the transparency log. Can be used - for on line verification against the log. + for offline or online verification against the log. """ log_index: int = betterproto.int64_field(1) @@ -101,8 +101,7 @@ class TransparencyLogEntry(betterproto.Message): attributes (excluding the payload) that are required for verifying the inclusion promise. The inclusion promise (called SignedEntryTimestamp in the response from Rekor) is similar to a Signed Certificate Timestamp as - described here https://www.rfc-editor.org/rfc/rfc9162#name-signed- - certificate-timestam. + described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2. """ log_index: int = betterproto.int64_field(1) @@ -121,12 +120,15 @@ class TransparencyLogEntry(betterproto.Message): """The UNIX timestamp from the log when the entry was persisted.""" inclusion_promise: "InclusionPromise" = betterproto.message_field(5) - """The inclusion promise/signed entry timestamp from the log.""" + """ + The inclusion promise/signed entry timestamp from the log. Optional, but + MUST be verified if present. + """ inclusion_proof: "InclusionProof" = betterproto.message_field(6) """ - The inclusion proof can be used for online verification that the entry was - appended to the log, and that the log has not been altered. + The inclusion proof can be used for offline or online verification that the + entry was appended to the log, and that the log has not been altered. """ canonicalized_body: bytes = betterproto.bytes_field(7) diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py index a3625149..747aba1c 100644 
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py @@ -15,7 +15,7 @@ class TransparencyLogInstance(betterproto.Message): TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log- parameters for more details. The included parameters are the minimal set - required to identify a log, and verify an inclusion promise. + required to identify a log, and verify an inclusion proof/promise. """ base_url: str = betterproto.string_field(1) diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts index f80d5196..3b21d339 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts @@ -28,8 +28,8 @@ export interface VerificationMaterial { | { $case: "publicKey"; publicKey: PublicKeyIdentifier } | { $case: "x509CertificateChain"; x509CertificateChain: X509CertificateChain }; /** - * This is the inclusion promise and/or proof, where - * the timestamp is coming from the transparency log. + * This is the inclusion proof, where the timestamp is coming from + * the transparency log. */ tlogEntries: TransparencyLogEntry[]; /** Timestamp verification data, over the artifact's signature. */ diff --git a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts index d327f9d9..cfc4faf7 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts 
@@ -28,7 +28,7 @@ export interface Checkpoint { /** * InclusionProof is the proof returned from the transparency log. Can - * be used for on line verification against the log. + * be used for offline or online verification against the log. */ export interface InclusionProof { /** The index of the entry in the log. */ @@ -79,7 +79,7 @@ export interface InclusionPromise { * attributes (excluding the payload) that are required for verifying the * inclusion promise. The inclusion promise (called SignedEntryTimestamp in * the response from Rekor) is similar to a Signed Certificate Timestamp - * as described here https://www.rfc-editor.org/rfc/rfc9162#name-signed-certificate-timestam. + * as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2. */ export interface TransparencyLogEntry { /** The index of the entry in the log. */ @@ -98,13 +98,16 @@ export interface TransparencyLogEntry { | undefined; /** The UNIX timestamp from the log when the entry was persisted. */ integratedTime: string; - /** The inclusion promise/signed entry timestamp from the log. */ + /** + * The inclusion promise/signed entry timestamp from the log. Optional, + * but MUST be verified if present. + */ inclusionPromise: | InclusionPromise | undefined; /** - * The inclusion proof can be used for online verification that the - * entry was appended to the log, and that the log has not been + * The inclusion proof can be used for offline or online verification + * that the entry was appended to the log, and that the log has not been * altered. */ inclusionProof: diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts index d373e177..a60f71dd 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts 
@@ -16,7 +16,7 @@ import { * See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters * for more details. * The included parameters are the minimal set required to identify a log, - * and verify an inclusion promise. + * and verify an inclusion proof/promise. */ export interface TransparencyLogInstance { /** The base URL at which can be used to URLs for the client. */ diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto index 48f7fc46..4c349952 100644 --- a/protos/sigstore_bundle.proto +++ b/protos/sigstore_bundle.proto @@ -53,8 +53,8 @@ message VerificationMaterial { dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED]; dev.sigstore.common.v1.X509CertificateChain x509_certificate_chain = 2 [(google.api.field_behavior) = REQUIRED]; } - // This is the inclusion promise and/or proof, where - // the timestamp is coming from the transparency log. + // This is the inclusion proof, where the timestamp is coming from + // the transparency log. repeated dev.sigstore.rekor.v1.TransparencyLogEntry tlog_entries = 3; // Timestamp verification data, over the artifact's signature. TimestampVerificationData timestamp_verification_data = 4; diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto index 7d3c554f..164d4b7d 100644 --- a/protos/sigstore_rekor.proto +++ b/protos/sigstore_rekor.proto @@ -46,7 +46,7 @@ message Checkpoint { } // InclusionProof is the proof returned from the transparency log. Can -// be used for on line verification against the log. +// be used for offline or online verification against the log. message InclusionProof { // The index of the entry in the log. int64 log_index = 1 [(google.api.field_behavior) = REQUIRED]; 
@@ -87,7 +87,7 @@ message InclusionPromise { // attributes (excluding the payload) that are required for verifying the // inclusion promise. The inclusion promise (called SignedEntryTimestamp in // the response from Rekor) is similar to a Signed Certificate Timestamp -// as described here https://www.rfc-editor.org/rfc/rfc9162#name-signed-certificate-timestam. +// as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2. message TransparencyLogEntry { // The index of the entry in the log. int64 log_index = 1 [(google.api.field_behavior) = REQUIRED]; @@ -99,12 +99,13 @@ message TransparencyLogEntry { KindVersion kind_version = 3 [(google.api.field_behavior) = REQUIRED]; // The UNIX timestamp from the log when the entry was persisted. int64 integrated_time = 4 [(google.api.field_behavior) = REQUIRED]; - // The inclusion promise/signed entry timestamp from the log. - InclusionPromise inclusion_promise = 5 [(google.api.field_behavior) = REQUIRED]; - // The inclusion proof can be used for online verification that the - // entry was appended to the log, and that the log has not been + // The inclusion promise/signed entry timestamp from the log. Optional, + // but MUST be verified if present. + InclusionPromise inclusion_promise = 5; + // The inclusion proof can be used for offline or online verification + // that the entry was appended to the log, and that the log has not been // altered. - InclusionProof inclusion_proof = 6; + InclusionProof inclusion_proof = 6 [(google.api.field_behavior) = REQUIRED]; // Optional. The canonicalized transparency log entry, used to // reconstruct the Signed Entry Timestamp (SET) during verification. // The contents of this field are the same as the `body` field in diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto index f289e4ee..3d76f867 100644 --- a/protos/sigstore_trustroot.proto +++ b/protos/sigstore_trustroot.proto 
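Review bot: The `[(google.api.field_behavior) = REQUIRED]` moved onto `inclusion_proof` in the `@@ -99,12 +99,13 @@` hunk is an annotation only, so a `TransparencyLogEntry` with no proof still parses; the generated Go field in this same patch remains a nilable `*InclusionProof` tagged `omitempty`. The field comment should state the verifier obligation, for example `// Required. Verifiers MUST reject an entry that has no inclusion proof,` followed by `// and MUST check the proof against a checkpoint signed by the log.` The second line is hedged: how `Checkpoint` relates to `InclusionProof` is not visible in this hunk, but "offline" verification is only sound if the root the proof resolves to is authenticated. The body of `TransparencyLogEntry` starts and ends outside the hunk, and its header comment (context in `@@ -87,7 +87,7 @@`) still describes the message as the attributes needed to verify the inclusion promise.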
@@ -27,7 +27,7 @@ option java_outer_classname = "TrustRootProto"; // See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters // for more details. // The included parameters are the minimal set required to identify a log, -// and verify an inclusion promise. +// and verify an inclusion proof/promise. message TransparencyLogInstance { // The base URL at which can be used to URLs for the client. string base_url = 1; From a0861a3254192f7d16773f10bf7010eb3c4b323e Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Fri, 30 Jun 2023 20:12:30 +0000 Subject: [PATCH 2/3] Bump version Signed-off-by: Hayden Blauzvern --- gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 1 + gen/pb-python/pyproject.toml | 2 +- .../dev/sigstore/bundle/v1/__init__.py | 4 ++-- gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb | 2 +- gen/pb-typescript/package.json | 2 +- gen/pb-typescript/src/__generated__/sigstore_bundle.ts | 1 + protos/sigstore_bundle.proto | 5 +++-- 7 files changed, 10 insertions(+), 7 deletions(-) diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go index 882a902d..e644201f 100644 --- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go +++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go @@ -200,6 +200,7 @@ type Bundle struct { unknownFields protoimpl.UnknownFields // MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 + // or application/vnd.dev.sigstore.bundle+json;version=0.2 // when encoded as JSON. MediaType string `protobuf:"bytes,1,opt,name=media_type,json=mediaType,proto3" json:"media_type,omitempty"` // When a signer is identified by a X.509 certificate, a verifier MUST diff --git a/gen/pb-python/pyproject.toml b/gen/pb-python/pyproject.toml index a7f446bd..4cc5adb8 100644 --- a/gen/pb-python/pyproject.toml +++ b/gen/pb-python/pyproject.toml 
@@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "sigstore-protobuf-specs" -version = "0.1.0" +version = "0.2.0" description = "A library for serializing and deserializing Sigstore messages" readme = "README.md" license = { file = "LICENSE" } diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py index 53eb7b88..a75ea640 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py @@ -61,8 +61,8 @@ class VerificationMaterial(betterproto.Message): class Bundle(betterproto.Message): media_type: str = betterproto.string_field(1) """ - MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 when encoded - as JSON. + MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or + application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON. """ verification_material: "VerificationMaterial" = betterproto.message_field(2) diff --git a/gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb b/gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb index d04df77f..849fcd38 100644 --- a/gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb +++ b/gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb @@ -16,6 +16,6 @@ module Dev module Sigstore - VERSION = '0.1.0' + VERSION = '0.2.0' end end \ No newline at end of file diff --git a/gen/pb-typescript/package.json b/gen/pb-typescript/package.json index 7cb4aa9c..6697d247 100644 --- a/gen/pb-typescript/package.json +++ b/gen/pb-typescript/package.json @@ -1,6 +1,6 @@ { "name": "@sigstore/protobuf-specs", - "version": "0.1.0", + "version": "0.2.0", "description": "code-signing for npm packages", "main": "dist/index.js", "types": "dist/index.d.ts", 
diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts index 3b21d339..ceac33dd 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts @@ -39,6 +39,7 @@ export interface VerificationMaterial { export interface Bundle { /** * MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 + * or application/vnd.dev.sigstore.bundle+json;version=0.2 * when encoded as JSON. */ mediaType: string; diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto index 4c349952..0166de6a 100644 --- a/protos/sigstore_bundle.proto +++ b/protos/sigstore_bundle.proto @@ -31,8 +31,8 @@ option java_outer_classname = "BundleProto"; // The primary message ('Bundle') MUST be versioned, by populating the // 'media_type' field. Semver-ish (only major/minor versions) scheme MUST // be used. The current version as specified by this file is: -// application/vnd.dev.sigstore.bundle+json;version=0.1 -// The semantic version is thus '0.1'. +// application/vnd.dev.sigstore.bundle+json;version=0.2 +// The semantic version is thus '0.2'. // Various timestamped counter signatures over the artifacts signature. // Currently only RFC3161 signatures are provided. More formats may be added @@ -62,6 +62,7 @@ message VerificationMaterial { message Bundle { // MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 + // or application/vnd.dev.sigstore.bundle+json;version=0.2 // when encoded as JSON. string media_type = 1; // When a signer is identified by a X.509 certificate, a verifier MUST From 6591df69889cdae7eb2af6e049fd691602ff9d6f Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Fri, 30 Jun 2023 22:04:02 +0000 Subject: [PATCH 3/3] Update client verification requirements for promises 
Signed-off-by: Hayden Blauzvern --- gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 6 ++++++ gen/pb-go/rekor/v1/sigstore_rekor.pb.go | 5 +++-- .../dev/sigstore/bundle/v1/__init__.py | 6 +++++- .../dev/sigstore/rekor/v1/__init__.py | 5 +++-- gen/pb-typescript/src/__generated__/sigstore_bundle.ts | 6 ++++++ gen/pb-typescript/src/__generated__/sigstore_rekor.ts | 5 +++-- protos/sigstore_bundle.proto | 6 ++++++ protos/sigstore_rekor.proto | 5 +++-- 8 files changed, 35 insertions(+), 9 deletions(-) diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go index e644201f..0883c6ec 100644 --- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go +++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go @@ -106,6 +106,12 @@ type VerificationMaterial struct { Content isVerificationMaterial_Content `protobuf_oneof:"content"` // This is the inclusion proof, where the timestamp is coming from // the transparency log. + // Client verification libraries MAY provide an option to support v0.1 + // bundles for backwards compatibility, which may contain an inclusion + // promise and not an inclusion proof. In this case, the client MUST + // validate the promise. + // Verifiers SHOULD NOT allow v0.1 bundles if they're used in an + // ecosystem which never produced them. TlogEntries []*v11.TransparencyLogEntry `protobuf:"bytes,3,rep,name=tlog_entries,json=tlogEntries,proto3" json:"tlog_entries,omitempty"` // Timestamp verification data, over the artifact's signature. TimestampVerificationData *TimestampVerificationData `protobuf:"bytes,4,opt,name=timestamp_verification_data,json=timestampVerificationData,proto3" json:"timestamp_verification_data,omitempty"` diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go index f53e15c7..21bc9506 100644 --- a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go +++ b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go 
@@ -322,8 +322,9 @@ type TransparencyLogEntry struct { KindVersion *KindVersion `protobuf:"bytes,3,opt,name=kind_version,json=kindVersion,proto3" json:"kind_version,omitempty"` // The UNIX timestamp from the log when the entry was persisted. IntegratedTime int64 `protobuf:"varint,4,opt,name=integrated_time,json=integratedTime,proto3" json:"integrated_time,omitempty"` - // The inclusion promise/signed entry timestamp from the log. Optional, - // but MUST be verified if present. + // The inclusion promise/signed entry timestamp from the log. + // Required for v0.1 bundles, and MUST be verified. + // Optional for >= v0.2 bundles, and SHOULD be verified when present. InclusionPromise *InclusionPromise `protobuf:"bytes,5,opt,name=inclusion_promise,json=inclusionPromise,proto3" json:"inclusion_promise,omitempty"` // The inclusion proof can be used for offline or online verification // that the entry was appended to the log, and that the log has not been diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py index a75ea640..120142db 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py @@ -48,7 +48,11 @@ class VerificationMaterial(betterproto.Message): ) """ This is the inclusion proof, where the timestamp is coming from the - transparency log. + transparency log. Client verification libraries MAY provide an option to + support v0.1 bundles for backwards compatibility, which may contain an + inclusion promise and not an inclusion proof. In this case, the client MUST + validate the promise. Verifiers SHOULD NOT allow v0.1 bundles if they're + used in an ecosystem which never produced them. """ timestamp_verification_data: "TimestampVerificationData" = ( 
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py index 318528c6..0586c2e2 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py @@ -121,8 +121,9 @@ class TransparencyLogEntry(betterproto.Message): inclusion_promise: "InclusionPromise" = betterproto.message_field(5) """ - The inclusion promise/signed entry timestamp from the log. Optional, but - MUST be verified if present. + The inclusion promise/signed entry timestamp from the log. Required for + v0.1 bundles, and MUST be verified. Optional for >= v0.2 bundles, and + SHOULD be verified when present. """ inclusion_proof: "InclusionProof" = betterproto.message_field(6) diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts index ceac33dd..2397dcab 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts @@ -30,6 +30,12 @@ export interface VerificationMaterial { /** * This is the inclusion proof, where the timestamp is coming from * the transparency log. + * Client verification libraries MAY provide an option to support v0.1 + * bundles for backwards compatibility, which may contain an inclusion + * promise and not an inclusion proof. In this case, the client MUST + * validate the promise. + * Verifiers SHOULD NOT allow v0.1 bundles if they're used in an + * ecosystem which never produced them. */ tlogEntries: TransparencyLogEntry[]; /** Timestamp verification data, over the artifact's signature. */ diff --git a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts index cfc4faf7..9931bf05 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts 
+++ b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts @@ -99,8 +99,9 @@ export interface TransparencyLogEntry { /** The UNIX timestamp from the log when the entry was persisted. */ integratedTime: string; /** - * The inclusion promise/signed entry timestamp from the log. Optional, - * but MUST be verified if present. + * The inclusion promise/signed entry timestamp from the log. + * Required for v0.1 bundles, and MUST be verified. + * Optional for >= v0.2 bundles, and SHOULD be verified when present. */ inclusionPromise: | InclusionPromise diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto index 0166de6a..5cd3a366 100644 --- a/protos/sigstore_bundle.proto +++ b/protos/sigstore_bundle.proto @@ -55,6 +55,12 @@ message VerificationMaterial { } // This is the inclusion proof, where the timestamp is coming from // the transparency log. + // Client verification libraries MAY provide an option to support v0.1 + // bundles for backwards compatibility, which may contain an inclusion + // promise and not an inclusion proof. In this case, the client MUST + // validate the promise. + // Verifiers SHOULD NOT allow v0.1 bundles if they're used in an + // ecosystem which never produced them. repeated dev.sigstore.rekor.v1.TransparencyLogEntry tlog_entries = 3; // Timestamp verification data, over the artifact's signature. TimestampVerificationData timestamp_verification_data = 4; diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto index 164d4b7d..0fde4866 100644 --- a/protos/sigstore_rekor.proto +++ b/protos/sigstore_rekor.proto 
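Review bot: The paragraph added to `tlog_entries` in `protos/sigstore_bundle.proto` says libraries MAY offer an option to accept v0.1 bundles, but it does not say the option is off by default, and the version comes from the bundle's own `media_type`, which is set by whoever supplies the bundle. A verifier that falls back to promise-only checking whenever `media_type` reads `version=0.1` would make the new proof requirement skippable by relabelling; this is inferred, since no verifier code is on this page. I would add `// Such an option MUST be disabled by default, and a v0.2 bundle without an` followed by `// inclusion proof MUST be rejected regardless of any promise it carries.` The `VerificationMaterial` message starts and ends outside the hunk.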
@@ -99,8 +99,9 @@ message TransparencyLogEntry { KindVersion kind_version = 3 [(google.api.field_behavior) = REQUIRED]; // The UNIX timestamp from the log when the entry was persisted. int64 integrated_time = 4 [(google.api.field_behavior) = REQUIRED]; - // The inclusion promise/signed entry timestamp from the log. Optional, - // but MUST be verified if present. + // The inclusion promise/signed entry timestamp from the log. + // Required for v0.1 bundles, and MUST be verified. + // Optional for >= v0.2 bundles, and SHOULD be verified when present. InclusionPromise inclusion_promise = 5; // The inclusion proof can be used for offline or online verification // that the entry was appended to the log, and that the log has not been
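Review bot: Relaxing "MUST be verified if present" to "SHOULD be verified when present" for v0.2 leaves open what a verifier does when a promise is present, is checked, and fails; the comment on `inclusion_promise` should make that a hard failure. Suggested replacement for the last added line: `// Optional for >= v0.2 bundles. SHOULD be verified when present; a promise` followed by `// that fails verification MUST cause the entry to be rejected.` "Required for v0.1 bundles" is also now stated only in prose, because the field annotation was dropped in the first patch of this series, so v0.1 handling has to check for a missing promise itself. The message body continues outside the hunk.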