protobug_sigstore_protos 0.1.0
- checksums.yaml +7 -0
- data/lib/protobug_sigstore_protos.rb +11 -0
- data/lib/sigstore/bundle/v1/sigstore_bundle_pb.rb +244 -0
- data/lib/sigstore/common/v1/sigstore_common_pb.rb +441 -0
- data/lib/sigstore/dsse/envelope_pb.rb +77 -0
- data/lib/sigstore/events/events_pb.rb +194 -0
- data/lib/sigstore/rekor/v1/sigstore_rekor_pb.rb +252 -0
- data/lib/sigstore/trustroot/v1/sigstore_trustroot_pb.rb +346 -0
- data/lib/sigstore/verification/v1/sigstore_verification_pb.rb +365 -0
- metadata +95 -0
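--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 30f6e577a588ca3dd5284829aba9f5d77a7091b5ac7a1c1649fac0ea4b95b39d
+  data.tar.gz: b8c7bff445bb381dfbdffd4b077c928262aca8eb6e17c3e7b94ae0e836710c65
+SHA512:
+  metadata.gz: b6d033e11fa51e33c47a8ec09195ee6a422a4b96c5da291ec14e9345e1df7b1789d74f08466d2afeaf6a562bfbb6d3143738bbb18091d101b90fd24a43e89785
+  data.tar.gz: 71ed97d7f53a21d3d4a1c0a03be2395282b24601c2a8e47b1a71d759cecfbd1e94fed8f10790b156a66d2c0b90672becef3cfd3b48a1f9b72e0c083c0ef0504b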
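--- a/data/lib/protobug_sigstore_protos.rb
+++ b/data/lib/protobug_sigstore_protos.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "protobug"
+
+require_relative "sigstore/bundle/v1/sigstore_bundle_pb"
+require_relative "sigstore/common/v1/sigstore_common_pb"
+require_relative "sigstore/dsse/envelope_pb"
+require_relative "sigstore/events/events_pb"
+require_relative "sigstore/rekor/v1/sigstore_rekor_pb"
+require_relative "sigstore/trustroot/v1/sigstore_trustroot_pb"
+require_relative "sigstore/verification/v1/sigstore_verification_pb"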
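Review bot: The entry file only `require`s the generated modules and gives a consumer no single place to learn how the messages are registered, even though each generated file exposes its own registration hook (the bundle file defines `Sigstore::Bundle::V1.register_sigstore_bundle_protos(registry)`, which in turn registers its DSSE, Common and Rekor dependencies). A short header comment after the `require "protobug"` line would close that gap: `# Loads every generated Sigstore message definition. Messages are not registered automatically; call the register_*_protos(registry) method of each package you decode.` The generated bundle file also requires `google/api/field_behavior_pb`, which the diffstat shows is not shipped in this gem, so that constant presumably resolves through a separate gem dependency; the gemspec or this file should make that dependency explicit so a `require "protobug_sigstore_protos"` does not fail with a LoadError in a fresh environment.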
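--- a/data/lib/sigstore/bundle/v1/sigstore_bundle_pb.rb
+++ b/data/lib/sigstore/bundle/v1/sigstore_bundle_pb.rb
@@ -0,0 +1,244 @@
+# frozen_string_literal: true
+
+# Code generated by protoc-gen-protobug. DO NOT EDIT.
+
+# source: sigstore_bundle.proto
+# syntax: proto3
+# package: dev.sigstore.bundle.v1
+# options:
+# java_package: "dev.sigstore.proto.bundle.v1"
+# java_outer_classname: "BundleProto"
+# java_multiple_files: true
+# go_package: "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
+# ruby_package: "Sigstore::Bundle::V1"
+
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "protobug"
+
+require "google/api/field_behavior_pb"
+
+require_relative "../../dsse/envelope_pb"
+require_relative "../../common/v1/sigstore_common_pb"
+require_relative "../../rekor/v1/sigstore_rekor_pb"
+
+module Sigstore
+  module Bundle
+    module V1
+      # Notes on versioning.
+      # The primary message ('Bundle') MUST be versioned, by populating the
+      # 'media_type' field. Semver-ish (only major/minor versions) scheme MUST
+      # be used. The current version as specified by this file is:
+      # application/vnd.dev.sigstore.bundle.v0.3+json
+      # The semantic version is thus '0.3'.
+
+      # Various timestamped counter signatures over the artifacts signature.
+      # Currently only RFC3161 signatures are provided. More formats may be added
+      # in the future.
+      class TimestampVerificationData
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.bundle.v1.TimestampVerificationData"
+
+        # A list of RFC3161 signed timestamps provided by the user.
+        # This can be used when the entry has not been stored on a
+        # transparency log, or in conjunction for a stronger trust model.
+        # Clients MUST verify the hashed message in the message imprint
+        # against the signature in the bundle.
+        repeated(
+          1,
+          "rfc3161_timestamps",
+          type: :message,
+          message_type: "dev.sigstore.common.v1.RFC3161SignedTimestamp",
+          json_name: "rfc3161Timestamps"
+        )
+      end
+
+      # VerificationMaterial captures details on the materials used to verify
+      # signatures. This message may be embedded in a DSSE envelope as a signature
+      # extension. Specifically, the `ext` field of the extension will expect this
+      # message when the signature extension is for Sigstore. This is identified by
+      # the `kind` field in the extension, which must be set to
+      # application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
+      # When used as a DSSE extension, if the `public_key` field is used to indicate
+      # the key identifier, it MUST match the `keyid` field of the signature the
+      # extension is attached to.
+      class VerificationMaterial
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.bundle.v1.VerificationMaterial"
+
+        # The key material for verification purposes.
+        #
+        # This allows key material to be conveyed in one of three forms:
+        #
+        # 1. An unspecified public key identifier, for retrieving a key
+        # from an out-of-band mechanism (such as a keyring);
+        #
+        # 2. A sequence of one or more X.509 certificates, of which the first member
+        # MUST be a leaf certificate conveying the signing key. Subsequent members
+        # SHOULD be in issuing order, meaning that `n + 1` should be an issuer for `n`.
+        #
+        # Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT
+        # include intermediate CA certificates that appear in an independent root of trust
+        # (such as the Public Good Instance's trusted root).
+        #
+        # Verifiers MUST validate the chain carefully to ensure that it chains up
+        # to a CA certificate that they independently trust. Verifiers SHOULD
+        # handle old or non-complying bundles that have superfluous intermediate and/or
+        # root CA certificates by either ignoring them or explicitly considering them
+        # untrusted for the purposes of chain building.
+        #
+        # 3. A single X.509 certificate, which MUST be a leaf certificate conveying
+        # the signing key.
+        #
+        # When used with the Public Good Instance (PGI) of Sigstore for "keyless" signing
+        # via Fulcio, form (1) MUST NOT be used, regardless of bundle version. Form (1)
+        # MAY be used with the PGI for self-managed keys.
+        #
+        # When used in a `0.1` or `0.2` bundle with the PGI and "keyless" signing,
+        # form (2) MUST be used.
+        #
+        # When used in a `0.3` bundle with the PGI and "keyless" signing,
+        # form (3) MUST be used.
+
+        optional(
+          1,
+          "public_key",
+          type: :message,
+          message_type: "dev.sigstore.common.v1.PublicKeyIdentifier",
+          json_name: "publicKey",
+          oneof: :content,
+          proto3_optional: false
+        )
+        optional(
+          2,
+          "x509_certificate_chain",
+          type: :message,
+          message_type: "dev.sigstore.common.v1.X509CertificateChain",
+          json_name: "x509CertificateChain",
+          oneof: :content,
+          proto3_optional: false
+        )
+        optional(
+          5,
+          "certificate",
+          type: :message,
+          message_type: "dev.sigstore.common.v1.X509Certificate",
+          oneof: :content,
+          proto3_optional: false
+        )
+        # An inclusion proof and an optional signed timestamp from the log.
+        # Client verification libraries MAY provide an option to support v0.1
+        # bundles for backwards compatibility, which may contain an inclusion
+        # promise and not an inclusion proof. In this case, the client MUST
+        # validate the promise.
+        # Verifiers SHOULD NOT allow v0.1 bundles if they're used in an
+        # ecosystem which never produced them.
+        repeated(
+          3,
+          "tlog_entries",
+          type: :message,
+          message_type: "dev.sigstore.rekor.v1.TransparencyLogEntry",
+          json_name: "tlogEntries"
+        )
+        # Timestamp may also come from
+        # tlog_entries.inclusion_promise.signed_entry_timestamp.
+        optional(
+          4,
+          "timestamp_verification_data",
+          type: :message,
+          message_type: "dev.sigstore.bundle.v1.TimestampVerificationData",
+          json_name: "timestampVerificationData",
+          proto3_optional: false
+        )
+      end
+
+      class Bundle
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.bundle.v1.Bundle"
+
+        # MUST be application/vnd.dev.sigstore.bundle.v0.3+json when
+        # when encoded as JSON.
+        # Clients must to be able to accept media type using the previously
+        # defined formats:
+        # * application/vnd.dev.sigstore.bundle+json;version=0.1
+        # * application/vnd.dev.sigstore.bundle+json;version=0.2
+        # * application/vnd.dev.sigstore.bundle+json;version=0.3
+        optional(
+          1,
+          "media_type",
+          type: :string,
+          json_name: "mediaType",
+          proto3_optional: false
+        )
+        # When a signer is identified by a X.509 certificate, a verifier MUST
+        # verify that the signature was computed at the time the certificate
+        # was valid as described in the Sigstore client spec: "Verification
+        # using a Bundle".
+        # <https://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln>
+        # If the verification material contains a public key identifier
+        # (key hint) and the `content` is a DSSE envelope, the key hints
+        # MUST be exactly the same in the verification material and in the
+        # DSSE envelope.
+        optional(
+          2,
+          "verification_material",
+          type: :message,
+          message_type: "dev.sigstore.bundle.v1.VerificationMaterial",
+          json_name: "verificationMaterial",
+          proto3_optional: false
+        )
+        optional(
+          3,
+          "message_signature",
+          type: :message,
+          message_type: "dev.sigstore.common.v1.MessageSignature",
+          json_name: "messageSignature",
+          oneof: :content,
+          proto3_optional: false
+        )
+        # A DSSE envelope can contain arbitrary payloads.
+        # Verifiers must verify that the payload type is a
+        # supported and expected type. This is part of the DSSE
+        # protocol which is defined here:
+        # <https://github.com/secure-systems-lab/dsse/blob/master/protocol.md>
+        optional(
+          4,
+          "dsse_envelope",
+          type: :message,
+          message_type: "io.intoto.Envelope",
+          json_name: "dsseEnvelope",
+          oneof: :content,
+          proto3_optional: false
+        )
+
+        # Reserved for future additions of artifact types.
+        reserved_range(5...51)
+      end
+
+      def self.register_sigstore_bundle_protos(registry)
+        Google::Api.register_field_behavior_protos(registry)
+        Sigstore::DSSE.register_envelope_protos(registry)
+        Sigstore::Common::V1.register_sigstore_common_protos(registry)
+        Sigstore::Rekor::V1.register_sigstore_rekor_protos(registry)
+        registry.register(Sigstore::Bundle::V1::TimestampVerificationData)
+        registry.register(Sigstore::Bundle::V1::VerificationMaterial)
+        registry.register(Sigstore::Bundle::V1::Bundle)
+      end
+    end
+  end
+end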