diff --git a/dev-requirements.txt b/dev-requirements.txt index ea42dd52..03c1d85b 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -1 +1 @@ -betterproto[compiler]==2.0.0b6 +betterproto[compiler]==2.0.0b7 diff --git a/gen/pb-python/pyproject.toml b/gen/pb-python/pyproject.toml index 67ada5ae..1e9496ae 100644 --- a/gen/pb-python/pyproject.toml +++ b/gen/pb-python/pyproject.toml @@ -25,7 +25,7 @@ classifiers = [ "Topic :: Security", "Topic :: Security :: Cryptography", ] -dependencies = ["betterproto==2.0.0b6"] +dependencies = ["betterproto==2.0.0b7"] requires-python = ">=3.8" [project.urls] diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py index 8cae55c2..e08307fb 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py @@ -17,18 +17,19 @@ class TimestampVerificationData(betterproto.Message): """ Various timestamped counter signatures over the artifacts signature. - Currently only RFC3161 signatures are provided. More formats may be added - in the future. + Currently only RFC3161 signatures are provided. More formats may be added + in the future. """ rfc3161_timestamps: List["__common_v1__.Rfc3161SignedTimestamp"] = ( betterproto.message_field(1) ) """ - A list of RFC3161 signed timestamps provided by the user. This can be used - when the entry has not been stored on a transparency log, or in conjunction - for a stronger trust model. Clients MUST verify the hashed message in the - message imprint against the signature in the bundle. + A list of RFC3161 signed timestamps provided by the user. + This can be used when the entry has not been stored on a + transparency log, or in conjunction for a stronger trust model. + Clients MUST verify the hashed message in the message imprint + against the signature in the bundle. """ @@ -36,14 +37,14 @@ class TimestampVerificationData(betterproto.Message): class VerificationMaterial(betterproto.Message): """ VerificationMaterial captures details on the materials used to verify - signatures. This message may be embedded in a DSSE envelope as a signature - extension. Specifically, the `ext` field of the extension will expect this - message when the signature extension is for Sigstore. This is identified by - the `kind` field in the extension, which must be set to - application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. - When used as a DSSE extension, if the `public_key` field is used to - indicate the key identifier, it MUST match the `keyid` field of the - signature the extension is attached to. + signatures. This message may be embedded in a DSSE envelope as a signature + extension. Specifically, the `ext` field of the extension will expect this + message when the signature extension is for Sigstore. This is identified by + the `kind` field in the extension, which must be set to + application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. + When used as a DSSE extension, if the `public_key` field is used to indicate + the key identifier, it MUST match the `keyid` field of the signature the + extension is attached to. """ public_key: "__common_v1__.PublicKeyIdentifier" = betterproto.message_field( @@ -59,12 +60,13 @@ class VerificationMaterial(betterproto.Message): 3 ) """ - An inclusion proof and an optional signed timestamp from the log. Client - verification libraries MAY provide an option to support v0.1 bundles for - backwards compatibility, which may contain an inclusion promise and not an - inclusion proof. In this case, the client MUST validate the promise. - Verifiers SHOULD NOT allow v0.1 bundles if they're used in an ecosystem - which never produced them. + An inclusion proof and an optional signed timestamp from the log. + Client verification libraries MAY provide an option to support v0.1 + bundles for backwards compatibility, which may contain an inclusion + promise and not an inclusion proof. In this case, the client MUST + validate the promise. + Verifiers SHOULD NOT allow v0.1 bundles if they're used in an + ecosystem which never produced them. """ timestamp_verification_data: "TimestampVerificationData" = ( @@ -72,7 +74,7 @@ class VerificationMaterial(betterproto.Message): ) """ Timestamp may also come from - tlog_entries.inclusion_promise.signed_entry_timestamp. + tlog_entries.inclusion_promise.signed_entry_timestamp. """ @@ -80,23 +82,26 @@ class VerificationMaterial(betterproto.Message): class Bundle(betterproto.Message): media_type: str = betterproto.string_field(1) """ - MUST be application/vnd.dev.sigstore.bundle.v0.3+json when when encoded as - JSON. Clients must to be able to accept media type using the previously - defined formats: * application/vnd.dev.sigstore.bundle+json;version=0.1 * - application/vnd.dev.sigstore.bundle+json;version=0.2 * - application/vnd.dev.sigstore.bundle+json;version=0.3 + MUST be application/vnd.dev.sigstore.bundle.v0.3+json when + when encoded as JSON. + Clients must to be able to accept media type using the previously + defined formats: + * application/vnd.dev.sigstore.bundle+json;version=0.1 + * application/vnd.dev.sigstore.bundle+json;version=0.2 + * application/vnd.dev.sigstore.bundle+json;version=0.3 """ verification_material: "VerificationMaterial" = betterproto.message_field(2) """ - When a signer is identified by a X.509 certificate, a verifier MUST verify - that the signature was computed at the time the certificate was valid as - described in the Sigstore client spec: "Verification using a Bundle". If the verification material contains a - public key identifier (key hint) and the `content` is a DSSE envelope, the - key hints MUST be exactly the same in the verification material and in the - DSSE envelope. + When a signer is identified by a X.509 certificate, a verifier MUST + verify that the signature was computed at the time the certificate + was valid as described in the Sigstore client spec: "Verification + using a Bundle". + + If the verification material contains a public key identifier + (key hint) and the `content` is a DSSE envelope, the key hints + MUST be exactly the same in the verification material and in the + DSSE envelope. """ message_signature: "__common_v1__.MessageSignature" = betterproto.message_field( @@ -106,14 +111,17 @@ class Bundle(betterproto.Message): 4, group="content" ) """ - A DSSE envelope can contain arbitrary payloads. Verifiers must verify that - the payload type is a supported and expected type. This is part of the DSSE - protocol which is defined here: DSSE envelopes in a bundle MUST have - exactly one signture. This is a limitation from the DSSE spec, as it can - contain multiple signatures. There are two primary reasons: 1. It simplfies - the verification logic and policy 2. The bundle (currently) can only - contain a single instance of the required verification materials During - verification a client MUST reject an envelope if the number of signatures - is not equal to one. + A DSSE envelope can contain arbitrary payloads. + Verifiers must verify that the payload type is a + supported and expected type. This is part of the DSSE + protocol which is defined here: + + DSSE envelopes in a bundle MUST have exactly one signture. + This is a limitation from the DSSE spec, as it can contain + multiple signatures. There are two primary reasons: + 1. It simplfies the verification logic and policy + 2. The bundle (currently) can only contain a single + instance of the required verification materials + During verification a client MUST reject an envelope if + the number of signatures is not equal to one. """ diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py index 75333527..70d14f2b 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py @@ -15,15 +15,16 @@ class HashAlgorithm(betterproto.Enum): """ - Only a subset of the secure hash standard algorithms are supported. See - for more - details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to - force any proto JSON serialization to emit the used hash algorithm, as - default option is to *omit* the default value of an enum (which is the - first value, represented by '0'. + Only a subset of the secure hash standard algorithms are supported. + See for more + details. + UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force + any proto JSON serialization to emit the used hash algorithm, as default + option is to *omit* the default value of an enum (which is the first + value, represented by '0'. """ - HASH_ALGORITHM_UNSPECIFIED = 0 + UNSPECIFIED = 0 SHA2_256 = 1 SHA2_384 = 2 SHA2_512 = 3 @@ -34,18 +35,24 @@ class HashAlgorithm(betterproto.Enum): class PublicKeyDetails(betterproto.Enum): """ Details of a specific public key, capturing the the key encoding method, - and signature algorithm. PublicKeyDetails captures the public key/hash - algorithm combinations recommended in the Sigstore ecosystem. This is - modelled as a linear set as we want to provide a small number of - opinionated options instead of allowing every possible permutation. Any - changes to this enum MUST be reflected in the algorithm registry. See: - docs/algorithm-registry.md To avoid the possibility of contradicting - formats such as PKCS1 with ED25519 the valid permutations are listed as a - linear set instead of a cartesian set (i.e one combined variable instead of - two, one for encoding and one for the signature algorithm). - """ - - PUBLIC_KEY_DETAILS_UNSPECIFIED = 0 + and signature algorithm. + + PublicKeyDetails captures the public key/hash algorithm combinations + recommended in the Sigstore ecosystem. + + This is modelled as a linear set as we want to provide a small number of + opinionated options instead of allowing every possible permutation. + + Any changes to this enum MUST be reflected in the algorithm registry. + See: docs/algorithm-registry.md + + To avoid the possibility of contradicting formats such as PKCS1 with + ED25519 the valid permutations are listed as a linear set instead of a + cartesian set (i.e one combined variable instead of two, one for encoding + and one for the signature algorithm). + """ + + UNSPECIFIED = 0 PKCS1_RSA_PKCS1V5 = 1 """RSA""" @@ -74,43 +81,48 @@ class PublicKeyDetails(betterproto.Enum): PKIX_ED25519_PH = 8 LMS_SHA256 = 14 """ - LMS and LM-OTS These keys and signatures may be used by private Sigstore - deployments, but are not currently supported by the public good instance. - USER WARNING: LMS and LM-OTS are both stateful signature schemes. Using - them correctly requires discretion and careful consideration to ensure that - individual secret keys are not used more than once. In addition, LM-OTS is - a single-use scheme, meaning that it MUST NOT be used for more than one - signature per LM-OTS key. If you cannot maintain these invariants, you MUST - NOT use these schemes. + LMS and LM-OTS + + These keys and signatures may be used by private Sigstore + deployments, but are not currently supported by the public + good instance. + + USER WARNING: LMS and LM-OTS are both stateful signature schemes. + Using them correctly requires discretion and careful consideration + to ensure that individual secret keys are not used more than once. + In addition, LM-OTS is a single-use scheme, meaning that it + MUST NOT be used for more than one signature per LM-OTS key. + If you cannot maintain these invariants, you MUST NOT use these + schemes. """ LMOTS_SHA256 = 15 class SubjectAlternativeNameType(betterproto.Enum): - SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED = 0 + UNSPECIFIED = 0 EMAIL = 1 URI = 2 OTHER_NAME = 3 """ - OID 1.3.6.1.4.1.57264.1.7 See - https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726417 - --othername-san for more details. + OID 1.3.6.1.4.1.57264.1.7 + See https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726417--othername-san + for more details. """ @dataclass(eq=False, repr=False) class HashOutput(betterproto.Message): """ - HashOutput captures a digest of a 'message' (generic octet sequence) and - the corresponding hash algorithm used. + HashOutput captures a digest of a 'message' (generic octet sequence) + and the corresponding hash algorithm used. """ algorithm: "HashAlgorithm" = betterproto.enum_field(1) digest: bytes = betterproto.bytes_field(2) """ - This is the raw octets of the message digest as computed by the hash - algorithm. + This is the raw octets of the message digest as computed by + the hash algorithm. """ @@ -120,20 +132,21 @@ class MessageSignature(betterproto.Message): message_digest: "HashOutput" = betterproto.message_field(1) """ - Message digest can be used to identify the artifact. Clients MUST NOT - attempt to use this digest to verify the associated signature; it is - intended solely for identification. + Message digest can be used to identify the artifact. + Clients MUST NOT attempt to use this digest to verify the associated + signature; it is intended solely for identification. """ signature: bytes = betterproto.bytes_field(2) """ - The raw bytes as returned from the signature algorithm. The signature - algorithm (and so the format of the signature bytes) are determined by the - contents of the 'verification_material', either a key-pair or a - certificate. If using a certificate, the certificate contains the required - information on the signature algorithm. When using a key pair, the - algorithm MUST be part of the public key, which MUST be communicated out- - of-band. + The raw bytes as returned from the signature algorithm. + The signature algorithm (and so the format of the signature bytes) + are determined by the contents of the 'verification_material', + either a key-pair or a certificate. If using a certificate, the + certificate contains the required information on the signature + algorithm. + When using a key pair, the algorithm MUST be part of the public + key, which MUST be communicated out-of-band. """ @@ -151,45 +164,44 @@ class Rfc3161SignedTimestamp(betterproto.Message): signed_timestamp: bytes = betterproto.bytes_field(1) """ - Signed timestamp is the DER encoded TimeStampResponse. See https://www.rfc- - editor.org/rfc/rfc3161.html#section-2.4.2 + Signed timestamp is the DER encoded TimeStampResponse. + See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2 """ @dataclass(eq=False, repr=False) class PublicKey(betterproto.Message): - raw_bytes: Optional[bytes] = betterproto.bytes_field( - 1, optional=True, group="_raw_bytes" - ) + raw_bytes: Optional[bytes] = betterproto.bytes_field(1, optional=True) """ - DER-encoded public key, encoding method is specified by the key_details - attribute. + DER-encoded public key, encoding method is specified by the + key_details attribute. """ key_details: "PublicKeyDetails" = betterproto.enum_field(2) """Key encoding and signature algorithm to use for this key.""" - valid_for: Optional["TimeRange"] = betterproto.message_field( - 3, optional=True, group="_valid_for" - ) + valid_for: Optional["TimeRange"] = betterproto.message_field(3, optional=True) """Optional validity period for this key, *inclusive* of the endpoints.""" @dataclass(eq=False, repr=False) class PublicKeyIdentifier(betterproto.Message): """ - PublicKeyIdentifier can be used to identify an (out of band) delivered key, - to verify a signature. + PublicKeyIdentifier can be used to identify an (out of band) delivered + key, to verify a signature. """ hint: str = betterproto.string_field(1) """ - Optional unauthenticated hint on which key to use. The format of the hint - must be agreed upon out of band by the signer and the verifiers, and so is - not subject to this specification. Example use-case is to specify the - public key to use, from a trusted key-ring. Implementors are RECOMMENDED to - derive the value from the public key as described in RFC 6962. See: - + Optional unauthenticated hint on which key to use. + The format of the hint must be agreed upon out of band by the + signer and the verifiers, and so is not subject to this + specification. + Example use-case is to specify the public key to use, from a + trusted key-ring. + Implementors are RECOMMENDED to derive the value from the public + key as described in RFC 6962. + See: """ @@ -224,7 +236,10 @@ class X509Certificate(betterproto.Message): class SubjectAlternativeName(betterproto.Message): type: "SubjectAlternativeNameType" = betterproto.enum_field(1) regexp: str = betterproto.string_field(2, group="identity") - """A regular expression describing the expected value for the SAN.""" + """ + A regular expression describing the expected value for + the SAN. + """ value: str = betterproto.string_field(3, group="identity") """The exact value to match against.""" @@ -233,27 +248,31 @@ class SubjectAlternativeName(betterproto.Message): @dataclass(eq=False, repr=False) class X509CertificateChain(betterproto.Message): """ - A collection of X.509 certificates. This "chain" can be used in multiple - contexts, such as providing a root CA certificate within a TUF root of - trust or multiple untrusted certificates for the purpose of chain building. + A collection of X.509 certificates. + + This "chain" can be used in multiple contexts, such as providing a root CA + certificate within a TUF root of trust or multiple untrusted certificates for + the purpose of chain building. """ certificates: List["X509Certificate"] = betterproto.message_field(1) """ - One or more DER-encoded certificates. In some contexts (such as - `VerificationMaterial.x509_certificate_chain`), this sequence has an - imposed order. Unless explicitly specified, there is otherwise no - guaranteed order. + One or more DER-encoded certificates. + + In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence + has an imposed order. Unless explicitly specified, there is otherwise no + guaranteed order. """ @dataclass(eq=False, repr=False) class TimeRange(betterproto.Message): """ - The time range is closed and includes both the start and end times, (i.e., - [start, end]). End is optional to be able to capture a period that has - started but has no known end. + The time range is closed and includes both the start and end times, + (i.e., [start, end]). + End is optional to be able to capture a period that has started but + has no known end. """ start: datetime = betterproto.message_field(1) - end: Optional[datetime] = betterproto.message_field(2, optional=True, group="_end") + end: Optional[datetime] = betterproto.message_field(2, optional=True) diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py index 927ed6f2..e8670943 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py @@ -17,8 +17,8 @@ class KindVersion(betterproto.Message): kind: str = betterproto.string_field(1) """ - Kind is the type of entry being stored in the log. See here for a list: - https://github.com/sigstore/rekor/tree/main/pkg/types + Kind is the type of entry being stored in the log. + See here for a list: https://github.com/sigstore/rekor/tree/main/pkg/types """ version: str = betterproto.string_field(2) @@ -29,16 +29,15 @@ class KindVersion(betterproto.Message): class Checkpoint(betterproto.Message): """ The checkpoint MUST contain an origin string as a unique log identifier, - the tree size, and the root hash. It MAY also be followed by optional data, - and clients MUST NOT assume optional data. The checkpoint MUST also contain - a signature over the root hash (tree head). The checkpoint MAY contain - additional signatures, but the first SHOULD be the signature from the log. - Checkpoint contents are concatenated with newlines into a single string. - The checkpoint format is described in https://github.com/transparency- - dev/formats/blob/main/log/README.md and - https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example - implementation can be found in - https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go + the tree size, and the root hash. It MAY also be followed by optional data, + and clients MUST NOT assume optional data. The checkpoint MUST also contain + a signature over the root hash (tree head). The checkpoint MAY contain additional + signatures, but the first SHOULD be the signature from the log. Checkpoint contents + are concatenated with newlines into a single string. + The checkpoint format is described in + https://github.com/transparency-dev/formats/blob/main/log/README.md + and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. + An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go """ envelope: str = betterproto.string_field(1) @@ -47,8 +46,8 @@ class Checkpoint(betterproto.Message): @dataclass(eq=False, repr=False) class InclusionProof(betterproto.Message): """ - InclusionProof is the proof returned from the transparency log. Can be used - for offline or online verification against the log. + InclusionProof is the proof returned from the transparency log. Can + be used for offline or online verification against the log. """ log_index: int = betterproto.int64_field(1) @@ -56,8 +55,8 @@ class InclusionProof(betterproto.Message): root_hash: bytes = betterproto.bytes_field(2) """ - The hash digest stored at the root of the merkle tree at the time the proof - was generated. + The hash digest stored at the root of the merkle tree at the time + the proof was generated. """ tree_size: int = betterproto.int64_field(3) @@ -65,16 +64,17 @@ class InclusionProof(betterproto.Message): hashes: List[bytes] = betterproto.bytes_field(4) """ - A list of hashes required to compute the inclusion proof, sorted in order - from leaf to root. Note that leaf and root hashes are not included. The - root hash is available separately in this message, and the leaf hash should - be calculated by the client. + A list of hashes required to compute the inclusion proof, sorted + in order from leaf to root. + Note that leaf and root hashes are not included. + The root hash is available separately in this message, and the + leaf hash should be calculated by the client. """ checkpoint: "Checkpoint" = betterproto.message_field(5) """ - Signature of the tree head, as of the time of this proof was generated. See - above info on 'Checkpoint' for more details. + Signature of the tree head, as of the time of this proof was + generated. See above info on 'Checkpoint' for more details. """ @@ -82,15 +82,15 @@ class InclusionProof(betterproto.Message): class InclusionPromise(betterproto.Message): """ The inclusion promise is calculated by Rekor. It's calculated as a - signature over a canonical JSON serialization of the persisted entry, the - log ID, log index and the integration timestamp. See https://github.com/sig - store/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.g - o#L54 The format of the signature depends on the transparency log's public - key. If the signature algorithm requires a hash function and/or a signature - scheme (e.g. RSA) those has to be retrieved out-of-band from the log's - operators, together with the public key. This is used to verify the - integration timestamp's value and that the log has promised to include the - entry. + signature over a canonical JSON serialization of the persisted entry, the + log ID, log index and the integration timestamp. + See https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.go#L54 + The format of the signature depends on the transparency log's public key. + If the signature algorithm requires a hash function and/or a signature + scheme (e.g. RSA) those has to be retrieved out-of-band from the log's + operators, together with the public key. + This is used to verify the integration timestamp's value and that the log + has promised to include the entry. """ signed_entry_timestamp: bytes = betterproto.bytes_field(1) @@ -100,13 +100,13 @@ class InclusionPromise(betterproto.Message): class TransparencyLogEntry(betterproto.Message): """ TransparencyLogEntry captures all the details required from Rekor to - reconstruct an entry, given that the payload is provided via other means. - This type can easily be created from the existing response from Rekor. - Future iterations could rely on Rekor returning the minimal set of - attributes (excluding the payload) that are required for verifying the - inclusion promise. The inclusion promise (called SignedEntryTimestamp in - the response from Rekor) is similar to a Signed Certificate Timestamp as - described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2. + reconstruct an entry, given that the payload is provided via other means. + This type can easily be created from the existing response from Rekor. + Future iterations could rely on Rekor returning the minimal set of + attributes (excluding the payload) that are required for verifying the + inclusion promise. The inclusion promise (called SignedEntryTimestamp in + the response from Rekor) is similar to a Signed Certificate Timestamp + as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2. """ log_index: int = betterproto.int64_field(1) @@ -117,8 +117,9 @@ class TransparencyLogEntry(betterproto.Message): kind_version: "KindVersion" = betterproto.message_field(3) """ - The kind (type) and version of the object associated with this entry. These - values are required to construct the entry during verification. + The kind (type) and version of the object associated with this + entry. These values are required to construct the entry during + verification. """ integrated_time: int = betterproto.int64_field(4) @@ -126,33 +127,40 @@ class TransparencyLogEntry(betterproto.Message): inclusion_promise: "InclusionPromise" = betterproto.message_field(5) """ - The inclusion promise/signed entry timestamp from the log. Required for - v0.1 bundles, and MUST be verified. Optional for >= v0.2 bundles if another - suitable source of time is present (such as another source of signed time, - or the current system time for long-lived certificates). MUST be verified - if no other suitable source of time is present, and SHOULD be verified - otherwise. + The inclusion promise/signed entry timestamp from the log. + Required for v0.1 bundles, and MUST be verified. + Optional for >= v0.2 bundles if another suitable source of + time is present (such as another source of signed time, + or the current system time for long-lived certificates). + MUST be verified if no other suitable source of time is present, + and SHOULD be verified otherwise. """ inclusion_proof: "InclusionProof" = betterproto.message_field(6) """ - The inclusion proof can be used for offline or online verification that the - entry was appended to the log, and that the log has not been altered. + The inclusion proof can be used for offline or online verification + that the entry was appended to the log, and that the log has not been + altered. """ canonicalized_body: bytes = betterproto.bytes_field(7) """ - Optional. The canonicalized transparency log entry, used to reconstruct the - Signed Entry Timestamp (SET) during verification. The contents of this - field are the same as the `body` field in a Rekor response, meaning that it - does **not** include the "full" canonicalized form (of log index, ID, etc.) - which are exposed as separate fields. The verifier is responsible for - combining the `canonicalized_body`, `log_index`, `log_id`, and - `integrated_time` into the payload that the SET's signature is generated - over. This field is intended to be used in cases where the SET cannot be - produced determinisitically (e.g. inconsistent JSON field ordering, - differing whitespace, etc). If set, clients MUST verify that the signature - referenced in the `canonicalized_body` matches the signature provided in - the `Bundle.content`. If not set, clients are responsible for constructing - an equivalent payload from other sources to verify the signature. + Optional. The canonicalized transparency log entry, used to + reconstruct the Signed Entry Timestamp (SET) during verification. + The contents of this field are the same as the `body` field in + a Rekor response, meaning that it does **not** include the "full" + canonicalized form (of log index, ID, etc.) which are + exposed as separate fields. The verifier is responsible for + combining the `canonicalized_body`, `log_index`, `log_id`, + and `integrated_time` into the payload that the SET's signature + is generated over. + This field is intended to be used in cases where the SET cannot be + produced determinisitically (e.g. inconsistent JSON field ordering, + differing whitespace, etc). + + If set, clients MUST verify that the signature referenced in the + `canonicalized_body` matches the signature provided in the + `Bundle.content`. + If not set, clients are responsible for constructing an equivalent + payload from other sources to verify the signature. """ diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py index 00f73142..4337b19e 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py @@ -15,9 +15,11 @@ class TransparencyLogInstance(betterproto.Message): """ TransparencyLogInstance describes the immutable parameters from a - transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log- - parameters for more details. The included parameters are the minimal set - required to identify a log, and verify an inclusion proof/promise. + transparency log. + See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters + for more details. + The included parameters are the minimal set required to identify a log, + and verify an inclusion proof/promise. """ base_url: str = betterproto.string_field(1) @@ -28,107 +30,123 @@ class TransparencyLogInstance(betterproto.Message): public_key: "__common_v1__.PublicKey" = betterproto.message_field(3) """ - The public key used to verify signatures generated by the log. This - attribute contains the signature algorithm used by the log. + The public key used to verify signatures generated by the log. + This attribute contains the signature algorithm used by the log. """ log_id: "__common_v1__.LogId" = betterproto.message_field(4) """ - The unique identifier for this transparency log. Represented as the SHA-256 - hash of the log's public key, calculated over the DER encoding of the key - represented as SubjectPublicKeyInfo. See https://www.rfc- - editor.org/rfc/rfc6962#section-3.2 + The unique identifier for this transparency log. + Represented as the SHA-256 hash of the log's public key, + calculated over the DER encoding of the key represented as + SubjectPublicKeyInfo. + See https://www.rfc-editor.org/rfc/rfc6962#section-3.2 """ checkpoint_key_id: "__common_v1__.LogId" = betterproto.message_field(5) """ - The checkpoint key identifier for the log used in a checkpoint. Optional, - not provided for logs that do not generate checkpoints. For logs that do - generate checkpoints, if not set, assume log_id equals checkpoint_key_id. - Follows the specification described here for ECDSA and Ed25519 signatures: - https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA - signatures, the key ID will match the ECDSA format, the hashed DER-encoded - SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed - checkpoints, since witnesses do not support RSA signatures. This is - provided for convenience. Clients can also calculate the checkpoint key ID - given the log's public key. SHOULD be set for logs generating Ed25519 - signatures. SHOULD be 4 bytes long, as a truncated hash. + The checkpoint key identifier for the log used in a checkpoint. + Optional, not provided for logs that do not generate checkpoints. + For logs that do generate checkpoints, if not set, assume + log_id equals checkpoint_key_id. + Follows the specification described here + for ECDSA and Ed25519 signatures: + https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures + For RSA signatures, the key ID will match the ECDSA format, the + hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT + use RSA-signed checkpoints, since witnesses do not support + RSA signatures. + This is provided for convenience. Clients can also calculate the + checkpoint key ID given the log's public key. + SHOULD be set for logs generating Ed25519 signatures. + SHOULD be 4 bytes long, as a truncated hash. """ @dataclass(eq=False, repr=False) class CertificateAuthority(betterproto.Message): """ - CertificateAuthority enlists the information required to identify which CA - to use and perform signature verification. + CertificateAuthority enlists the information required to identify which + CA to use and perform signature verification. """ subject: "__common_v1__.DistinguishedName" = betterproto.message_field(1) """ - The root certificate MUST be self-signed, and so the subject and issuer are - the same. + The root certificate MUST be self-signed, and so the subject and + issuer are the same. """ uri: str = betterproto.string_field(2) """ - The URI identifies the certificate authority. It is RECOMMENDED that the - URI is the base URL for the certificate authority, that can be provided to - any SDK/client provided by the certificate authority to interact with the - certificate authority. + The URI identifies the certificate authority. + + It is RECOMMENDED that the URI is the base URL for the certificate + authority, that can be provided to any SDK/client provided + by the certificate authority to interact with the certificate + authority. """ cert_chain: "__common_v1__.X509CertificateChain" = betterproto.message_field(3) """ - The certificate chain for this CA. The last certificate in the chain MUST - be the trust anchor. The trust anchor MAY be a self-signed root CA - certificate or MAY be an intermediate CA certificate. + The certificate chain for this CA. The last certificate in the chain + MUST be the trust anchor. The trust anchor MAY be a self-signed root + CA certificate or MAY be an intermediate CA certificate. """ valid_for: "__common_v1__.TimeRange" = betterproto.message_field(4) """ - The time the *entire* chain was valid. This is at max the longest interval - when *all* certificates in the chain were valid, but it MAY be shorter. - Clients MUST check timestamps against *both* the `valid_for` time range - *and* the entire certificate chain. The TimeRange should be considered - valid *inclusive* of the endpoints. + The time the *entire* chain was valid. This is at max the + longest interval when *all* certificates in the chain were valid, + but it MAY be shorter. Clients MUST check timestamps against *both* + the `valid_for` time range *and* the entire certificate chain. + + The TimeRange should be considered valid *inclusive* of the + endpoints. """ @dataclass(eq=False, repr=False) class TrustedRoot(betterproto.Message): """ - TrustedRoot describes the client's complete set of trusted entities. How - the TrustedRoot is populated is not specified, but can be a combination of - many sources such as TUF repositories, files on disk etc. The TrustedRoot - is not meant to be used for any artifact verification, only to capture the - complete/global set of trusted verification materials. When verifying an - artifact, based on the artifact and policies, a selection of - keys/authorities are expected to be extracted and provided to the - verification function. This way the set of keys/authorities can be kept to - a minimal set by the policy to gain better control over what signatures - that are allowed. The embedded transparency logs, CT logs, CAs and TSAs - MUST include any previously used instance -- otherwise signatures made in - the past cannot be verified. All the listed instances SHOULD be sorted by - the 'valid_for' in ascending order, that is, the oldest instance first. - Only the last instance is allowed to have their 'end' timestamp unset. All - previous instances MUST have a closed interval of validity. The last - instance MAY have a closed interval. Clients MUST accept instances that - overlaps in time, if not clients may experience problems during rotations - of verification materials. To be able to manage planned rotations of either - transparency logs or certificate authorities, clienst MUST accept lists of - instances where the last instance have a 'valid_for' that belongs to the - future. This should not be a problem as clients SHOULD first seek the trust - root for a suitable instance before creating a per artifact trust root - (that is, a sub-set of the complete trust root) that is used for - verification. + TrustedRoot describes the client's complete set of trusted entities. + How the TrustedRoot is populated is not specified, but can be a + combination of many sources such as TUF repositories, files on disk etc. + + The TrustedRoot is not meant to be used for any artifact verification, only + to capture the complete/global set of trusted verification materials. + When verifying an artifact, based on the artifact and policies, a selection + of keys/authorities are expected to be extracted and provided to the + verification function. This way the set of keys/authorities can be kept to + a minimal set by the policy to gain better control over what signatures + that are allowed. + + The embedded transparency logs, CT logs, CAs and TSAs MUST include any + previously used instance -- otherwise signatures made in the past cannot + be verified. + + All the listed instances SHOULD be sorted by the 'valid_for' in ascending + order, that is, the oldest instance first. Only the last instance is + allowed to have their 'end' timestamp unset. All previous instances MUST + have a closed interval of validity. The last instance MAY have a closed + interval. Clients MUST accept instances that overlaps in time, if not + clients may experience problems during rotations of verification + materials. + + To be able to manage planned rotations of either transparency logs or + certificate authorities, clienst MUST accept lists of instances where + the last instance have a 'valid_for' that belongs to the future. + This should not be a problem as clients SHOULD first seek the trust root + for a suitable instance before creating a per artifact trust root (that + is, a sub-set of the complete trust root) that is used for verification. """ media_type: str = betterproto.string_field(1) """ - MUST be application/vnd.dev.sigstore.trustedroot.v0.1+json when encoded as - JSON. Clients MUST be able to process and parse content with the media type - defined in the old format: - application/vnd.dev.sigstore.trustedroot+json;version=0.1 + MUST be application/vnd.dev.sigstore.trustedroot.v0.1+json + when encoded as JSON. + Clients MUST be able to process and parse content with the media + type defined in the old format: + application/vnd.dev.sigstore.trustedroot+json;version=0.1 """ tlogs: List["TransparencyLogInstance"] = betterproto.message_field(2) @@ -136,12 +154,14 @@ class TrustedRoot(betterproto.Message): certificate_authorities: List["CertificateAuthority"] = betterproto.message_field(3) """ - A set of trusted certificate authorities (e.g Fulcio), and any intermediate - certificates they provide. If a CA is issuing multiple intermediate - certificate, each combination shall be represented as separate chain. I.e, - a single root cert may appear in multiple chains but with different - intermediate and/or leaf certificates. The certificates are intended to be - used for verifying artifact signatures. + A set of trusted certificate authorities (e.g Fulcio), and any + intermediate certificates they provide. + If a CA is issuing multiple intermediate certificate, each + combination shall be represented as separate chain. I.e, a single + root cert may appear in multiple chains but with different + intermediate and/or leaf certificates. + The certificates are intended to be used for verifying artifact + signatures. """ ctlogs: List["TransparencyLogInstance"] = betterproto.message_field(4) @@ -155,8 +175,8 @@ class TrustedRoot(betterproto.Message): class SigningConfig(betterproto.Message): """ SigningConfig represents the trusted entities/state needed by Sigstore - signing. In particular, it primarily contains service URLs that a Sigstore - signer may need to connect to for the online aspects of signing. + signing. In particular, it primarily contains service URLs that a Sigstore + signer may need to connect to for the online aspects of signing. """ media_type: str = betterproto.string_field(5) @@ -164,43 +184,49 @@ class SigningConfig(betterproto.Message): ca_url: str = betterproto.string_field(1) """ - A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing - Requests (CSRs) and responding with issued certificates. This URL **MUST** - be the "base" URL for the CA, which clients should construct an appropriate - CSR endpoint on top of. For example, if `ca_url` is - `https://example.com/ca`, then the client **MAY** construct the CSR - endpoint as `https://example.com/ca/api/v2/signingCert`. + A URL to a Fulcio-compatible CA, capable of receiving + Certificate Signing Requests (CSRs) and responding with + issued certificates. + + This URL **MUST** be the "base" URL for the CA, which clients + should construct an appropriate CSR endpoint on top of. + For example, if `ca_url` is `https://example.com/ca`, then + the client **MAY** construct the CSR endpoint as + `https://example.com/ca/api/v2/signingCert`. """ oidc_url: str = betterproto.string_field(2) """ - A URL to an OpenID Connect identity provider. This URL **MUST** be the - "base" URL for the OIDC IdP, which clients should perform well-known OpenID - Connect discovery against. + A URL to an OpenID Connect identity provider. + + This URL **MUST** be the "base" URL for the OIDC IdP, which clients + should perform well-known OpenID Connect discovery against. """ tlog_urls: List[str] = betterproto.string_field(3) """ - One or more URLs to Rekor-compatible transparency log. Each URL **MUST** be - the "base" URL for the transparency log, which clients should construct - appropriate API endpoints on top of. + One or more URLs to Rekor-compatible transparency log. + + Each URL **MUST** be the "base" URL for the transparency log, + which clients should construct appropriate API endpoints on top of. """ tsa_urls: List[str] = betterproto.string_field(4) """ - One ore more URLs to RFC 3161 Time Stamping Authority (TSA). Each URL - **MUST** be the **full** URL for the TSA, meaning that it should be - suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC - 3161. + One ore more URLs to RFC 3161 Time Stamping Authority (TSA). + + Each URL **MUST** be the **full** URL for the TSA, meaning that it + should be suitable for submitting Time Stamp Requests (TSRs) to + via HTTP, per RFC 3161. """ @dataclass(eq=False, repr=False) class ClientTrustConfig(betterproto.Message): """ - ClientTrustConfig describes the complete state needed by a client to - perform both signing and verification operations against a particular - instance of Sigstore. + ClientTrustConfig describes the complete state needed by a client + to perform both signing and verification operations against a particular + instance of Sigstore. """ media_type: str = betterproto.string_field(1) diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py index bd5624b4..296c7f04 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py @@ -26,9 +26,9 @@ class CertificateIdentity(betterproto.Message): san: "__common_v1__.SubjectAlternativeName" = betterproto.message_field(2) oids: List["__common_v1__.ObjectIdentifierValuePair"] = betterproto.message_field(3) """ - An unordered list of OIDs that must be verified. All OID/values provided in - this list MUST exactly match against the values in the certificate for - verification to be successful. + An unordered list of OIDs that must be verified. + All OID/values provided in this list MUST exactly match against + the values in the certificate for verification to be successful. """ @@ -46,7 +46,7 @@ class PublicKeyIdentities(betterproto.Message): class ArtifactVerificationOptions(betterproto.Message): """ A light-weight set of options/policies for identifying trusted signers, - used during verification of a single artifact. + used during verification of a single artifact. """ certificate_identities: "CertificateIdentities" = betterproto.message_field( @@ -54,54 +54,66 @@ class ArtifactVerificationOptions(betterproto.Message): ) public_keys: "PublicKeyIdentities" = betterproto.message_field(2, group="signers") """ - To simplify verification implementation, the logic for bundle verification - should be implemented as a higher-order function, where one of argument - should be an interface over the set of trusted public keys, like this: - `Verify(bytes artifact, bytes signature, string key_id)`. This way the - caller is in full control of mapping the identified (or hinted) key in the - bundle to one of the trusted keys, as this process is inherently - application specific. + To simplify verification implementation, the logic for + bundle verification should be implemented as a + higher-order function, where one of argument should be an + interface over the set of trusted public keys, like this: + `Verify(bytes artifact, bytes signature, string key_id)`. + This way the caller is in full control of mapping the + identified (or hinted) key in the bundle to one of the + trusted keys, as this process is inherently application + specific. """ tlog_options: Optional["ArtifactVerificationOptionsTlogOptions"] = ( - betterproto.message_field(3, optional=True, group="_tlog_options") + betterproto.message_field(3, optional=True) ) """ - Optional options for artifact transparency log verification. If none is - provided, the default verification options are: Threshold: 1 Online - verification: false Disable: false + Optional options for artifact transparency log verification. + If none is provided, the default verification options are: + Threshold: 1 + Online verification: false + Disable: false """ ctlog_options: Optional["ArtifactVerificationOptionsCtlogOptions"] = ( - betterproto.message_field(4, optional=True, group="_ctlog_options") + betterproto.message_field(4, optional=True) ) """ - Optional options for certificate transparency log verification. If none is - provided, the default verification options are: Threshold: 1 Disable: false + Optional options for certificate transparency log verification. + If none is provided, the default verification options are: + Threshold: 1 + Disable: false """ tsa_options: Optional["ArtifactVerificationOptionsTimestampAuthorityOptions"] = ( - betterproto.message_field(5, optional=True, group="_tsa_options") + betterproto.message_field(5, optional=True) ) """ - Optional options for certificate signed timestamp verification. If none is - provided, the default verification options are: Threshold: 0 Disable: true + Optional options for certificate signed timestamp verification. + If none is provided, the default verification options are: + Threshold: 0 + Disable: true """ integrated_ts_options: Optional[ "ArtifactVerificationOptionsTlogIntegratedTimestampOptions" - ] = betterproto.message_field(6, optional=True, group="_integrated_ts_options") + ] = betterproto.message_field(6, optional=True) """ - Optional options for integrated timestamp verification. If none is - provided, the default verification options are: Threshold: 0 Disable: true + Optional options for integrated timestamp verification. + If none is provided, the default verification options are: + Threshold: 0 + Disable: true """ observer_options: Optional[ "ArtifactVerificationOptionsObserverTimestampOptions" - ] = betterproto.message_field(7, optional=True, group="_observer_options") + ] = betterproto.message_field(7, optional=True) """ - Optional options for observed timestamp verification. If none is provided, - the default verification options are: Threshold 1 Disable: false + Optional options for observed timestamp verification. + If none is provided, the default verification options are: + Threshold 1 + Disable: false """ @@ -120,7 +132,10 @@ class ArtifactVerificationOptionsTlogOptions(betterproto.Message): @dataclass(eq=False, repr=False) class ArtifactVerificationOptionsCtlogOptions(betterproto.Message): threshold: int = betterproto.int32_field(1) - """The number of ct transparency logs the certificate must appear on.""" + """ + The number of ct transparency logs the certificate must + appear on. + """ disable: bool = betterproto.bool_field(3) """Disable ct transparency log verification""" @@ -148,9 +163,11 @@ class ArtifactVerificationOptionsTlogIntegratedTimestampOptions(betterproto.Mess class ArtifactVerificationOptionsObserverTimestampOptions(betterproto.Message): threshold: int = betterproto.int32_field(1) """ - The number of external observers of the timestamp. This is a union of - RFC3161 signed timestamps, and integrated timestamps from a transparency - log, that could include additional timestamp sources in the future. + The number of external observers of the timestamp. + This is a union of RFC3161 signed timestamps, and + integrated timestamps from a transparency log, that + could include additional timestamp sources in the + future. """ disable: bool = betterproto.bool_field(2) @@ -170,27 +187,27 @@ class Artifact(betterproto.Message): class Input(betterproto.Message): """ Input captures all that is needed to call the bundle verification method, - to verify a single artifact referenced by the bundle. + to verify a single artifact referenced by the bundle. """ artifact_trust_root: "__trustroot_v1__.TrustedRoot" = betterproto.message_field(1) """ - The verification materials provided during a bundle verification. The - running process is usually preloaded with a "global" - dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to verifying an - artifact (i.e a bundle), and/or based on current policy, some selection is - expected to happen, to filter out the exact certificate authority to use, - which transparency logs are relevant etc. The result should b ecaptured in - the `artifact_trust_root`. + The verification materials provided during a bundle verification. + The running process is usually preloaded with a "global" + dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to + verifying an artifact (i.e a bundle), and/or based on current + policy, some selection is expected to happen, to filter out the + exact certificate authority to use, which transparency logs are + relevant etc. The result should b ecaptured in the + `artifact_trust_root`. """ artifact_verification_options: "ArtifactVerificationOptions" = ( betterproto.message_field(2) ) bundle: "__bundle_v1__.Bundle" = betterproto.message_field(3) - artifact: Optional["Artifact"] = betterproto.message_field( - 4, optional=True, group="_artifact" - ) + artifact: Optional["Artifact"] = betterproto.message_field(4, optional=True) """ - If the bundle contains a message signature, the artifact must be provided. + If the bundle contains a message signature, the artifact must be + provided. """ diff --git a/gen/pb-python/sigstore_protobuf_specs/google/api/__init__.py b/gen/pb-python/sigstore_protobuf_specs/google/api/__init__.py index 9933e9e0..b97fbf18 100644 --- a/gen/pb-python/sigstore_protobuf_specs/google/api/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/google/api/__init__.py @@ -10,53 +10,57 @@ class FieldBehavior(betterproto.Enum): """ - An indicator of the behavior of a given field (for example, that a field is - required in requests, or given as output but ignored as input). This **does - not** change the behavior in protocol buffers itself; it only denotes the - behavior and may affect how API tooling handles the field. Note: This enum - **may** receive new values in the future. + An indicator of the behavior of a given field (for example, that a field + is required in requests, or given as output but ignored as input). + This **does not** change the behavior in protocol buffers itself; it only + denotes the behavior and may affect how API tooling handles the field. + + Note: This enum **may** receive new values in the future. """ - FIELD_BEHAVIOR_UNSPECIFIED = 0 + UNSPECIFIED = 0 """Conventional default for enums. Do not use this.""" OPTIONAL = 1 """ - Specifically denotes a field as optional. While all fields in protocol - buffers are optional, this may be specified for emphasis if appropriate. + Specifically denotes a field as optional. + While all fields in protocol buffers are optional, this may be specified + for emphasis if appropriate. """ REQUIRED = 2 """ - Denotes a field as required. This indicates that the field **must** be - provided as part of the request, and failure to do so will cause an error - (usually `INVALID_ARGUMENT`). + Denotes a field as required. + This indicates that the field **must** be provided as part of the request, + and failure to do so will cause an error (usually `INVALID_ARGUMENT`). """ OUTPUT_ONLY = 3 """ - Denotes a field as output only. This indicates that the field is provided - in responses, but including the field in a request does nothing (the server - *must* ignore it and *must not* throw an error as a result of the field's - presence). + Denotes a field as output only. + This indicates that the field is provided in responses, but including the + field in a request does nothing (the server *must* ignore it and + *must not* throw an error as a result of the field's presence). """ INPUT_ONLY = 4 """ - Denotes a field as input only. This indicates that the field is provided in - requests, and the corresponding field is not included in output. + Denotes a field as input only. + This indicates that the field is provided in requests, and the + corresponding field is not included in output. """ IMMUTABLE = 5 """ - Denotes a field as immutable. This indicates that the field may be set once - in a request to create a resource, but may not be changed thereafter. + Denotes a field as immutable. + This indicates that the field may be set once in a request to create a + resource, but may not be changed thereafter. """ UNORDERED_LIST = 6 """ - Denotes that a (repeated) field is an unordered list. This indicates that - the service may provide the elements of the list in any arbitrary order, - rather than the order the user originally provided. Additionally, the - list's order may or may not be stable. + Denotes that a (repeated) field is an unordered list. + This indicates that the service may provide the elements of the list + in any arbitrary order, rather than the order the user originally + provided. Additionally, the list's order may or may not be stable. """ diff --git a/gen/pb-python/sigstore_protobuf_specs/io/intoto/__init__.py b/gen/pb-python/sigstore_protobuf_specs/io/intoto/__init__.py index 67898b38..eba60a6b 100644 --- a/gen/pb-python/sigstore_protobuf_specs/io/intoto/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/io/intoto/__init__.py @@ -15,29 +15,40 @@ class Envelope(betterproto.Message): payload: bytes = betterproto.bytes_field(1) """ - Message to be signed. (In JSON, this is encoded as base64.) REQUIRED. + Message to be signed. (In JSON, this is encoded as base64.) + REQUIRED. """ payload_type: str = betterproto.string_field(2) - """String unambiguously identifying how to interpret payload. REQUIRED.""" + """ + String unambiguously identifying how to interpret payload. + REQUIRED. + """ signatures: List["Signature"] = betterproto.message_field(3) """ - Signature over: PAE(type, payload) Where PAE is defined as: PAE(type, - payload) = "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + - payload + = concatenation SP = ASCII space - [0x20] "DSSEv1" = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31] LEN(s) - = ASCII decimal encoding of the byte length of s, with no leading zeros - REQUIRED (length >= 1). + Signature over: + PAE(type, payload) + Where PAE is defined as: + PAE(type, payload) = "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload + + = concatenation + SP = ASCII space [0x20] + "DSSEv1" = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31] + LEN(s) = ASCII decimal encoding of the byte length of s, with no leading zeros + REQUIRED (length >= 1). """ @dataclass(eq=False, repr=False) class Signature(betterproto.Message): sig: bytes = betterproto.bytes_field(1) - """Signature itself. (In JSON, this is encoded as base64.) REQUIRED.""" + """ + Signature itself. (In JSON, this is encoded as base64.) + REQUIRED. + """ keyid: str = betterproto.string_field(2) """ - *Unauthenticated* hint identifying which public key was used. OPTIONAL. + *Unauthenticated* hint identifying which public key was used. + OPTIONAL. """