Support DSSE signature extension for Sigstore

DSSE is adding support for signature extensions where a signature can include signing-ecosystem specific information for each signature. The first extension is for Sigstore. This commit allows for using VerificationMaterial as the structure for the DSSE extension. Signed-off-by: Aditya Sirish <[email protected]>
sigstore · Jan 4, 2024 · 6e53809 · 6e53809
1 parent 8a6fd59
commit 6e53809
Show file tree

Hide file tree

Showing 11 changed files with 50 additions and 22 deletions.
diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
@@ -94,7 +94,7 @@
                 }
             ],
             "title": "Verification Material",
-            "description": "VerificationMaterial captures details on the materials used to verify signatures."
+            "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
         },
         "dev.sigstore.common.v1.HashOutput": {
             "properties": {

diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
@@ -127,7 +127,7 @@
                 }
             ],
             "title": "Verification Material",
-            "description": "VerificationMaterial captures details on the materials used to verify signatures."
+            "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
         },
         "dev.sigstore.common.v1.DistinguishedName": {
             "properties": {

diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json
@@ -41,7 +41,7 @@
                 }
             ],
             "title": "Verification Material",
-            "description": "VerificationMaterial captures details on the materials used to verify signatures."
+            "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
         },
         "dev.sigstore.bundle.v1.TimestampVerificationData": {
             "properties": {

diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py
diff --git a/gen/pb-rust/schemas/Bundle.schema.json b/gen/pb-rust/schemas/Bundle.schema.json
@@ -94,7 +94,7 @@
                 }
             ],
             "title": "Verification Material",
-            "description": "VerificationMaterial captures details on the materials used to verify signatures."
+            "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
         },
         "dev.sigstore.common.v1.HashOutput": {
             "properties": {

diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json
@@ -127,7 +127,7 @@
                 }
             ],
             "title": "Verification Material",
-            "description": "VerificationMaterial captures details on the materials used to verify signatures."
+            "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
         },
         "dev.sigstore.common.v1.DistinguishedName": {
             "properties": {

diff --git a/gen/pb-rust/schemas/VerificationMaterial.schema.json b/gen/pb-rust/schemas/VerificationMaterial.schema.json
@@ -41,7 +41,7 @@
                 }
             ],
             "title": "Verification Material",
-            "description": "VerificationMaterial captures details on the materials used to verify signatures."
+            "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to."
         },
         "dev.sigstore.bundle.v1.TimestampVerificationData": {
             "properties": {

diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
@@ -48,7 +48,14 @@ message TimestampVerificationData {
 }
 
 // VerificationMaterial captures details on the materials used to verify
-// signatures.
+// signatures. This message may be embedded in a DSSE envelope as a signature
+// extension. Specifically, the `ext` field of the extension will expect this
+// message when the signature extension is for Sigstore. This is identified by
+// the `kind` field in the extension, which must be set to
+// application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
+// When used as a DSSE extension, if the `public_key` field is used to indicate
+// the key identifier, it MUST match the `keyid` field of the signature the
+// extension is attached to.
 message VerificationMaterial {
         oneof content {
                 dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED];