From f30224a955169efefd6ae60cbe0ad1cc0ab67966 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Mon, 8 Jan 2024 15:28:04 +0100 Subject: [PATCH 1/6] Added an option for a more generic observer time, and aligned with v0.2. In v0.2, inclusion proofs are preferred over SETs, so it is now optional to extract the timestamp from the SET. Signed-off-by: Fredrik Skogman --- .../ArtifactVerificationOptions.schema.json | 31 ++- gen/jsonschema/schemas/Input.schema.json | 31 ++- .../v1/sigstore_verification.pb.go | 201 ++++++++++++++---- .../dev/sigstore/verification/v1/__init__.py | 28 ++- gen/pb-ruby/lib/sigstore_verification_pb.rb | 7 + .../ArtifactVerificationOptions.schema.json | 31 ++- gen/pb-rust/schemas/Input.schema.json | 31 ++- .../__generated__/sigstore_verification.ts | 67 +++++- protos/sigstore_verification.proto | 18 ++ 9 files changed, 394 insertions(+), 51 deletions(-) diff --git a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json index a67d26f5..b173f49a 100644 --- a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json @@ -16,7 +16,7 @@ "tlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" + "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false Verify SET Timestamps: true" }, "ctlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", 
@@ -27,6 +27,11 @@ "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", "additionalProperties": false, "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" + }, + "observerOptions": { + "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", + "additionalProperties": false, + "description": "Optional options for timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" } }, "additionalProperties": false, @@ -56,6 +61,11 @@ "required": [ "tsa_options" ] + }, + { + "required": [ + "observer_options" + ] } ], "title": "Artifact Verification Options", @@ -212,6 +222,21 @@ "type": "object", "title": "Ctlog Options" }, + "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions": { + "properties": { + "threshold": { + "type": "integer", + "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and SETs from a transparency log" + }, + "disable": { + "type": "boolean", + "description": "Disable signed timestamp verification." + } + }, + "additionalProperties": false, + "type": "object", + "title": "Observer Timestamp Options" + }, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions": { "properties": { "threshold": { @@ -240,6 +265,10 @@ "disable": { "type": "boolean", "description": "Disable verification for transparency logs." + }, + "verifySetTimestamp": { + "type": "boolean", + "description": "Verify SET timestamps indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain" } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index b5fe5060..1ce21220 100644 
--- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json @@ -652,7 +652,7 @@ "tlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" + "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false Verify SET Timestamps: true" }, "ctlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", @@ -663,6 +663,11 @@ "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", "additionalProperties": false, "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" + }, + "observerOptions": { + "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", + "additionalProperties": false, + "description": "Optional options for timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" } }, "additionalProperties": false, @@ -692,6 +697,11 @@ "required": [ "tsa_options" ] + }, + { + "required": [ + "observer_options" + ] } ], "title": "Artifact Verification Options", 
@@ -712,6 +722,21 @@ "type": "object", "title": "Ctlog Options" }, + "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions": { + "properties": { + "threshold": { + "type": "integer", + "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and SETs from a transparency log" + }, + "disable": { + "type": "boolean", + "description": "Disable signed timestamp verification." + } + }, + "additionalProperties": false, + "type": "object", + "title": "Observer Timestamp Options" + }, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions": { "properties": { "threshold": { @@ -740,6 +765,10 @@ "disable": { "type": "boolean", "description": "Disable verification for transparency logs." + }, + "verifySetTimestamp": { + "type": "boolean", + "description": "Verify SET timestamps indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain" } }, "additionalProperties": false, diff --git a/gen/pb-go/verification/v1/sigstore_verification.pb.go b/gen/pb-go/verification/v1/sigstore_verification.pb.go index ea752053..37fb67bd 100644 --- a/gen/pb-go/verification/v1/sigstore_verification.pb.go +++ b/gen/pb-go/verification/v1/sigstore_verification.pb.go @@ -220,6 +220,7 @@ type ArtifactVerificationOptions struct { // Threshold: 1 // Online verification: false // Disable: false + // Verify SET Timestamps: true TlogOptions *ArtifactVerificationOptions_TlogOptions `protobuf:"bytes,3,opt,name=tlog_options,json=tlogOptions,proto3,oneof" json:"tlog_options,omitempty"` // Optional options for certificate transparency log verification. // If none is provided, the default verification options are: 
@@ -231,6 +232,11 @@ type ArtifactVerificationOptions struct { // Threshold: 1 // Disable: false TsaOptions *ArtifactVerificationOptions_TimestampAuthorityOptions `protobuf:"bytes,5,opt,name=tsa_options,json=tsaOptions,proto3,oneof" json:"tsa_options,omitempty"` + // Optional options for timestamp verification. + // If none is provided, the default verification options are: + // Threshold 1 + // Disable: false + ObserverOptions *ArtifactVerificationOptions_ObserverTimestampOptions `protobuf:"bytes,6,opt,name=observer_options,json=observerOptions,proto3,oneof" json:"observer_options,omitempty"` } func (x *ArtifactVerificationOptions) Reset() { @@ -307,6 +313,13 @@ func (x *ArtifactVerificationOptions) GetTsaOptions() *ArtifactVerificationOptio return nil } +func (x *ArtifactVerificationOptions) GetObserverOptions() *ArtifactVerificationOptions_ObserverTimestampOptions { + if x != nil { + return x.ObserverOptions + } + return nil +} + type isArtifactVerificationOptions_Signers interface { isArtifactVerificationOptions_Signers() } @@ -509,6 +522,10 @@ type ArtifactVerificationOptions_TlogOptions struct { PerformOnlineVerification bool `protobuf:"varint,2,opt,name=perform_online_verification,json=performOnlineVerification,proto3" json:"perform_online_verification,omitempty"` // Disable verification for transparency logs. Disable bool `protobuf:"varint,3,opt,name=disable,proto3" json:"disable,omitempty"` + // Verify SET timestamps indicates that the timestamp from + // the SET should be used when verifying the X.509 + // certifiacte chain + VerifySetTimestamp bool `protobuf:"varint,4,opt,name=verify_set_timestamp,json=verifySetTimestamp,proto3" json:"verify_set_timestamp,omitempty"` } func (x *ArtifactVerificationOptions_TlogOptions) Reset() { 
@@ -564,6 +581,13 @@ func (x *ArtifactVerificationOptions_TlogOptions) GetDisable() bool { return false } +func (x *ArtifactVerificationOptions_TlogOptions) GetVerifySetTimestamp() bool { + if x != nil { + return x.VerifySetTimestamp + } + return false +} + type ArtifactVerificationOptions_CtlogOptions struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -679,6 +703,65 @@ func (x *ArtifactVerificationOptions_TimestampAuthorityOptions) GetDisable() boo return false } +type ArtifactVerificationOptions_ObserverTimestampOptions struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The number of external ovservers of the timestamp, + // this is a union of RFC3161 signed timestamps, and SETs + // from a transparency log + Threshold int32 `protobuf:"varint,1,opt,name=threshold,proto3" json:"threshold,omitempty"` + // Disable signed timestamp verification. + Disable bool `protobuf:"varint,2,opt,name=disable,proto3" json:"disable,omitempty"` +} + +func (x *ArtifactVerificationOptions_ObserverTimestampOptions) Reset() { + *x = ArtifactVerificationOptions_ObserverTimestampOptions{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ArtifactVerificationOptions_ObserverTimestampOptions) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ArtifactVerificationOptions_ObserverTimestampOptions) ProtoMessage() {} + +func (x *ArtifactVerificationOptions_ObserverTimestampOptions) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[9] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ArtifactVerificationOptions_ObserverTimestampOptions.ProtoReflect.Descriptor instead. 
+func (*ArtifactVerificationOptions_ObserverTimestampOptions) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{3, 3} +} + +func (x *ArtifactVerificationOptions_ObserverTimestampOptions) GetThreshold() int32 { + if x != nil { + return x.Threshold + } + return 0 +} + +func (x *ArtifactVerificationOptions_ObserverTimestampOptions) GetDisable() bool { + if x != nil { + return x.Disable + } + return false +} + var File_sigstore_verification_proto protoreflect.FileDescriptor var file_sigstore_verification_proto_rawDesc = []byte{ @@ -714,7 +797,7 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x73, 0x22, 0xa6, 0x07, 0x0a, 0x1b, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, + 0x65, 0x79, 0x73, 0x22, 0xc6, 0x09, 0x0a, 0x1b, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x6c, 0x0a, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 
@@ -750,29 +833,47 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x48, 0x03, 0x52, 0x0a, 0x74, 0x73, 0x61, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x88, 0x01, 0x01, 0x1a, 0x85, 0x01, 0x0a, 0x0b, 0x54, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, - 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, - 0x64, 0x12, 0x3e, 0x0a, 0x1b, 0x70, 0x65, 0x72, 0x66, 0x6f, 0x72, 0x6d, 0x5f, 0x6f, 0x6e, 0x6c, - 0x69, 0x6e, 0x65, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x19, 0x70, 0x65, 0x72, 0x66, 0x6f, 0x72, 0x6d, 0x4f, - 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x1a, 0x4c, 0x0a, 0x0c, 0x43, - 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, - 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, - 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, - 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, - 0x62, 0x6c, 0x65, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x1a, 0x53, 0x0a, 0x19, 0x54, 0x69, 0x6d, - 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x4f, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, - 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 
0x09, 0x74, 0x68, 0x72, 0x65, 0x73, - 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x09, - 0x0a, 0x07, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x73, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x74, 0x6c, - 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x63, - 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0e, 0x0a, 0x0c, - 0x5f, 0x74, 0x73, 0x61, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, + 0x88, 0x01, 0x01, 0x12, 0x82, 0x01, 0x0a, 0x10, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x52, + 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, + 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, + 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x48, 0x04, 0x52, 0x0f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4f, 0x70, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x1a, 0xb7, 0x01, 0x0a, 0x0b, 0x54, 0x6c, 0x6f, + 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, + 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, + 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x3e, 0x0a, 0x1b, 0x70, 0x65, 0x72, 0x66, 0x6f, 0x72, + 0x6d, 0x5f, 0x6f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x19, 0x70, 0x65, 0x72, + 
0x66, 0x6f, 0x72, 0x6d, 0x4f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, + 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, + 0x12, 0x30, 0x0a, 0x14, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x74, + 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, + 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x53, 0x65, 0x74, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, + 0x6d, 0x70, 0x1a, 0x4c, 0x0a, 0x0c, 0x43, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, + 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, + 0x1a, 0x53, 0x0a, 0x19, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, + 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, + 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, + 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, + 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, + 0x73, 0x61, 0x62, 0x6c, 0x65, 0x1a, 0x52, 0x0a, 0x18, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, + 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 
0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, + 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x09, 0x0a, 0x07, 0x73, 0x69, 0x67, + 0x6e, 0x65, 0x72, 0x73, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x5f, + 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x74, 0x73, 0x61, 0x5f, + 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x13, 0x0a, 0x11, 0x5f, 0x6f, 0x62, 0x73, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x12, 0x23, 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, @@ -826,7 +927,7 @@ func file_sigstore_verification_proto_rawDescGZIP() []byte { return file_sigstore_verification_proto_rawDescData } -var file_sigstore_verification_proto_msgTypes = make([]protoimpl.MessageInfo, 9) +var file_sigstore_verification_proto_msgTypes = make([]protoimpl.MessageInfo, 10) var file_sigstore_verification_proto_goTypes = []interface{}{ (*CertificateIdentity)(nil), // 0: dev.sigstore.verification.v1.CertificateIdentity (*CertificateIdentities)(nil), // 1: dev.sigstore.verification.v1.CertificateIdentities 
@@ -837,31 +938,33 @@ var file_sigstore_verification_proto_goTypes = []interface{}{ (*ArtifactVerificationOptions_TlogOptions)(nil), // 6: dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions (*ArtifactVerificationOptions_CtlogOptions)(nil), // 7: dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions (*ArtifactVerificationOptions_TimestampAuthorityOptions)(nil), // 8: dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions - (*v1.SubjectAlternativeName)(nil), // 9: dev.sigstore.common.v1.SubjectAlternativeName - (*v1.ObjectIdentifierValuePair)(nil), // 10: dev.sigstore.common.v1.ObjectIdentifierValuePair - (*v1.PublicKey)(nil), // 11: dev.sigstore.common.v1.PublicKey - (*v11.TrustedRoot)(nil), // 12: dev.sigstore.trustroot.v1.TrustedRoot - (*v12.Bundle)(nil), // 13: dev.sigstore.bundle.v1.Bundle + (*ArtifactVerificationOptions_ObserverTimestampOptions)(nil), // 9: dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions + (*v1.SubjectAlternativeName)(nil), // 10: dev.sigstore.common.v1.SubjectAlternativeName + (*v1.ObjectIdentifierValuePair)(nil), // 11: dev.sigstore.common.v1.ObjectIdentifierValuePair + (*v1.PublicKey)(nil), // 12: dev.sigstore.common.v1.PublicKey + (*v11.TrustedRoot)(nil), // 13: dev.sigstore.trustroot.v1.TrustedRoot + (*v12.Bundle)(nil), // 14: dev.sigstore.bundle.v1.Bundle } var file_sigstore_verification_proto_depIdxs = []int32{ - 9, // 0: dev.sigstore.verification.v1.CertificateIdentity.san:type_name -> dev.sigstore.common.v1.SubjectAlternativeName - 10, // 1: dev.sigstore.verification.v1.CertificateIdentity.oids:type_name -> dev.sigstore.common.v1.ObjectIdentifierValuePair + 10, // 0: dev.sigstore.verification.v1.CertificateIdentity.san:type_name -> dev.sigstore.common.v1.SubjectAlternativeName + 11, // 1: dev.sigstore.verification.v1.CertificateIdentity.oids:type_name -> dev.sigstore.common.v1.ObjectIdentifierValuePair 0, // 2: 
dev.sigstore.verification.v1.CertificateIdentities.identities:type_name -> dev.sigstore.verification.v1.CertificateIdentity - 11, // 3: dev.sigstore.verification.v1.PublicKeyIdentities.public_keys:type_name -> dev.sigstore.common.v1.PublicKey + 12, // 3: dev.sigstore.verification.v1.PublicKeyIdentities.public_keys:type_name -> dev.sigstore.common.v1.PublicKey 1, // 4: dev.sigstore.verification.v1.ArtifactVerificationOptions.certificate_identities:type_name -> dev.sigstore.verification.v1.CertificateIdentities 2, // 5: dev.sigstore.verification.v1.ArtifactVerificationOptions.public_keys:type_name -> dev.sigstore.verification.v1.PublicKeyIdentities 6, // 6: dev.sigstore.verification.v1.ArtifactVerificationOptions.tlog_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions 7, // 7: dev.sigstore.verification.v1.ArtifactVerificationOptions.ctlog_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions 8, // 8: dev.sigstore.verification.v1.ArtifactVerificationOptions.tsa_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions - 12, // 9: dev.sigstore.verification.v1.Input.artifact_trust_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot - 3, // 10: dev.sigstore.verification.v1.Input.artifact_verification_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions - 13, // 11: dev.sigstore.verification.v1.Input.bundle:type_name -> dev.sigstore.bundle.v1.Bundle - 4, // 12: dev.sigstore.verification.v1.Input.artifact:type_name -> dev.sigstore.verification.v1.Artifact - 13, // [13:13] is the sub-list for method output_type - 13, // [13:13] is the sub-list for method input_type - 13, // [13:13] is the sub-list for extension type_name - 13, // [13:13] is the sub-list for extension extendee - 0, // [0:13] is the sub-list for field type_name + 9, // 9: dev.sigstore.verification.v1.ArtifactVerificationOptions.observer_options:type_name -> 
dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions + 13, // 10: dev.sigstore.verification.v1.Input.artifact_trust_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot + 3, // 11: dev.sigstore.verification.v1.Input.artifact_verification_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions + 14, // 12: dev.sigstore.verification.v1.Input.bundle:type_name -> dev.sigstore.bundle.v1.Bundle + 4, // 13: dev.sigstore.verification.v1.Input.artifact:type_name -> dev.sigstore.verification.v1.Artifact + 14, // [14:14] is the sub-list for method output_type + 14, // [14:14] is the sub-list for method input_type + 14, // [14:14] is the sub-list for extension type_name + 14, // [14:14] is the sub-list for extension extendee + 0, // [0:14] is the sub-list for field type_name } func init() { file_sigstore_verification_proto_init() } @@ -978,6 +1081,18 @@ func file_sigstore_verification_proto_init() { return nil } } + file_sigstore_verification_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ArtifactVerificationOptions_ObserverTimestampOptions); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } file_sigstore_verification_proto_msgTypes[3].OneofWrappers = []interface{}{ (*ArtifactVerificationOptions_CertificateIdentities)(nil), @@ -994,7 +1109,7 @@ func file_sigstore_verification_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_sigstore_verification_proto_rawDesc, NumEnums: 0, - NumMessages: 9, + NumMessages: 10, NumExtensions: 0, NumServices: 0, }, diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py index 81344696..3ea67d3e 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py 
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py @@ -67,7 +67,7 @@ class ArtifactVerificationOptions(betterproto.Message): """ Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online - verification: false Disable: false + verification: false Disable: false Verify SET Timestamps: true """ ctlog_options: Optional["ArtifactVerificationOptionsCtlogOptions"] = ( @@ -86,6 +86,14 @@ class ArtifactVerificationOptions(betterproto.Message): provided, the default verification options are: Threshold: 1 Disable: false """ + observer_options: Optional[ + "ArtifactVerificationOptionsObserverTimestampOptions" + ] = betterproto.message_field(6, optional=True, group="_observer_options") + """ + Optional options for timestamp verification. If none is provided, the + default verification options are: Threshold 1 Disable: false + """ + @dataclass(eq=False, repr=False) class ArtifactVerificationOptionsTlogOptions(betterproto.Message): @@ -98,6 +106,12 @@ class ArtifactVerificationOptionsTlogOptions(betterproto.Message): disable: bool = betterproto.bool_field(3) """Disable verification for transparency logs.""" + verify_set_timestamp: bool = betterproto.bool_field(4) + """ + Verify SET timestamps indicates that the timestamp from the SET should be + used when verifying the X.509 certifiacte chain + """ + @dataclass(eq=False, repr=False) class ArtifactVerificationOptionsCtlogOptions(betterproto.Message): 
@@ -117,6 +131,18 @@ class ArtifactVerificationOptionsTimestampAuthorityOptions(betterproto.Message): """Disable signed timestamp verification.""" +@dataclass(eq=False, repr=False) +class ArtifactVerificationOptionsObserverTimestampOptions(betterproto.Message): + threshold: int = betterproto.int32_field(1) + """ + The number of external ovservers of the timestamp, this is a union of + RFC3161 signed timestamps, and SETs from a transparency log + """ + + disable: bool = betterproto.bool_field(2) + """Disable signed timestamp verification.""" + + @dataclass(eq=False, repr=False) class Artifact(betterproto.Message): artifact_uri: str = betterproto.string_field(1, group="data") diff --git a/gen/pb-ruby/lib/sigstore_verification_pb.rb b/gen/pb-ruby/lib/sigstore_verification_pb.rb index 5d92821e..91f2c0a7 100644 --- a/gen/pb-ruby/lib/sigstore_verification_pb.rb +++ b/gen/pb-ruby/lib/sigstore_verification_pb.rb @@ -24,6 +24,7 @@ proto3_optional :tlog_options, :message, 3, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions" proto3_optional :ctlog_options, :message, 4, "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions" proto3_optional :tsa_options, :message, 5, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions" + proto3_optional :observer_options, :message, 6, "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions" oneof :signers do optional :certificate_identities, :message, 1, "dev.sigstore.verification.v1.CertificateIdentities" optional :public_keys, :message, 2, "dev.sigstore.verification.v1.PublicKeyIdentities" @@ -33,6 +34,7 @@ optional :threshold, :int32, 1 optional :perform_online_verification, :bool, 2 optional :disable, :bool, 3 + optional :verify_set_timestamp, :bool, 4 end add_message "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions" do optional :threshold, :int32, 1 
@@ -42,6 +44,10 @@ optional :threshold, :int32, 1 optional :disable, :bool, 2 end + add_message "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions" do + optional :threshold, :int32, 1 + optional :disable, :bool, 2 + end add_message "dev.sigstore.verification.v1.Artifact" do oneof :data do optional :artifact_uri, :string, 1 @@ -67,6 +73,7 @@ module V1 ArtifactVerificationOptions::TlogOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions").msgclass ArtifactVerificationOptions::CtlogOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions").msgclass ArtifactVerificationOptions::TimestampAuthorityOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions").msgclass + ArtifactVerificationOptions::ObserverTimestampOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions").msgclass Artifact = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.Artifact").msgclass Input = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.Input").msgclass end diff --git a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json index a67d26f5..b173f49a 100644 --- a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json 
@@ -16,7 +16,7 @@ "tlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" + "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false Verify SET Timestamps: true" }, "ctlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", @@ -27,6 +27,11 @@ "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", "additionalProperties": false, "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" + }, + "observerOptions": { + "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", + "additionalProperties": false, + "description": "Optional options for timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" } }, "additionalProperties": false, @@ -56,6 +61,11 @@ "required": [ "tsa_options" ] + }, + { + "required": [ + "observer_options" + ] } ], "title": "Artifact Verification Options", 
@@ -212,6 +222,21 @@ "type": "object", "title": "Ctlog Options" }, + "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions": { + "properties": { + "threshold": { + "type": "integer", + "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and SETs from a transparency log" + }, + "disable": { + "type": "boolean", + "description": "Disable signed timestamp verification." + } + }, + "additionalProperties": false, + "type": "object", + "title": "Observer Timestamp Options" + }, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions": { "properties": { "threshold": { @@ -240,6 +265,10 @@ "disable": { "type": "boolean", "description": "Disable verification for transparency logs." + }, + "verifySetTimestamp": { + "type": "boolean", + "description": "Verify SET timestamps indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain" } }, "additionalProperties": false, diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json index b5fe5060..1ce21220 100644 --- a/gen/pb-rust/schemas/Input.schema.json +++ b/gen/pb-rust/schemas/Input.schema.json @@ -652,7 +652,7 @@ "tlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" + "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false Verify SET Timestamps: true" }, "ctlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", 
@@ -663,6 +663,11 @@ "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", "additionalProperties": false, "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" + }, + "observerOptions": { + "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", + "additionalProperties": false, + "description": "Optional options for timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" } }, "additionalProperties": false, @@ -692,6 +697,11 @@ "required": [ "tsa_options" ] + }, + { + "required": [ + "observer_options" + ] } ], "title": "Artifact Verification Options", @@ -712,6 +722,21 @@ "type": "object", "title": "Ctlog Options" }, + "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions": { + "properties": { + "threshold": { + "type": "integer", + "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and SETs from a transparency log" + }, + "disable": { + "type": "boolean", + "description": "Disable signed timestamp verification." + } + }, + "additionalProperties": false, + "type": "object", + "title": "Observer Timestamp Options" + }, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions": { "properties": { "threshold": { @@ -740,6 +765,10 @@ "disable": { "type": "boolean", "description": "Disable verification for transparency logs." + }, + "verifySetTimestamp": { + "type": "boolean", + "description": "Verify SET timestamps indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain" } }, "additionalProperties": false, 
diff --git a/gen/pb-typescript/src/__generated__/sigstore_verification.ts b/gen/pb-typescript/src/__generated__/sigstore_verification.ts index c9110ccd..22befae0 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_verification.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_verification.ts @@ -40,6 +40,7 @@ export interface ArtifactVerificationOptions { * Threshold: 1 * Online verification: false * Disable: false + * Verify SET Timestamps: true */ tlogOptions?: | ArtifactVerificationOptions_TlogOptions @@ -59,7 +60,16 @@ export interface ArtifactVerificationOptions { * Threshold: 1 * Disable: false */ - tsaOptions?: ArtifactVerificationOptions_TimestampAuthorityOptions | undefined; + tsaOptions?: + | ArtifactVerificationOptions_TimestampAuthorityOptions + | undefined; + /** + * Optional options for timestamp verification. + * If none is provided, the default verification options are: + * Threshold 1 + * Disable: false + */ + observerOptions?: ArtifactVerificationOptions_ObserverTimestampOptions | undefined; } export interface ArtifactVerificationOptions_TlogOptions { @@ -69,6 +79,12 @@ export interface ArtifactVerificationOptions_TlogOptions { performOnlineVerification: boolean; /** Disable verification for transparency logs. */ disable: boolean; + /** + * Verify SET timestamps indicates that the timestamp from + * the SET should be used when verifying the X.509 + * certifiacte chain + */ + verifySetTimestamp: boolean; } export interface ArtifactVerificationOptions_CtlogOptions { 
@@ -88,6 +104,17 @@ export interface ArtifactVerificationOptions_TimestampAuthorityOptions { disable: boolean; } +export interface ArtifactVerificationOptions_ObserverTimestampOptions { + /** + * The number of external ovservers of the timestamp, + * this is a union of RFC3161 signed timestamps, and SETs + * from a transparency log + */ + threshold: number; + /** Disable signed timestamp verification. */ + disable: boolean; +} + export interface Artifact { data?: { $case: "artifactUri"; artifactUri: string } | { $case: "artifact"; artifact: Buffer }; } @@ -192,7 +219,13 @@ export const PublicKeyIdentities = { }; function createBaseArtifactVerificationOptions(): ArtifactVerificationOptions { - return { signers: undefined, tlogOptions: undefined, ctlogOptions: undefined, tsaOptions: undefined }; + return { + signers: undefined, + tlogOptions: undefined, + ctlogOptions: undefined, + tsaOptions: undefined, + observerOptions: undefined, + }; } export const ArtifactVerificationOptions = { @@ -215,6 +248,9 @@ export const ArtifactVerificationOptions = { tsaOptions: isSet(object.tsaOptions) ? ArtifactVerificationOptions_TimestampAuthorityOptions.fromJSON(object.tsaOptions) : undefined, + observerOptions: isSet(object.observerOptions) + ? ArtifactVerificationOptions_ObserverTimestampOptions.fromJSON(object.observerOptions) + : undefined, }; }, 
@@ -236,12 +272,15 @@ export const ArtifactVerificationOptions = { message.tsaOptions !== undefined && (obj.tsaOptions = message.tsaOptions ? ArtifactVerificationOptions_TimestampAuthorityOptions.toJSON(message.tsaOptions) : undefined); + message.observerOptions !== undefined && (obj.observerOptions = message.observerOptions + ? ArtifactVerificationOptions_ObserverTimestampOptions.toJSON(message.observerOptions) + : undefined); return obj; }, }; function createBaseArtifactVerificationOptions_TlogOptions(): ArtifactVerificationOptions_TlogOptions { - return { threshold: 0, performOnlineVerification: false, disable: false }; + return { threshold: 0, performOnlineVerification: false, disable: false, verifySetTimestamp: false }; } export const ArtifactVerificationOptions_TlogOptions = { @@ -252,6 +291,7 @@ export const ArtifactVerificationOptions_TlogOptions = { ? Boolean(object.performOnlineVerification) : false, disable: isSet(object.disable) ? Boolean(object.disable) : false, + verifySetTimestamp: isSet(object.verifySetTimestamp) ? Boolean(object.verifySetTimestamp) : false, }; }, @@ -261,6 +301,7 @@ export const ArtifactVerificationOptions_TlogOptions = { message.performOnlineVerification !== undefined && (obj.performOnlineVerification = message.performOnlineVerification); message.disable !== undefined && (obj.disable = message.disable); + message.verifySetTimestamp !== undefined && (obj.verifySetTimestamp = message.verifySetTimestamp); return obj; }, }; 
@@ -305,6 +346,26 @@ export const ArtifactVerificationOptions_TimestampAuthorityOptions = { }, }; +function createBaseArtifactVerificationOptions_ObserverTimestampOptions(): ArtifactVerificationOptions_ObserverTimestampOptions { + return { threshold: 0, disable: false }; +} + +export const ArtifactVerificationOptions_ObserverTimestampOptions = { + fromJSON(object: any): ArtifactVerificationOptions_ObserverTimestampOptions { + return { + threshold: isSet(object.threshold) ? Number(object.threshold) : 0, + disable: isSet(object.disable) ? Boolean(object.disable) : false, + }; + }, + + toJSON(message: ArtifactVerificationOptions_ObserverTimestampOptions): unknown { + const obj: any = {}; + message.threshold !== undefined && (obj.threshold = Math.round(message.threshold)); + message.disable !== undefined && (obj.disable = message.disable); + return obj; + }, +}; + function createBaseArtifact(): Artifact { return { data: undefined }; } diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto index 7233365f..d8a97910 100644 --- a/protos/sigstore_verification.proto +++ b/protos/sigstore_verification.proto @@ -54,6 +54,10 @@ message ArtifactVerificationOptions { bool perform_online_verification = 2; // Disable verification for transparency logs. bool disable = 3; + // Verify SET timestamps indicates that the timestamp from + // the SET should be used when verifying the X.509 + // certifiacte chain + bool verify_set_timestamp = 4; } message CtlogOptions { // The number of ct transparency logs the certificate must 
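Review bot: In the `protos/sigstore_verification.proto` hunk at `@@ -54,6 +58,10 @@`, `bool verify_set_timestamp = 4;` has implicit presence, so a `TlogOptions` that sets only `threshold` reads back as `false`, while the defaults list added later in this patch documents `Verify SET Timestamps: true` for the case where no `TlogOptions` is given. A caller who passes the message for an unrelated reason would then get a different setting than the documented default without asking for it, and a verifier cannot tell "not set" from "explicitly off". Consider `optional bool verify_set_timestamp = 4;` so generated code exposes presence, or state the rule in the field comment, e.g. `// Unset reads as false; the default of true applies only when TlogOptions is absent.` The body of `TlogOptions` starts outside this hunk.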
@@ -69,6 +73,14 @@ message ArtifactVerificationOptions { // Disable signed timestamp verification. bool disable = 2; } + message ObserverTimestampOptions { + // The number of external ovservers of the timestamp, + // this is a union of RFC3161 signed timestamps, and SETs + // from a transparency log + int32 threshold = 1; + // Disable signed timestamp verification. + bool disable = 2; + } // At least one identity MUST be provided. Providing zero identities // is an error. If at least one provided identity is found as a @@ -91,6 +103,7 @@ message ArtifactVerificationOptions { // Threshold: 1 // Online verification: false // Disable: false + // Verify SET Timestamps: true optional TlogOptions tlog_options = 3; // Optional options for certificate transparency log verification. // If none is provided, the default verification options are: @@ -102,6 +115,11 @@ message ArtifactVerificationOptions { // Threshold: 1 // Disable: false optional TimestampAuthorityOptions tsa_options = 5; + // Optional options for timestamp verification. + // If none is provided, the default verification options are: + // Threshold 1 + // Disable: false + optional ObserverTimestampOptions observer_options = 6; } message Artifact { From 067d477af65923986fb002138b9634e5d51ccd21 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Mon, 8 Jan 2024 15:30:04 +0100 Subject: [PATCH 2/6] Renamed a field based on PR feed back and clarified the comment. Signed-off-by: Fredrik Skogman --- .../ArtifactVerificationOptions.schema.json | 4 +- gen/jsonschema/schemas/Input.schema.json | 4 +- .../v1/sigstore_verification.pb.go | 138 +++++++++--------- .../dev/sigstore/verification/v1/__init__.py | 8 +- gen/pb-ruby/lib/sigstore_verification_pb.rb | 2 +- .../ArtifactVerificationOptions.schema.json | 4 +- gen/pb-rust/schemas/Input.schema.json | 4 +- .../__generated__/sigstore_verification.ts | 14 +- protos/sigstore_verification.proto | 8 +- 9 files changed, 96 insertions(+), 90 deletions(-) 
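Review bot: `ObserverTimestampOptions.threshold` in the `@@ -69,6 +73,14 @@` hunk is an `int32` whose zero value is 0, and the comment does not say what a verifier must do with 0 or a negative value. The documented default of 1 applies only when `observer_options` is absent, so an empty `observer_options` message would presumably request zero observed timestamps. If that is not intended, the field comment should say so, e.g. `// MUST be at least 1 unless disable is true; verifiers reject other values.` The `disable` comment is copied from `TimestampAuthorityOptions` and should describe this message instead, e.g. `// Disable observer timestamp verification (RFC3161 timestamps and SETs).`, and `ovservers` should read `observers`.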
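Review bot: The comment on `observer_options = 6` in the `@@ -102,6 +115,11 @@` hunk does not say how it relates to `tsa_options = 5` and to the SET setting in `tlog_options`, although all three now influence which timestamps are accepted. Two verifiers could reasonably disagree on whether a SET counted under `tlog_options` also counts toward the observer threshold, or on which threshold wins when both `tsa_options` and `observer_options` are present. A sentence such as `// When set, this threshold is evaluated in addition to tsa_options; a timestamp counts once per distinct observer.` (adjusted to the intended semantics) would remove the ambiguity. The defaults line `Threshold 1` is also missing the colon used in the neighbouring lists.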
diff --git a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json index b173f49a..7a83ede7 100644 --- a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json @@ -266,9 +266,9 @@ "type": "boolean", "description": "Disable verification for transparency logs." }, - "verifySetTimestamp": { + "verifySet": { "type": "boolean", - "description": "Verify SET timestamps indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain" + "description": "Verify SET indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) are optional in a bundle, and so requiring SET may render bundles invalid during verification if SET is not present." } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 1ce21220..6179e9d0 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json @@ -766,9 +766,9 @@ "type": "boolean", "description": "Disable verification for transparency logs." }, - "verifySetTimestamp": { + "verifySet": { "type": "boolean", - "description": "Verify SET timestamps indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain" + "description": "Verify SET indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) are optional in a bundle, and so requiring SET may render bundles invalid during verification if SET is not present." } }, "additionalProperties": false, diff --git a/gen/pb-go/verification/v1/sigstore_verification.pb.go b/gen/pb-go/verification/v1/sigstore_verification.pb.go index 37fb67bd..93af27af 100644 
--- a/gen/pb-go/verification/v1/sigstore_verification.pb.go +++ b/gen/pb-go/verification/v1/sigstore_verification.pb.go @@ -522,10 +522,12 @@ type ArtifactVerificationOptions_TlogOptions struct { PerformOnlineVerification bool `protobuf:"varint,2,opt,name=perform_online_verification,json=performOnlineVerification,proto3" json:"perform_online_verification,omitempty"` // Disable verification for transparency logs. Disable bool `protobuf:"varint,3,opt,name=disable,proto3" json:"disable,omitempty"` - // Verify SET timestamps indicates that the timestamp from + // Verify SET indicates that the timestamp from // the SET should be used when verifying the X.509 - // certifiacte chain - VerifySetTimestamp bool `protobuf:"varint,4,opt,name=verify_set_timestamp,json=verifySetTimestamp,proto3" json:"verify_set_timestamp,omitempty"` + // certifiacte chain. Note that inclusion promises (SETs) + // are optional in a bundle, and so requiring SET may render + // bundles invalid during verification if SET is not present. + VerifySet bool `protobuf:"varint,4,opt,name=verify_set,json=verifySet,proto3" json:"verify_set,omitempty"` } func (x *ArtifactVerificationOptions_TlogOptions) Reset() { @@ -581,9 +583,9 @@ func (x *ArtifactVerificationOptions_TlogOptions) GetDisable() bool { return false } -func (x *ArtifactVerificationOptions_TlogOptions) GetVerifySetTimestamp() bool { +func (x *ArtifactVerificationOptions_TlogOptions) GetVerifySet() bool { if x != nil { - return x.VerifySetTimestamp + return x.VerifySet } return false } 
@@ -797,7 +799,7 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x73, 0x22, 0xc6, 0x09, 0x0a, 0x1b, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, + 0x65, 0x79, 0x73, 0x22, 0xb3, 0x09, 0x0a, 0x1b, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x6c, 0x0a, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, @@ -841,7 +843,7 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x48, 0x04, 0x52, 0x0f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4f, 0x70, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x1a, 0xb7, 0x01, 0x0a, 0x0b, 0x54, 0x6c, 0x6f, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x1a, 0xa4, 0x01, 0x0a, 0x0b, 0x54, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x3e, 0x0a, 0x1b, 0x70, 0x65, 0x72, 0x66, 0x6f, 0x72, 
@@ -850,69 +852,67 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x66, 0x6f, 0x72, 0x6d, 0x4f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, - 0x12, 0x30, 0x0a, 0x14, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x74, - 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, - 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x53, 0x65, 0x74, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, - 0x6d, 0x70, 0x1a, 0x4c, 0x0a, 0x0c, 0x43, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, - 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, - 0x1a, 0x53, 0x0a, 0x19, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, - 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, - 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, - 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, - 0x73, 0x61, 0x62, 0x6c, 0x65, 0x1a, 0x52, 0x0a, 0x18, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 
0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, - 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, - 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x09, 0x0a, 0x07, 0x73, 0x69, 0x67, - 0x6e, 0x65, 0x72, 0x73, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x5f, - 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x74, 0x73, 0x61, 0x5f, - 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x13, 0x0a, 0x11, 0x5f, 0x6f, 0x62, 0x73, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, - 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x12, 0x23, 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, - 0x66, 0x61, 0x63, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, - 0x52, 0x0b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, - 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x48, - 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, 0x06, 0x0a, 0x04, 0x64, - 0x61, 0x74, 0x61, 0x22, 0xec, 0x02, 0x0a, 0x05, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x56, 0x0a, - 0x13, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, - 0x72, 0x6f, 0x6f, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, - 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, - 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, - 0x6f, 0x74, 0x52, 0x11, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x54, 0x72, 0x75, 0x73, - 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x7d, 0x0a, 0x1d, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, - 0x74, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6f, - 
0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x64, - 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, - 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x1b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, + 0x12, 0x1d, 0x0a, 0x0a, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x53, 0x65, 0x74, 0x1a, + 0x4c, 0x0a, 0x0c, 0x43, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, + 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, + 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, + 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x1a, 0x53, 0x0a, + 0x19, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, + 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, + 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, + 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, + 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, + 0x6c, 0x65, 0x1a, 0x52, 0x0a, 0x18, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x69, + 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, + 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 
0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, + 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, + 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x09, 0x0a, 0x07, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x72, + 0x73, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x74, 0x73, 0x61, 0x5f, 0x6f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x13, 0x0a, 0x11, 0x5f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, 0x41, 0x72, 0x74, + 0x69, 0x66, 0x61, 0x63, 0x74, 0x12, 0x23, 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, + 0x74, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b, 0x61, + 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, 0x08, 0x61, 0x72, + 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, + 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, 0x06, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, + 0x22, 0xec, 0x02, 0x0a, 0x05, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x56, 0x0a, 0x13, 0x61, 0x72, + 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x72, 0x6f, 0x6f, + 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, + 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x52, + 0x11, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, + 0x6f, 0x74, 0x12, 0x7d, 0x0a, 0x1d, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x76, + 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 
0x6f, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x36, 0x0a, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x75, - 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x08, - 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, - 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, - 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, - 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x48, 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, - 0x63, 0x74, 0x88, 0x01, 0x01, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, - 0x63, 0x74, 0x42, 0x94, 0x01, 0x0a, 0x22, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x11, 0x56, 0x65, 0x72, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3c, - 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, - 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x76, 0x65, 0x72, - 0x69, 0x66, 
0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x1a, 0x53, - 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x33, + 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x1b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, + 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x36, 0x0a, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1e, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c, + 0x65, 0x52, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x08, 0x61, 0x72, 0x74, + 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, + 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, + 0x61, 0x63, 0x74, 0x48, 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x88, + 0x01, 0x01, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, + 0x94, 0x01, 0x0a, 0x22, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x11, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3c, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, + 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 
0x67, 0x6f, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x1a, 0x53, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py index 3ea67d3e..0e65b540 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py @@ -106,10 +106,12 @@ class ArtifactVerificationOptionsTlogOptions(betterproto.Message): disable: bool = betterproto.bool_field(3) """Disable verification for transparency logs.""" - verify_set_timestamp: bool = betterproto.bool_field(4) + verify_set: bool = betterproto.bool_field(4) """ - Verify SET timestamps indicates that the timestamp from the SET should be - used when verifying the X.509 certifiacte chain + Verify SET indicates that the timestamp from the SET should be used when + verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) + are optional in a bundle, and so requiring SET may render bundles invalid + during verification if SET is not present. """ diff --git a/gen/pb-ruby/lib/sigstore_verification_pb.rb b/gen/pb-ruby/lib/sigstore_verification_pb.rb index 91f2c0a7..0388e82b 100644 --- a/gen/pb-ruby/lib/sigstore_verification_pb.rb +++ b/gen/pb-ruby/lib/sigstore_verification_pb.rb @@ -34,7 +34,7 @@ optional :threshold, :int32, 1 optional :perform_online_verification, :bool, 2 optional :disable, :bool, 3 - optional :verify_set_timestamp, :bool, 4 + optional :verify_set, :bool, 4 end add_message "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions" do optional :threshold, :int32, 1 
diff --git a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json index b173f49a..7a83ede7 100644 --- a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json @@ -266,9 +266,9 @@ "type": "boolean", "description": "Disable verification for transparency logs." }, - "verifySetTimestamp": { + "verifySet": { "type": "boolean", - "description": "Verify SET timestamps indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain" + "description": "Verify SET indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) are optional in a bundle, and so requiring SET may render bundles invalid during verification if SET is not present." } }, "additionalProperties": false, diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json index 1ce21220..6179e9d0 100644 --- a/gen/pb-rust/schemas/Input.schema.json +++ b/gen/pb-rust/schemas/Input.schema.json @@ -766,9 +766,9 @@ "type": "boolean", "description": "Disable verification for transparency logs." }, - "verifySetTimestamp": { + "verifySet": { "type": "boolean", - "description": "Verify SET timestamps indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain" + "description": "Verify SET indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) are optional in a bundle, and so requiring SET may render bundles invalid during verification if SET is not present." } }, "additionalProperties": false, diff --git a/gen/pb-typescript/src/__generated__/sigstore_verification.ts b/gen/pb-typescript/src/__generated__/sigstore_verification.ts index 22befae0..9b8816c2 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_verification.ts 
+++ b/gen/pb-typescript/src/__generated__/sigstore_verification.ts @@ -80,11 +80,13 @@ export interface ArtifactVerificationOptions_TlogOptions { /** Disable verification for transparency logs. */ disable: boolean; /** - * Verify SET timestamps indicates that the timestamp from + * Verify SET indicates that the timestamp from * the SET should be used when verifying the X.509 - * certifiacte chain + * certifiacte chain. Note that inclusion promises (SETs) + * are optional in a bundle, and so requiring SET may render + * bundles invalid during verification if SET is not present. */ - verifySetTimestamp: boolean; + verifySet: boolean; } export interface ArtifactVerificationOptions_CtlogOptions { @@ -280,7 +282,7 @@ export const ArtifactVerificationOptions = { }; function createBaseArtifactVerificationOptions_TlogOptions(): ArtifactVerificationOptions_TlogOptions { - return { threshold: 0, performOnlineVerification: false, disable: false, verifySetTimestamp: false }; + return { threshold: 0, performOnlineVerification: false, disable: false, verifySet: false }; } export const ArtifactVerificationOptions_TlogOptions = { @@ -291,7 +293,7 @@ export const ArtifactVerificationOptions_TlogOptions = { ? Boolean(object.performOnlineVerification) : false, disable: isSet(object.disable) ? Boolean(object.disable) : false, - verifySetTimestamp: isSet(object.verifySetTimestamp) ? Boolean(object.verifySetTimestamp) : false, + verifySet: isSet(object.verifySet) ? Boolean(object.verifySet) : false, }; }, @@ -301,7 +303,7 @@ export const ArtifactVerificationOptions_TlogOptions = { message.performOnlineVerification !== undefined && (obj.performOnlineVerification = message.performOnlineVerification); message.disable !== undefined && (obj.disable = message.disable); - message.verifySetTimestamp !== undefined && (obj.verifySetTimestamp = message.verifySetTimestamp); + message.verifySet !== undefined && (obj.verifySet = message.verifySet); return obj; }, }; 
diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto
index d8a97910..4bc40157 100644
--- a/protos/sigstore_verification.proto
+++ b/protos/sigstore_verification.proto
@@ -54,10 +54,12 @@ message ArtifactVerificationOptions {
 bool perform_online_verification = 2;
 // Disable verification for transparency logs.
 bool disable = 3;
- // Verify SET timestamps indicates that the timestamp from
+ // Verify SET indicates that the timestamp from
 // the SET should be used when verifying the X.509
- // certifiacte chain
- bool verify_set_timestamp = 4;
+ // certifiacte chain. Note that inclusion promises (SETs)
+ // are optional in a bundle, and so requiring SET may render
+ // bundles invalid during verification if SET is not present.
+ bool verify_set = 4;
 }
 message CtlogOptions {
 // The number of ct transparency logs the certificate must
From 0b45c3813b86a6a82786ea34bb008207b20e3c66 Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Tue, 19 Dec 2023 12:52:43 +0100
Subject: [PATCH 3/6] Update protos/sigstore_verification.proto
Co-authored-by: William Woodruff
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_verification.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto
index 4bc40157..9c66b9f5 100644
--- a/protos/sigstore_verification.proto
+++ b/protos/sigstore_verification.proto
@@ -56,7 +56,7 @@ message ArtifactVerificationOptions {
 bool disable = 3;
 // Verify SET indicates that the timestamp from
 // the SET should be used when verifying the X.509
- // certifiacte chain. Note that inclusion promises (SETs)
+ // certificate chain. Note that inclusion promises (SETs)
 // are optional in a bundle, and so requiring SET may render
 // bundles invalid during verification if SET is not present.
 bool verify_set = 4;
From ace5c19687ff6dac2bf4a68280695afce0e3409b Mon Sep 17 00:00:00 2001
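Review bot: The comment added above `bool verify_set = 4;` in the `@@ -54,10 +54,12 @@` hunk of protos/sigstore_verification.proto says what setting the flag does but not what a verifier does when it is false, and as a plain proto3 `bool` an unset field cannot be told apart from false. Because the flag decides which time is trusted when validating the X.509 certificate chain, the comment should state the fallback, for example `// When false or unset, the SET timestamp is not used; signing time must then come from another verified source.` if that is the intended behaviour, and should say whether the SET signature itself is checked or only its timestamp is consumed. The rename keeps field number 4 and is therefore wire-compatible, but the JSON key changes from `verifySetTimestamp` to `verifySet` (visible in the regenerated schemas), which matters only if the earlier name was already released. The enclosing TlogOptions message starts above this hunk.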
From: Fredrik Skogman Date: Mon, 8 Jan 2024 15:31:07 +0100 Subject: [PATCH 4/6] Updated verification options for tlog integrated time Signed-off-by: Fredrik Skogman --- .../ArtifactVerificationOptions.schema.json | 6 +- gen/jsonschema/schemas/Input.schema.json | 6 +- .../v1/sigstore_verification.pb.go | 269 +++++++++++------- .../dev/sigstore/verification/v1/__init__.py | 20 +- gen/pb-ruby/lib/sigstore_verification_pb.rb | 6 +- .../ArtifactVerificationOptions.schema.json | 6 +- gen/pb-rust/schemas/Input.schema.json | 6 +- .../__generated__/sigstore_verification.ts | 43 ++- protos/sigstore_verification.proto | 16 +- 9 files changed, 223 insertions(+), 155 deletions(-) diff --git a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json index 7a83ede7..4b558a86 100644 --- a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json @@ -226,7 +226,7 @@ "properties": { "threshold": { "type": "integer", - "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and SETs from a transparency log" + "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log" }, "disable": { "type": "boolean", @@ -265,10 +265,6 @@ "disable": { "type": "boolean", "description": "Disable verification for transparency logs." - }, - "verifySet": { - "type": "boolean", - "description": "Verify SET indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) are optional in a bundle, and so requiring SET may render bundles invalid during verification if SET is not present." } }, "additionalProperties": false, 
diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 6179e9d0..2226a291 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json @@ -726,7 +726,7 @@ "properties": { "threshold": { "type": "integer", - "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and SETs from a transparency log" + "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log" }, "disable": { "type": "boolean", @@ -765,10 +765,6 @@ "disable": { "type": "boolean", "description": "Disable verification for transparency logs." - }, - "verifySet": { - "type": "boolean", - "description": "Verify SET indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) are optional in a bundle, and so requiring SET may render bundles invalid during verification if SET is not present." } }, "additionalProperties": false, diff --git a/gen/pb-go/verification/v1/sigstore_verification.pb.go b/gen/pb-go/verification/v1/sigstore_verification.pb.go index 93af27af..4d0122aa 100644 --- a/gen/pb-go/verification/v1/sigstore_verification.pb.go +++ b/gen/pb-go/verification/v1/sigstore_verification.pb.go 
@@ -522,12 +522,6 @@ type ArtifactVerificationOptions_TlogOptions struct { PerformOnlineVerification bool `protobuf:"varint,2,opt,name=perform_online_verification,json=performOnlineVerification,proto3" json:"perform_online_verification,omitempty"` // Disable verification for transparency logs. Disable bool `protobuf:"varint,3,opt,name=disable,proto3" json:"disable,omitempty"` - // Verify SET indicates that the timestamp from - // the SET should be used when verifying the X.509 - // certifiacte chain. Note that inclusion promises (SETs) - // are optional in a bundle, and so requiring SET may render - // bundles invalid during verification if SET is not present. - VerifySet bool `protobuf:"varint,4,opt,name=verify_set,json=verifySet,proto3" json:"verify_set,omitempty"` } func (x *ArtifactVerificationOptions_TlogOptions) Reset() { @@ -583,13 +577,6 @@ func (x *ArtifactVerificationOptions_TlogOptions) GetDisable() bool { return false } -func (x *ArtifactVerificationOptions_TlogOptions) GetVerifySet() bool { - if x != nil { - return x.VerifySet - } - return false -} - type ArtifactVerificationOptions_CtlogOptions struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -705,14 +692,71 @@ func (x *ArtifactVerificationOptions_TimestampAuthorityOptions) GetDisable() boo return false } +type ArtifactVerificationOptions_TlogIntegratedTimestampOptions struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The number of integrated timestamps that are expected. + Threshold int32 `protobuf:"varint,1,opt,name=threshold,proto3" json:"threshold,omitempty"` + // Disable integrated timestamp verification. + Disable bool `protobuf:"varint,2,opt,name=disable,proto3" json:"disable,omitempty"` +} + +func (x *ArtifactVerificationOptions_TlogIntegratedTimestampOptions) Reset() { + *x = ArtifactVerificationOptions_TlogIntegratedTimestampOptions{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ArtifactVerificationOptions_TlogIntegratedTimestampOptions) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ArtifactVerificationOptions_TlogIntegratedTimestampOptions) ProtoMessage() {} + +func (x *ArtifactVerificationOptions_TlogIntegratedTimestampOptions) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[9] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ArtifactVerificationOptions_TlogIntegratedTimestampOptions.ProtoReflect.Descriptor instead. 
+func (*ArtifactVerificationOptions_TlogIntegratedTimestampOptions) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{3, 3} +} + +func (x *ArtifactVerificationOptions_TlogIntegratedTimestampOptions) GetThreshold() int32 { + if x != nil { + return x.Threshold + } + return 0 +} + +func (x *ArtifactVerificationOptions_TlogIntegratedTimestampOptions) GetDisable() bool { + if x != nil { + return x.Disable + } + return false +} + type ArtifactVerificationOptions_ObserverTimestampOptions struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields // The number of external ovservers of the timestamp, - // this is a union of RFC3161 signed timestamps, and SETs - // from a transparency log + // this is a union of RFC3161 signed timestamps, and + // integrated timestamps from a transparency log Threshold int32 `protobuf:"varint,1,opt,name=threshold,proto3" json:"threshold,omitempty"` // Disable signed timestamp verification. Disable bool `protobuf:"varint,2,opt,name=disable,proto3" json:"disable,omitempty"` @@ -721,7 +765,7 @@ type ArtifactVerificationOptions_ObserverTimestampOptions struct { func (x *ArtifactVerificationOptions_ObserverTimestampOptions) Reset() { *x = ArtifactVerificationOptions_ObserverTimestampOptions{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_verification_proto_msgTypes[9] + mi := &file_sigstore_verification_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -734,7 +778,7 @@ func (x *ArtifactVerificationOptions_ObserverTimestampOptions) String() string { func (*ArtifactVerificationOptions_ObserverTimestampOptions) ProtoMessage() {} func (x *ArtifactVerificationOptions_ObserverTimestampOptions) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_verification_proto_msgTypes[9] + mi := &file_sigstore_verification_proto_msgTypes[10] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -747,7 +791,7 @@ func (x *ArtifactVerificationOptions_ObserverTimestampOptions) ProtoReflect() pr // Deprecated: Use ArtifactVerificationOptions_ObserverTimestampOptions.ProtoReflect.Descriptor instead. func (*ArtifactVerificationOptions_ObserverTimestampOptions) Descriptor() ([]byte, []int) { - return file_sigstore_verification_proto_rawDescGZIP(), []int{3, 3} + return file_sigstore_verification_proto_rawDescGZIP(), []int{3, 4} } func (x *ArtifactVerificationOptions_ObserverTimestampOptions) GetThreshold() int32 { @@ -799,7 +843,7 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x73, 0x22, 0xb3, 0x09, 0x0a, 0x1b, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, + 0x65, 0x79, 0x73, 0x22, 0xee, 0x09, 0x0a, 0x1b, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x6c, 0x0a, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 
@@ -843,7 +887,7 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x48, 0x04, 0x52, 0x0f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4f, 0x70, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x1a, 0xa4, 0x01, 0x0a, 0x0b, 0x54, 0x6c, 0x6f, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x1a, 0x85, 0x01, 0x0a, 0x0b, 0x54, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x3e, 0x0a, 0x1b, 0x70, 0x65, 0x72, 0x66, 0x6f, 0x72, 
@@ -852,67 +896,71 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x66, 0x6f, 0x72, 0x6d, 0x4f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, - 0x12, 0x1d, 0x0a, 0x0a, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x04, - 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x53, 0x65, 0x74, 0x1a, - 0x4c, 0x0a, 0x0c, 0x43, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, - 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, - 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, - 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x1a, 0x53, 0x0a, - 0x19, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, - 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, - 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, - 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, - 0x6c, 0x65, 0x1a, 0x52, 0x0a, 0x18, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, - 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, - 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 
0x01, 0x28, 0x08, 0x52, 0x07, 0x64, - 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x09, 0x0a, 0x07, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x72, - 0x73, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x74, 0x73, 0x61, 0x5f, 0x6f, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x13, 0x0a, 0x11, 0x5f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, 0x41, 0x72, 0x74, - 0x69, 0x66, 0x61, 0x63, 0x74, 0x12, 0x23, 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, - 0x74, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b, 0x61, - 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, 0x08, 0x61, 0x72, - 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, - 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, 0x06, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, - 0x22, 0xec, 0x02, 0x0a, 0x05, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x56, 0x0a, 0x13, 0x61, 0x72, - 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x72, 0x6f, 0x6f, - 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, - 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, - 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x52, - 0x11, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, - 0x6f, 0x74, 0x12, 0x7d, 0x0a, 0x1d, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x76, - 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6f, 0x70, 0x74, 0x69, - 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x64, 0x65, 0x76, 0x2e, - 
0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, - 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x1b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, - 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x12, 0x36, 0x0a, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1e, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c, - 0x65, 0x52, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x08, 0x61, 0x72, 0x74, - 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, - 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, - 0x61, 0x63, 0x74, 0x48, 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x88, - 0x01, 0x01, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, - 0x94, 0x01, 0x0a, 0x22, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x11, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3c, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, - 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 
0x2d, 0x67, 0x6f, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x1a, 0x53, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x1a, 0x4c, 0x0a, 0x0c, 0x43, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, + 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, + 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x1a, 0x53, + 0x0a, 0x19, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, + 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, + 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, + 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, + 0x62, 0x6c, 0x65, 0x1a, 0x58, 0x0a, 0x1e, 0x54, 0x6c, 0x6f, 0x67, 0x49, 0x6e, 0x74, 0x65, 0x67, + 0x72, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, + 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, + 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x1a, 0x52, 0x0a, + 0x18, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x69, 0x6d, 0x65, 0x73, 
0x74, 0x61, + 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, + 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, + 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, + 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, + 0x65, 0x42, 0x09, 0x0a, 0x07, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x73, 0x42, 0x0f, 0x0a, 0x0d, + 0x5f, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x10, 0x0a, + 0x0e, 0x5f, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, + 0x0e, 0x0a, 0x0c, 0x5f, 0x74, 0x73, 0x61, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, + 0x13, 0x0a, 0x11, 0x5f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, + 0x12, 0x23, 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x75, 0x72, 0x69, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, + 0x63, 0x74, 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, + 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, + 0x61, 0x63, 0x74, 0x42, 0x06, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0xec, 0x02, 0x0a, 0x05, + 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x56, 0x0a, 0x13, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, + 0x74, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x72, 0x6f, 0x6f, 0x74, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, + 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, + 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x52, 0x11, 0x61, 0x72, 0x74, 0x69, + 0x66, 0x61, 0x63, 0x74, 
0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x7d, 0x0a, + 0x1d, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, + 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, + 0x1b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x36, 0x0a, 0x06, + 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, + 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x06, 0x62, 0x75, + 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x48, 0x00, + 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x88, 0x01, 0x01, 0x42, 0x0b, 0x0a, + 0x09, 0x5f, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, 0x94, 0x01, 0x0a, 0x22, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x42, 0x11, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, + 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, + 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x1a, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, + 0x3a, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x3a, 0x56, + 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -927,38 +975,39 @@ func file_sigstore_verification_proto_rawDescGZIP() []byte { return file_sigstore_verification_proto_rawDescData } -var file_sigstore_verification_proto_msgTypes = make([]protoimpl.MessageInfo, 10) +var file_sigstore_verification_proto_msgTypes = make([]protoimpl.MessageInfo, 11) var file_sigstore_verification_proto_goTypes = []interface{}{ - (*CertificateIdentity)(nil), // 0: dev.sigstore.verification.v1.CertificateIdentity - (*CertificateIdentities)(nil), // 1: dev.sigstore.verification.v1.CertificateIdentities - (*PublicKeyIdentities)(nil), // 2: dev.sigstore.verification.v1.PublicKeyIdentities - (*ArtifactVerificationOptions)(nil), // 3: dev.sigstore.verification.v1.ArtifactVerificationOptions - (*Artifact)(nil), // 4: dev.sigstore.verification.v1.Artifact - (*Input)(nil), // 5: dev.sigstore.verification.v1.Input - (*ArtifactVerificationOptions_TlogOptions)(nil), // 6: dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions - (*ArtifactVerificationOptions_CtlogOptions)(nil), // 7: dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions - (*ArtifactVerificationOptions_TimestampAuthorityOptions)(nil), // 8: dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions - (*ArtifactVerificationOptions_ObserverTimestampOptions)(nil), // 9: dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions - (*v1.SubjectAlternativeName)(nil), // 10: dev.sigstore.common.v1.SubjectAlternativeName - (*v1.ObjectIdentifierValuePair)(nil), // 11: dev.sigstore.common.v1.ObjectIdentifierValuePair - (*v1.PublicKey)(nil), // 12: dev.sigstore.common.v1.PublicKey - (*v11.TrustedRoot)(nil), // 13: dev.sigstore.trustroot.v1.TrustedRoot - (*v12.Bundle)(nil), // 14: dev.sigstore.bundle.v1.Bundle + (*CertificateIdentity)(nil), // 0: dev.sigstore.verification.v1.CertificateIdentity + (*CertificateIdentities)(nil), // 1: dev.sigstore.verification.v1.CertificateIdentities + (*PublicKeyIdentities)(nil), 
// 2: dev.sigstore.verification.v1.PublicKeyIdentities + (*ArtifactVerificationOptions)(nil), // 3: dev.sigstore.verification.v1.ArtifactVerificationOptions + (*Artifact)(nil), // 4: dev.sigstore.verification.v1.Artifact + (*Input)(nil), // 5: dev.sigstore.verification.v1.Input + (*ArtifactVerificationOptions_TlogOptions)(nil), // 6: dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions + (*ArtifactVerificationOptions_CtlogOptions)(nil), // 7: dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions + (*ArtifactVerificationOptions_TimestampAuthorityOptions)(nil), // 8: dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions + (*ArtifactVerificationOptions_TlogIntegratedTimestampOptions)(nil), // 9: dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions + (*ArtifactVerificationOptions_ObserverTimestampOptions)(nil), // 10: dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions + (*v1.SubjectAlternativeName)(nil), // 11: dev.sigstore.common.v1.SubjectAlternativeName + (*v1.ObjectIdentifierValuePair)(nil), // 12: dev.sigstore.common.v1.ObjectIdentifierValuePair + (*v1.PublicKey)(nil), // 13: dev.sigstore.common.v1.PublicKey + (*v11.TrustedRoot)(nil), // 14: dev.sigstore.trustroot.v1.TrustedRoot + (*v12.Bundle)(nil), // 15: dev.sigstore.bundle.v1.Bundle } var file_sigstore_verification_proto_depIdxs = []int32{ - 10, // 0: dev.sigstore.verification.v1.CertificateIdentity.san:type_name -> dev.sigstore.common.v1.SubjectAlternativeName - 11, // 1: dev.sigstore.verification.v1.CertificateIdentity.oids:type_name -> dev.sigstore.common.v1.ObjectIdentifierValuePair + 11, // 0: dev.sigstore.verification.v1.CertificateIdentity.san:type_name -> dev.sigstore.common.v1.SubjectAlternativeName + 12, // 1: dev.sigstore.verification.v1.CertificateIdentity.oids:type_name -> dev.sigstore.common.v1.ObjectIdentifierValuePair 0, // 2: 
dev.sigstore.verification.v1.CertificateIdentities.identities:type_name -> dev.sigstore.verification.v1.CertificateIdentity - 12, // 3: dev.sigstore.verification.v1.PublicKeyIdentities.public_keys:type_name -> dev.sigstore.common.v1.PublicKey + 13, // 3: dev.sigstore.verification.v1.PublicKeyIdentities.public_keys:type_name -> dev.sigstore.common.v1.PublicKey 1, // 4: dev.sigstore.verification.v1.ArtifactVerificationOptions.certificate_identities:type_name -> dev.sigstore.verification.v1.CertificateIdentities 2, // 5: dev.sigstore.verification.v1.ArtifactVerificationOptions.public_keys:type_name -> dev.sigstore.verification.v1.PublicKeyIdentities 6, // 6: dev.sigstore.verification.v1.ArtifactVerificationOptions.tlog_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions 7, // 7: dev.sigstore.verification.v1.ArtifactVerificationOptions.ctlog_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions 8, // 8: dev.sigstore.verification.v1.ArtifactVerificationOptions.tsa_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions - 9, // 9: dev.sigstore.verification.v1.ArtifactVerificationOptions.observer_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions - 13, // 10: dev.sigstore.verification.v1.Input.artifact_trust_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot + 10, // 9: dev.sigstore.verification.v1.ArtifactVerificationOptions.observer_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions + 14, // 10: dev.sigstore.verification.v1.Input.artifact_trust_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot 3, // 11: dev.sigstore.verification.v1.Input.artifact_verification_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions - 14, // 12: dev.sigstore.verification.v1.Input.bundle:type_name -> dev.sigstore.bundle.v1.Bundle + 
15, // 12: dev.sigstore.verification.v1.Input.bundle:type_name -> dev.sigstore.bundle.v1.Bundle 4, // 13: dev.sigstore.verification.v1.Input.artifact:type_name -> dev.sigstore.verification.v1.Artifact 14, // [14:14] is the sub-list for method output_type 14, // [14:14] is the sub-list for method input_type @@ -1082,6 +1131,18 @@ func file_sigstore_verification_proto_init() { } } file_sigstore_verification_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ArtifactVerificationOptions_TlogIntegratedTimestampOptions); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_verification_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ArtifactVerificationOptions_ObserverTimestampOptions); i { case 0: return &v.state @@ -1109,7 +1170,7 @@ func file_sigstore_verification_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_sigstore_verification_proto_rawDesc, NumEnums: 0, - NumMessages: 10, + NumMessages: 11, NumExtensions: 0, NumServices: 0, }, diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py index 0e65b540..25e456de 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py 
@@ -106,14 +106,6 @@ class ArtifactVerificationOptionsTlogOptions(betterproto.Message): disable: bool = betterproto.bool_field(3) """Disable verification for transparency logs.""" - verify_set: bool = betterproto.bool_field(4) - """ - Verify SET indicates that the timestamp from the SET should be used when - verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) - are optional in a bundle, and so requiring SET may render bundles invalid - during verification if SET is not present. - """ - @dataclass(eq=False, repr=False) class ArtifactVerificationOptionsCtlogOptions(betterproto.Message): @@ -133,12 +125,22 @@ class ArtifactVerificationOptionsTimestampAuthorityOptions(betterproto.Message): """Disable signed timestamp verification.""" +@dataclass(eq=False, repr=False) +class ArtifactVerificationOptionsTlogIntegratedTimestampOptions(betterproto.Message): + threshold: int = betterproto.int32_field(1) + """The number of integrated timestamps that are expected.""" + + disable: bool = betterproto.bool_field(2) + """Disable integrated timestamp verification.""" + + @dataclass(eq=False, repr=False) class ArtifactVerificationOptionsObserverTimestampOptions(betterproto.Message): threshold: int = betterproto.int32_field(1) """ The number of external ovservers of the timestamp, this is a union of - RFC3161 signed timestamps, and SETs from a transparency log + RFC3161 signed timestamps, and integrated timestamps from a transparency + log """ disable: bool = betterproto.bool_field(2) diff --git a/gen/pb-ruby/lib/sigstore_verification_pb.rb b/gen/pb-ruby/lib/sigstore_verification_pb.rb index 0388e82b..5b537c1a 100644 --- a/gen/pb-ruby/lib/sigstore_verification_pb.rb +++ b/gen/pb-ruby/lib/sigstore_verification_pb.rb 
@@ -34,7 +34,6 @@ optional :threshold, :int32, 1 optional :perform_online_verification, :bool, 2 optional :disable, :bool, 3 - optional :verify_set, :bool, 4 end add_message "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions" do optional :threshold, :int32, 1 @@ -44,6 +43,10 @@ optional :threshold, :int32, 1 optional :disable, :bool, 2 end + add_message "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions" do + optional :threshold, :int32, 1 + optional :disable, :bool, 2 + end add_message "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions" do optional :threshold, :int32, 1 optional :disable, :bool, 2 @@ -73,6 +76,7 @@ module V1 ArtifactVerificationOptions::TlogOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions").msgclass ArtifactVerificationOptions::CtlogOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions").msgclass ArtifactVerificationOptions::TimestampAuthorityOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions").msgclass + ArtifactVerificationOptions::TlogIntegratedTimestampOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions").msgclass ArtifactVerificationOptions::ObserverTimestampOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions").msgclass Artifact = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.Artifact").msgclass Input = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.verification.v1.Input").msgclass 
diff --git a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json index 7a83ede7..4b558a86 100644 --- a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json @@ -226,7 +226,7 @@ "properties": { "threshold": { "type": "integer", - "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and SETs from a transparency log" + "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log" }, "disable": { "type": "boolean", @@ -265,10 +265,6 @@ "disable": { "type": "boolean", "description": "Disable verification for transparency logs." - }, - "verifySet": { - "type": "boolean", - "description": "Verify SET indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) are optional in a bundle, and so requiring SET may render bundles invalid during verification if SET is not present." } }, "additionalProperties": false, diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json index 6179e9d0..2226a291 100644 --- a/gen/pb-rust/schemas/Input.schema.json +++ b/gen/pb-rust/schemas/Input.schema.json @@ -726,7 +726,7 @@ "properties": { "threshold": { "type": "integer", - "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and SETs from a transparency log" + "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log" }, "disable": { "type": "boolean", 
@@ -765,10 +765,6 @@ "disable": { "type": "boolean", "description": "Disable verification for transparency logs." - }, - "verifySet": { - "type": "boolean", - "description": "Verify SET indicates that the timestamp from the SET should be used when verifying the X.509 certifiacte chain. Note that inclusion promises (SETs) are optional in a bundle, and so requiring SET may render bundles invalid during verification if SET is not present." } }, "additionalProperties": false, diff --git a/gen/pb-typescript/src/__generated__/sigstore_verification.ts b/gen/pb-typescript/src/__generated__/sigstore_verification.ts index 9b8816c2..134a38d1 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_verification.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_verification.ts @@ -79,14 +79,6 @@ export interface ArtifactVerificationOptions_TlogOptions { performOnlineVerification: boolean; /** Disable verification for transparency logs. */ disable: boolean; - /** - * Verify SET indicates that the timestamp from - * the SET should be used when verifying the X.509 - * certifiacte chain. Note that inclusion promises (SETs) - * are optional in a bundle, and so requiring SET may render - * bundles invalid during verification if SET is not present. - */ - verifySet: boolean; } export interface ArtifactVerificationOptions_CtlogOptions { 
@@ -106,11 +98,18 @@ export interface ArtifactVerificationOptions_TimestampAuthorityOptions { disable: boolean; } +export interface ArtifactVerificationOptions_TlogIntegratedTimestampOptions { + /** The number of integrated timestamps that are expected. */ + threshold: number; + /** Disable integrated timestamp verification. */ + disable: boolean; +} + export interface ArtifactVerificationOptions_ObserverTimestampOptions { /** * The number of external ovservers of the timestamp, - * this is a union of RFC3161 signed timestamps, and SETs - * from a transparency log + * this is a union of RFC3161 signed timestamps, and + * integrated timestamps from a transparency log */ threshold: number; /** Disable signed timestamp verification. */ @@ -282,7 +281,7 @@ export const ArtifactVerificationOptions = { }; function createBaseArtifactVerificationOptions_TlogOptions(): ArtifactVerificationOptions_TlogOptions { - return { threshold: 0, performOnlineVerification: false, disable: false, verifySet: false }; + return { threshold: 0, performOnlineVerification: false, disable: false }; } export const ArtifactVerificationOptions_TlogOptions = { @@ -293,7 +292,6 @@ export const ArtifactVerificationOptions_TlogOptions = { ? Boolean(object.performOnlineVerification) : false, disable: isSet(object.disable) ? Boolean(object.disable) : false, - verifySet: isSet(object.verifySet) ? Boolean(object.verifySet) : false, }; }, @@ -303,7 +301,6 @@ export const ArtifactVerificationOptions_TlogOptions = { message.performOnlineVerification !== undefined && (obj.performOnlineVerification = message.performOnlineVerification); message.disable !== undefined && (obj.disable = message.disable); - message.verifySet !== undefined && (obj.verifySet = message.verifySet); return obj; }, }; 
@@ -348,6 +345,26 @@ export const ArtifactVerificationOptions_TimestampAuthorityOptions = { }, }; +function createBaseArtifactVerificationOptions_TlogIntegratedTimestampOptions(): ArtifactVerificationOptions_TlogIntegratedTimestampOptions { + return { threshold: 0, disable: false }; +} + +export const ArtifactVerificationOptions_TlogIntegratedTimestampOptions = { + fromJSON(object: any): ArtifactVerificationOptions_TlogIntegratedTimestampOptions { + return { + threshold: isSet(object.threshold) ? Number(object.threshold) : 0, + disable: isSet(object.disable) ? Boolean(object.disable) : false, + }; + }, + + toJSON(message: ArtifactVerificationOptions_TlogIntegratedTimestampOptions): unknown { + const obj: any = {}; + message.threshold !== undefined && (obj.threshold = Math.round(message.threshold)); + message.disable !== undefined && (obj.disable = message.disable); + return obj; + }, +}; + function createBaseArtifactVerificationOptions_ObserverTimestampOptions(): ArtifactVerificationOptions_ObserverTimestampOptions { return { threshold: 0, disable: false }; } diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto index 9c66b9f5..534d901e 100644 --- a/protos/sigstore_verification.proto +++ b/protos/sigstore_verification.proto @@ -54,12 +54,6 @@ message ArtifactVerificationOptions { bool perform_online_verification = 2; // Disable verification for transparency logs. bool disable = 3; - // Verify SET indicates that the timestamp from - // the SET should be used when verifying the X.509 - // certificate chain. Note that inclusion promises (SETs) - // are optional in a bundle, and so requiring SET may render - // bundles invalid during verification if SET is not present. - bool verify_set = 4; } message CtlogOptions { // The number of ct transparency logs the certificate must 
@@ -75,10 +69,16 @@ message ArtifactVerificationOptions {
 // Disable signed timestamp verification.
 bool disable = 2;
 }
+ message TlogIntegratedTimestampOptions{
+ // The number of integrated timestamps that are expected.
+ int32 threshold = 1;
+ // Disable integrated timestamp verification.
+ bool disable = 2;
+ }
 message ObserverTimestampOptions {
 // The number of external ovservers of the timestamp,
- // this is a union of RFC3161 signed timestamps, and SETs
- // from a transparency log
+ // this is a union of RFC3161 signed timestamps, and
+ // integrated timestamps from a transparency log
 int32 threshold = 1;
 // Disable signed timestamp verification.
 bool disable = 2;
From c32e36847854efc1fdf0aa28c142a6d61fabaf41 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Mon, 8 Jan 2024 14:51:46 +0100 Subject: [PATCH 5/6] Update protos/sigstore_verification.proto Co-authored-by: Hayden B Signed-off-by: Fredrik Skogman
---
 protos/sigstore_verification.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto
index 534d901e..e29de245 100644
--- a/protos/sigstore_verification.proto
+++ b/protos/sigstore_verification.proto
@@ -76,7 +76,7 @@ message ArtifactVerificationOptions {
 bool disable = 2;
 }
 message ObserverTimestampOptions {
- // The number of external ovservers of the timestamp,
+ // The number of external observers of the timestamp.
 // this is a union of RFC3161 signed timestamps, and
 // integrated timestamps from a transparency log
 int32 threshold = 1;
From f6af7d3a4df73ef97653e1a73b29d93782560c39 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Mon, 8 Jan 2024 15:32:42 +0100 Subject: [PATCH 6/6] Updated timestamp options: default is to only require one observer of any kind. added missing options to the ArtifactVerificationOptions
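Review bot: In the `@@ -75,10 +69,16 @@` hunk of protos/sigstore_verification.proto, the comment on `TlogIntegratedTimestampOptions.threshold` says only that a number of integrated timestamps is "expected"; it does not say what a verifier must check before one counts toward the threshold. The same series removes `verify_set` from `TlogOptions`, whose comment tied the SET timestamp to X.509 certificate chain validation, so this new message is where that requirement would have to be restated. If the intent is that only log-authenticated times count, I would add `// Only integrated timestamps the verifier has authenticated (for example through a verified SET) count toward the threshold.` The comment could also say how `disable = true` interacts with a non-zero `threshold`, and the opening line reads better as `message TlogIntegratedTimestampOptions {` to match the sibling `message ObserverTimestampOptions {`. The enclosing `ArtifactVerificationOptions` message starts outside the hunk.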
Signed-off-by: Fredrik Skogman --- .../ArtifactVerificationOptions.schema.json | 35 ++- gen/jsonschema/schemas/Input.schema.json | 35 ++- .../v1/sigstore_verification.pb.go | 219 ++++++++++-------- .../dev/sigstore/verification/v1/__init__.py | 24 +- gen/pb-ruby/lib/sigstore_verification_pb.rb | 3 +- .../ArtifactVerificationOptions.schema.json | 35 ++- gen/pb-rust/schemas/Input.schema.json | 35 ++- .../__generated__/sigstore_verification.ts | 33 ++- protos/sigstore_verification.proto | 22 +- 9 files changed, 299 insertions(+), 142 deletions(-) diff --git a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json index 4b558a86..a36bcb98 100644 --- a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json @@ -16,7 +16,7 @@ "tlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false Verify SET Timestamps: true" + "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" }, "ctlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", 
@@ -26,12 +26,17 @@ "tsaOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", "additionalProperties": false, - "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" + "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" + }, + "integratedTsOptions": { + "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions", + "additionalProperties": false, + "description": "Optional options for integrated timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" }, "observerOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", "additionalProperties": false, - "description": "Optional options for timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" + "description": "Optional options for observed timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" } }, "additionalProperties": false, @@ -62,6 +67,11 @@ "tsa_options" ] }, + { + "required": [ + "integrated_ts_options" + ] + }, { "required": [ "observer_options" 
@@ -226,11 +236,11 @@ "properties": { "threshold": { "type": "integer", - "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log" + "description": "The number of external observers of the timestamp. This is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log, that could include additional timestamp sources in the future." }, "disable": { "type": "boolean", - "description": "Disable signed timestamp verification." + "description": "Disable observer timestamp verification." } }, "additionalProperties": false, @@ -252,6 +262,21 @@ "type": "object", "title": "Timestamp Authority Options" }, + "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions": { + "properties": { + "threshold": { + "type": "integer", + "description": "The number of integrated timestamps that are expected." + }, + "disable": { + "type": "boolean", + "description": "Disable integrated timestamp verification." + } + }, + "additionalProperties": false, + "type": "object", + "title": "Tlog Integrated Timestamp Options" + }, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions": { "properties": { "threshold": { diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 2226a291..83a625e6 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json 
@@ -652,7 +652,7 @@ "tlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false Verify SET Timestamps: true" + "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" }, "ctlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", 
@@ -662,12 +662,17 @@ "tsaOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", "additionalProperties": false, - "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" + "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" + }, + "integratedTsOptions": { + "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions", + "additionalProperties": false, + "description": "Optional options for integrated timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" }, "observerOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", "additionalProperties": false, - "description": "Optional options for timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" + "description": "Optional options for observed timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" } }, "additionalProperties": false, @@ -698,6 +703,11 @@ "tsa_options" ] }, + { + "required": [ + "integrated_ts_options" + ] + }, { "required": [ "observer_options" 
@@ -726,11 +736,11 @@ "properties": { "threshold": { "type": "integer", - "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log" + "description": "The number of external observers of the timestamp. This is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log, that could include additional timestamp sources in the future." }, "disable": { "type": "boolean", - "description": "Disable signed timestamp verification." + "description": "Disable observer timestamp verification." } }, "additionalProperties": false, @@ -752,6 +762,21 @@ "type": "object", "title": "Timestamp Authority Options" }, + "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions": { + "properties": { + "threshold": { + "type": "integer", + "description": "The number of integrated timestamps that are expected." + }, + "disable": { + "type": "boolean", + "description": "Disable integrated timestamp verification." + } + }, + "additionalProperties": false, + "type": "object", + "title": "Tlog Integrated Timestamp Options" + }, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions": { "properties": { "threshold": { diff --git a/gen/pb-go/verification/v1/sigstore_verification.pb.go b/gen/pb-go/verification/v1/sigstore_verification.pb.go index 4d0122aa..95099784 100644 --- a/gen/pb-go/verification/v1/sigstore_verification.pb.go +++ b/gen/pb-go/verification/v1/sigstore_verification.pb.go 
@@ -220,7 +220,6 @@ type ArtifactVerificationOptions struct { // Threshold: 1 // Online verification: false // Disable: false - // Verify SET Timestamps: true TlogOptions *ArtifactVerificationOptions_TlogOptions `protobuf:"bytes,3,opt,name=tlog_options,json=tlogOptions,proto3,oneof" json:"tlog_options,omitempty"` // Optional options for certificate transparency log verification. // If none is provided, the default verification options are: 
@@ -229,14 +228,19 @@ type ArtifactVerificationOptions struct { CtlogOptions *ArtifactVerificationOptions_CtlogOptions `protobuf:"bytes,4,opt,name=ctlog_options,json=ctlogOptions,proto3,oneof" json:"ctlog_options,omitempty"` // Optional options for certificate signed timestamp verification. // If none is provided, the default verification options are: - // Threshold: 1 - // Disable: false + // Threshold: 0 + // Disable: true TsaOptions *ArtifactVerificationOptions_TimestampAuthorityOptions `protobuf:"bytes,5,opt,name=tsa_options,json=tsaOptions,proto3,oneof" json:"tsa_options,omitempty"` - // Optional options for timestamp verification. + // Optional options for integrated timestamp verification. + // If none is provided, the default verification options are: + // Threshold: 0 + // Disable: true + IntegratedTsOptions *ArtifactVerificationOptions_TlogIntegratedTimestampOptions `protobuf:"bytes,6,opt,name=integrated_ts_options,json=integratedTsOptions,proto3,oneof" json:"integrated_ts_options,omitempty"` + // Optional options for observed timestamp verification. // If none is provided, the default verification options are: // Threshold 1 // Disable: false - ObserverOptions *ArtifactVerificationOptions_ObserverTimestampOptions `protobuf:"bytes,6,opt,name=observer_options,json=observerOptions,proto3,oneof" json:"observer_options,omitempty"` + ObserverOptions *ArtifactVerificationOptions_ObserverTimestampOptions `protobuf:"bytes,7,opt,name=observer_options,json=observerOptions,proto3,oneof" json:"observer_options,omitempty"` } func (x *ArtifactVerificationOptions) Reset() { 
@@ -313,6 +317,13 @@ func (x *ArtifactVerificationOptions) GetTsaOptions() *ArtifactVerificationOptio return nil } +func (x *ArtifactVerificationOptions) GetIntegratedTsOptions() *ArtifactVerificationOptions_TlogIntegratedTimestampOptions { + if x != nil { + return x.IntegratedTsOptions + } + return nil +} + func (x *ArtifactVerificationOptions) GetObserverOptions() *ArtifactVerificationOptions_ObserverTimestampOptions { if x != nil { return x.ObserverOptions @@ -754,11 +765,13 @@ type ArtifactVerificationOptions_ObserverTimestampOptions struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // The number of external ovservers of the timestamp, - // this is a union of RFC3161 signed timestamps, and - // integrated timestamps from a transparency log + // The number of external observers of the timestamp. + // This is a union of RFC3161 signed timestamps, and + // integrated timestamps from a transparency log, that + // could include additional timestamp sources in the + // future. Threshold int32 `protobuf:"varint,1,opt,name=threshold,proto3" json:"threshold,omitempty"` - // Disable signed timestamp verification. + // Disable observer timestamp verification. Disable bool `protobuf:"varint,2,opt,name=disable,proto3" json:"disable,omitempty"` } 
@@ -843,7 +856,7 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x73, 0x22, 0xee, 0x09, 0x0a, 0x1b, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, + 0x65, 0x79, 0x73, 0x22, 0x9c, 0x0b, 0x0a, 0x1b, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x6c, 0x0a, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 
@@ -879,88 +892,99 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x48, 0x03, 0x52, 0x0a, 0x74, 0x73, 0x61, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x88, 0x01, 0x01, 0x12, 0x82, 0x01, 0x0a, 0x10, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x52, - 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, - 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, - 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x48, 0x04, 0x52, 0x0f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4f, 0x70, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x1a, 0x85, 0x01, 0x0a, 0x0b, 0x54, 0x6c, 0x6f, - 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, - 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, - 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x3e, 0x0a, 0x1b, 0x70, 0x65, 0x72, 0x66, 0x6f, 0x72, - 0x6d, 0x5f, 0x6f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x19, 0x70, 0x65, 0x72, - 0x66, 0x6f, 0x72, 0x6d, 0x4f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, - 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 
0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, - 0x1a, 0x4c, 0x0a, 0x0c, 0x43, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, - 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, - 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x1a, 0x53, - 0x0a, 0x19, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, - 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, - 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, - 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, - 0x62, 0x6c, 0x65, 0x1a, 0x58, 0x0a, 0x1e, 0x54, 0x6c, 0x6f, 0x67, 0x49, 0x6e, 0x74, 0x65, 0x67, - 0x72, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, - 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, - 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x1a, 0x52, 0x0a, - 0x18, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, + 0x88, 0x01, 0x01, 0x12, 0x91, 0x01, 0x0a, 0x15, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, + 0x65, 0x64, 0x5f, 0x74, 0x73, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x06, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x58, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 
0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x54, + 0x6c, 0x6f, 0x67, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, + 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x48, 0x04, 0x52, + 0x13, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x65, 0x64, 0x54, 0x73, 0x4f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x12, 0x82, 0x01, 0x0a, 0x10, 0x6f, 0x62, 0x73, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x07, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x52, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, + 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x4f, 0x62, + 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, + 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x48, 0x05, 0x52, 0x0f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x1a, 0x85, 0x01, 0x0a, + 0x0b, 0x54, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, + 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, + 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x3e, 0x0a, 0x1b, 0x70, 0x65, + 0x72, 0x66, 0x6f, 0x72, 0x6d, 0x5f, 0x6f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x76, 0x65, 0x72, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x19, 0x70, 0x65, 0x72, 0x66, 0x6f, 
0x72, 0x6d, 0x4f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x56, 0x65, + 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, + 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, + 0x61, 0x62, 0x6c, 0x65, 0x1a, 0x4c, 0x0a, 0x0c, 0x43, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, + 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x4a, 0x04, 0x08, 0x02, + 0x10, 0x03, 0x1a, 0x53, 0x0a, 0x19, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, + 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, + 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, + 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x1a, 0x58, 0x0a, 0x1e, 0x54, 0x6c, 0x6f, 0x67, 0x49, + 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, - 0x65, 0x42, 0x09, 0x0a, 0x07, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x73, 0x42, 0x0f, 0x0a, 0x0d, - 0x5f, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 
0x10, 0x0a, - 0x0e, 0x5f, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, - 0x0e, 0x0a, 0x0c, 0x5f, 0x74, 0x73, 0x61, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, - 0x13, 0x0a, 0x11, 0x5f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6f, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, - 0x12, 0x23, 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x75, 0x72, 0x69, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, - 0x63, 0x74, 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, - 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, - 0x61, 0x63, 0x74, 0x42, 0x06, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0xec, 0x02, 0x0a, 0x05, - 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x56, 0x0a, 0x13, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, - 0x74, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x72, 0x6f, 0x6f, 0x74, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, - 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, - 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x52, 0x11, 0x61, 0x72, 0x74, 0x69, - 0x66, 0x61, 0x63, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x7d, 0x0a, - 0x1d, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, + 0x65, 0x1a, 0x52, 0x0a, 0x18, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x69, 0x6d, + 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, + 0x09, 0x74, 0x68, 0x72, 
0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, + 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, + 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, + 0x73, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x09, 0x0a, 0x07, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x73, + 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x74, 0x73, 0x61, 0x5f, 0x6f, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x42, 0x18, 0x0a, 0x16, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, + 0x65, 0x64, 0x5f, 0x74, 0x73, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x13, 0x0a, + 0x11, 0x5f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x12, 0x23, + 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, + 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, + 0x74, 0x42, 0x06, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0xec, 0x02, 0x0a, 0x05, 0x49, 0x6e, + 0x70, 0x75, 0x74, 0x12, 0x56, 0x0a, 0x13, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, + 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x72, 0x6f, 0x6f, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x75, + 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x52, 0x11, 
0x61, 0x72, 0x74, 0x69, 0x66, 0x61, + 0x63, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x7d, 0x0a, 0x1d, 0x61, + 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, + 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x1b, 0x61, + 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x36, 0x0a, 0x06, 0x62, 0x75, + 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x64, 0x65, 0x76, + 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, + 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x06, 0x62, 0x75, 0x6e, 0x64, + 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, - 0x1b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x36, 0x0a, 0x06, - 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x64, - 
0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, - 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x06, 0x62, 0x75, - 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, - 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x48, 0x00, - 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x88, 0x01, 0x01, 0x42, 0x0b, 0x0a, - 0x09, 0x5f, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, 0x94, 0x01, 0x0a, 0x22, 0x64, - 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, - 0x31, 0x42, 0x11, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, - 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, - 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x1a, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, - 0x3a, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x3a, 0x56, - 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x48, 0x00, 0x52, 0x08, + 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x88, 0x01, 0x01, 0x42, 0x0b, 0x0a, 0x09, 0x5f, + 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, 0x94, 0x01, 0x0a, 0x22, 
0x64, 0x65, 0x76, + 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, + 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, + 0x11, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, + 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, + 0x67, 0x6f, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, + 0x76, 0x31, 0xea, 0x02, 0x1a, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x56, + 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, + 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -1004,16 +1028,17 @@ var file_sigstore_verification_proto_depIdxs = []int32{ 6, // 6: dev.sigstore.verification.v1.ArtifactVerificationOptions.tlog_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions 7, // 7: dev.sigstore.verification.v1.ArtifactVerificationOptions.ctlog_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions 8, // 8: dev.sigstore.verification.v1.ArtifactVerificationOptions.tsa_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions - 10, // 9: dev.sigstore.verification.v1.ArtifactVerificationOptions.observer_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions - 14, // 10: dev.sigstore.verification.v1.Input.artifact_trust_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot - 3, // 11: dev.sigstore.verification.v1.Input.artifact_verification_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions - 15, // 12: dev.sigstore.verification.v1.Input.bundle:type_name -> dev.sigstore.bundle.v1.Bundle - 4, // 13: dev.sigstore.verification.v1.Input.artifact:type_name -> dev.sigstore.verification.v1.Artifact - 14, // [14:14] is the sub-list for method output_type - 14, // [14:14] is the sub-list for method input_type - 14, // [14:14] is the sub-list for extension type_name - 14, // [14:14] is the sub-list for extension extendee - 0, // [0:14] is the sub-list for field type_name + 9, // 9: dev.sigstore.verification.v1.ArtifactVerificationOptions.integrated_ts_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions + 10, // 10: dev.sigstore.verification.v1.ArtifactVerificationOptions.observer_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions + 14, // 11: dev.sigstore.verification.v1.Input.artifact_trust_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot + 
3, // 12: dev.sigstore.verification.v1.Input.artifact_verification_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions + 15, // 13: dev.sigstore.verification.v1.Input.bundle:type_name -> dev.sigstore.bundle.v1.Bundle + 4, // 14: dev.sigstore.verification.v1.Input.artifact:type_name -> dev.sigstore.verification.v1.Artifact + 15, // [15:15] is the sub-list for method output_type + 15, // [15:15] is the sub-list for method input_type + 15, // [15:15] is the sub-list for extension type_name + 15, // [15:15] is the sub-list for extension extendee + 0, // [0:15] is the sub-list for field type_name } func init() { file_sigstore_verification_proto_init() } diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py index 25e456de..ffebc310 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py @@ -67,7 +67,7 @@ class ArtifactVerificationOptions(betterproto.Message): """ Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online - verification: false Disable: false Verify SET Timestamps: true + verification: false Disable: false """ ctlog_options: Optional["ArtifactVerificationOptionsCtlogOptions"] = ( 
@@ -83,15 +83,23 @@ class ArtifactVerificationOptions(betterproto.Message): ) """ Optional options for certificate signed timestamp verification. If none is - provided, the default verification options are: Threshold: 1 Disable: false + provided, the default verification options are: Threshold: 0 Disable: true + """ + + integrated_ts_options: Optional[ + "ArtifactVerificationOptionsTlogIntegratedTimestampOptions" + ] = betterproto.message_field(6, optional=True, group="_integrated_ts_options") + """ + Optional options for integrated timestamp verification. If none is + provided, the default verification options are: Threshold: 0 Disable: true """ observer_options: Optional[ "ArtifactVerificationOptionsObserverTimestampOptions" - ] = betterproto.message_field(6, optional=True, group="_observer_options") + ] = betterproto.message_field(7, optional=True, group="_observer_options") """ - Optional options for timestamp verification. If none is provided, the - default verification options are: Threshold 1 Disable: false + Optional options for observed timestamp verification. If none is provided, + the default verification options are: Threshold 1 Disable: false """ @@ -138,13 +146,13 @@ class ArtifactVerificationOptionsTlogIntegratedTimestampOptions(betterproto.Mess class ArtifactVerificationOptionsObserverTimestampOptions(betterproto.Message): threshold: int = betterproto.int32_field(1) """ - The number of external ovservers of the timestamp, this is a union of + The number of external observers of the timestamp. This is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency - log + log, that could include additional timestamp sources in the future. """ disable: bool = betterproto.bool_field(2) - """Disable signed timestamp verification.""" + """Disable observer timestamp verification.""" @dataclass(eq=False, repr=False) 
diff --git a/gen/pb-ruby/lib/sigstore_verification_pb.rb b/gen/pb-ruby/lib/sigstore_verification_pb.rb index 5b537c1a..56a88150 100644 --- a/gen/pb-ruby/lib/sigstore_verification_pb.rb +++ b/gen/pb-ruby/lib/sigstore_verification_pb.rb @@ -24,7 +24,8 @@ proto3_optional :tlog_options, :message, 3, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions" proto3_optional :ctlog_options, :message, 4, "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions" proto3_optional :tsa_options, :message, 5, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions" - proto3_optional :observer_options, :message, 6, "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions" + proto3_optional :integrated_ts_options, :message, 6, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions" + proto3_optional :observer_options, :message, 7, "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions" oneof :signers do optional :certificate_identities, :message, 1, "dev.sigstore.verification.v1.CertificateIdentities" optional :public_keys, :message, 2, "dev.sigstore.verification.v1.PublicKeyIdentities" diff --git a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json index 4b558a86..a36bcb98 100644 --- a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json 
@@ -16,7 +16,7 @@ "tlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false Verify SET Timestamps: true" + "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" }, "ctlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", 
@@ -26,12 +26,17 @@ "tsaOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", "additionalProperties": false, - "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" + "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" + }, + "integratedTsOptions": { + "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions", + "additionalProperties": false, + "description": "Optional options for integrated timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" }, "observerOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", "additionalProperties": false, - "description": "Optional options for timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" + "description": "Optional options for observed timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" } }, "additionalProperties": false, @@ -62,6 +67,11 @@ "tsa_options" ] }, + { + "required": [ + "integrated_ts_options" + ] + }, { "required": [ "observer_options" 
@@ -226,11 +236,11 @@ "properties": { "threshold": { "type": "integer", - "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log" + "description": "The number of external observers of the timestamp. This is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log, that could include additional timestamp sources in the future." }, "disable": { "type": "boolean", - "description": "Disable signed timestamp verification." + "description": "Disable observer timestamp verification." } }, "additionalProperties": false, @@ -252,6 +262,21 @@ "type": "object", "title": "Timestamp Authority Options" }, + "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions": { + "properties": { + "threshold": { + "type": "integer", + "description": "The number of integrated timestamps that are expected." + }, + "disable": { + "type": "boolean", + "description": "Disable integrated timestamp verification." + } + }, + "additionalProperties": false, + "type": "object", + "title": "Tlog Integrated Timestamp Options" + }, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions": { "properties": { "threshold": { diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json index 2226a291..83a625e6 100644 --- a/gen/pb-rust/schemas/Input.schema.json +++ b/gen/pb-rust/schemas/Input.schema.json 
@@ -652,7 +652,7 @@ "tlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false Verify SET Timestamps: true" + "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" }, "ctlogOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", 
@@ -662,12 +662,17 @@ "tsaOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", "additionalProperties": false, - "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" + "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" + }, + "integratedTsOptions": { + "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions", + "additionalProperties": false, + "description": "Optional options for integrated timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" }, "observerOptions": { "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", "additionalProperties": false, - "description": "Optional options for timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" + "description": "Optional options for observed timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" } }, "additionalProperties": false, @@ -698,6 +703,11 @@ "tsa_options" ] }, + { + "required": [ + "integrated_ts_options" + ] + }, { "required": [ "observer_options" 
@@ -726,11 +736,11 @@ "properties": { "threshold": { "type": "integer", - "description": "The number of external ovservers of the timestamp, this is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log" + "description": "The number of external observers of the timestamp. This is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log, that could include additional timestamp sources in the future." }, "disable": { "type": "boolean", - "description": "Disable signed timestamp verification." + "description": "Disable observer timestamp verification." } }, "additionalProperties": false, @@ -752,6 +762,21 @@ "type": "object", "title": "Timestamp Authority Options" }, + "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions": { + "properties": { + "threshold": { + "type": "integer", + "description": "The number of integrated timestamps that are expected." + }, + "disable": { + "type": "boolean", + "description": "Disable integrated timestamp verification." + } + }, + "additionalProperties": false, + "type": "object", + "title": "Tlog Integrated Timestamp Options" + }, "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions": { "properties": { "threshold": { diff --git a/gen/pb-typescript/src/__generated__/sigstore_verification.ts b/gen/pb-typescript/src/__generated__/sigstore_verification.ts index 134a38d1..b7620398 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_verification.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_verification.ts @@ -40,7 +40,6 @@ export interface ArtifactVerificationOptions { * Threshold: 1 * Online verification: false * Disable: false - * Verify SET Timestamps: true */ tlogOptions?: | ArtifactVerificationOptions_TlogOptions 
@@ -57,14 +56,23 @@ export interface ArtifactVerificationOptions { /** * Optional options for certificate signed timestamp verification. * If none is provided, the default verification options are: - * Threshold: 1 - * Disable: false + * Threshold: 0 + * Disable: true */ tsaOptions?: | ArtifactVerificationOptions_TimestampAuthorityOptions | undefined; /** - * Optional options for timestamp verification. + * Optional options for integrated timestamp verification. + * If none is provided, the default verification options are: + * Threshold: 0 + * Disable: true + */ + integratedTsOptions?: + | ArtifactVerificationOptions_TlogIntegratedTimestampOptions + | undefined; + /** + * Optional options for observed timestamp verification. * If none is provided, the default verification options are: * Threshold 1 * Disable: false @@ -107,12 +115,14 @@ export interface ArtifactVerificationOptions_TlogIntegratedTimestampOptions { export interface ArtifactVerificationOptions_ObserverTimestampOptions { /** - * The number of external ovservers of the timestamp, - * this is a union of RFC3161 signed timestamps, and - * integrated timestamps from a transparency log + * The number of external observers of the timestamp. + * This is a union of RFC3161 signed timestamps, and + * integrated timestamps from a transparency log, that + * could include additional timestamp sources in the + * future. */ threshold: number; - /** Disable signed timestamp verification. */ + /** Disable observer timestamp verification. */ disable: boolean; } @@ -225,6 +235,7 @@ function createBaseArtifactVerificationOptions(): ArtifactVerificationOptions { tlogOptions: undefined, ctlogOptions: undefined, tsaOptions: undefined, + integratedTsOptions: undefined, observerOptions: undefined, }; } 
@@ -249,6 +260,9 @@ export const ArtifactVerificationOptions = { tsaOptions: isSet(object.tsaOptions) ? ArtifactVerificationOptions_TimestampAuthorityOptions.fromJSON(object.tsaOptions) : undefined, + integratedTsOptions: isSet(object.integratedTsOptions) + ? ArtifactVerificationOptions_TlogIntegratedTimestampOptions.fromJSON(object.integratedTsOptions) + : undefined, observerOptions: isSet(object.observerOptions) ? ArtifactVerificationOptions_ObserverTimestampOptions.fromJSON(object.observerOptions) : undefined, @@ -273,6 +287,9 @@ export const ArtifactVerificationOptions = { message.tsaOptions !== undefined && (obj.tsaOptions = message.tsaOptions ? ArtifactVerificationOptions_TimestampAuthorityOptions.toJSON(message.tsaOptions) : undefined); + message.integratedTsOptions !== undefined && (obj.integratedTsOptions = message.integratedTsOptions + ? ArtifactVerificationOptions_TlogIntegratedTimestampOptions.toJSON(message.integratedTsOptions) + : undefined); message.observerOptions !== undefined && (obj.observerOptions = message.observerOptions ? ArtifactVerificationOptions_ObserverTimestampOptions.toJSON(message.observerOptions) : undefined); diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto index e29de245..7f811dd2 100644 --- a/protos/sigstore_verification.proto +++ b/protos/sigstore_verification.proto @@ -77,10 +77,12 @@ message ArtifactVerificationOptions { } message ObserverTimestampOptions { // The number of external observers of the timestamp. - // this is a union of RFC3161 signed timestamps, and - // integrated timestamps from a transparency log + // This is a union of RFC3161 signed timestamps, and + // integrated timestamps from a transparency log, that + // could include additional timestamp sources in the + // future. int32 threshold = 1; - // Disable signed timestamp verification. + // Disable observer timestamp verification. bool disable = 2; } 
@@ -105,7 +107,6 @@ message ArtifactVerificationOptions {
 // Threshold: 1
 // Online verification: false
 // Disable: false
- // Verify SET Timestamps: true
 optional TlogOptions tlog_options = 3;
 // Optional options for certificate transparency log verification.
 // If none is provided, the default verification options are:
@@ -114,14 +115,19 @@ message ArtifactVerificationOptions {
 optional CtlogOptions ctlog_options = 4;
 // Optional options for certificate signed timestamp verification.
 // If none is provided, the default verification options are:
- // Threshold: 1
- // Disable: false
+ // Threshold: 0
+ // Disable: true
 optional TimestampAuthorityOptions tsa_options = 5;
- // Optional options for timestamp verification.
+ // Optional options for integrated timestamp verification.
+ // If none is provided, the default verification options are:
+ // Threshold: 0
+ // Disable: true
+ optional TlogIntegratedTimestampOptions integrated_ts_options = 6;
+ // Optional options for observed timestamp verification.
 // If none is provided, the default verification options are:
 // Threshold 1
 // Disable: false
- optional ObserverTimestampOptions observer_options = 6;
+ optional ObserverTimestampOptions observer_options = 7;
 }

 message Artifact {
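Review bot: Field number 6 is taken away from `observer_options` and given to `integrated_ts_options` in the second hunk, which reassigns a tag rather than adding one. Both nested option messages carry `threshold = 1` and `disable = 2`, so a peer built against the earlier numbering that sets `observer_options` would decode without error as `integrated_ts_options`, and the observer policy would silently fall back to its defaults. If the earlier numbering has reached any consumer, keep `optional ObserverTimestampOptions observer_options = 6;` and add `optional TlogIntegratedTimestampOptions integrated_ts_options = 7;` instead; declaration order in the file does not have to follow tag order. If it was never released, a short comment on the field stating that would help the next reader. The enclosing `ArtifactVerificationOptions` message starts outside this hunk.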