From 83aff1bd8ce15d1cbd2205f7b56ebbb6cc75cc2a Mon Sep 17 00:00:00 2001
From: Samuel Giddins
Date: Mon, 30 Sep 2024 10:13:39 -0700
Subject: [PATCH] Allow specificy Artifact as a HashOutput

Useful for allowing verifying over an artifact digest without needing to have the whole artifact available locally just to be digested

Signed-off-by: Samuel Giddins
---
 gen/jsonschema/schemas/Artifact.schema.json | 37 ++++++++++++
 gen/jsonschema/schemas/Input.schema.json | 10 ++++
 .../v1/sigstore_verification.pb.go | 55 +++++++++++++-----
 .../dev/sigstore/verification/v1/__init__.py | 5 ++
 gen/pb-ruby/lib/sigstore_verification_pb.rb | 1 +
 .../generated/dev.sigstore.verification.v1.rs | 5 +-
 .../src/generated/file_descriptor_set.bin | Bin 118708 -> 118873 bytes
 .../__generated__/sigstore_verification.ts | 11 +++-
 protos/sigstore_verification.proto | 2 +
 9 files changed, 107 insertions(+), 19 deletions(-)

diff --git a/gen/jsonschema/schemas/Artifact.schema.json b/gen/jsonschema/schemas/Artifact.schema.json
index 1ed0ed69..49263fcd 100644
--- a/gen/jsonschema/schemas/Artifact.schema.json
+++ b/gen/jsonschema/schemas/Artifact.schema.json
@@ -13,6 +13,11 @@ "description": "The raw bytes of the artifact", "format": "binary", "binaryEncoding": "base64" + }, + "artifactDigest": { + "$ref": "#/definitions/dev.sigstore.common.v1.HashOutput", + "additionalProperties": false, + "description": "Digest of the artifact" } }, "additionalProperties": false, 
@@ -27,9 +32,41 @@ "required": [ "artifact" ] + }, + { + "required": [ + "artifact_digest" + ] } ], "title": "Artifact" + }, + "dev.sigstore.common.v1.HashOutput": { + "properties": { + "algorithm": { + "enum": [ + "HASH_ALGORITHM_UNSPECIFIED", + "SHA2_256", + "SHA2_384", + "SHA2_512", + "SHA3_256", + "SHA3_384" + ], + "type": "string", + "title": "This package defines commonly used message types within the Sigstore\n community.", + "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." + }, + "digest": { + "type": "string", + "description": "This is the raw octets of the message digest as computed by the hash algorithm.", + "format": "binary", + "binaryEncoding": "base64" + } + }, + "additionalProperties": false, + "type": "object", + "title": "Hash Output", + "description": "HashOutput captures a digest of a 'message' (generic octet sequence) and the corresponding hash algorithm used." } } } \ No newline at end of file diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 1e9e8421..dcfdd4a7 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json @@ -653,6 +653,11 @@ "description": "The raw bytes of the artifact", "format": "binary", "binaryEncoding": "base64" + }, + "artifactDigest": { + "$ref": "#/definitions/dev.sigstore.common.v1.HashOutput", + "additionalProperties": false, + "description": "Digest of the artifact" } }, "additionalProperties": false, 
@@ -667,6 +672,11 @@ "required": [ "artifact" ] + }, + { + "required": [ + "artifact_digest" + ] } ], "title": "Artifact" diff --git a/gen/pb-go/verification/v1/sigstore_verification.pb.go b/gen/pb-go/verification/v1/sigstore_verification.pb.go index 95099784..59dd7427 100644 --- a/gen/pb-go/verification/v1/sigstore_verification.pb.go +++ b/gen/pb-go/verification/v1/sigstore_verification.pb.go @@ -365,6 +365,7 @@ type Artifact struct { // // *Artifact_ArtifactUri // *Artifact_Artifact + // *Artifact_ArtifactDigest Data isArtifact_Data `protobuf_oneof:"data"` } @@ -421,6 +422,13 @@ func (x *Artifact) GetArtifact() []byte { return nil } +func (x *Artifact) GetArtifactDigest() *v1.HashOutput { + if x, ok := x.GetData().(*Artifact_ArtifactDigest); ok { + return x.ArtifactDigest + } + return nil +} + type isArtifact_Data interface { isArtifact_Data() } @@ -435,10 +443,17 @@ type Artifact_Artifact struct { Artifact []byte `protobuf:"bytes,2,opt,name=artifact,proto3,oneof"` } +type Artifact_ArtifactDigest struct { + // Digest of the artifact + ArtifactDigest *v1.HashOutput `protobuf:"bytes,3,opt,name=artifact_digest,json=artifactDigest,proto3,oneof"` +} + func (*Artifact_ArtifactUri) isArtifact_Data() {} func (*Artifact_Artifact) isArtifact_Data() {} +func (*Artifact_ArtifactDigest) isArtifact_Data() {} + // Input captures all that is needed to call the bundle verification method, // to verify a single artifact referenced by the bundle. type Input struct { 
@@ -946,11 +961,16 @@ var file_sigstore_verification_proto_rawDesc = []byte{ 0x6f, 0x6e, 0x73, 0x42, 0x18, 0x0a, 0x16, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x74, 0x73, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x13, 0x0a, 0x11, 0x5f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x12, 0x23, - 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, - 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, + 0x6e, 0x73, 0x22, 0xa4, 0x01, 0x0a, 0x08, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x12, + 0x23, 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, + 0x74, 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, + 0x63, 0x74, 0x12, 0x4d, 0x0a, 0x0f, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x64, + 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x64, 0x65, + 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x61, 0x73, 0x68, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x48, + 0x00, 0x52, 0x0e, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x44, 0x69, 0x67, 0x65, 0x73, 0x74, 0x42, 0x06, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0xec, 0x02, 0x0a, 0x05, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x56, 0x0a, 0x13, 0x61, 0x72, 0x74, 0x69, 
0x66, 0x61, 0x63, 0x74, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x72, 0x6f, 0x6f, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, @@ -1015,8 +1035,9 @@ var file_sigstore_verification_proto_goTypes = []interface{}{ (*v1.SubjectAlternativeName)(nil), // 11: dev.sigstore.common.v1.SubjectAlternativeName (*v1.ObjectIdentifierValuePair)(nil), // 12: dev.sigstore.common.v1.ObjectIdentifierValuePair (*v1.PublicKey)(nil), // 13: dev.sigstore.common.v1.PublicKey - (*v11.TrustedRoot)(nil), // 14: dev.sigstore.trustroot.v1.TrustedRoot - (*v12.Bundle)(nil), // 15: dev.sigstore.bundle.v1.Bundle + (*v1.HashOutput)(nil), // 14: dev.sigstore.common.v1.HashOutput + (*v11.TrustedRoot)(nil), // 15: dev.sigstore.trustroot.v1.TrustedRoot + (*v12.Bundle)(nil), // 16: dev.sigstore.bundle.v1.Bundle } var file_sigstore_verification_proto_depIdxs = []int32{ 11, // 0: dev.sigstore.verification.v1.CertificateIdentity.san:type_name -> dev.sigstore.common.v1.SubjectAlternativeName 
@@ -1030,15 +1051,16 @@ var file_sigstore_verification_proto_depIdxs = []int32{ 8, // 8: dev.sigstore.verification.v1.ArtifactVerificationOptions.tsa_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions 9, // 9: dev.sigstore.verification.v1.ArtifactVerificationOptions.integrated_ts_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions 10, // 10: dev.sigstore.verification.v1.ArtifactVerificationOptions.observer_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions - 14, // 11: dev.sigstore.verification.v1.Input.artifact_trust_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot - 3, // 12: dev.sigstore.verification.v1.Input.artifact_verification_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions - 15, // 13: dev.sigstore.verification.v1.Input.bundle:type_name -> dev.sigstore.bundle.v1.Bundle - 4, // 14: dev.sigstore.verification.v1.Input.artifact:type_name -> dev.sigstore.verification.v1.Artifact - 15, // [15:15] is the sub-list for method output_type - 15, // [15:15] is the sub-list for method input_type - 15, // [15:15] is the sub-list for extension type_name - 15, // [15:15] is the sub-list for extension extendee - 0, // [0:15] is the sub-list for field type_name + 14, // 11: dev.sigstore.verification.v1.Artifact.artifact_digest:type_name -> dev.sigstore.common.v1.HashOutput + 15, // 12: dev.sigstore.verification.v1.Input.artifact_trust_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot + 3, // 13: dev.sigstore.verification.v1.Input.artifact_verification_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions + 16, // 14: dev.sigstore.verification.v1.Input.bundle:type_name -> dev.sigstore.bundle.v1.Bundle + 4, // 15: dev.sigstore.verification.v1.Input.artifact:type_name -> dev.sigstore.verification.v1.Artifact + 16, // [16:16] is the sub-list for method 
output_type + 16, // [16:16] is the sub-list for method input_type + 16, // [16:16] is the sub-list for extension type_name + 16, // [16:16] is the sub-list for extension extendee + 0, // [0:16] is the sub-list for field type_name } func init() { file_sigstore_verification_proto_init() } @@ -1187,6 +1209,7 @@ func file_sigstore_verification_proto_init() { file_sigstore_verification_proto_msgTypes[4].OneofWrappers = []interface{}{ (*Artifact_ArtifactUri)(nil), (*Artifact_Artifact)(nil), + (*Artifact_ArtifactDigest)(nil), } file_sigstore_verification_proto_msgTypes[5].OneofWrappers = []interface{}{} type x struct{} diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py index 296c7f04..a40f153b 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/v1/__init__.py @@ -182,6 +182,11 @@ class Artifact(betterproto.Message): artifact: bytes = betterproto.bytes_field(2, group="data") """The raw bytes of the artifact""" + artifact_digest: "__common_v1__.HashOutput" = betterproto.message_field( + 3, group="data" + ) + """Digest of the artifact""" + @dataclass(eq=False, repr=False) class Input(betterproto.Message): diff --git a/gen/pb-ruby/lib/sigstore_verification_pb.rb b/gen/pb-ruby/lib/sigstore_verification_pb.rb index 56a88150..24bb06ce 100644 --- a/gen/pb-ruby/lib/sigstore_verification_pb.rb +++ b/gen/pb-ruby/lib/sigstore_verification_pb.rb @@ -56,6 +56,7 @@ oneof :data do optional :artifact_uri, :string, 1 optional :artifact, :bytes, 2 + optional :artifact_digest, :message, 3, "dev.sigstore.common.v1.HashOutput" end end add_message "dev.sigstore.verification.v1.Input" do 
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.verification.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.verification.v1.rs index f67aa991..3e739cfa 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.verification.v1.rs +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.verification.v1.rs @@ -247,7 +247,7 @@ pub mod artifact_verification_options { #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost::Message)] pub struct Artifact { - #[prost(oneof = "artifact::Data", tags = "1, 2")] + #[prost(oneof = "artifact::Data", tags = "1, 2, 3")] pub data: ::core::option::Option, } /// Nested message and enum types in `Artifact`. @@ -265,6 +265,9 @@ pub mod artifact { /// The raw bytes of the artifact #[prost(bytes, tag = "2")] Artifact(::prost::alloc::vec::Vec), + /// Digest of the artifact + #[prost(message, tag = "3")] + ArtifactDigest(super::super::super::common::v1::HashOutput), } } /// Input captures all that is needed to call the bundle verification method, 
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin index 1585c0a08280846cd917afbb1201d18061561a84..76cfb527e1af3981cec82cf5305738c2c644c335 100644 GIT binary patch delta 459 zcmYL^Jxjw-6o&iWCTYCbnnoyX5h>bs^0UQ3oP-)&x(H4prGC;$t(mLND%j~lT1ZfF z>KF+A0H;MHe0XjO$3RN7GT@?>22XBAwi02a;wQXU7aAM8FY%ZzCnAn_mcusl)}Ha5 z#H~p8F@+nk(#K1x$R$Z)OqZ^q8QF9$@J&(cBVA@nFka?yF8d+)SXvJ;>SJYtx51et z>q;9DM<@f_X>F)+{vM@jnMHKT@}36xz=Z{MK9FfjT^1IGU4+zS`Ca3ILysM(#wZI~ zgK##);58qrAhq+a(j{G}!d=RgBy&7MJ)=@GX%orr)r;YD3jV cnJ87*NM=H$1{>L#5Pb)Q;+}HaJTXtofA@J+tN;K2 delta 338 zcmYL?Jxc>Y6h-&W&g_muqRDoOh-i|^uV7^vFg9YDN^Gp`qGGQIHl~PHlPqi$EKRv# zuokNrEJQ@q|Ki(W2g`HsJ@0+phv{8-k>Y#EKAYxuh=&j@eVJmr;Lt18e<;U`f7}q!YvfzA_}_j2Kw<8H>ECQQN8<$bHTib_ss4DA2{zp zuBxIESqh4=)^O-&xZP9*>rmN;+{sG>7MC5`w&GNf+W%Ks#AC>MzGb8mRxMTpW8}uD xt+<-p80#Bq-@YYE^z$1Iwi3uvzVYcqg7U0Gx{zRQ$zkT8T00DmPupkh%|GXHJQV-{ diff --git a/gen/pb-typescript/src/__generated__/sigstore_verification.ts b/gen/pb-typescript/src/__generated__/sigstore_verification.ts index b7620398..88a2cb49 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_verification.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_verification.ts @@ -1,6 +1,6 @@ /* eslint-disable */ import { Bundle } from "./sigstore_bundle"; -import { ObjectIdentifierValuePair, PublicKey, SubjectAlternativeName } from "./sigstore_common"; +import { HashOutput, ObjectIdentifierValuePair, PublicKey, SubjectAlternativeName } from "./sigstore_common"; import { TrustedRoot } from "./sigstore_trustroot"; /** The identity of a X.509 Certificate signer. */ 
@@ -127,7 +127,10 @@ export interface ArtifactVerificationOptions_ObserverTimestampOptions { } export interface Artifact { - data?: { $case: "artifactUri"; artifactUri: string } | { $case: "artifact"; artifact: Buffer }; + data?: { $case: "artifactUri"; artifactUri: string } | { $case: "artifact"; artifact: Buffer } | { + $case: "artifactDigest"; + artifactDigest: HashOutput; + }; } /** @@ -413,6 +416,8 @@ export const Artifact = { ? { $case: "artifactUri", artifactUri: String(object.artifactUri) } : isSet(object.artifact) ? { $case: "artifact", artifact: Buffer.from(bytesFromBase64(object.artifact)) } + : isSet(object.artifactDigest) + ? { $case: "artifactDigest", artifactDigest: HashOutput.fromJSON(object.artifactDigest) } : undefined, }; }, @@ -422,6 +427,8 @@ export const Artifact = { message.data?.$case === "artifactUri" && (obj.artifactUri = message.data?.artifactUri); message.data?.$case === "artifact" && (obj.artifact = message.data?.artifact !== undefined ? base64FromBytes(message.data?.artifact) : undefined); + message.data?.$case === "artifactDigest" && + (obj.artifactDigest = message.data?.artifactDigest ? HashOutput.toJSON(message.data?.artifactDigest) : undefined); return obj; }, }; diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto index 7f811dd2..c00cbdd9 100644 --- a/protos/sigstore_verification.proto +++ b/protos/sigstore_verification.proto @@ -136,6 +136,8 @@ message Artifact { string artifact_uri = 1; // The raw bytes of the artifact bytes artifact = 2; + // Digest of the artifact + dev.sigstore.common.v1.HashOutput artifact_digest = 3; } }
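Review bot: The comment on the new `artifact_digest` field in protos/sigstore_verification.proto does not say what a verifier can and cannot guarantee when it is handed a digest instead of the artifact bytes, which matters because a digest-only input cannot be re-hashed locally and is only as trustworthy as the caller that computed it. I would expand the comment to `// Digest of the artifact. When supplied instead of the artifact bytes, verification can only compare this HashOutput against the digest the bundle records for the signed content; the caller is responsible for having computed it over the real artifact. algorithm must be set (not HASH_ALGORITHM_UNSPECIFIED) so the comparison is unambiguous.` The HashOutput schema copied into this patch already documents HASH_ALGORITHM_UNSPECIFIED as a value that SHOULD not be used, so restating that requirement at the one field where it now affects a verification decision is cheap and keeps the four generated bindings (Go, Python, Ruby, Rust, TypeScript) carrying the same guidance once regenerated. The enclosing `oneof data` begins above the hunk.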