Documentation ¶
Variables ¶
// File_sigstore_bundle_proto is the protobuf file descriptor for the bundle
// schema this package was generated from (presumably sigstore_bundle.proto —
// confirm against the .proto source). It is populated by the generated
// registration code and is not meant to be assigned by callers.
var File_sigstore_bundle_proto protoreflect.FileDescriptor
Types ¶
type Bundle ¶
// Bundle is the top-level Sigstore bundle: the signed content (either a
// detached message signature or a DSSE envelope) together with everything a
// verifier needs to check it without contacting the signing infrastructure
// (key or certificate material, transparency-log entries, signed timestamps).
//
// NOTE(review): every field of a bundle is attacker-controlled input until
// verification has succeeded; nothing here should be trusted because it is
// well-formed.
type Bundle struct {
	// MUST be application/vnd.dev.sigstore.bundle.v0.3+json when
	// encoded as JSON.
	// Clients must be able to accept media types using the previously
	// defined formats:
	// * application/vnd.dev.sigstore.bundle+json;version=0.1
	// * application/vnd.dev.sigstore.bundle+json;version=0.2
	// * application/vnd.dev.sigstore.bundle+json;version=0.3
	//
	// NOTE(review): the media type only selects which parsing and
	// verification rules apply (for example whether a v0.1 inclusion
	// promise is acceptable, see VerificationMaterial.TlogEntries). It is
	// not itself evidence of anything, and a verifier should reject an
	// unknown or malformed value rather than guess.
	MediaType string `protobuf:"bytes,1,opt,name=media_type,json=mediaType,proto3" json:"media_type,omitempty"`
	// When a signer is identified by a X.509 certificate, a verifier MUST
	// verify that the signature was computed at the time the certificate
	// was valid as described in the Sigstore client spec: "Verification
	// using a Bundle".
	// <https://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln>
	// If the verification material contains a public key identifier
	// (key hint) and the `content` is a DSSE envelope, the key hints
	// MUST be exactly the same in the verification material and in the
	// DSSE envelope.
	//
	// NOTE(review): the "time the signature was computed" used for that
	// check must come from a verified source carried in the verification
	// material (a validated transparency-log timestamp or RFC 3161 token),
	// never from the local clock alone, otherwise an expired or revoked
	// signing certificate can be replayed.
	VerificationMaterial *VerificationMaterial `protobuf:"bytes,2,opt,name=verification_material,json=verificationMaterial,proto3" json:"verification_material,omitempty"`
	// Types that are assignable to Content:
	//
	//	*Bundle_MessageSignature
	//	*Bundle_DsseEnvelope
	//
	// NOTE(review): Content is a proto3 oneof and may be nil on the wire; a
	// verifier should treat a bundle with no content as invalid rather
	// than as "nothing to verify".
	Content isBundle_Content `protobuf_oneof:"content"`
	// contains filtered or unexported fields
}
func (*Bundle) Descriptor
deprecated
func (*Bundle) GetContent ¶
func (m *Bundle) GetContent() isBundle_Content
func (*Bundle) GetDsseEnvelope ¶
func (*Bundle) GetMediaType ¶
func (*Bundle) GetMessageSignature ¶
func (x *Bundle) GetMessageSignature() *v1.MessageSignature
func (*Bundle) GetVerificationMaterial ¶
func (x *Bundle) GetVerificationMaterial() *VerificationMaterial
func (*Bundle) ProtoMessage ¶
func (*Bundle) ProtoMessage()
func (*Bundle) ProtoReflect ¶
func (x *Bundle) ProtoReflect() protoreflect.Message
type Bundle_DsseEnvelope ¶
// Bundle_DsseEnvelope is the Bundle.Content variant carrying a DSSE
// envelope (an in-toto style signed statement) instead of a detached
// message signature.
type Bundle_DsseEnvelope struct {
	// A DSSE envelope can contain arbitrary payloads.
	// Verifiers must verify that the payload type is a
	// supported and expected type. This is part of the DSSE
	// protocol which is defined here:
	// <https://github.com/secure-systems-lab/dsse/blob/master/protocol.md>
	// DSSE envelopes in a bundle MUST have exactly one signature.
	// This is a limitation from the DSSE spec, as it can contain
	// multiple signatures. There are two primary reasons:
	// 1. It simplifies the verification logic and policy
	// 2. The bundle (currently) can only contain a single
	// instance of the required verification materials
	//
	// During verification a client MUST reject an envelope if
	// the number of signatures is not equal to one.
	//
	// NOTE(review): treat the payload as opaque, untrusted bytes until
	// both the signature check and the payload-type check above have
	// passed; parsing or acting on the payload first hands an attacker a
	// pre-authentication parser surface. When the bundle's verification
	// material is a public key identifier, the envelope's keyid MUST also
	// match it exactly (see Bundle.VerificationMaterial).
	DsseEnvelope *dsse.Envelope `protobuf:"bytes,4,opt,name=dsse_envelope,json=dsseEnvelope,proto3,oneof"`
}
type Bundle_MessageSignature ¶
// Bundle_MessageSignature is the Bundle.Content variant carrying a detached
// signature (see v1.MessageSignature), as opposed to a DSSE envelope.
// The artifact being signed is presumably supplied out of band by the
// verifier and matched against the signature's digest — confirm against
// the v1.MessageSignature definition and the client spec.
type Bundle_MessageSignature struct {
	MessageSignature *v1.MessageSignature `protobuf:"bytes,3,opt,name=message_signature,json=messageSignature,proto3,oneof"`
}
type TimestampVerificationData ¶
// TimestampVerificationData carries timestamped countersignatures over the
// artifact's signature. Currently only RFC 3161 signed timestamps are
// provided; more formats may be added in the future.
type TimestampVerificationData struct {
	// A list of RFC3161 signed timestamps provided by the user.
	// This can be used when the entry has not been stored on a
	// transparency log, or in conjunction for a stronger trust model.
	// Clients MUST verify the hashed message in the message imprint
	// against the signature in the bundle.
	//
	// NOTE(review): a timestamp only proves "this signature existed at
	// time T" if (a) the message imprint matches the signature bytes
	// actually being verified, as required above, and (b) the timestamp
	// token's own signature chains to a timestamp authority the verifier
	// trusts independently of the bundle — presumably via the client's
	// trusted root, confirm against the client spec. A token from an
	// unknown TSA must not be used to satisfy the certificate-validity
	// window check. The list may be empty; verifiers should decide
	// explicitly whether a bundle with no timestamp and no log entry is
	// acceptable for their policy.
	Rfc3161Timestamps []*v1.RFC3161SignedTimestamp `protobuf:"bytes,1,rep,name=rfc3161_timestamps,json=rfc3161Timestamps,proto3" json:"rfc3161_timestamps,omitempty"`
	// contains filtered or unexported fields
}
Various timestamped countersignatures over the artifact's signature. Currently only RFC 3161 signed timestamps are provided; more formats may be added in the future.
func (*TimestampVerificationData) Descriptor
deprecated
func (*TimestampVerificationData) Descriptor() ([]byte, []int)
Deprecated: Use TimestampVerificationData.ProtoReflect.Descriptor instead.
func (*TimestampVerificationData) GetRfc3161Timestamps ¶
func (x *TimestampVerificationData) GetRfc3161Timestamps() []*v1.RFC3161SignedTimestamp
func (*TimestampVerificationData) ProtoMessage ¶
func (*TimestampVerificationData) ProtoMessage()
func (*TimestampVerificationData) ProtoReflect ¶
func (x *TimestampVerificationData) ProtoReflect() protoreflect.Message
func (*TimestampVerificationData) Reset ¶
func (x *TimestampVerificationData) Reset()
func (*TimestampVerificationData) String ¶
func (x *TimestampVerificationData) String() string
type VerificationMaterial ¶
// VerificationMaterial captures details on the materials used to verify
// signatures: the signer's key or certificate, transparency-log entries,
// and signed timestamps. It may also be embedded in a DSSE envelope as a
// signature extension (see the package documentation for this type).
type VerificationMaterial struct {
	// The key material for verification purposes.
	//
	// This allows key material to be conveyed in one of three forms:
	//
	// 1. An unspecified public key identifier, for retrieving a key
	// from an out-of-band mechanism (such as a keyring);
	//
	// 2. A sequence of one or more X.509 certificates, of which the first member
	// MUST be a leaf certificate conveying the signing key. Subsequent members
	// SHOULD be in issuing order, meaning that `n + 1` should be an issuer for `n`.
	//
	// Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT
	// include intermediate CA certificates that appear in an independent root of trust
	// (such as the Public Good Instance's trusted root).
	//
	// Verifiers MUST validate the chain carefully to ensure that it chains up
	// to a CA certificate that they independently trust. Verifiers SHOULD
	// handle old or non-complying bundles that have superfluous intermediate and/or
	// root CA certificates by either ignoring them or explicitly considering them
	// untrusted for the purposes of chain building.
	//
	// NOTE(review): the practical rule behind the two paragraphs above is
	// that certificates carried in the bundle may be used as untrusted
	// intermediates at most, and never added to the set of trust anchors;
	// a bundle that ships its own root would otherwise verify against
	// itself. The leaf's identity (subject/SAN, issuer extensions) must
	// then be checked against the verifier's policy — chain validity alone
	// says nothing about who signed.
	//
	// 3. A single X.509 certificate, which MUST be a leaf certificate conveying
	// the signing key.
	//
	// When used with the Public Good Instance (PGI) of Sigstore for "keyless" signing
	// via Fulcio, form (1) MUST NOT be used, regardless of bundle version. Form (1)
	// MAY be used with the PGI for self-managed keys.
	//
	// When used in a `0.1` or `0.2` bundle with the PGI and "keyless" signing,
	// form (2) MUST be used.
	//
	// When used in a `0.3` bundle with the PGI and "keyless" signing,
	// form (3) MUST be used.
	//
	// Types that are assignable to Content:
	//
	//	*VerificationMaterial_PublicKey
	//	*VerificationMaterial_X509CertificateChain
	//	*VerificationMaterial_Certificate
	Content isVerificationMaterial_Content `protobuf_oneof:"content"`
	// An inclusion proof and an optional signed timestamp from the log.
	// Client verification libraries MAY provide an option to support v0.1
	// bundles for backwards compatibility, which may contain an inclusion
	// promise and not an inclusion proof. In this case, the client MUST
	// validate the promise.
	// Verifiers SHOULD NOT allow v0.1 bundles if they're used in an
	// ecosystem which never produced them.
	//
	// NOTE(review): an inclusion promise is only as strong as the signature
	// on it. "Validate the promise" means checking its signed entry
	// timestamp against the log's public key obtained from a trust root the
	// verifier already holds (presumably the same trusted root used for the
	// CA chain — confirm against the client spec), not against anything in
	// the bundle. Accepting a promise without that check lets a bundle
	// assert its own log inclusion and its own timestamp.
	TlogEntries []*v11.TransparencyLogEntry `protobuf:"bytes,3,rep,name=tlog_entries,json=tlogEntries,proto3" json:"tlog_entries,omitempty"`
	// Timestamp may also come from
	// tlog_entries.inclusion_promise.signed_entry_timestamp.
	//
	// NOTE(review): whichever source supplies the timestamp, it gates the
	// certificate-validity-window check described on
	// Bundle.VerificationMaterial, so it must be a verified time (a
	// validated signed entry timestamp or a validated RFC 3161 token).
	// This field may be nil.
	TimestampVerificationData *TimestampVerificationData `` /* 138-byte string literal not displayed */
	// contains filtered or unexported fields
}
VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to.
func (*VerificationMaterial) Descriptor
deprecated
func (*VerificationMaterial) Descriptor() ([]byte, []int)
Deprecated: Use VerificationMaterial.ProtoReflect.Descriptor instead.
func (*VerificationMaterial) GetCertificate ¶ added in v0.3.0
func (x *VerificationMaterial) GetCertificate() *v1.X509Certificate
func (*VerificationMaterial) GetContent ¶
func (m *VerificationMaterial) GetContent() isVerificationMaterial_Content
func (*VerificationMaterial) GetPublicKey ¶
func (x *VerificationMaterial) GetPublicKey() *v1.PublicKeyIdentifier
func (*VerificationMaterial) GetTimestampVerificationData ¶
func (x *VerificationMaterial) GetTimestampVerificationData() *TimestampVerificationData
func (*VerificationMaterial) GetTlogEntries ¶
func (x *VerificationMaterial) GetTlogEntries() []*v11.TransparencyLogEntry
func (*VerificationMaterial) GetX509CertificateChain ¶
func (x *VerificationMaterial) GetX509CertificateChain() *v1.X509CertificateChain
func (*VerificationMaterial) ProtoMessage ¶
func (*VerificationMaterial) ProtoMessage()
func (*VerificationMaterial) ProtoReflect ¶
func (x *VerificationMaterial) ProtoReflect() protoreflect.Message
func (*VerificationMaterial) Reset ¶
func (x *VerificationMaterial) Reset()
func (*VerificationMaterial) String ¶
func (x *VerificationMaterial) String() string
type VerificationMaterial_Certificate ¶ added in v0.3.0
// VerificationMaterial_Certificate is the Content variant for form (3) on
// VerificationMaterial: a single X.509 certificate, which MUST be a leaf
// certificate conveying the signing key. This is the required form for
// v0.3 bundles with the Public Good Instance and "keyless" signing.
//
// NOTE(review): only the leaf is carried here, so the verifier must build
// the chain from its own trusted intermediates and roots; it cannot come
// from the bundle.
type VerificationMaterial_Certificate struct {
	Certificate *v1.X509Certificate `protobuf:"bytes,5,opt,name=certificate,proto3,oneof"`
}
type VerificationMaterial_PublicKey ¶
// VerificationMaterial_PublicKey is the Content variant for form (1) on
// VerificationMaterial: a public key identifier (key hint) used to look the
// key up through an out-of-band mechanism such as a keyring. No key bytes
// travel in the bundle.
//
// NOTE(review): the hint is an untrusted lookup key, not an authorization.
// The verifier decides which keys are trusted; the hint only selects among
// them. When the bundle content is a DSSE envelope, this hint MUST equal
// the envelope's keyid exactly (see Bundle.VerificationMaterial). This form
// MUST NOT be used for "keyless" signing with the Public Good Instance.
type VerificationMaterial_PublicKey struct {
	PublicKey *v1.PublicKeyIdentifier `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3,oneof"`
}
type VerificationMaterial_X509CertificateChain ¶
// VerificationMaterial_X509CertificateChain is the Content variant for form
// (2) on VerificationMaterial: one or more X.509 certificates whose first
// member MUST be the leaf conveying the signing key, with any following
// members SHOULD-ordered so that n+1 issued n. Required for v0.1/v0.2
// bundles with the Public Good Instance and "keyless" signing.
//
// NOTE(review): any intermediate or root certificates in this chain are
// untrusted input. Verifiers MUST still chain the leaf up to a CA they
// trust independently, and should ignore (or explicitly distrust) any
// root carried here rather than treating it as an anchor.
type VerificationMaterial_X509CertificateChain struct {
	X509CertificateChain *v1.X509CertificateChain `protobuf:"bytes,2,opt,name=x509_certificate_chain,json=x509CertificateChain,proto3,oneof"`
}