Documentation ¶
Index ¶
- Variables
- type Checkpoint
- type InclusionPromise
- func (*InclusionPromise) Descriptor() ([]byte, []int)deprecated
- func (x *InclusionPromise) GetSignedEntryTimestamp() []byte
- func (*InclusionPromise) ProtoMessage()
- func (x *InclusionPromise) ProtoReflect() protoreflect.Message
- func (x *InclusionPromise) Reset()
- func (x *InclusionPromise) String() string
- type InclusionProof
- func (*InclusionProof) Descriptor() ([]byte, []int)deprecated
- func (x *InclusionProof) GetCheckpoint() *Checkpoint
- func (x *InclusionProof) GetHashes() [][]byte
- func (x *InclusionProof) GetLogIndex() int64
- func (x *InclusionProof) GetRootHash() []byte
- func (x *InclusionProof) GetTreeSize() int64
- func (*InclusionProof) ProtoMessage()
- func (x *InclusionProof) ProtoReflect() protoreflect.Message
- func (x *InclusionProof) Reset()
- func (x *InclusionProof) String() string
- type KindVersion
- func (*KindVersion) Descriptor() ([]byte, []int)deprecated
- func (x *KindVersion) GetKind() string
- func (x *KindVersion) GetVersion() string
- func (*KindVersion) ProtoMessage()
- func (x *KindVersion) ProtoReflect() protoreflect.Message
- func (x *KindVersion) Reset()
- func (x *KindVersion) String() string
- type TransparencyLogEntry
- func (*TransparencyLogEntry) Descriptor() ([]byte, []int)deprecated
- func (x *TransparencyLogEntry) GetCanonicalizedBody() []byte
- func (x *TransparencyLogEntry) GetInclusionPromise() *InclusionPromise
- func (x *TransparencyLogEntry) GetInclusionProof() *InclusionProof
- func (x *TransparencyLogEntry) GetIntegratedTime() int64
- func (x *TransparencyLogEntry) GetKindVersion() *KindVersion
- func (x *TransparencyLogEntry) GetLogId() *v1.LogId
- func (x *TransparencyLogEntry) GetLogIndex() int64
- func (*TransparencyLogEntry) ProtoMessage()
- func (x *TransparencyLogEntry) ProtoReflect() protoreflect.Message
- func (x *TransparencyLogEntry) Reset()
- func (x *TransparencyLogEntry) String() string
Constants ¶
This section is empty.
Variables ¶
var File_sigstore_rekor_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type Checkpoint ¶
type Checkpoint struct { Envelope string `protobuf:"bytes,1,opt,name=envelope,proto3" json:"envelope,omitempty"` // contains filtered or unexported fields }
The checkpoint MUST contain a signature of the tree head (root hash), size of the tree and the transparency log's unique identifier (log ID). It MAY also be followed by any optional data. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details.
func (*Checkpoint) Descriptor
deprecated
func (*Checkpoint) Descriptor() ([]byte, []int)
Deprecated: Use Checkpoint.ProtoReflect.Descriptor instead.
func (*Checkpoint) GetEnvelope ¶
func (x *Checkpoint) GetEnvelope() string
func (*Checkpoint) ProtoMessage ¶
func (*Checkpoint) ProtoMessage()
func (*Checkpoint) ProtoReflect ¶
func (x *Checkpoint) ProtoReflect() protoreflect.Message
func (*Checkpoint) Reset ¶
func (x *Checkpoint) Reset()
func (*Checkpoint) String ¶
func (x *Checkpoint) String() string
type InclusionPromise ¶
type InclusionPromise struct { SignedEntryTimestamp []byte `protobuf:"bytes,1,opt,name=signed_entry_timestamp,json=signedEntryTimestamp,proto3" json:"signed_entry_timestamp,omitempty"` // contains filtered or unexported fields }
The inclusion promise is calculated by Rekor. It's calculated as a signature over a canonical JSON serialization of the persisted entry, the log ID, log index and the integration timestamp. See https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.go#L54 The format of the signature depends on the transparency log's public key. If the signature algorithm requires a hash function and/or a signature scheme (e.g. RSA) those has to be retrieved out-of-band from the log's operators, together with the public key. This is used to verify the integration timestamp's value and that the log has promised to include the entry.
func (*InclusionPromise) Descriptor
deprecated
func (*InclusionPromise) Descriptor() ([]byte, []int)
Deprecated: Use InclusionPromise.ProtoReflect.Descriptor instead.
func (*InclusionPromise) GetSignedEntryTimestamp ¶
func (x *InclusionPromise) GetSignedEntryTimestamp() []byte
func (*InclusionPromise) ProtoMessage ¶
func (*InclusionPromise) ProtoMessage()
func (*InclusionPromise) ProtoReflect ¶
func (x *InclusionPromise) ProtoReflect() protoreflect.Message
func (*InclusionPromise) Reset ¶
func (x *InclusionPromise) Reset()
func (*InclusionPromise) String ¶
func (x *InclusionPromise) String() string
type InclusionProof ¶
type InclusionProof struct { // The index of the entry in the tree it was written to. LogIndex int64 `protobuf:"varint,1,opt,name=log_index,json=logIndex,proto3" json:"log_index,omitempty"` // The hash digest stored at the root of the merkle tree at the time // the proof was generated. RootHash []byte `protobuf:"bytes,2,opt,name=root_hash,json=rootHash,proto3" json:"root_hash,omitempty"` // The size of the merkle tree at the time the proof was generated. TreeSize int64 `protobuf:"varint,3,opt,name=tree_size,json=treeSize,proto3" json:"tree_size,omitempty"` // A list of hashes required to compute the inclusion proof, sorted // in order from leaf to root. // Note that leaf and root hashes are not included. // The root hash is available separately in this message, and the // leaf hash should be calculated by the client. Hashes [][]byte `protobuf:"bytes,4,rep,name=hashes,proto3" json:"hashes,omitempty"` // Signature of the tree head, as of the time of this proof was // generated. See above info on 'Checkpoint' for more details. Checkpoint *Checkpoint `protobuf:"bytes,5,opt,name=checkpoint,proto3" json:"checkpoint,omitempty"` // contains filtered or unexported fields }
InclusionProof is the proof returned from the transparency log. Can be used for offline or online verification against the log.
func (*InclusionProof) Descriptor
deprecated
func (*InclusionProof) Descriptor() ([]byte, []int)
Deprecated: Use InclusionProof.ProtoReflect.Descriptor instead.
func (*InclusionProof) GetCheckpoint ¶
func (x *InclusionProof) GetCheckpoint() *Checkpoint
func (*InclusionProof) GetHashes ¶
func (x *InclusionProof) GetHashes() [][]byte
func (*InclusionProof) GetLogIndex ¶
func (x *InclusionProof) GetLogIndex() int64
func (*InclusionProof) GetRootHash ¶
func (x *InclusionProof) GetRootHash() []byte
func (*InclusionProof) GetTreeSize ¶
func (x *InclusionProof) GetTreeSize() int64
func (*InclusionProof) ProtoMessage ¶
func (*InclusionProof) ProtoMessage()
func (*InclusionProof) ProtoReflect ¶
func (x *InclusionProof) ProtoReflect() protoreflect.Message
func (*InclusionProof) Reset ¶
func (x *InclusionProof) Reset()
func (*InclusionProof) String ¶
func (x *InclusionProof) String() string
type KindVersion ¶
type KindVersion struct { // Kind is the type of entry being stored in the log. // See here for a list: https://github.com/sigstore/rekor/tree/main/pkg/types Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"` // The specific api version of the type. Version string `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"` // contains filtered or unexported fields }
KindVersion contains the entry's kind and api version.
func (*KindVersion) Descriptor
deprecated
func (*KindVersion) Descriptor() ([]byte, []int)
Deprecated: Use KindVersion.ProtoReflect.Descriptor instead.
func (*KindVersion) GetKind ¶
func (x *KindVersion) GetKind() string
func (*KindVersion) GetVersion ¶
func (x *KindVersion) GetVersion() string
func (*KindVersion) ProtoMessage ¶
func (*KindVersion) ProtoMessage()
func (*KindVersion) ProtoReflect ¶
func (x *KindVersion) ProtoReflect() protoreflect.Message
func (*KindVersion) Reset ¶
func (x *KindVersion) Reset()
func (*KindVersion) String ¶
func (x *KindVersion) String() string
type TransparencyLogEntry ¶
type TransparencyLogEntry struct { // The global index of the entry, used when querying the log by index. LogIndex int64 `protobuf:"varint,1,opt,name=log_index,json=logIndex,proto3" json:"log_index,omitempty"` // The unique identifier of the log. LogId *v1.LogId `protobuf:"bytes,2,opt,name=log_id,json=logId,proto3" json:"log_id,omitempty"` // The kind (type) and version of the object associated with this // entry. These values are required to construct the entry during // verification. KindVersion *KindVersion `protobuf:"bytes,3,opt,name=kind_version,json=kindVersion,proto3" json:"kind_version,omitempty"` // The UNIX timestamp from the log when the entry was persisted. IntegratedTime int64 `protobuf:"varint,4,opt,name=integrated_time,json=integratedTime,proto3" json:"integrated_time,omitempty"` // The inclusion promise/signed entry timestamp from the log. // Required for v0.1 bundles, and MUST be verified. // Optional for >= v0.2 bundles, and SHOULD be verified when present. // Also may be used as a signed timestamp. InclusionPromise *InclusionPromise `protobuf:"bytes,5,opt,name=inclusion_promise,json=inclusionPromise,proto3" json:"inclusion_promise,omitempty"` // The inclusion proof can be used for offline or online verification // that the entry was appended to the log, and that the log has not been // altered. InclusionProof *InclusionProof `protobuf:"bytes,6,opt,name=inclusion_proof,json=inclusionProof,proto3" json:"inclusion_proof,omitempty"` // Optional. The canonicalized transparency log entry, used to // reconstruct the Signed Entry Timestamp (SET) during verification. // The contents of this field are the same as the `body` field in // a Rekor response, meaning that it does **not** include the "full" // canonicalized form (of log index, ID, etc.) which are // exposed as separate fields. The verifier is responsible for // combining the `canonicalized_body`, `log_index`, `log_id`, // and `integrated_time` into the payload that the SET's signature // is generated over. // This field is intended to be used in cases where the SET cannot be // produced determinisitically (e.g. inconsistent JSON field ordering, // differing whitespace, etc). // // If set, clients MUST verify that the signature referenced in the // `canonicalized_body` matches the signature provided in the // `Bundle.content`. // If not set, clients are responsible for constructing an equivalent // payload from other sources to verify the signature. CanonicalizedBody []byte `protobuf:"bytes,7,opt,name=canonicalized_body,json=canonicalizedBody,proto3" json:"canonicalized_body,omitempty"` // contains filtered or unexported fields }
TransparencyLogEntry captures all the details required from Rekor to reconstruct an entry, given that the payload is provided via other means. This type can easily be created from the existing response from Rekor. Future iterations could rely on Rekor returning the minimal set of attributes (excluding the payload) that are required for verifying the inclusion promise. The inclusion promise (called SignedEntryTimestamp in the response from Rekor) is similar to a Signed Certificate Timestamp as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2.
func (*TransparencyLogEntry) Descriptor
deprecated
func (*TransparencyLogEntry) Descriptor() ([]byte, []int)
Deprecated: Use TransparencyLogEntry.ProtoReflect.Descriptor instead.
func (*TransparencyLogEntry) GetCanonicalizedBody ¶
func (x *TransparencyLogEntry) GetCanonicalizedBody() []byte
func (*TransparencyLogEntry) GetInclusionPromise ¶
func (x *TransparencyLogEntry) GetInclusionPromise() *InclusionPromise
func (*TransparencyLogEntry) GetInclusionProof ¶
func (x *TransparencyLogEntry) GetInclusionProof() *InclusionProof
func (*TransparencyLogEntry) GetIntegratedTime ¶
func (x *TransparencyLogEntry) GetIntegratedTime() int64
func (*TransparencyLogEntry) GetKindVersion ¶
func (x *TransparencyLogEntry) GetKindVersion() *KindVersion
func (*TransparencyLogEntry) GetLogId ¶
func (x *TransparencyLogEntry) GetLogId() *v1.LogId
func (*TransparencyLogEntry) GetLogIndex ¶
func (x *TransparencyLogEntry) GetLogIndex() int64
func (*TransparencyLogEntry) ProtoMessage ¶
func (*TransparencyLogEntry) ProtoMessage()
func (*TransparencyLogEntry) ProtoReflect ¶
func (x *TransparencyLogEntry) ProtoReflect() protoreflect.Message
func (*TransparencyLogEntry) Reset ¶
func (x *TransparencyLogEntry) Reset()
func (*TransparencyLogEntry) String ¶
func (x *TransparencyLogEntry) String() string