From b5b97ecab7bc4f59d27429ba40114b86588ad157 Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Thu, 9 May 2024 17:49:12 +0200
Subject: [PATCH] Clairified that a DSSE envelope in a sigstore bundle MUST have exactly one signature (#318)

* Clairified that a DSSE envelope in a sigstore bundle MUST have exactly one signature.

* Fixed a spelling error caught during review
---
 gen/jsonschema/schemas/Bundle.schema.json | 2 +-
 gen/jsonschema/schemas/Input.schema.json | 2 +-
 gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 9 +++++++++
 .../dev/sigstore/bundle/v1/__init__.py | 8 +++++++-
 .../src/generated/dev.sigstore.bundle.v1.rs | 8 ++++++++
 .../src/generated/file_descriptor_set.bin | Bin 117953 -> 118386 bytes
 protos/sigstore_bundle.proto | 8 ++++++++
 7 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
index 90d82ad2..5d2c83a1 100644
--- a/gen/jsonschema/schemas/Bundle.schema.json
+++ b/gen/jsonschema/schemas/Bundle.schema.json
@@ -20,7 +20,7 @@ "dsseEnvelope": { "$ref": "#/definitions/io.intoto.Envelope", "additionalProperties": false, - "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e" + "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e DSSE envelopes in a bundle MUST have exactly one signture. This is a limitation from the DSSE spec, as it can contain multiple signatures. There are two primary reasons: 1. It simplfies the verification logic and policy 2. The bundle (currently) can only contain a single instance of the required verification materials During verification a client MUST reject an envelope if the number of signatures is not equal to one." } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 68ffe779..3e65bf5d 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json 
@@ -53,7 +53,7 @@ "dsseEnvelope": { "$ref": "#/definitions/io.intoto.Envelope", "additionalProperties": false, - "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e" + "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e DSSE envelopes in a bundle MUST have exactly one signture. This is a limitation from the DSSE spec, as it can contain multiple signatures. There are two primary reasons: 1. It simplfies the verification logic and policy 2. The bundle (currently) can only contain a single instance of the required verification materials During verification a client MUST reject an envelope if the number of signatures is not equal to one." } }, "additionalProperties": false, diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go index 6ba51cfe..b3f44d1f 100644 --- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go +++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go 
@@ -367,6 +367,15 @@ type Bundle_DsseEnvelope struct { // supported and expected type. This is part of the DSSE // protocol which is defined here: // + // DSSE envelopes in a bundle MUST have exactly one signture. + // This is a limitation from the DSSE spec, as it can contain + // multiple signatures. There are two primary reasons: + // 1. It simplfies the verification logic and policy + // 2. The bundle (currently) can only contain a single + // instance of the required verification materials + // + // During verification a client MUST reject an envelope if + // the number of signatures is not equal to one. DsseEnvelope *dsse.Envelope `protobuf:"bytes,4,opt,name=dsse_envelope,json=dsseEnvelope,proto3,oneof"` } diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py index 4acd86c8..8cae55c2 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py @@ -109,5 +109,11 @@ class Bundle(betterproto.Message): A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: + lab/dsse/blob/master/protocol.md> DSSE envelopes in a bundle MUST have + exactly one signture. This is a limitation from the DSSE spec, as it can + contain multiple signatures. There are two primary reasons: 1. It simplfies + the verification logic and policy 2. The bundle (currently) can only + contain a single instance of the required verification materials During + verification a client MUST reject an envelope if the number of signatures + is not equal to one. """ diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs index b542a92d..cb9253ec 100644 
--- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs @@ -190,6 +190,14 @@ pub mod bundle { /// supported and expected type. This is part of the DSSE /// protocol which is defined here: /// <> + /// DSSE envelopes in a bundle MUST have exactly one signture. + /// This is a limitation from the DSSE spec, as it can contain + /// multiple signatures. There are two primary reasons: + /// 1. It simplfies the verification logic and policy + /// 2. The bundle (currently) can only contain a single + /// instance of the required verification materials + /// During verification a client MUST reject an envelope if + /// the number of signatures is not equal to one. #[prost(message, tag = "4")] DsseEnvelope(super::super::super::super::super::io::intoto::Envelope), } 
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin index c8da0f5ad3da5349c68b983738cd37d95abc1d0f..71a7c58b33af146dd4824fc3346ec27214dc9215 100644 GIT binary patch delta 633 zcmY*W!HN?>5KT`eCTUQzIf!_%P!9?k)?L?wAd9#jL_B4^snF?El3shdXM1|0@vzA! zD7zRI_9ql!ZbHufhacd&Rt+ANz#4>1jg8M8_BiZM6frVlXq6~0ys`#H z&L-d|SSe>I%3C1ln+GWjNNc=MhC`BTuhKc$1VIrLvmPm;LlAWR8w;sZiEuM;C^BoZ z`yB4{;E5+jlIoG7c7x9pof;`wxobOC5`-B-YPFIx4qK(_I@1lAJBNnC+zkC}QzXju zrz;AQDKpl{fsQhn7e*r3QR(CGFjo$T%grNpah`G5%N_mx-(P^#iu9}DIXpn=shz(Q z1~uZPn#q#^x}g0pf0(7Q9>_>&@HWi5$N72Q2&+3+?(S*@A4PQ*@U_i#xm@k`-8F25 z>ds5v;jKV!owaJ=<=zXv%j>k|fw&!-!zBdGah8&+-k(dF2u^m(6hZzfia0`yKWX^wg6+#_L)_T zDlCkh)A!Xe<_S(<;$mT8Vqz9z>0lIylWJtzZd=dD$QZ%J%f$*3X9G(p!MKbduCf7) z3)W_A0^@RkWKCna1h_ardO7BBFn~nNVz}(Nm|2)Og;=_$yEid9%6BsgN + // DSSE envelopes in a bundle MUST have exactly one signture. + // This is a limitation from the DSSE spec, as it can contain + // multiple signatures. There are two primary reasons: + // 1. It simplfies the verification logic and policy + // 2. The bundle (currently) can only contain a single + // instance of the required verification materials + // During verification a client MUST reject an envelope if + // the number of signatures is not equal to one. io.intoto.Envelope dsse_envelope = 4 [(google.api.field_behavior) = REQUIRED]; } // Reserved for future additions of artifact types.
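Review bot: The new comment on `dsse_envelope` still carries two misspellings, `signture` and `simplfies`, and because every generated binding in this patch copies it verbatim they now also appear in both JSON schemas and the Go, Python and Rust sources; the corrected lines would read `// DSSE envelopes in a bundle MUST have exactly one signature.` and `// 1. It simplifies the verification logic and policy`. The sentence `// This is a limitation from the DSSE spec, as it can contain` reads as if DSSE imposes the one-signature rule when the text goes on to say the opposite; `// This is a restriction beyond the DSSE spec, which itself allows multiple signatures.` states it correctly. Nothing in this patch enforces the rule — the schema hunks change only the `description` string and proto3 cannot bound the `signatures` list — so the check lives entirely in each verifying client, and it would be worth stating that the single signature is to be verified against the bundle's own verification material, which reason 2 implies but the MUST sentence does not say. The hunk's `diff`/`@@` header is lost inside the preceding binary delta, and the enclosing `oneof` begins outside the visible lines.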