update signature bundle format

.github/workflows/build-sign-verify.yml

@@ -83,7 +83,7 @@ jobs:
         npm pack
     - name: Sign package
       run: |
-        ./bin/sigstore.js sign sigstore-0.0.0.tgz > artifact.sig
+        ./bin/sigstore.js sign sigstore-0.0.0.tgz > bundle.sigstore
     - name: Archive package
       uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3
       with:
@@ -92,13 +92,8 @@ jobs:
     - name: Archive signature
       uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3
       with:
-        name: signature
-        path: artifact.sig
-    - name: Archive certificate
-      uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3
-      with:
-        name: certificate
-        path: signingcert.pem
+        name: bundle
+        path: bundle.sigstore
 
   verify-signature:
     name: Verify Signature
@@ -121,14 +116,10 @@ jobs:
     - name: Download signature
       uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3
       with:
-        name: signature
-    - name: Download certificate
-      uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3
-      with:
-        name: certificate
+        name: bundle
     - name: Compile sigstore
       run: |
         npm run build
     - name: Verify artifact signature
       run: |
-        ./bin/sigstore.js verify sigstore-0.0.0.tgz artifact.sig signingcert.pem
+        ./bin/sigstore.js verify sigstore-0.0.0.tgz bundle.sigstore

README.md

@@ -75,20 +75,34 @@ https://rekor.sigstore.dev/api/v1/log/entries/43553c769cd0bd99aee4350d2e78ca3fb0
 
 You should see that a browser window is opened to the Sigstore OAuth page.
 After authenticating with one of the available idenity providers, a signature
-will be generated and written to the file named "signature".
+bundle will be generated and written to the file named "signature".
 
 ```
-$ cat signature
+$ cat signature | jq
 
-MEUCIQC7Rrrjmrwdxuc2qvWiWzaoUdV8+VFv+fvDquvAGmxr3AIgaPEqQ5YvxjfeqgXYXvISzgyVA8y/Zw+G/LDYlt2RHMk=
+{
+  "attestationType": "attestation/blob",
+  "attestation": {
+    "payloadHash": "3ad055f2b0d850290fbe0ce63f8c60adf492901c5950ac01e0893ebb47bea4d8",
+    "payloadAlgorithm": "sha256",
+    "base64Signature": "MEUCIQC7Rrrjmrwdxuc2qvWiWzaoUdV8+VFv+fvDquvAGmxr3AIgaPEqQ5YvxjfeqgXYXvISzgyVA8y/Zw+G/LDYlt2RHMk="
+  },
+  "cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvakNDQWllZ0F3SUJBZ0lVQkswdTBRdWF3dkVJWm82YS9keGVzbEthZU9jd0NnWUlLb1pJemowRUF3TXcKTnpFVk1CTUdBMVVFQ2hNTWMybG5jM1J2Y21VdVpHVjJNUjR3SEFZRFZRUURFeFZ6YVdkemRHOXlaUzFwYm5SbApjbTFsWkdsaGRHVXdIaGNOTWpJd09ERTJNVFEwTVRJd1doY05Nakl3T0RFMk1UUTFNVEl3V2pBQU1Ga3dFd1lICktvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVFRWlrR2hsMXdzSzFLMStSYTBQRU9SQzh5SXE4bTBWM0VXSSsKbDIrY2w3aUFyM0xrc292Nk5qUmtyc3VjUVVpMmRmSi9uUlZlYi9rREw1WTJYbS9VTGFPQ0FVWXdnZ0ZDTUE0RwpBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVVnNUtlCk9JWnRvRktnd3ZKVjZSSHB6M2hWcTFjd0h3WURWUjBqQkJnd0ZvQVUzOVBwejFZa0VaYjVxTmpwS0ZXaXhpNFkKWkQ4d0h3WURWUjBSQVFIL0JCVXdFNEVSWW5KcFlXNUFaR1ZvWVcxbGNpNWpiMjB3TEFZS0t3WUJCQUdEdnpBQgpBUVFlYUhSMGNITTZMeTluYVhSb2RXSXVZMjl0TDJ4dloybHVMMjloZFhSb01JR0xCZ29yQmdFRUFkWjVBZ1FDCkJIMEVld0I1QUhjQUNHQ1M4Q2hTLzJoRjBkRnJKNFNjUldjWXJCWTl3empTYmVhOElnWTJiM0lBQUFHQ3B4b1YKNVFBQUJBTUFTREJHQWlFQWtSZ1kxczlQajNFbjI1d3o0aHpXbEQzeStBYXVBSmRXd2tvWFdUZmlYd2NDSVFEMgo2a1JBU1BPbzBhdDIzNy9zTVVrd1YvSEhEQ0lBNkVnZzl2eG1pUEJqbURBS0JnZ3Foa2pPUFFRREF3TnBBREJtCkFqRUF6eDBYU3hMSkdKT29OWjN6Zk02RkUxbUZZZ3daQUJIRTFBb2xFd3ZYdTdZNUdFMkU2RWxzVjRHVDR2YlkKd2FOVUFqRUFqZzhaZlA3WXR0L1RIOVBXV1hqYkhpR3laamlpMHFpVVpTZGthTVJseGx0aC9QNXpGaHdkRTN2cQpoL1Z0UUNCdwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlDR2pDQ0FhR2dBd0lCQWdJVUFMblZpVmZuVTBickphc21Sa0hybi9VbmZhUXdDZ1lJS29aSXpqMEVBd013CktqRVZNQk1HQTFVRUNoTU1jMmxuYzNSdmNtVXVaR1YyTVJFd0R3WURWUVFERXdoemFXZHpkRzl5WlRBZUZ3MHkKTWpBME1UTXlNREEyTVRWYUZ3MHpNVEV3TURVeE16VTJOVGhhTURjeEZUQVRCZ05WQkFvVERITnBaM04wYjNKbApMbVJsZGpFZU1Cd0dBMVVFQXhNVmMybG5jM1J2Y21VdGFXNTBaWEp0WldScFlYUmxNSFl3RUFZSEtvWkl6ajBDCkFRWUZLNEVFQUNJRFlnQUU4UlZTL3lzSCtOT3Z1RFp5UEladGlsZ1VGOU5sYXJZcEFkOUhQMXZCQkgxVTVDVjcKN0xTUzdzMFppSDRuRTdIdjdwdFM2THZ2Ui9TVGs3OThMVmdNekxsSjRIZUlmRjN0SFNhZXhMY1lwU0FTcjFrUwowTi9SZ0JKei85aldDaVhubzNzd2VUQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0V3WURWUjBsQkF3d0NnWUlLd1lCCkJRVUhBd013RWdZRFZSMFRBUUgvQkFnd0JnRUIvd0lCQURBZEJnTlZIUTRFRmdRVTM5UHB6MVlrRVpiNXFOanAKS0ZXaXhpNFlaRDh3SHdZRFZSMGpCQmd3Rm9BVVdNQWVYNUZGcFdhcGVzeVFvWk1pMENyRnhmb3dDZ1lJS29aSQp6ajBFQXdNRFp3QXdaQUl3UENzUUs0RFlpWllEUElhRGk1SEZLbmZ4WHg2QVNTVm1FUmZzeW5ZQmlYMlg2U0pSCm5aVTg0LzlEWmRuRnZ2eG1BakJPdDZRcEJsYzRKLzBEeHZrVENxcGNsdnppTDZCQ0NQbmpkbElCM1B1M0J4c1AKbXlnVVk3SWkyemJkQ2RsaWlvdz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJQjl6Q0NBWHlnQXdJQkFnSVVBTFpOQVBGZHhIUHdqZURsb0R3eVlDaEFPLzR3Q2dZSUtvWkl6ajBFQXdNdwpLakVWTUJNR0ExVUVDaE1NYzJsbmMzUnZjbVV1WkdWMk1SRXdEd1lEVlFRREV3aHphV2R6ZEc5eVpUQWVGdzB5Ck1URXdNRGN4TXpVMk5UbGFGdzB6TVRFd01EVXhNelUyTlRoYU1Db3hGVEFUQmdOVkJBb1RESE5wWjNOMGIzSmwKTG1SbGRqRVJNQThHQTFVRUF4TUljMmxuYzNSdmNtVXdkakFRQmdjcWhrak9QUUlCQmdVcmdRUUFJZ05pQUFUNwpYZUZUNHJiM1BRR3dTNElhanRMazMvT2xucGdhbmdhQmNsWXBzWUJyNWkrNHluQjA3Y2ViM0xQME9JT1pkeGV4Clg2OWM1aVZ1eUpSUStIejA1eWkrVUYzdUJXQWxIcGlTNXNoMCtIMkdIRTdTWHJrMUVDNW0xVHIxOUw5Z2c5MmoKWXpCaE1BNEdBMVVkRHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSWQp3QjVma1VXbFpxbDZ6SkNoa3lMUUtzWEYrakFmQmdOVkhTTUVHREFXZ0JSWXdCNWZrVVdsWnFsNnpKQ2hreUxRCktzWEYrakFLQmdncWhrak9QUVFEQXdOcEFEQm1BakVBajFuSGVYWnArMTNOV0JOYStFRHNEUDhHMVdXZzF0Q00KV1AvV0hQcXBhVm8wamhzd2VORlpnU3MwZUU3d1lJNHFBakVBMldCOW90OThzSWtvRjN2WllkZDMvVnRXQjViOQpUTk1lYTdJeC9zdEo1VGZjTExlQUJMRTRCTkpPc1E0dm5CSEoKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==",
+  "signedEntryTimestamp": "MEUCIQDLVDIXVubRBoS6tXXWptNEQNUuwPpnflrd93uBCsm3QAIgPZA5pyWhPpv9hftq0dk8b7ipjNCBzM5yIaSVXyokXbU=",
+  "integratedTime": 1655485921,
+  "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d",
+  "logIndex": 2698234
+}
 ```
 
-The Fulcio signing certificate will be written to a file named
-`signingcert.pem`. You can inspect the contents of the signing certificate with
-the following:
+You'll see that the signature bundle contains the SHA256 digest of the
+artifact, the signature, the signing certificate and metadata about the
+entry which was made in Rekor.
 
+You can extract and view the signing certificate with the following:
 ```
-$ openssl x509 -in signingcert.pem -text
+$ cat signature | jq --raw-output '.cert' | base64 -d | openssl x509 -text
+
 Certificate:
     Data:
         Version: 3 (0x2)

src/cli/index.ts

@@ -26,10 +26,10 @@ async function cli(args: string[]) {
       await signDSSE(args[1], args[2]);
       break;
     case 'verify':
-      await verify(args[1], args[2], args[3]);
+      await verify(args[1], args[2]);
       break;
     case 'verify-dsse':
-      await verifyDSSE(args[1], args[2]);
+      await verifyDSSE(args[1]);
       break;
     default:
       throw 'Unknown command';
@@ -43,27 +43,24 @@ const signOptions = {
 
 async function sign(artifactPath: string) {
   const buffer = fs.readFileSync(artifactPath);
-  const signature = await sigstore.sign(buffer, signOptions);
-  const cert = base64Decode(signature.cert);
-  await fs.writeFileSync('signingcert.pem', cert, { flag: 'wx' });
-  console.log(signature.base64Signature);
+  const bundle = await sigstore.sign(buffer, signOptions);
+  console.log(JSON.stringify(bundle));
 }
 
 async function signDSSE(artifactPath: string, payloadType: string) {
   const buffer = fs.readFileSync(artifactPath);
-  const envelope = await dsse.sign(buffer, payloadType, signOptions);
-  console.log(JSON.stringify(envelope));
+  const bundle = await dsse.sign(buffer, payloadType, signOptions);
+  console.log(JSON.stringify(bundle));
 }
 
-async function verify(
-  artifactPath: string,
-  signaturePath: string,
-  certPath: string
-) {
+async function verify(artifactPath: string, bundlePath: string) {
   const payload = fs.readFileSync(artifactPath);
-  const sig = fs.readFileSync(signaturePath);
-  const cert = fs.readFileSync(certPath);
-  const result = await sigstore.verify(payload, sig.toString('utf8'), cert);
+  const bundleFile = fs.readFileSync(bundlePath);
+  const bundle = JSON.parse(bundleFile.toString('utf-8'));
+
+  const sig = bundle.attestation.base64Signature;
+  const cert = base64Decode(bundle.cert);
+  const result = await sigstore.verify(payload, sig, cert);
 
   if (result) {
     console.error('Verified OK');
@@ -72,13 +69,11 @@ async function verify(
   }
 }
 
-async function verifyDSSE(artifactPath: string, certPath: string) {
-  const envelope = fs.readFileSync(artifactPath);
-  const cert = fs.readFileSync(certPath);
-  const result = await dsse.verify(
-    JSON.parse(envelope.toString('utf-8')),
-    cert
-  );
+async function verifyDSSE(bundlePath: string) {
+  const bundleFile = fs.readFileSync(bundlePath);
+  const bundle = JSON.parse(bundleFile.toString('utf-8'));
+  const cert = base64Decode(bundle.cert);
+  const result = await dsse.verify(bundle.attestation, cert);
 
   if (result) {
     console.error('Verified OK');

src/dsse.test.ts

@@ -15,7 +15,7 @@ limitations under the License.
 */
 import nock from 'nock';
 import * as dsse from './dsse';
-import { base64Decode } from './util';
+import { base64Decode, base64Encode } from './util';
 
 describe('sign', () => {
   const fulcioBaseURL = 'http://localhost:8001';
@@ -104,19 +104,24 @@ describe('sign', () => {
           .reply(201, rekorEntry);
       });
 
-      it('returns an envelope', async () => {
-        const envelope = await dsse.sign(payload, payloadType, options);
-
-        expect(envelope).toEqual({
-          payload: payload.toString('base64'),
-          payloadType: payloadType,
-          signatures: [
-            {
-              keyid: '',
-              sig: expect.any(String),
-            },
-          ],
+      it('returns a DSSE bundle', async () => {
+        const bundle = await dsse.sign(payload, payloadType, options);
+
+        expect(bundle.attestationType).toEqual('attestation/dsse');
+        expect(bundle.attestation.payload).toEqual(payload.toString('base64'));
+        expect(bundle.attestation.payloadType).toEqual(payloadType);
+        expect(bundle.attestation.signatures).toHaveLength(1);
+        expect(bundle.attestation.signatures[0]).toEqual({
+          keyid: '',
+          sig: expect.any(String),
         });
+        expect(bundle.cert).toEqual(base64Encode(certificate));
+        expect(bundle.integratedTime).toEqual(rekorEntry[uuid].integratedTime);
+        expect(bundle.signedEntryTimestamp).toEqual(
+          rekorEntry[uuid].verification.signedEntryTimestamp
+        );
+        expect(bundle.logID).toEqual(rekorEntry[uuid].logID);
+        expect(bundle.logIndex).toEqual(rekorEntry[uuid].logIndex);
       });
     });
 

src/dsse.ts

@@ -27,26 +27,46 @@ export interface Envelope {
   signatures: Signature[];
 }
 
+export interface DSSEBundle {
+  attestationType: string;
+  attestation: Envelope;
+  cert: string;
+  signedEntryTimestamp: string;
+  integratedTime: number;
+  logIndex: number;
+  logID: string;
+}
+
 export async function sign(
   payload: Buffer,
   payloadType: string,
   options: sigstore.SignOptions = {}
-): Promise<Envelope> {
+): Promise<DSSEBundle> {
   const paeBuffer = pae(payloadType, payload);
-  const signedPayload = await sigstore.sign(paeBuffer, options);
+  const bundle = await sigstore.sign(paeBuffer, options);
 
   const envelope: Envelope = {
     payloadType: payloadType,
     payload: payload.toString('base64'),
     signatures: [
       {
         keyid: '',
-        sig: signedPayload.base64Signature,
+        sig: bundle.attestation.base64Signature,
       },
     ],
   };
 
-  return envelope;
+  const dsseBundle: DSSEBundle = {
+    attestationType: 'attestation/dsse',
+    attestation: envelope,
+    cert: bundle.cert,
+    signedEntryTimestamp: bundle.signedEntryTimestamp,
+    integratedTime: bundle.integratedTime,
+    logIndex: bundle.logIndex,
+    logID: bundle.logID,
+  };
+
+  return dsseBundle;
 }
 
 export async function verify(

src/sign.test.ts

@@ -16,6 +16,7 @@ limitations under the License.
 import nock from 'nock';
 import { Fulcio, Rekor } from './client';
 import { Signer } from './sign';
+import { base64Encode } from './util';
 
 describe('Signer', () => {
   const fulcioBaseURL = 'http://localhost:8001';
@@ -129,12 +130,20 @@ describe('Signer', () => {
         });
 
         it('returns a signature bundle', async () => {
-          const signedPayload = await subject.sign(payload);
-
-          expect(signedPayload).toBeTruthy();
-          expect(signedPayload.base64Signature).toBeTruthy();
-          expect(signedPayload.cert).toBe(b64Cert);
-          expect(signedPayload.bundle).toBeDefined();
+          const bundle = await subject.sign(payload);
+
+          expect(bundle).toBeTruthy();
+          expect(bundle.attestationType).toBe('attestation/blob');
+          expect(bundle.attestation.payloadHash).toBeTruthy();
+          expect(bundle.attestation.payloadAlgorithm).toBe('sha256');
+          expect(bundle.attestation.base64Signature).toBeTruthy();
+          expect(bundle.cert).toBe(base64Encode(certificate));
+          expect(bundle.integratedTime).toBe(rekorEntry[uuid].integratedTime);
+          expect(bundle.logIndex).toBe(rekorEntry[uuid].logIndex);
+          expect(bundle.logID).toBe(rekorEntry[uuid].logID);
+          expect(bundle.signedEntryTimestamp).toBe(
+            rekorEntry[uuid].verification.signedEntryTimestamp
+          );
         });
       });
 

src/sign.ts

@@ -13,30 +13,22 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import { Entry, Fulcio, Rekor } from './client';
+import { Fulcio, Rekor } from './client';
 import { generateKeyPair, hash, signBlob } from './crypto';
 import { Provider } from './identity';
-import { base64Decode, base64Encode, extractJWTSubject } from './util';
+import { base64Encode, extractJWTSubject } from './util';
 
 export interface SignOptions {
   fulcio: Fulcio;
   rekor: Rekor;
   identityProviders: Provider[];
 }
 
-export interface SignedPayload {
-  base64Signature: string;
+export interface SigstoreBundle {
+  attestationType: string;
+  attestation: Record<string, string>;
   cert: string;
-  bundle?: RekorBundle;
-}
-
-export interface RekorBundle {
   signedEntryTimestamp: string;
-  payload: RekorPayload;
-}
-
-export interface RekorPayload {
-  body: object;
   integratedTime: number;
   logIndex: number;
   logID: string;
@@ -54,7 +46,7 @@ export class Signer {
     this.identityProviders = options.identityProviders;
   }
 
-  public async sign(payload: Buffer): Promise<SignedPayload> {
+  public async sign(payload: Buffer): Promise<SigstoreBundle> {
     // Create emphemeral key pair
     const keypair = generateKeyPair();
 
@@ -98,12 +90,21 @@ export class Signer {
       `https://rekor.sigstore.dev/api/v1/log/entries/${entry.uuid}`
     );
 
-    const signedPayload: SignedPayload = {
-      base64Signature: signature,
+    const bundle: SigstoreBundle = {
+      attestationType: 'attestation/blob',
+      attestation: {
+        payloadHash: digest,
+        payloadAlgorithm: 'sha256',
+        base64Signature: signature,
+      },
       cert: b64Certificate,
-      bundle: entryToBundle(entry),
+      signedEntryTimestamp: entry.verification.signedEntryTimestamp,
+      integratedTime: entry.integratedTime,
+      logID: entry.logID,
+      logIndex: entry.logIndex,
     };
-    return signedPayload;
+
+    return bundle;
   }
 
   private async getIdentityToken(): Promise<string> {
@@ -123,19 +124,3 @@ export class Signer {
     throw new Error(`Identity token providers failed: ${aggErrs}`);
   }
 }
-
-function entryToBundle(entry: Entry): RekorBundle | undefined {
-  if (!entry.verification) {
-    return;
-  }
-
-  return {
-    signedEntryTimestamp: entry.verification.signedEntryTimestamp,
-    payload: {
-      body: JSON.parse(base64Decode(entry.body)),
-      integratedTime: entry.integratedTime,
-      logIndex: entry.logIndex,
-      logID: entry.logID,
-    },
-  };
-}

src/sigstore.ts

@@ -16,7 +16,7 @@ limitations under the License.
 import { KeyLike } from 'crypto';
 import { Fulcio, Rekor } from './client';
 import identity, { Provider } from './identity';
-import { SignedPayload, Signer } from './sign';
+import { Signer, SigstoreBundle } from './sign';
 import { Verifier } from './verify';
 
 export interface SignOptions {
@@ -40,7 +40,7 @@ type IdentityProviderOptions = Pick<
 export async function sign(
   payload: Buffer,
   options: SignOptions = {}
-): Promise<SignedPayload> {
+): Promise<SigstoreBundle> {
   const fulcio = new Fulcio({ baseURL: options.fulcioBaseURL });
   const rekor = new Rekor({ baseURL: options.rekorBaseURL });
   const idps = configureIdentityProviders(options);