Merge remote-tracking branch 'upstream/main' into ww/lms-registry

Signed-off-by: William Woodruff <[email protected]>

.github/workflows/gradle-wrapper-validation.yml

@@ -7,4 +7,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # v1.1.0
+      - uses: gradle/wrapper-validation-action@27152f6fa06a6b8062ef7195c795692e51fc2c81 # v2.0.0

.github/workflows/java-build-for-release.yml

@@ -50,7 +50,7 @@ jobs:
           sha256sum ./*
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
         with:
           name: project-release-artifacts
           path: ./java/build/release/

.github/workflows/java-build.yml

@@ -48,7 +48,7 @@ jobs:
 
     # make sure jar generation works and tests/checks pass
     - name: Test
-      uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 # v2.11.1
+      uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa # v2.12.0
       with:
         arguments: build
         build-root-directory: java

.github/workflows/ruby-build.yml

@@ -47,7 +47,7 @@ jobs:
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Set up Ruby ${{ matrix.python-version }}
-        uses: ruby/setup-ruby@b203567269b5bbc256dbc1c84f7495913f977353 # v1.167.0
+        uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 # v1.171.0
         with:
           ruby-version: ${{ matrix.python-version }}
 

.github/workflows/ruby-release.yml

@@ -31,7 +31,7 @@ jobs:
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-    - uses: ruby/setup-ruby@b203567269b5bbc256dbc1c84f7495913f977353 # v1.167.0
+    - uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 # v1.171.0
       with:
         ruby-version: '3.2'
 

Dockerfile.jsonschema

@@ -1,5 +1,5 @@
 # 3.18.2
-FROM alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
+FROM alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
 RUN apk add --update protoc protobuf-dev go git
 RUN go install github.com/chrusty/protoc-gen-jsonschema/cmd/[email protected]
 # This is required to get the field_behavior.proto file

docs/algorithm-registry.md

@@ -2,7 +2,7 @@
 
 This file is designed to act as a source of truth regarding what signing
 algorithms are recommended across the Sigstore ecosystem. Any changes to this
-file **must** be reflected in the `KnownSignatureAlgorithm` enumeration in
+file **must** be reflected in the `PublicKeyDetails` enumeration in
 [sigstore_common.proto](../protos/sigstore_common.proto).
 
 Note that Sigstore clients and services aren't required support all algorithms

gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json

@@ -127,13 +127,21 @@
                         "PKCS1_RSA_PSS",
                         "PKIX_RSA_PKCS1V5",
                         "PKIX_RSA_PSS",
-                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_RSA_PKCS1_2048_SHA256",
+                        "PKIX_RSA_PKCS1_3072_SHA256",
+                        "PKIX_RSA_PKCS1_4096_SHA256",
                         "PKIX_ECDSA_P256_HMAC_SHA_256",
-                        "PKIX_ED25519"
+                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_ECDSA_P384_SHA_384",
+                        "PKIX_ECDSA_P521_SHA_512",
+                        "PKIX_ED25519",
+                        "PKIX_ED25519_PH",
+                        "EXPERIMENTAL_LMS_SHA256",
+                        "EXPERIMENTAL_LMOTS_SHA256"
                     ],
                     "type": "string",
                     "title": "Public Key Details",
-                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
+                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
                 },
                 "validFor": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",

gen/jsonschema/schemas/Input.schema.json

@@ -257,13 +257,21 @@
                         "PKCS1_RSA_PSS",
                         "PKIX_RSA_PKCS1V5",
                         "PKIX_RSA_PSS",
-                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_RSA_PKCS1_2048_SHA256",
+                        "PKIX_RSA_PKCS1_3072_SHA256",
+                        "PKIX_RSA_PKCS1_4096_SHA256",
                         "PKIX_ECDSA_P256_HMAC_SHA_256",
-                        "PKIX_ED25519"
+                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_ECDSA_P384_SHA_384",
+                        "PKIX_ECDSA_P521_SHA_512",
+                        "PKIX_ED25519",
+                        "PKIX_ED25519_PH",
+                        "EXPERIMENTAL_LMS_SHA256",
+                        "EXPERIMENTAL_LMOTS_SHA256"
                     ],
                     "type": "string",
                     "title": "Public Key Details",
-                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
+                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
                 },
                 "validFor": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",

gen/jsonschema/schemas/PublicKey.schema.json

@@ -17,13 +17,21 @@
                         "PKCS1_RSA_PSS",
                         "PKIX_RSA_PKCS1V5",
                         "PKIX_RSA_PSS",
-                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_RSA_PKCS1_2048_SHA256",
+                        "PKIX_RSA_PKCS1_3072_SHA256",
+                        "PKIX_RSA_PKCS1_4096_SHA256",
                         "PKIX_ECDSA_P256_HMAC_SHA_256",
-                        "PKIX_ED25519"
+                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_ECDSA_P384_SHA_384",
+                        "PKIX_ECDSA_P521_SHA_512",
+                        "PKIX_ED25519",
+                        "PKIX_ED25519_PH",
+                        "EXPERIMENTAL_LMS_SHA256",
+                        "EXPERIMENTAL_LMOTS_SHA256"
                     ],
                     "type": "string",
                     "title": "Public Key Details",
-                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
+                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
                 },
                 "validFor": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",

gen/jsonschema/schemas/PublicKeyIdentities.schema.json

@@ -31,13 +31,21 @@
                         "PKCS1_RSA_PSS",
                         "PKIX_RSA_PKCS1V5",
                         "PKIX_RSA_PSS",
-                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_RSA_PKCS1_2048_SHA256",
+                        "PKIX_RSA_PKCS1_3072_SHA256",
+                        "PKIX_RSA_PKCS1_4096_SHA256",
                         "PKIX_ECDSA_P256_HMAC_SHA_256",
-                        "PKIX_ED25519"
+                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_ECDSA_P384_SHA_384",
+                        "PKIX_ECDSA_P521_SHA_512",
+                        "PKIX_ED25519",
+                        "PKIX_ED25519_PH",
+                        "EXPERIMENTAL_LMS_SHA256",
+                        "EXPERIMENTAL_LMOTS_SHA256"
                     ],
                     "type": "string",
                     "title": "Public Key Details",
-                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
+                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
                 },
                 "validFor": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",

gen/jsonschema/schemas/TransparencyLogInstance.schema.json

@@ -66,13 +66,21 @@
                         "PKCS1_RSA_PSS",
                         "PKIX_RSA_PKCS1V5",
                         "PKIX_RSA_PSS",
-                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_RSA_PKCS1_2048_SHA256",
+                        "PKIX_RSA_PKCS1_3072_SHA256",
+                        "PKIX_RSA_PKCS1_4096_SHA256",
                         "PKIX_ECDSA_P256_HMAC_SHA_256",
-                        "PKIX_ED25519"
+                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_ECDSA_P384_SHA_384",
+                        "PKIX_ECDSA_P521_SHA_512",
+                        "PKIX_ED25519",
+                        "PKIX_ED25519_PH",
+                        "EXPERIMENTAL_LMS_SHA256",
+                        "EXPERIMENTAL_LMOTS_SHA256"
                     ],
                     "type": "string",
                     "title": "Public Key Details",
-                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
+                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
                 },
                 "validFor": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",

gen/jsonschema/schemas/TrustedRoot.schema.json

@@ -88,13 +88,21 @@
                         "PKCS1_RSA_PSS",
                         "PKIX_RSA_PKCS1V5",
                         "PKIX_RSA_PSS",
-                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_RSA_PKCS1_2048_SHA256",
+                        "PKIX_RSA_PKCS1_3072_SHA256",
+                        "PKIX_RSA_PKCS1_4096_SHA256",
                         "PKIX_ECDSA_P256_HMAC_SHA_256",
-                        "PKIX_ED25519"
+                        "PKIX_ECDSA_P256_SHA_256",
+                        "PKIX_ECDSA_P384_SHA_384",
+                        "PKIX_ECDSA_P521_SHA_512",
+                        "PKIX_ED25519",
+                        "PKIX_ED25519_PH",
+                        "EXPERIMENTAL_LMS_SHA256",
+                        "EXPERIMENTAL_LMOTS_SHA256"
                     ],
                     "type": "string",
                     "title": "Public Key Details",
-                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
+                    "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
                 },
                 "validFor": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",