diff --git a/.github/workflows/rust-build.yml b/.github/workflows/rust-build.yml index e16cdb78..8756c43a 100644 --- a/.github/workflows/rust-build.yml +++ b/.github/workflows/rust-build.yml @@ -45,8 +45,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }} - run: | - cd gen/pb-rust - cargo build --verbose + make rust test: runs-on: ubuntu-latest @@ -59,5 +58,4 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }} - run: | - cd gen/pb-rust - cargo test + make rust RUST_ACTION=test diff --git a/.github/workflows/rust-release.yml b/.github/workflows/rust-release.yml index 08cb2e26..88eba827 100644 --- a/.github/workflows/rust-release.yml +++ b/.github/workflows/rust-release.yml @@ -24,13 +24,10 @@ jobs: publish: name: Publish to crates.io runs-on: ubuntu-latest - defaults: - run: - working-directory: gen/pb-rust steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - run: cargo publish + - run: make rust RUST_ACTION=publish env: CARGO_REGISTRY_TOKEN: "${{ secrets.CARGO_REGISTRY_TOKEN }}" diff --git a/Makefile b/Makefile index ec1be44f..11ff54a0 100644 --- a/Makefile +++ b/Makefile @@ -13,8 +13,10 @@ # See the License for the specific language governing permissions and # limitations under the License. -PROTOC_IMAGE=protobuf-specs-build -JSONSCHEMA_IMAGE=jsonschema-specs-build +PROTOC_IMAGE = protobuf-specs-build +JSONSCHEMA_IMAGE = jsonschema-specs-build + +RUST_ACTION ?= build # generate all language protobuf code all: go python typescript ruby rust jsonschema 
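Review bot: Both hunks keep `- run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }}` while replacing the cargo invocation with `make rust` / `make rust RUST_ACTION=test`, and the Makefile's `rust` target runs cargo inside the `${PROTOC_IMAGE}` container, so the toolchain installed on the runner (and the whole `matrix.toolchain` axis) no longer compiles or tests the crate. If the matrix is meant to stay meaningful, run cargo on the runner (e.g. `- run: cargo test --manifest-path gen/pb-rust/Cargo.toml`); if the container build is the intended source of truth, drop the rustup step and the matrix so the job does not advertise toolchain coverage it does not have. Which toolchain the image ships is not visible in this diff.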
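Review bot: `- run: make rust RUST_ACTION=publish` now executes `cargo publish` from `gen/pb-rust`, which the Cargo.toml hunk in this commit turns into a virtual workspace (`[workspace]` with members `sigstore-protobuf-specs` and `derive`); cargo does not publish from a virtual manifest root without a package being named, so this step will most likely fail on the first release. Pass the package explicitly, e.g. `- run: make rust RUST_ACTION="publish -p sigstore_protobuf_specs"`, or add the `-p` inside the Makefile target. The removed `working-directory: gen/pb-rust` default was this job's only cwd pin, and with the token now forwarded into the container by the Makefile's `-e "CARGO_REGISTRY_TOKEN"` the publish runs with whatever cargo the image ships, which this diff does not pin.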
@@ -58,17 +60,15 @@ jsonschema: docker-image-jsonschema ${JSONSCHEMA_IMAGE} \ -c "cd defs/gen/jsonschema && ./jsonschema.sh -I ../../protos -I /googleapis/ --jsonschema_out=schemas ../../protos/*.proto" -gen/pb-rust/schemas: jsonschema - cp -r gen/jsonschema/schemas gen/pb-rust - -rust: docker-image gen/pb-rust/schemas - @echo "Generating rust protobuf files" +rust: docker-image + @echo "Running `cargo ${RUST_ACTION}`" docker run \ --platform linux/amd64 \ -v ${PWD}:/defs \ -e "RUST_BACKTRACE=1" \ + -e "CARGO_REGISTRY_TOKEN" \ --entrypoint bash ${PROTOC_IMAGE} \ - -c "cd gen/pb-rust && cargo build" + -c "cd gen/pb-rust && cargo ${RUST_ACTION}" # docker already does its own caching so we can attempt a build every time .PHONY: docker-image @@ -95,7 +95,6 @@ clean: gen/pb-typescript/src/__generated__ \ gen/pb-python/sigstore_protobuf_specs/dev \ gen/pb-python/sigstore_protobuf_specs/io \ - gen/pb-rust/schemas \ gen/pb-rust/target docker rmi -f ${PROTOC_IMAGE} diff --git a/gen/pb-rust/Cargo.lock b/gen/pb-rust/Cargo.lock index 1fb9b72d..21cabb7b 100644 --- a/gen/pb-rust/Cargo.lock +++ b/gen/pb-rust/Cargo.lock 
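Review bot: `@echo "Running `cargo ${RUST_ACTION}`"` uses backticks inside double quotes, which the recipe shell treats as command substitution: it runs `cargo build` (or `cargo publish` when `RUST_ACTION=publish`) on the host in the repository root before the `docker run` line and pastes whatever it prints into the message. Because it is a separate recipe line whose exit status is that of `echo`, the host-side failure is hidden, and for publish it is an unintended invocation outside the container. Use single quotes so the shell leaves the backticks alone (`${RUST_ACTION}` is expanded by make, not the shell): `@echo 'Running `cargo ${RUST_ACTION}`'`. The added `-e "CARGO_REGISTRY_TOKEN"` forwards the token for every action, not only publish; docker omits it when unset on the host, so this is harmless in CI, but a comment such as `# only set by the release workflow; needed for RUST_ACTION=publish` would make the intent explicit.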
@@ -3,87 +3,331 @@ version = 3 [[package]] -name = "Inflector" -version = "0.11.4" +name = "aho-corasick" +version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe438c63458706e03479442743baae6c88256498e6431708f6dfc520a26515d3" +checksum = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0" dependencies = [ - "lazy_static", - "regex", + "memchr", ] [[package]] -name = "aho-corasick" -version = "1.0.2" +name = "anyhow" +version = "1.0.79" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "080e9890a082662b09c1ad45f567faeeb47f22b5fb23895fbe1e651e718e25ca" + +[[package]] +name = "autocfg" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" + +[[package]] +name = "base64" +version = "0.21.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" + +[[package]] +name = "bitflags" +version = "2.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43f6cb1bf222025340178f382c426f13757b2960e89779dfcb319c32542a5a41" +checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" + +[[package]] +name = "bytes" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223" + +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + +[[package]] +name = "derive" +version = "0.1.0" dependencies = [ - "memchr", + "quote", + "syn", ] [[package]] -name = "diff" -version = "0.1.13" +name = "either" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8" +checksum = "11157ac094ffbdde99aa67b23417ebdd801842852b500e395a45a9c0aac03e4a" [[package]] -name = "fnv" -version = "1.0.7" +name = "equivalent" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" + +[[package]] +name = "errno" +version = "0.3.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" +dependencies = [ + "libc", + "windows-sys", +] + +[[package]] +name = "fastrand" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" + +[[package]] +name = "fixedbitset" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" + +[[package]] +name = "glob" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" + +[[package]] +name = "hashbrown" +version = "0.14.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" + +[[package]] +name = "heck" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" + +[[package]] +name = "home" +version = "0.5.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5" +dependencies = [ + "windows-sys", +] + +[[package]] +name = "indexmap" +version = "2.2.3" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "233cf39063f058ea2caae4091bf4a3ef70a653afbc026f5c4a4135d114e3c177" +dependencies = [ + "equivalent", + "hashbrown", +] + +[[package]] +name = "itertools" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b1c173a5686ce8bfa551b3563d0c2170bf24ca44da99c7ca4bfdab5418c3fe57" +dependencies = [ + "either", +] [[package]] name = "itoa" -version = "1.0.9" +version = "1.0.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" + +[[package]] +name = "libc" +version = "0.2.153" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" +checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" [[package]] -name = "lazy_static" -version = "1.4.0" +name = "linux-raw-sys" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" +checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" + +[[package]] +name = "log" +version = "0.4.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f" [[package]] name = "memchr" -version = "2.5.0" +version = "2.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149" + +[[package]] +name = "multimap" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a" + +[[package]] +name = "num-traits" +version = "0.2.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a" +dependencies = [ + "autocfg", +] + +[[package]] +name = "once_cell" +version = "1.19.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" + +[[package]] +name = "ordered-float" +version = "2.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c" +dependencies = [ + "num-traits", +] + +[[package]] +name = "petgraph" +version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" +checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" +dependencies = [ + "fixedbitset", + "indexmap", +] [[package]] -name = "pretty_assertions" -version = "1.4.0" +name = "prettyplease" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af7cee1a6c8a5b9208b3cb1061f10c0cb689087b3d8ce85fb9d2dd7a29b6ba66" +checksum = "a41cf62165e97c7f814d2221421dbb9afcbcdb0a88068e5ea206e19951c2cbb5" dependencies = [ - "diff", - "yansi", + "proc-macro2", + "syn", ] [[package]] name = "proc-macro2" -version = "1.0.66" +version = "1.0.78" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18fb31db3f9bddb2ea821cde30a9f70117e3f119938b5ee630b7403aa6e2ead9" +checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" dependencies = [ "unicode-ident", ] +[[package]] +name = "prost" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "146c289cda302b98a28d40c8b3b90498d6e526dd24ac2ecea73e4e491685b94a" +dependencies = [ + "bytes", + "prost-derive", +] + +[[package]] +name = "prost-build" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"c55e02e35260070b6f716a2423c2ff1c3bb1642ddca6f99e1f26d06268a0e2d2" +dependencies = [ + "bytes", + "heck", + "itertools", + "log", + "multimap", + "once_cell", + "petgraph", + "prettyplease", + "prost", + "prost-types", + "regex", + "syn", + "tempfile", + "which 4.4.2", +] + +[[package]] +name = "prost-derive" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "efb6c9a1dd1def8e2124d17e83a20af56f1570d6c2d2bd9e266ccb768df3840e" +dependencies = [ + "anyhow", + "itertools", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "prost-reflect" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "057237efdb71cf4b3f9396302a3d6599a92fa94063ba537b66130980ea9909f3" +dependencies = [ + "base64", + "once_cell", + "prost", + "prost-reflect-derive", + "prost-types", + "serde", + "serde-value", +] + +[[package]] +name = "prost-reflect-build" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4d0aa0c82e0fc36214c77b4dabe00750b3c41be45055baf2631cbbb7769b8ca" +dependencies = [ + "prost-build", + "prost-reflect", +] + +[[package]] +name = "prost-reflect-derive" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "172da1212c02be2c94901440cb27183cd92bff00ebacca5c323bf7520b8f9c04" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "prost-types" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "193898f59edcf43c26227dcd4c8427f00d99d61e95dcde58dabd49fa291d470e" +dependencies = [ + "prost", +] + [[package]] name = "quote" -version = "1.0.32" +version = "1.0.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50f3b39ccfb720540debaa0164757101c08ecb8d326b15358ce76a62c7e85965" +checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" dependencies = [ "proc-macro2", ] 
[[package]] name = "regex" -version = "1.9.1" +version = "1.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2eae68fc220f7cf2532e4494aded17545fce192d59cd996e0fe7887f4ceb575" +checksum = "b62dbe01f0b06f9d8dc7d49e05a0785f153b00b2c227856282f671e0318c9b15" dependencies = [ "aho-corasick", "memchr", @@ -93,9 +337,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.3.4" +version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b7b6d6190b7594385f61bd3911cd1be99dfddcfc365a4160cc2ab5bff4aed294" +checksum = "5bb987efffd3c6d0d8f5f89510bb458559eab11e4f869acb20bf845e016259cd" dependencies = [ "aho-corasick", "memchr", 
@@ -104,117 +348,92 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.7.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5ea92a5b6195c6ef2a0295ea818b312502c6fc94dde986c5553242e18fd4ce2" - -[[package]] -name = "ryu" -version = "1.0.15" +version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741" +checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f" [[package]] -name = "schemafy" -version = "0.6.0" +name = "rustix" +version = "0.38.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9725c16a64e85972fcb3630677be83fef699a1cd8e4bfbdcf3b3c6675f838a19" +checksum = "6ea3e1a662af26cd7a3ba09c0297a31af215563ecf42817c98df621387f4e949" dependencies = [ - "Inflector", - "schemafy_core", - "schemafy_lib", - "serde", - "serde_derive", - "serde_json", - "serde_repr", - "syn 1.0.109", + "bitflags", + "errno", + "libc", + "linux-raw-sys", + "windows-sys", ] [[package]] -name = "schemafy_core" -version = "0.6.0" +name = "ryu" +version = "1.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2bec29dddcfe60f92f3c0d422707b8b56473983ef0481df8d5236ed3ab8fdf24" -dependencies = [ - "serde", - "serde_json", -] +checksum = "f98d2aa92eebf49b69786be48e4477826b256916e84a57ff2a4f21923b48eb4c" [[package]] -name = "schemafy_lib" -version = "0.6.0" +name = "serde" +version = "1.0.196" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af3d87f1df246a9b7e2bfd1f4ee5f88e48b11ef9cfc62e63f0dead255b1a6f5f" +checksum = "870026e60fa08c69f064aa766c10f10b1d62db9ccd4d0abb206472bee0ce3b32" dependencies = [ - "Inflector", - "proc-macro2", - "quote", - "schemafy_core", - "serde", "serde_derive", - "serde_json", - "syn 1.0.109", - "uriparse", ] [[package]] -name = "serde" -version = "1.0.180" +name = "serde-value" +version = "0.7.0" source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ea67f183f058fe88a4e3ec6e2788e003840893b91bac4559cabedd00863b3ed" +checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c" dependencies = [ - "serde_derive", + "ordered-float", + "serde", ] [[package]] name = "serde_derive" -version = "1.0.180" +version = "1.0.196" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24e744d7782b686ab3b73267ef05697159cc0e5abbed3f47f9933165e5219036" +checksum = "33c85360c95e7d137454dc81d9a4ed2b8efd8fbe19cee57357b32b9771fccb67" dependencies = [ "proc-macro2", "quote", - "syn 2.0.28", + "syn", ] [[package]] name = "serde_json" -version = "1.0.104" +version = "1.0.113" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "076066c5f1078eac5b722a31827a8832fe108bed65dfa75e233c89f8206e976c" +checksum = "69801b70b1c3dac963ecb03a364ba0ceda9cf60c71cfe475e99864759c8b8a79" dependencies = [ "itoa", "ryu", "serde", ] -[[package]] -name = "serde_repr" -version = "0.1.16" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8725e1dfadb3a50f7e5ce0b1a540466f6ed3fe7a0fca2ac2b8b831d31316bd00" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.28", -] - [[package]] name = "sigstore_protobuf_specs" version = "0.3.0" dependencies = [ - "pretty_assertions", - "schemafy", - "schemafy_core", + "anyhow", + "derive", + "glob", + "prost", + "prost-build", + "prost-reflect", + "prost-reflect-build", + "prost-types", "serde", "serde_json", + "which 6.0.0", ] [[package]] name = "syn" -version = "1.0.109" +version = "2.0.48" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" +checksum = "0f3531638e407dfc0814761abb7c00a5b54992b849452a0646b7f65c9f770f3f" dependencies = [ "proc-macro2", "quote", 
@@ -222,34 +441,110 @@ dependencies = [ ] [[package]] -name = "syn" -version = "2.0.28" +name = "tempfile" +version = "3.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "04361975b3f5e348b2189d8dc55bc942f278b2d482a6a0365de5bdd62d351567" +checksum = "a365e8cd18e44762ef95d87f284f4b5cd04107fec2ff3052bd6a3e6069669e67" dependencies = [ - "proc-macro2", - "quote", - "unicode-ident", + "cfg-if", + "fastrand", + "rustix", + "windows-sys", ] [[package]] name = "unicode-ident" -version = "1.0.11" +version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c" +checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" [[package]] -name = "uriparse" -version = "0.6.4" +name = "which" +version = "4.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7" +dependencies = [ + "either", + "home", + "once_cell", + "rustix", +] + +[[package]] +name = "which" +version = "6.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7fa5e0c10bf77f44aac573e498d1a82d5fbd5e91f6fc0a99e7be4b38e85e101c" +dependencies = [ + "either", + "home", + "once_cell", + "rustix", + "windows-sys", +] + +[[package]] +name = "windows-sys" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" +dependencies = [ + "windows-targets", +] + +[[package]] +name = "windows-targets" +version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0200d0fc04d809396c2ad43f3c95da3582a2556eba8d453c1087f4120ee352ff" +checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd" dependencies = [ - "fnv", - "lazy_static", + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", 
+ "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", ] [[package]] -name = "yansi" -version = "0.5.1" +name = "windows_aarch64_gnullvm" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef" + +[[package]] +name = "windows_i686_gnu" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313" + +[[package]] +name = "windows_i686_msvc" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09041cd90cf85f7f8b2df60c646f853b7f535ce68f85244eb6731cf89fa498ec" +checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" diff --git a/gen/pb-rust/Cargo.toml b/gen/pb-rust/Cargo.toml index 8a169e00..2400777c 100644 --- a/gen/pb-rust/Cargo.toml +++ b/gen/pb-rust/Cargo.toml 
@@ -1,22 +1,6 @@
-[package]
-name = "sigstore_protobuf_specs"
-version = "0.3.0"
-exclude = ["codegen/"]
-authors = ["Sigstore Authors "]
-edition = "2021"
-homepage = "https://github.com/sigstore/protobuf-specs"
-repository = "https://github.com/sigstore/protobuf-specs"
-description = "A library for serializing and deserializing Sigstore messages"
-readme = "README.md"
-license-file = "LICENSE"
-keywords = ["sigstore"]
-categories = ["encoding", "parser-implementations"]
-
-[dependencies]
-schemafy = "0.6"
-schemafy_core = "0.6"
-serde = "1.0"
-serde_json = "1.0"
-
-[dev-dependencies]
-pretty_assertions = "1.4.0"
\ No newline at end of file
+[workspace]
+resolver = "2"
+members = [
+ "sigstore-protobuf-specs",
+ "derive"
+]
diff --git a/gen/pb-rust/derive/Cargo.toml b/gen/pb-rust/derive/Cargo.toml
new file mode 100644
index 00000000..4b7214a9
--- /dev/null
+++ b/gen/pb-rust/derive/Cargo.toml
@@ -0,0 +1,13 @@
+[package]
+name = "derive"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+syn = "2.0"
+quote = "1.0"
+
+[lib]
+proc-macro = true
diff --git a/gen/pb-rust/derive/src/lib.rs b/gen/pb-rust/derive/src/lib.rs
new file mode 100644
index 00000000..cff0eb64
--- /dev/null
+++ b/gen/pb-rust/derive/src/lib.rs
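Review bot: `derive/Cargo.toml` declares a crate named `derive` with only `name`, `version` and `edition`; it has no `description`, `license`/`license-file` or `repository`, and `derive` is too generic a name to register on crates.io, so if `sigstore_protobuf_specs` depends on it by path (the lockfile entry `derive 0.1.0` carries no registry source, which suggests a path dependency) the library crate cannot be published until the macro crate is published under a distinct name with a version, or the macros are folded into the library. Give it a namespaced name (for example `sigstore-protobuf-specs-derive`) and the metadata the removed `[package]` section carried (`license-file`, `repository`, `description`), or set `publish = false` if it is meant to stay internal. The workspace hunk also drops `exclude = ["codegen/"]`; if that moved into the member manifest it is not visible in this diff.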
@@ -0,0 +1,56 @@
+use proc_macro::TokenStream;
+use quote::quote;
+use syn::{parse_macro_input, DeriveInput};
+
+#[proc_macro_derive(Serialize_proto)]
+pub fn derive_serialize(input: TokenStream) -> TokenStream {
+ let input = parse_macro_input!(input as DeriveInput);
+ let ident = input.ident;
+
+ match input.data {
+ syn::Data::Struct(_) => (),
+ _ => return Default::default(),
+ };
+
+ let expanded = quote! {
+ impl serde::Serialize for #ident {
+ fn serialize(&self, serializer: S) -> Result
+ where
+ S: serde::Serializer,
+ {
+ let message = prost_reflect::ReflectMessage::transcode_to_dynamic(self);
+ serde::Serialize::serialize(&message, serializer)
+ }
+ }
+ };
+
+ TokenStream::from(expanded)
+}
+
+#[proc_macro_derive(Deserialize_proto)]
+pub fn derive_deserialize(input: TokenStream) -> TokenStream {
+ let input = parse_macro_input!(input as DeriveInput);
+ let ident = input.ident;
+
+ match input.data {
+ syn::Data::Struct(_) => (),
+ _ => return Default::default(),
+ };
+
+ let expanded = quote! {
+ impl<'de> serde::Deserialize<'de> for #ident {
+ fn deserialize(deserializer: D) -> Result<#ident, D::Error>
+ where
+ D: serde::Deserializer<'de>,
+ {
+ let concrete_msg: #ident = Default::default();
+ let descriptor = prost_reflect::ReflectMessage::descriptor(&concrete_msg);
+ let dynamic_msg = prost_reflect::DynamicMessage::deserialize(descriptor, deserializer)?;
+
+ Ok(dynamic_msg.transcode_to().expect("failed to convert DynamicMessage to concrete Message!"))
+ }
+ }
+ };
+
+ TokenStream::from(expanded)
+}
diff --git a/gen/pb-rust/schemas/Artifact.schema.json b/gen/pb-rust/schemas/Artifact.schema.json
deleted file mode 100644
index 1ed0ed69..00000000
--- a/gen/pb-rust/schemas/Artifact.schema.json
+++ /dev/null
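Review bot: `Ok(dynamic_msg.transcode_to().expect("failed to convert DynamicMessage to concrete Message!"))` in the generated `deserialize` body panics instead of returning the deserializer's error, and a `Deserialize` impl is precisely the code that runs on untrusted input, so a mismatch there aborts the calling process rather than surfacing as a decode error; prefer `Ok(dynamic_msg.transcode_to().map_err(serde::de::Error::custom)?)`. Second, both derives return an empty `TokenStream` for non-struct inputs (`_ => return Default::default()`), which silently generates no impl and shows up later as a confusing "trait not implemented" error at the use site; emit a compile error instead, e.g. `_ => return syn::Error::new_spanned(&ident, "Serialize_proto can only be derived for structs").to_compile_error().into(),` with the matching message in `derive_deserialize`. Both macros also lack `///` docs; a one-line summary on each stating that the impl round-trips through `prost_reflect::DynamicMessage` using the message's descriptor would help users of the crate. The generic parameters on `serialize`/`deserialize` appear as bare `S`/`D` in the rendered hunk, which looks like the `<S>`/`<D>` were lost in display rather than in the file, but is worth confirming against the committed source.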
@@ -1,35 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/Artifact", - "definitions": { - "Artifact": { - "properties": { - "artifactUri": { - "type": "string", - "description": "Location of the artifact" - }, - "artifact": { - "type": "string", - "description": "The raw bytes of the artifact", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "artifact_uri" - ] - }, - { - "required": [ - "artifact" - ] - } - ], - "title": "Artifact" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json deleted file mode 100644 index 6a16a1ce..00000000 --- a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json +++ /dev/null 
@@ -1,363 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/ArtifactVerificationOptions", - "definitions": { - "ArtifactVerificationOptions": { - "properties": { - "certificateIdentities": { - "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentities", - "additionalProperties": false - }, - "publicKeys": { - "$ref": "#/definitions/dev.sigstore.verification.v1.PublicKeyIdentities", - "additionalProperties": false, - "description": "To simplify verification implementation, the logic for bundle verification should be implemented as a higher-order function, where one of argument should be an interface over the set of trusted public keys, like this: `Verify(bytes artifact, bytes signature, string key_id)`. This way the caller is in full control of mapping the identified (or hinted) key in the bundle to one of the trusted keys, as this process is inherently application specific." - }, - "tlogOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", - "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" - }, - "ctlogOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", - "additionalProperties": false, - "description": "Optional options for certificate transparency log verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" - }, - "tsaOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", - "additionalProperties": false, - "description": "Optional options for certificate signed timestamp verification. 
If none is provided, the default verification options are: Threshold: 0 Disable: true" - }, - "integratedTsOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions", - "additionalProperties": false, - "description": "Optional options for integrated timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" - }, - "observerOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", - "additionalProperties": false, - "description": "Optional options for observed timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "certificate_identities" - ] - }, - { - "required": [ - "public_keys" - ] - }, - { - "required": [ - "tlog_options" - ] - }, - { - "required": [ - "ctlog_options" - ] - }, - { - "required": [ - "tsa_options" - ] - }, - { - "required": [ - "integrated_ts_options" - ] - }, - { - "required": [ - "observer_options" - ] - } - ], - "title": "Artifact Verification Options", - "description": "A light-weight set of options/policies for identifying trusted signers, used during verification of a single artifact." 
- }, - "dev.sigstore.common.v1.ObjectIdentifier": { - "properties": { - "id": { - "items": { - "type": "integer" - }, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier", - "description": "An ASN.1 OBJECT IDENTIFIER" - }, - "dev.sigstore.common.v1.ObjectIdentifierValuePair": { - "properties": { - "oid": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifier", - "additionalProperties": false - }, - "value": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier Value Pair", - "description": "An OID and the corresponding (byte) value." - }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1V15_2048_SHA256", - "PKIX_RSA_PKCS1V15_3072_SHA256", - "PKIX_RSA_PKCS1V15_4096_SHA256", - "PKIX_RSA_PSS_2048_SHA256", - "PKIX_RSA_PSS_3072_SHA256", - "PKIX_RSA_PSS_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH", - "LMS_SHA256", - "LMOTS_SHA256" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. 
Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.SubjectAlternativeName": { - "properties": { - "type": { - "enum": [ - "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED", - "EMAIL", - "URI", - "OTHER_NAME" - ], - "type": "string", - "title": "Subject Alternative Name Type" - }, - "regexp": { - "type": "string", - "description": "A regular expression describing the expected value for the SAN." - }, - "value": { - "type": "string", - "description": "The exact value to match against." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "regexp" - ] - }, - { - "required": [ - "value" - ] - } - ], - "title": "Subject Alternative Name" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." 
- }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of ct transparency logs the certificate must appear on." - }, - "disable": { - "type": "boolean", - "description": "Disable ct transparency log verification" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Ctlog Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of external observers of the timestamp. This is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log, that could include additional timestamp sources in the future." - }, - "disable": { - "type": "boolean", - "description": "Disable observer timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Observer Timestamp Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of signed timestamps that are expected." - }, - "disable": { - "type": "boolean", - "description": "Disable signed timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Timestamp Authority Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of integrated timestamps that are expected." - }, - "disable": { - "type": "boolean", - "description": "Disable integrated timestamp verification." 
- } - }, - "additionalProperties": false, - "type": "object", - "title": "Tlog Integrated Timestamp Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "Number of transparency logs the entry must appear on." - }, - "performOnlineVerification": { - "type": "boolean", - "description": "Perform an online inclusion proof." - }, - "disable": { - "type": "boolean", - "description": "Disable verification for transparency logs." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Tlog Options" - }, - "dev.sigstore.verification.v1.CertificateIdentities": { - "properties": { - "identities": { - "items": { - "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentity" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identities" - }, - "dev.sigstore.verification.v1.CertificateIdentity": { - "properties": { - "issuer": { - "type": "string", - "description": "The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)" - }, - "san": { - "$ref": "#/definitions/dev.sigstore.common.v1.SubjectAlternativeName", - "additionalProperties": false - }, - "oids": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifierValuePair" - }, - "additionalProperties": false, - "type": "array", - "description": "An unordered list of OIDs that must be verified. All OID/values provided in this list MUST exactly match against the values in the certificate for verification to be successful." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identity", - "description": "The identity of a X.509 Certificate signer." 
- }, - "dev.sigstore.verification.v1.PublicKeyIdentities": { - "properties": { - "publicKeys": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identities" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/Bundle.schema.json b/gen/pb-rust/schemas/Bundle.schema.json deleted file mode 100644 index 4391b2c0..00000000 --- a/gen/pb-rust/schemas/Bundle.schema.json +++ /dev/null 
@@ -1,385 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/Bundle", - "definitions": { - "Bundle": { - "properties": { - "mediaType": { - "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." - }, - "verificationMaterial": { - "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", - "additionalProperties": false, - "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e If the verification material contains a public key identifier (key hint) and the `content` is a DSSE envelope, the key hints MUST be exactly the same in the verification material and in the DSSE envelope." - }, - "messageSignature": { - "$ref": "#/definitions/dev.sigstore.common.v1.MessageSignature", - "additionalProperties": false - }, - "dsseEnvelope": { - "$ref": "#/definitions/io.intoto.Envelope", - "additionalProperties": false, - "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. 
This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "message_signature" - ] - }, - { - "required": [ - "dsse_envelope" - ] - } - ], - "title": "Bundle" - }, - "dev.sigstore.bundle.v1.TimestampVerificationData": { - "properties": { - "rfc3161Timestamps": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.RFC3161SignedTimestamp" - }, - "additionalProperties": false, - "type": "array", - "description": "A list of RFC3161 signed timestamps provided by the user. This can be used when the entry has not been stored on a transparency log, or in conjunction for a stronger trust model. Clients MUST verify the hashed message in the message imprint against the signature in the bundle." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." 
- }, - "dev.sigstore.bundle.v1.VerificationMaterial": { - "properties": { - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKeyIdentifier", - "additionalProperties": false - }, - "x509CertificateChain": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", - "additionalProperties": false - }, - "certificate": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", - "additionalProperties": false - }, - "tlogEntries": { - "items": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" - }, - "additionalProperties": false, - "type": "array", - "description": "An inclusion proof and an optional signed timestamp from the log. Client verification libraries MAY provide an option to support v0.1 bundles for backwards compatibility, which may contain an inclusion promise and not an inclusion proof. In this case, the client MUST validate the promise. Verifiers SHOULD NOT allow v0.1 bundles if they're used in an ecosystem which never produced them." - }, - "timestampVerificationData": { - "$ref": "#/definitions/dev.sigstore.bundle.v1.TimestampVerificationData", - "additionalProperties": false, - "description": "Timestamp may also come from tlog_entries.inclusion_promise.signed_entry_timestamp." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "public_key" - ] - }, - { - "required": [ - "x509_certificate_chain" - ] - }, - { - "required": [ - "certificate" - ] - } - ], - "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. 
When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." - }, - "dev.sigstore.common.v1.HashOutput": { - "properties": { - "algorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "digest": { - "type": "string", - "description": "This is the raw octets of the message digest as computed by the hash algorithm.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Hash Output", - "description": "HashOutput captures a digest of a 'message' (generic octet sequence) and the corresponding hash algorithm used." - }, - "dev.sigstore.common.v1.LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." 
- }, - "dev.sigstore.common.v1.MessageSignature": { - "properties": { - "messageDigest": { - "$ref": "#/definitions/dev.sigstore.common.v1.HashOutput", - "additionalProperties": false, - "description": "Message digest can be used to identify the artifact. Clients MUST NOT attempt to use this digest to verify the associated signature; it is intended solely for identification." - }, - "signature": { - "type": "string", - "description": "The raw bytes as returned from the signature algorithm. The signature algorithm (and so the format of the signature bytes) are determined by the contents of the 'verification_material', either a key-pair or a certificate. If using a certificate, the certificate contains the required information on the signature algorithm. When using a key pair, the algorithm MUST be part of the public key, which MUST be communicated out-of-band.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Message Signature", - "description": "MessageSignature stores the computed signature over a message." - }, - "dev.sigstore.common.v1.PublicKeyIdentifier": { - "properties": { - "hint": { - "type": "string", - "description": "Optional unauthenticated hint on which key to use. The format of the hint must be agreed upon out of band by the signer and the verifiers, and so is not subject to this specification. Example use-case is to specify the public key to use, from a trusted key-ring. Implementors are RECOMMENDED to derive the value from the public key as described in RFC 6962. See: \u003chttps://www.rfc-editor.org/rfc/rfc6962#section-3.2\u003e" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identifier", - "description": "PublicKeyIdentifier can be used to identify an (out of band) delivered key, to verify a signature." 
- }, - "dev.sigstore.common.v1.RFC3161SignedTimestamp": { - "properties": { - "signedTimestamp": { - "type": "string", - "description": "Signed timestamp is the DER encoded TimeStampResponse. See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "RFC 3161 Signed Timestamp", - "description": "This message holds a RFC 3161 timestamp." - }, - "dev.sigstore.common.v1.X509Certificate": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded X.509 certificate.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate" - }, - "dev.sigstore.common.v1.X509CertificateChain": { - "properties": { - "certificates": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate" - }, - "additionalProperties": false, - "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." - }, - "dev.sigstore.rekor.v1.Checkpoint": { - "properties": { - "envelope": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Checkpoint", - "description": "The checkpoint contains a signature of the tree head (root hash), size of the tree, the transparency log's unique identifier (log ID), hostname and the current time. 
The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." - }, - "dev.sigstore.rekor.v1.InclusionPromise": { - "properties": { - "signedEntryTimestamp": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Promise", - "description": "The inclusion promise is calculated by Rekor. It's calculated as a signature over a canonical JSON serialization of the persisted entry, the log ID, log index and the integration timestamp. See https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.go#L54 The format of the signature depends on the transparency log's public key. If the signature algorithm requires a hash function and/or a signature scheme (e.g. RSA) those has to be retrieved out-of-band from the log's operators, together with the public key. This is used to verify the integration timestamp's value and that the log has promised to include the entry." - }, - "dev.sigstore.rekor.v1.InclusionProof": { - "properties": { - "logIndex": { - "type": "string", - "description": "The index of the entry in the tree it was written to." - }, - "rootHash": { - "type": "string", - "description": "The hash digest stored at the root of the merkle tree at the time the proof was generated.", - "format": "binary", - "binaryEncoding": "base64" - }, - "treeSize": { - "type": "string", - "description": "The size of the merkle tree at the time the proof was generated." - }, - "hashes": { - "items": { - "type": "string" - }, - "type": "array", - "description": "A list of hashes required to compute the inclusion proof, sorted in order from leaf to root. 
Note that leaf and root hashes are not included. The root hash is available separately in this message, and the leaf hash should be calculated by the client.", - "format": "binary", - "binaryEncoding": "base64" - }, - "checkpoint": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.Checkpoint", - "additionalProperties": false, - "description": "Signature of the tree head, as of the time of this proof was generated. See above info on 'Checkpoint' for more details." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Proof", - "description": "InclusionProof is the proof returned from the transparency log. Can be used for offline or online verification against the log." - }, - "dev.sigstore.rekor.v1.KindVersion": { - "properties": { - "kind": { - "type": "string", - "description": "Kind is the type of entry being stored in the log. See here for a list: https://github.com/sigstore/rekor/tree/main/pkg/types" - }, - "version": { - "type": "string", - "description": "The specific api version of the type." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Kind Version", - "description": "KindVersion contains the entry's kind and api version." - }, - "dev.sigstore.rekor.v1.TransparencyLogEntry": { - "properties": { - "logIndex": { - "type": "string", - "description": "The global index of the entry, used when querying the log by index." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier of the log." - }, - "kindVersion": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.KindVersion", - "additionalProperties": false, - "description": "The kind (type) and version of the object associated with this entry. These values are required to construct the entry during verification." - }, - "integratedTime": { - "type": "string", - "description": "The UNIX timestamp from the log when the entry was persisted." 
- }, - "inclusionPromise": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise", - "additionalProperties": false, - "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp." - }, - "inclusionProof": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof", - "additionalProperties": false, - "description": "The inclusion proof can be used for offline or online verification that the entry was appended to the log, and that the log has not been altered." - }, - "canonicalizedBody": { - "type": "string", - "description": "Optional. The canonicalized transparency log entry, used to reconstruct the Signed Entry Timestamp (SET) during verification. The contents of this field are the same as the `body` field in a Rekor response, meaning that it does **not** include the \"full\" canonicalized form (of log index, ID, etc.) which are exposed as separate fields. The verifier is responsible for combining the `canonicalized_body`, `log_index`, `log_id`, and `integrated_time` into the payload that the SET's signature is generated over. This field is intended to be used in cases where the SET cannot be produced determinisitically (e.g. inconsistent JSON field ordering, differing whitespace, etc). If set, clients MUST verify that the signature referenced in the `canonicalized_body` matches the signature provided in the `Bundle.content`. If not set, clients are responsible for constructing an equivalent payload from other sources to verify the signature.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Entry", - "description": "TransparencyLogEntry captures all the details required from Rekor to reconstruct an entry, given that the payload is provided via other means. 
This type can easily be created from the existing response from Rekor. Future iterations could rely on Rekor returning the minimal set of attributes (excluding the payload) that are required for verifying the inclusion promise. The inclusion promise (called SignedEntryTimestamp in the response from Rekor) is similar to a Signed Certificate Timestamp as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2." - }, - "io.intoto.Envelope": { - "properties": { - "payload": { - "type": "string", - "description": "Message to be signed. (In JSON, this is encoded as base64.) REQUIRED.", - "format": "binary", - "binaryEncoding": "base64" - }, - "payloadType": { - "type": "string", - "description": "String unambiguously identifying how to interpret payload. REQUIRED." - }, - "signatures": { - "items": { - "$ref": "#/definitions/io.intoto.Signature" - }, - "additionalProperties": false, - "type": "array", - "description": "Signature over: PAE(type, payload) Where PAE is defined as: PAE(type, payload) = \"DSSEv1\" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload + = concatenation SP = ASCII space [0x20] \"DSSEv1\" = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31] LEN(s) = ASCII decimal encoding of the byte length of s, with no leading zeros REQUIRED (length \u003e= 1)." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Envelope", - "description": "An authenticated message of arbitrary type." - }, - "io.intoto.Signature": { - "properties": { - "sig": { - "type": "string", - "description": "Signature itself. (In JSON, this is encoded as base64.) REQUIRED.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyid": { - "type": "string", - "description": "*Unauthenticated* hint identifying which public key was used. OPTIONAL." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Signature" - } - } -} \ No newline at end of file 
diff --git a/gen/pb-rust/schemas/CertificateAuthority.schema.json b/gen/pb-rust/schemas/CertificateAuthority.schema.json deleted file mode 100644 index f8bbffad..00000000 --- a/gen/pb-rust/schemas/CertificateAuthority.schema.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/CertificateAuthority", - "definitions": { - "CertificateAuthority": { - "properties": { - "subject": { - "$ref": "#/definitions/dev.sigstore.common.v1.DistinguishedName", - "additionalProperties": false, - "description": "The root certificate MUST be self-signed, and so the subject and issuer are the same." - }, - "uri": { - "type": "string", - "description": "The URI identifies the certificate authority. It is RECOMMENDED that the URI is the base URL for the certificate authority, that can be provided to any SDK/client provided by the certificate authority to interact with the certificate authority." - }, - "certChain": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", - "additionalProperties": false, - "description": "The certificate chain for this CA." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "The time the *entire* chain was valid. This is at max the longest interval when *all* certificates in the chain were valid, but it MAY be shorter. Clients MUST check timestamps against *both* the `valid_for` time range *and* the entire certificate chain. The TimeRange should be considered valid *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Authority", - "description": "CertificateAuthority enlists the information required to identify which CA to use and perform signature verification." 
- }, - "dev.sigstore.common.v1.DistinguishedName": { - "properties": { - "organization": { - "type": "string" - }, - "commonName": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Distinguished Name" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - }, - "dev.sigstore.common.v1.X509Certificate": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded X.509 certificate.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate" - }, - "dev.sigstore.common.v1.X509CertificateChain": { - "properties": { - "certificates": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate" - }, - "additionalProperties": false, - "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." - } - } -} \ No newline at end of file 
diff --git a/gen/pb-rust/schemas/CertificateIdentities.schema.json b/gen/pb-rust/schemas/CertificateIdentities.schema.json deleted file mode 100644 index 31a7a32b..00000000 --- a/gen/pb-rust/schemas/CertificateIdentities.schema.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/CertificateIdentities", - "definitions": { - "CertificateIdentities": { - "properties": { - "identities": { - "items": { - "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentity" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identities" - }, - "dev.sigstore.common.v1.ObjectIdentifier": { - "properties": { - "id": { - "items": { - "type": "integer" - }, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier", - "description": "An ASN.1 OBJECT IDENTIFIER" - }, - "dev.sigstore.common.v1.ObjectIdentifierValuePair": { - "properties": { - "oid": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifier", - "additionalProperties": false - }, - "value": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier Value Pair", - "description": "An OID and the corresponding (byte) value." - }, - "dev.sigstore.common.v1.SubjectAlternativeName": { - "properties": { - "type": { - "enum": [ - "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED", - "EMAIL", - "URI", - "OTHER_NAME" - ], - "type": "string", - "title": "Subject Alternative Name Type" - }, - "regexp": { - "type": "string", - "description": "A regular expression describing the expected value for the SAN." - }, - "value": { - "type": "string", - "description": "The exact value to match against." 
- } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "regexp" - ] - }, - { - "required": [ - "value" - ] - } - ], - "title": "Subject Alternative Name" - }, - "dev.sigstore.verification.v1.CertificateIdentity": { - "properties": { - "issuer": { - "type": "string", - "description": "The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)" - }, - "san": { - "$ref": "#/definitions/dev.sigstore.common.v1.SubjectAlternativeName", - "additionalProperties": false - }, - "oids": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifierValuePair" - }, - "additionalProperties": false, - "type": "array", - "description": "An unordered list of OIDs that must be verified. All OID/values provided in this list MUST exactly match against the values in the certificate for verification to be successful." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identity", - "description": "The identity of a X.509 Certificate signer." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/CertificateIdentity.schema.json b/gen/pb-rust/schemas/CertificateIdentity.schema.json deleted file mode 100644 index 14a515f4..00000000 --- a/gen/pb-rust/schemas/CertificateIdentity.schema.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/CertificateIdentity", - "definitions": { - "CertificateIdentity": { - "properties": { - "issuer": { - "type": "string", - "description": "The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)" - }, - "san": { - "$ref": "#/definitions/dev.sigstore.common.v1.SubjectAlternativeName", - "additionalProperties": false - }, - "oids": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifierValuePair" - }, - "additionalProperties": false, - "type": "array", - "description": "An unordered list of OIDs that must be verified. All OID/values provided in this list MUST exactly match against the values in the certificate for verification to be successful." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identity", - "description": "The identity of a X.509 Certificate signer." - }, - "dev.sigstore.common.v1.ObjectIdentifier": { - "properties": { - "id": { - "items": { - "type": "integer" - }, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier", - "description": "An ASN.1 OBJECT IDENTIFIER" - }, - "dev.sigstore.common.v1.ObjectIdentifierValuePair": { - "properties": { - "oid": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifier", - "additionalProperties": false - }, - "value": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier Value Pair", - "description": "An OID and the corresponding (byte) value." 
- }, - "dev.sigstore.common.v1.SubjectAlternativeName": { - "properties": { - "type": { - "enum": [ - "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED", - "EMAIL", - "URI", - "OTHER_NAME" - ], - "type": "string", - "title": "Subject Alternative Name Type" - }, - "regexp": { - "type": "string", - "description": "A regular expression describing the expected value for the SAN." - }, - "value": { - "type": "string", - "description": "The exact value to match against." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "regexp" - ] - }, - { - "required": [ - "value" - ] - } - ], - "title": "Subject Alternative Name" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/Checkpoint.schema.json b/gen/pb-rust/schemas/Checkpoint.schema.json deleted file mode 100644 index e2180700..00000000 --- a/gen/pb-rust/schemas/Checkpoint.schema.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/Checkpoint", - "definitions": { - "Checkpoint": { - "properties": { - "envelope": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Checkpoint", - "description": "The checkpoint contains a signature of the tree head (root hash), size of the tree, the transparency log's unique identifier (log ID), hostname and the current time. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/CloudEvent.schema.json b/gen/pb-rust/schemas/CloudEvent.schema.json deleted file mode 100644 index 3d49521d..00000000 --- a/gen/pb-rust/schemas/CloudEvent.schema.json +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/CloudEvent", - "definitions": { - "CloudEvent": { - "properties": { - "id": { - "type": "string", - "title": "-- CloudEvent Context Attributes", - "description": "-- CloudEvent Context Attributes Required Attributes" - }, - "source": { - "type": "string", - "description": "URI-reference" - }, - "specVersion": { - "type": "string" - }, - "type": { - "type": "string" - }, - "attributes": { - "additionalProperties": { - "$ref": "#/definitions/dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue", - "additionalProperties": false - }, - "type": "object", - "description": "Optional \u0026 Extension Attributes" - }, - "binaryData": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - }, - "textData": { - "type": "string" - }, - "protoData": { - "properties": { - "typeUrl": { - "type": "string", - "description": "A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL's path must represent the fully qualified name of the type (as in `path/google.protobuf.Duration`). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme `http`, `https`, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, `https` is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) 
Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than `http`, `https` (or the empty scheme) might be used with implementation specific semantics." - }, - "value": { - "type": "string", - "description": "Must be a valid serialized protocol buffer of the above specified type.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "binary_data" - ] - }, - { - "required": [ - "text_data" - ] - }, - { - "required": [ - "proto_data" - ] - } - ], - "title": "Cloud Event" - }, - "dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue": { - "properties": { - "ceBoolean": { - "type": "boolean" - }, - "ceInteger": { - "type": "integer" - }, - "ceString": { - "type": "string" - }, - "ceBytes": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - }, - "ceUri": { - "type": "string" - }, - "ceUriRef": { - "type": "string" - }, - "ceTimestamp": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "ce_boolean" - ] - }, - { - "required": [ - "ce_integer" - ] - }, - { - "required": [ - "ce_string" - ] - }, - { - "required": [ - "ce_bytes" - ] - }, - { - "required": [ - "ce_uri" - ] - }, - { - "required": [ - "ce_uri_ref" - ] - }, - { - "required": [ - "ce_timestamp" - ] - } - ], - "title": "*\n The CloudEvent specification defines\n seven attribute value types...", - "description": "* The CloudEvent specification defines seven attribute value types..." - } - } -} \ No newline at end of file 
diff --git a/gen/pb-rust/schemas/CloudEventBatch.schema.json b/gen/pb-rust/schemas/CloudEventBatch.schema.json deleted file mode 100644 index 106b1700..00000000 --- a/gen/pb-rust/schemas/CloudEventBatch.schema.json +++ /dev/null 
@@ -1,161 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/CloudEventBatch", - "definitions": { - "CloudEventBatch": { - "properties": { - "events": { - "items": { - "$ref": "#/definitions/dev.sigstore.events.v1.CloudEvent" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "*\n CloudEvent Protobuf Batch Format", - "description": "* CloudEvent Protobuf Batch Format" - }, - "dev.sigstore.events.v1.CloudEvent": { - "properties": { - "id": { - "type": "string", - "title": "-- CloudEvent Context Attributes", - "description": "-- CloudEvent Context Attributes Required Attributes" - }, - "source": { - "type": "string", - "description": "URI-reference" - }, - "specVersion": { - "type": "string" - }, - "type": { - "type": "string" - }, - "attributes": { - "additionalProperties": { - "$ref": "#/definitions/dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue", - "additionalProperties": false - }, - "type": "object", - "description": "Optional \u0026 Extension Attributes" - }, - "binaryData": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - }, - "textData": { - "type": "string" - }, - "protoData": { - "properties": { - "typeUrl": { - "type": "string", - "description": "A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL's path must represent the fully qualified name of the type (as in `path/google.protobuf.Duration`). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. 
However, for URLs which use the scheme `http`, `https`, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, `https` is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than `http`, `https` (or the empty scheme) might be used with implementation specific semantics." - }, - "value": { - "type": "string", - "description": "Must be a valid serialized protocol buffer of the above specified type.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "binary_data" - ] - }, - { - "required": [ - "text_data" - ] - }, - { - "required": [ - "proto_data" - ] - } - ], - "title": "Cloud Event" - }, - "dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue": { - "properties": { - "ceBoolean": { - "type": "boolean" - }, - "ceInteger": { - "type": "integer" - }, - "ceString": { - "type": "string" - }, - "ceBytes": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - }, - "ceUri": { - "type": "string" - }, - "ceUriRef": { - "type": "string" - }, - "ceTimestamp": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "ce_boolean" - ] - }, - { - 
"required": [ - "ce_integer" - ] - }, - { - "required": [ - "ce_string" - ] - }, - { - "required": [ - "ce_bytes" - ] - }, - { - "required": [ - "ce_uri" - ] - }, - { - "required": [ - "ce_uri_ref" - ] - }, - { - "required": [ - "ce_timestamp" - ] - } - ], - "title": "*\n The CloudEvent specification defines\n seven attribute value types...", - "description": "* The CloudEvent specification defines seven attribute value types..." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/DistinguishedName.schema.json b/gen/pb-rust/schemas/DistinguishedName.schema.json deleted file mode 100644 index ee6bf51c..00000000 --- a/gen/pb-rust/schemas/DistinguishedName.schema.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/DistinguishedName", - "definitions": { - "DistinguishedName": { - "properties": { - "organization": { - "type": "string" - }, - "commonName": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Distinguished Name" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/Envelope.schema.json b/gen/pb-rust/schemas/Envelope.schema.json deleted file mode 100644 index b6e49891..00000000 --- a/gen/pb-rust/schemas/Envelope.schema.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/Envelope", - "definitions": { - "Envelope": { - "properties": { - "payload": { - "type": "string", - "description": "Message to be signed. (In JSON, this is encoded as base64.) REQUIRED.", - "format": "binary", - "binaryEncoding": "base64" - }, - "payloadType": { - "type": "string", - "description": "String unambiguously identifying how to interpret payload. REQUIRED." - }, - "signatures": { - "items": { - "$ref": "#/definitions/io.intoto.Signature" - }, - "additionalProperties": false, - "type": "array", - "description": "Signature over: PAE(type, payload) Where PAE is defined as: PAE(type, payload) = \"DSSEv1\" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload + = concatenation SP = ASCII space [0x20] \"DSSEv1\" = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31] LEN(s) = ASCII decimal encoding of the byte length of s, with no leading zeros REQUIRED (length \u003e= 1)." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Envelope", - "description": "An authenticated message of arbitrary type." - }, - "io.intoto.Signature": { - "properties": { - "sig": { - "type": "string", - "description": "Signature itself. (In JSON, this is encoded as base64.) REQUIRED.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyid": { - "type": "string", - "description": "*Unauthenticated* hint identifying which public key was used. OPTIONAL." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Signature" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/HashOutput.schema.json b/gen/pb-rust/schemas/HashOutput.schema.json deleted file mode 100644 index ca1f0413..00000000 --- a/gen/pb-rust/schemas/HashOutput.schema.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/HashOutput", - "definitions": { - "HashOutput": { - "properties": { - "algorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "digest": { - "type": "string", - "description": "This is the raw octets of the message digest as computed by the hash algorithm.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Hash Output", - "description": "HashOutput captures a digest of a 'message' (generic octet sequence) and the corresponding hash algorithm used." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/InclusionPromise.schema.json b/gen/pb-rust/schemas/InclusionPromise.schema.json deleted file mode 100644 index 1142d619..00000000 --- a/gen/pb-rust/schemas/InclusionPromise.schema.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/InclusionPromise", - "definitions": { - "InclusionPromise": { - "properties": { - "signedEntryTimestamp": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Promise", - "description": "The inclusion promise is calculated by Rekor. It's calculated as a signature over a canonical JSON serialization of the persisted entry, the log ID, log index and the integration timestamp. See https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.go#L54 The format of the signature depends on the transparency log's public key. If the signature algorithm requires a hash function and/or a signature scheme (e.g. RSA) those has to be retrieved out-of-band from the log's operators, together with the public key. This is used to verify the integration timestamp's value and that the log has promised to include the entry." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/InclusionProof.schema.json b/gen/pb-rust/schemas/InclusionProof.schema.json deleted file mode 100644 index ff26b70b..00000000 --- a/gen/pb-rust/schemas/InclusionProof.schema.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/InclusionProof", - "definitions": { - "InclusionProof": { - "properties": { - "logIndex": { - "type": "string", - "description": "The index of the entry in the tree it was written to." - }, - "rootHash": { - "type": "string", - "description": "The hash digest stored at the root of the merkle tree at the time the proof was generated.", - "format": "binary", - "binaryEncoding": "base64" - }, - "treeSize": { - "type": "string", - "description": "The size of the merkle tree at the time the proof was generated." - }, - "hashes": { - "items": { - "type": "string" - }, - "type": "array", - "description": "A list of hashes required to compute the inclusion proof, sorted in order from leaf to root. Note that leaf and root hashes are not included. The root hash is available separately in this message, and the leaf hash should be calculated by the client.", - "format": "binary", - "binaryEncoding": "base64" - }, - "checkpoint": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.Checkpoint", - "additionalProperties": false, - "description": "Signature of the tree head, as of the time of this proof was generated. See above info on 'Checkpoint' for more details." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Proof", - "description": "InclusionProof is the proof returned from the transparency log. Can be used for offline or online verification against the log." - }, - "dev.sigstore.rekor.v1.Checkpoint": { - "properties": { - "envelope": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Checkpoint", - "description": "The checkpoint contains a signature of the tree head (root hash), size of the tree, the transparency log's unique identifier (log ID), hostname and the current time. 
The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json deleted file mode 100644 index 2fefe663..00000000 --- a/gen/pb-rust/schemas/Input.schema.json +++ /dev/null 
@@ -1,923 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/Input", - "definitions": { - "Input": { - "properties": { - "artifactTrustRoot": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TrustedRoot", - "additionalProperties": false, - "description": "The verification materials provided during a bundle verification. The running process is usually preloaded with a \"global\" dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to verifying an artifact (i.e a bundle), and/or based on current policy, some selection is expected to happen, to filter out the exact certificate authority to use, which transparency logs are relevant etc. The result should b ecaptured in the `artifact_trust_root`." - }, - "artifactVerificationOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions", - "additionalProperties": false - }, - "bundle": { - "$ref": "#/definitions/dev.sigstore.bundle.v1.Bundle", - "additionalProperties": false - }, - "artifact": { - "$ref": "#/definitions/dev.sigstore.verification.v1.Artifact", - "additionalProperties": false, - "description": "If the bundle contains a message signature, the artifact must be provided." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "artifact" - ] - } - ], - "title": "Input", - "description": "Input captures all that is needed to call the bundle verification method, to verify a single artifact referenced by the bundle." - }, - "dev.sigstore.bundle.v1.Bundle": { - "properties": { - "mediaType": { - "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." 
- }, - "verificationMaterial": { - "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", - "additionalProperties": false, - "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e If the verification material contains a public key identifier (key hint) and the `content` is a DSSE envelope, the key hints MUST be exactly the same in the verification material and in the DSSE envelope." - }, - "messageSignature": { - "$ref": "#/definitions/dev.sigstore.common.v1.MessageSignature", - "additionalProperties": false - }, - "dsseEnvelope": { - "$ref": "#/definitions/io.intoto.Envelope", - "additionalProperties": false, - "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "message_signature" - ] - }, - { - "required": [ - "dsse_envelope" - ] - } - ], - "title": "Bundle" - }, - "dev.sigstore.bundle.v1.TimestampVerificationData": { - "properties": { - "rfc3161Timestamps": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.RFC3161SignedTimestamp" - }, - "additionalProperties": false, - "type": "array", - "description": "A list of RFC3161 signed timestamps provided by the user. This can be used when the entry has not been stored on a transparency log, or in conjunction for a stronger trust model. Clients MUST verify the hashed message in the message imprint against the signature in the bundle." 
- } - }, - "additionalProperties": false, - "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." - }, - "dev.sigstore.bundle.v1.VerificationMaterial": { - "properties": { - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKeyIdentifier", - "additionalProperties": false - }, - "x509CertificateChain": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", - "additionalProperties": false - }, - "certificate": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", - "additionalProperties": false - }, - "tlogEntries": { - "items": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" - }, - "additionalProperties": false, - "type": "array", - "description": "An inclusion proof and an optional signed timestamp from the log. Client verification libraries MAY provide an option to support v0.1 bundles for backwards compatibility, which may contain an inclusion promise and not an inclusion proof. In this case, the client MUST validate the promise. Verifiers SHOULD NOT allow v0.1 bundles if they're used in an ecosystem which never produced them." 
- }, - "timestampVerificationData": { - "$ref": "#/definitions/dev.sigstore.bundle.v1.TimestampVerificationData", - "additionalProperties": false, - "description": "Timestamp may also come from tlog_entries.inclusion_promise.signed_entry_timestamp." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "public_key" - ] - }, - { - "required": [ - "x509_certificate_chain" - ] - }, - { - "required": [ - "certificate" - ] - } - ], - "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." - }, - "dev.sigstore.common.v1.DistinguishedName": { - "properties": { - "organization": { - "type": "string" - }, - "commonName": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Distinguished Name" - }, - "dev.sigstore.common.v1.HashOutput": { - "properties": { - "algorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. 
UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "digest": { - "type": "string", - "description": "This is the raw octets of the message digest as computed by the hash algorithm.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Hash Output", - "description": "HashOutput captures a digest of a 'message' (generic octet sequence) and the corresponding hash algorithm used." - }, - "dev.sigstore.common.v1.LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." - }, - "dev.sigstore.common.v1.MessageSignature": { - "properties": { - "messageDigest": { - "$ref": "#/definitions/dev.sigstore.common.v1.HashOutput", - "additionalProperties": false, - "description": "Message digest can be used to identify the artifact. Clients MUST NOT attempt to use this digest to verify the associated signature; it is intended solely for identification." - }, - "signature": { - "type": "string", - "description": "The raw bytes as returned from the signature algorithm. The signature algorithm (and so the format of the signature bytes) are determined by the contents of the 'verification_material', either a key-pair or a certificate. If using a certificate, the certificate contains the required information on the signature algorithm. 
When using a key pair, the algorithm MUST be part of the public key, which MUST be communicated out-of-band.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Message Signature", - "description": "MessageSignature stores the computed signature over a message." - }, - "dev.sigstore.common.v1.ObjectIdentifier": { - "properties": { - "id": { - "items": { - "type": "integer" - }, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier", - "description": "An ASN.1 OBJECT IDENTIFIER" - }, - "dev.sigstore.common.v1.ObjectIdentifierValuePair": { - "properties": { - "oid": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifier", - "additionalProperties": false - }, - "value": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier Value Pair", - "description": "An OID and the corresponding (byte) value." 
- }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1V15_2048_SHA256", - "PKIX_RSA_PKCS1V15_3072_SHA256", - "PKIX_RSA_PKCS1V15_4096_SHA256", - "PKIX_RSA_PSS_2048_SHA256", - "PKIX_RSA_PSS_3072_SHA256", - "PKIX_RSA_PSS_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH", - "LMS_SHA256", - "LMOTS_SHA256" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." 
- } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.PublicKeyIdentifier": { - "properties": { - "hint": { - "type": "string", - "description": "Optional unauthenticated hint on which key to use. The format of the hint must be agreed upon out of band by the signer and the verifiers, and so is not subject to this specification. Example use-case is to specify the public key to use, from a trusted key-ring. Implementors are RECOMMENDED to derive the value from the public key as described in RFC 6962. See: \u003chttps://www.rfc-editor.org/rfc/rfc6962#section-3.2\u003e" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identifier", - "description": "PublicKeyIdentifier can be used to identify an (out of band) delivered key, to verify a signature." - }, - "dev.sigstore.common.v1.RFC3161SignedTimestamp": { - "properties": { - "signedTimestamp": { - "type": "string", - "description": "Signed timestamp is the DER encoded TimeStampResponse. See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "RFC 3161 Signed Timestamp", - "description": "This message holds a RFC 3161 timestamp." - }, - "dev.sigstore.common.v1.SubjectAlternativeName": { - "properties": { - "type": { - "enum": [ - "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED", - "EMAIL", - "URI", - "OTHER_NAME" - ], - "type": "string", - "title": "Subject Alternative Name Type" - }, - "regexp": { - "type": "string", - "description": "A regular expression describing the expected value for the SAN." - }, - "value": { - "type": "string", - "description": "The exact value to match against." 
- } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "regexp" - ] - }, - { - "required": [ - "value" - ] - } - ], - "title": "Subject Alternative Name" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - }, - "dev.sigstore.common.v1.X509Certificate": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded X.509 certificate.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate" - }, - "dev.sigstore.common.v1.X509CertificateChain": { - "properties": { - "certificates": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate" - }, - "additionalProperties": false, - "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." 
- }, - "dev.sigstore.rekor.v1.Checkpoint": { - "properties": { - "envelope": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Checkpoint", - "description": "The checkpoint contains a signature of the tree head (root hash), size of the tree, the transparency log's unique identifier (log ID), hostname and the current time. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." - }, - "dev.sigstore.rekor.v1.InclusionPromise": { - "properties": { - "signedEntryTimestamp": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Promise", - "description": "The inclusion promise is calculated by Rekor. It's calculated as a signature over a canonical JSON serialization of the persisted entry, the log ID, log index and the integration timestamp. See https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.go#L54 The format of the signature depends on the transparency log's public key. If the signature algorithm requires a hash function and/or a signature scheme (e.g. RSA) those has to be retrieved out-of-band from the log's operators, together with the public key. This is used to verify the integration timestamp's value and that the log has promised to include the entry." - }, - "dev.sigstore.rekor.v1.InclusionProof": { - "properties": { - "logIndex": { - "type": "string", - "description": "The index of the entry in the tree it was written to." 
- }, - "rootHash": { - "type": "string", - "description": "The hash digest stored at the root of the merkle tree at the time the proof was generated.", - "format": "binary", - "binaryEncoding": "base64" - }, - "treeSize": { - "type": "string", - "description": "The size of the merkle tree at the time the proof was generated." - }, - "hashes": { - "items": { - "type": "string" - }, - "type": "array", - "description": "A list of hashes required to compute the inclusion proof, sorted in order from leaf to root. Note that leaf and root hashes are not included. The root hash is available separately in this message, and the leaf hash should be calculated by the client.", - "format": "binary", - "binaryEncoding": "base64" - }, - "checkpoint": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.Checkpoint", - "additionalProperties": false, - "description": "Signature of the tree head, as of the time of this proof was generated. See above info on 'Checkpoint' for more details." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Proof", - "description": "InclusionProof is the proof returned from the transparency log. Can be used for offline or online verification against the log." - }, - "dev.sigstore.rekor.v1.KindVersion": { - "properties": { - "kind": { - "type": "string", - "description": "Kind is the type of entry being stored in the log. See here for a list: https://github.com/sigstore/rekor/tree/main/pkg/types" - }, - "version": { - "type": "string", - "description": "The specific api version of the type." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Kind Version", - "description": "KindVersion contains the entry's kind and api version." - }, - "dev.sigstore.rekor.v1.TransparencyLogEntry": { - "properties": { - "logIndex": { - "type": "string", - "description": "The global index of the entry, used when querying the log by index." 
- }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier of the log." - }, - "kindVersion": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.KindVersion", - "additionalProperties": false, - "description": "The kind (type) and version of the object associated with this entry. These values are required to construct the entry during verification." - }, - "integratedTime": { - "type": "string", - "description": "The UNIX timestamp from the log when the entry was persisted." - }, - "inclusionPromise": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise", - "additionalProperties": false, - "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp." - }, - "inclusionProof": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof", - "additionalProperties": false, - "description": "The inclusion proof can be used for offline or online verification that the entry was appended to the log, and that the log has not been altered." - }, - "canonicalizedBody": { - "type": "string", - "description": "Optional. The canonicalized transparency log entry, used to reconstruct the Signed Entry Timestamp (SET) during verification. The contents of this field are the same as the `body` field in a Rekor response, meaning that it does **not** include the \"full\" canonicalized form (of log index, ID, etc.) which are exposed as separate fields. The verifier is responsible for combining the `canonicalized_body`, `log_index`, `log_id`, and `integrated_time` into the payload that the SET's signature is generated over. This field is intended to be used in cases where the SET cannot be produced determinisitically (e.g. inconsistent JSON field ordering, differing whitespace, etc). 
If set, clients MUST verify that the signature referenced in the `canonicalized_body` matches the signature provided in the `Bundle.content`. If not set, clients are responsible for constructing an equivalent payload from other sources to verify the signature.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Entry", - "description": "TransparencyLogEntry captures all the details required from Rekor to reconstruct an entry, given that the payload is provided via other means. This type can easily be created from the existing response from Rekor. Future iterations could rely on Rekor returning the minimal set of attributes (excluding the payload) that are required for verifying the inclusion promise. The inclusion promise (called SignedEntryTimestamp in the response from Rekor) is similar to a Signed Certificate Timestamp as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2." - }, - "dev.sigstore.trustroot.v1.CertificateAuthority": { - "properties": { - "subject": { - "$ref": "#/definitions/dev.sigstore.common.v1.DistinguishedName", - "additionalProperties": false, - "description": "The root certificate MUST be self-signed, and so the subject and issuer are the same." - }, - "uri": { - "type": "string", - "description": "The URI identifies the certificate authority. It is RECOMMENDED that the URI is the base URL for the certificate authority, that can be provided to any SDK/client provided by the certificate authority to interact with the certificate authority." - }, - "certChain": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", - "additionalProperties": false, - "description": "The certificate chain for this CA." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "The time the *entire* chain was valid. 
This is at max the longest interval when *all* certificates in the chain were valid, but it MAY be shorter. Clients MUST check timestamps against *both* the `valid_for` time range *and* the entire certificate chain. The TimeRange should be considered valid *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Authority", - "description": "CertificateAuthority enlists the information required to identify which CA to use and perform signature verification." - }, - "dev.sigstore.trustroot.v1.TransparencyLogInstance": { - "properties": { - "baseUrl": { - "type": "string", - "description": "The base URL at which can be used to URLs for the client." - }, - "hashAlgorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey", - "additionalProperties": false, - "description": "The public key used to verify signatures generated by the log. This attribute contains the signature algorithm used by the log." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier for this transparency log." 
- } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Instance", - "description": "TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion proof/promise." - }, - "dev.sigstore.trustroot.v1.TrustedRoot": { - "properties": { - "mediaType": { - "type": "string", - "description": "MUST be application/vnd.dev.sigstore.trustedroot+json;version=0.1" - }, - "tlogs": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TransparencyLogInstance" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted Rekor servers." - }, - "certificateAuthorities": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.CertificateAuthority" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted certificate authorities (e.g Fulcio), and any intermediate certificates they provide. If a CA is issuing multiple intermediate certificate, each combination shall be represented as separate chain. I.e, a single root cert may appear in multiple chains but with different intermediate and/or leaf certificates. The certificates are intended to be used for verifying artifact signatures." - }, - "ctlogs": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TransparencyLogInstance" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted certificate transparency logs." - }, - "timestampAuthorities": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.CertificateAuthority" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted timestamping authorities." 
- } - }, - "additionalProperties": false, - "type": "object", - "title": "Trusted Root", - "description": "TrustedRoot describes the client's complete set of trusted entities. How the TrustedRoot is populated is not specified, but can be a combination of many sources such as TUF repositories, files on disk etc. The TrustedRoot is not meant to be used for any artifact verification, only to capture the complete/global set of trusted verification materials. When verifying an artifact, based on the artifact and policies, a selection of keys/authorities are expected to be extracted and provided to the verification function. This way the set of keys/authorities can be kept to a minimal set by the policy to gain better control over what signatures that are allowed. The embedded transparency logs, CT logs, CAs and TSAs MUST include any previously used instance -- otherwise signatures made in the past cannot be verified. All the listed instances SHOULD be sorted by the 'valid_for' in ascending order, that is, the oldest instance first. Only the last instance is allowed to have their 'end' timestamp unset. All previous instances MUST have a closed interval of validity. The last instance MAY have a closed interval. Clients MUST accept instances that overlaps in time, if not clients may experience problems during rotations of verification materials. To be able to manage planned rotations of either transparency logs or certificate authorities, clienst MUST accept lists of instances where the last instance have a 'valid_for' that belongs to the future. This should not be a problem as clients SHOULD first seek the trust root for a suitable instance before creating a per artifact trust root (that is, a sub-set of the complete trust root) that is used for verification." 
- }, - "dev.sigstore.verification.v1.Artifact": { - "properties": { - "artifactUri": { - "type": "string", - "description": "Location of the artifact" - }, - "artifact": { - "type": "string", - "description": "The raw bytes of the artifact", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "artifact_uri" - ] - }, - { - "required": [ - "artifact" - ] - } - ], - "title": "Artifact" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions": { - "properties": { - "certificateIdentities": { - "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentities", - "additionalProperties": false - }, - "publicKeys": { - "$ref": "#/definitions/dev.sigstore.verification.v1.PublicKeyIdentities", - "additionalProperties": false, - "description": "To simplify verification implementation, the logic for bundle verification should be implemented as a higher-order function, where one of argument should be an interface over the set of trusted public keys, like this: `Verify(bytes artifact, bytes signature, string key_id)`. This way the caller is in full control of mapping the identified (or hinted) key in the bundle to one of the trusted keys, as this process is inherently application specific." - }, - "tlogOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", - "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" - }, - "ctlogOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", - "additionalProperties": false, - "description": "Optional options for certificate transparency log verification. 
If none is provided, the default verification options are: Threshold: 1 Disable: false" - }, - "tsaOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", - "additionalProperties": false, - "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" - }, - "integratedTsOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions", - "additionalProperties": false, - "description": "Optional options for integrated timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" - }, - "observerOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", - "additionalProperties": false, - "description": "Optional options for observed timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "certificate_identities" - ] - }, - { - "required": [ - "public_keys" - ] - }, - { - "required": [ - "tlog_options" - ] - }, - { - "required": [ - "ctlog_options" - ] - }, - { - "required": [ - "tsa_options" - ] - }, - { - "required": [ - "integrated_ts_options" - ] - }, - { - "required": [ - "observer_options" - ] - } - ], - "title": "Artifact Verification Options", - "description": "A light-weight set of options/policies for identifying trusted signers, used during verification of a single artifact." - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of ct transparency logs the certificate must appear on." 
- }, - "disable": { - "type": "boolean", - "description": "Disable ct transparency log verification" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Ctlog Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of external observers of the timestamp. This is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log, that could include additional timestamp sources in the future." - }, - "disable": { - "type": "boolean", - "description": "Disable observer timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Observer Timestamp Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of signed timestamps that are expected." - }, - "disable": { - "type": "boolean", - "description": "Disable signed timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Timestamp Authority Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of integrated timestamps that are expected." - }, - "disable": { - "type": "boolean", - "description": "Disable integrated timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Tlog Integrated Timestamp Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "Number of transparency logs the entry must appear on." - }, - "performOnlineVerification": { - "type": "boolean", - "description": "Perform an online inclusion proof." 
- }, - "disable": { - "type": "boolean", - "description": "Disable verification for transparency logs." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Tlog Options" - }, - "dev.sigstore.verification.v1.CertificateIdentities": { - "properties": { - "identities": { - "items": { - "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentity" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identities" - }, - "dev.sigstore.verification.v1.CertificateIdentity": { - "properties": { - "issuer": { - "type": "string", - "description": "The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)" - }, - "san": { - "$ref": "#/definitions/dev.sigstore.common.v1.SubjectAlternativeName", - "additionalProperties": false - }, - "oids": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifierValuePair" - }, - "additionalProperties": false, - "type": "array", - "description": "An unordered list of OIDs that must be verified. All OID/values provided in this list MUST exactly match against the values in the certificate for verification to be successful." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identity", - "description": "The identity of a X.509 Certificate signer." - }, - "dev.sigstore.verification.v1.PublicKeyIdentities": { - "properties": { - "publicKeys": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identities" - }, - "io.intoto.Envelope": { - "properties": { - "payload": { - "type": "string", - "description": "Message to be signed. (In JSON, this is encoded as base64.) 
REQUIRED.", - "format": "binary", - "binaryEncoding": "base64" - }, - "payloadType": { - "type": "string", - "description": "String unambiguously identifying how to interpret payload. REQUIRED." - }, - "signatures": { - "items": { - "$ref": "#/definitions/io.intoto.Signature" - }, - "additionalProperties": false, - "type": "array", - "description": "Signature over: PAE(type, payload) Where PAE is defined as: PAE(type, payload) = \"DSSEv1\" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload + = concatenation SP = ASCII space [0x20] \"DSSEv1\" = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31] LEN(s) = ASCII decimal encoding of the byte length of s, with no leading zeros REQUIRED (length \u003e= 1)." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Envelope", - "description": "An authenticated message of arbitrary type." - }, - "io.intoto.Signature": { - "properties": { - "sig": { - "type": "string", - "description": "Signature itself. (In JSON, this is encoded as base64.) REQUIRED.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyid": { - "type": "string", - "description": "*Unauthenticated* hint identifying which public key was used. OPTIONAL." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Signature" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/KindVersion.schema.json b/gen/pb-rust/schemas/KindVersion.schema.json deleted file mode 100644 index 6b6cbe05..00000000 --- a/gen/pb-rust/schemas/KindVersion.schema.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/KindVersion", - "definitions": { - "KindVersion": { - "properties": { - "kind": { - "type": "string", - "description": "Kind is the type of entry being stored in the log. See here for a list: https://github.com/sigstore/rekor/tree/main/pkg/types" - }, - "version": { - "type": "string", - "description": "The specific api version of the type." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Kind Version", - "description": "KindVersion contains the entry's kind and api version." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/LogId.schema.json b/gen/pb-rust/schemas/LogId.schema.json deleted file mode 100644 index 7056b6ad..00000000 --- a/gen/pb-rust/schemas/LogId.schema.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/LogId", - "definitions": { - "LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/MessageSignature.schema.json b/gen/pb-rust/schemas/MessageSignature.schema.json deleted file mode 100644 index afb66873..00000000 --- a/gen/pb-rust/schemas/MessageSignature.schema.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/MessageSignature", - "definitions": { - "MessageSignature": { - "properties": { - "messageDigest": { - "$ref": "#/definitions/dev.sigstore.common.v1.HashOutput", - "additionalProperties": false, - "description": "Message digest can be used to identify the artifact. Clients MUST NOT attempt to use this digest to verify the associated signature; it is intended solely for identification." - }, - "signature": { - "type": "string", - "description": "The raw bytes as returned from the signature algorithm. The signature algorithm (and so the format of the signature bytes) are determined by the contents of the 'verification_material', either a key-pair or a certificate. If using a certificate, the certificate contains the required information on the signature algorithm. When using a key pair, the algorithm MUST be part of the public key, which MUST be communicated out-of-band.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Message Signature", - "description": "MessageSignature stores the computed signature over a message." - }, - "dev.sigstore.common.v1.HashOutput": { - "properties": { - "algorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. 
UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "digest": { - "type": "string", - "description": "This is the raw octets of the message digest as computed by the hash algorithm.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Hash Output", - "description": "HashOutput captures a digest of a 'message' (generic octet sequence) and the corresponding hash algorithm used." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/ObjectIdentifier.schema.json b/gen/pb-rust/schemas/ObjectIdentifier.schema.json deleted file mode 100644 index 109a0d23..00000000 --- a/gen/pb-rust/schemas/ObjectIdentifier.schema.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/ObjectIdentifier", - "definitions": { - "ObjectIdentifier": { - "properties": { - "id": { - "items": { - "type": "integer" - }, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier", - "description": "An ASN.1 OBJECT IDENTIFIER" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/ObjectIdentifierValuePair.schema.json b/gen/pb-rust/schemas/ObjectIdentifierValuePair.schema.json deleted file mode 100644 index b1c5488e..00000000 --- a/gen/pb-rust/schemas/ObjectIdentifierValuePair.schema.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/ObjectIdentifierValuePair", - "definitions": { - "ObjectIdentifierValuePair": { - "properties": { - "oid": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifier", - "additionalProperties": false - }, - "value": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier Value Pair", - "description": "An OID and the corresponding (byte) value." - }, - "dev.sigstore.common.v1.ObjectIdentifier": { - "properties": { - "id": { - "items": { - "type": "integer" - }, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier", - "description": "An ASN.1 OBJECT IDENTIFIER" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/PublicKey.schema.json b/gen/pb-rust/schemas/PublicKey.schema.json deleted file mode 100644 index a2768483..00000000 --- a/gen/pb-rust/schemas/PublicKey.schema.json +++ /dev/null 
@@ -1,85 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/PublicKey", - "definitions": { - "PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1V15_2048_SHA256", - "PKIX_RSA_PKCS1V15_3072_SHA256", - "PKIX_RSA_PKCS1V15_4096_SHA256", - "PKIX_RSA_PSS_2048_SHA256", - "PKIX_RSA_PSS_3072_SHA256", - "PKIX_RSA_PSS_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH", - "LMS_SHA256", - "LMOTS_SHA256" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." 
- } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/PublicKeyIdentifier.schema.json b/gen/pb-rust/schemas/PublicKeyIdentifier.schema.json deleted file mode 100644 index 663bf2d2..00000000 --- a/gen/pb-rust/schemas/PublicKeyIdentifier.schema.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/PublicKeyIdentifier", - "definitions": { - "PublicKeyIdentifier": { - "properties": { - "hint": { - "type": "string", - "description": "Optional unauthenticated hint on which key to use. The format of the hint must be agreed upon out of band by the signer and the verifiers, and so is not subject to this specification. Example use-case is to specify the public key to use, from a trusted key-ring. Implementors are RECOMMENDED to derive the value from the public key as described in RFC 6962. See: \u003chttps://www.rfc-editor.org/rfc/rfc6962#section-3.2\u003e" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identifier", - "description": "PublicKeyIdentifier can be used to identify an (out of band) delivered key, to verify a signature." - } - } -} \ No newline at end of file 
diff --git a/gen/pb-rust/schemas/PublicKeyIdentities.schema.json b/gen/pb-rust/schemas/PublicKeyIdentities.schema.json deleted file mode 100644 index 2586a1d8..00000000 --- a/gen/pb-rust/schemas/PublicKeyIdentities.schema.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/PublicKeyIdentities", - "definitions": { - "PublicKeyIdentities": { - "properties": { - "publicKeys": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identities" - }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1V15_2048_SHA256", - "PKIX_RSA_PKCS1V15_3072_SHA256", - "PKIX_RSA_PKCS1V15_4096_SHA256", - "PKIX_RSA_PSS_2048_SHA256", - "PKIX_RSA_PSS_3072_SHA256", - "PKIX_RSA_PSS_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH", - "LMS_SHA256", - "LMOTS_SHA256" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. 
See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/RFC3161SignedTimestamp.schema.json b/gen/pb-rust/schemas/RFC3161SignedTimestamp.schema.json deleted file mode 100644 index 8a36b450..00000000 --- a/gen/pb-rust/schemas/RFC3161SignedTimestamp.schema.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/RFC3161SignedTimestamp", - "definitions": { - "RFC3161SignedTimestamp": { - "properties": { - "signedTimestamp": { - "type": "string", - "description": "Signed timestamp is the DER encoded TimeStampResponse. See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "RFC 3161 Signed Timestamp", - "description": "This message holds a RFC 3161 timestamp." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/Signature.schema.json b/gen/pb-rust/schemas/Signature.schema.json deleted file mode 100644 index a78066c2..00000000 --- a/gen/pb-rust/schemas/Signature.schema.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/Signature", - "definitions": { - "Signature": { - "properties": { - "sig": { - "type": "string", - "description": "Signature itself. (In JSON, this is encoded as base64.) REQUIRED.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyid": { - "type": "string", - "description": "*Unauthenticated* hint identifying which public key was used. OPTIONAL." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Signature" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/SubjectAlternativeName.schema.json b/gen/pb-rust/schemas/SubjectAlternativeName.schema.json deleted file mode 100644 index 967cfe61..00000000 --- a/gen/pb-rust/schemas/SubjectAlternativeName.schema.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/SubjectAlternativeName", - "definitions": { - "SubjectAlternativeName": { - "properties": { - "type": { - "enum": [ - "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED", - "EMAIL", - "URI", - "OTHER_NAME" - ], - "type": "string", - "title": "Subject Alternative Name Type" - }, - "regexp": { - "type": "string", - "description": "A regular expression describing the expected value for the SAN." - }, - "value": { - "type": "string", - "description": "The exact value to match against." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "regexp" - ] - }, - { - "required": [ - "value" - ] - } - ], - "title": "Subject Alternative Name" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/TimeRange.schema.json b/gen/pb-rust/schemas/TimeRange.schema.json deleted file mode 100644 index 4928e9e0..00000000 --- a/gen/pb-rust/schemas/TimeRange.schema.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/TimeRange", - "definitions": { - "TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/TimestampVerificationData.schema.json b/gen/pb-rust/schemas/TimestampVerificationData.schema.json deleted file mode 100644 index d47fe95e..00000000 --- a/gen/pb-rust/schemas/TimestampVerificationData.schema.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/TimestampVerificationData", - "definitions": { - "TimestampVerificationData": { - "properties": { - "rfc3161Timestamps": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.RFC3161SignedTimestamp" - }, - "additionalProperties": false, - "type": "array", - "description": "A list of RFC3161 signed timestamps provided by the user. This can be used when the entry has not been stored on a transparency log, or in conjunction for a stronger trust model. Clients MUST verify the hashed message in the message imprint against the signature in the bundle." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." - }, - "dev.sigstore.common.v1.RFC3161SignedTimestamp": { - "properties": { - "signedTimestamp": { - "type": "string", - "description": "Signed timestamp is the DER encoded TimeStampResponse. 
See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "RFC 3161 Signed Timestamp", - "description": "This message holds a RFC 3161 timestamp." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/TransparencyLogEntry.schema.json b/gen/pb-rust/schemas/TransparencyLogEntry.schema.json deleted file mode 100644 index 19e9b83b..00000000 --- a/gen/pb-rust/schemas/TransparencyLogEntry.schema.json +++ /dev/null 
@@ -1,138 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/TransparencyLogEntry", - "definitions": { - "TransparencyLogEntry": { - "properties": { - "logIndex": { - "type": "string", - "description": "The global index of the entry, used when querying the log by index." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier of the log." - }, - "kindVersion": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.KindVersion", - "additionalProperties": false, - "description": "The kind (type) and version of the object associated with this entry. These values are required to construct the entry during verification." - }, - "integratedTime": { - "type": "string", - "description": "The UNIX timestamp from the log when the entry was persisted." - }, - "inclusionPromise": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise", - "additionalProperties": false, - "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp." - }, - "inclusionProof": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof", - "additionalProperties": false, - "description": "The inclusion proof can be used for offline or online verification that the entry was appended to the log, and that the log has not been altered." - }, - "canonicalizedBody": { - "type": "string", - "description": "Optional. The canonicalized transparency log entry, used to reconstruct the Signed Entry Timestamp (SET) during verification. The contents of this field are the same as the `body` field in a Rekor response, meaning that it does **not** include the \"full\" canonicalized form (of log index, ID, etc.) which are exposed as separate fields. 
The verifier is responsible for combining the `canonicalized_body`, `log_index`, `log_id`, and `integrated_time` into the payload that the SET's signature is generated over. This field is intended to be used in cases where the SET cannot be produced determinisitically (e.g. inconsistent JSON field ordering, differing whitespace, etc). If set, clients MUST verify that the signature referenced in the `canonicalized_body` matches the signature provided in the `Bundle.content`. If not set, clients are responsible for constructing an equivalent payload from other sources to verify the signature.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Entry", - "description": "TransparencyLogEntry captures all the details required from Rekor to reconstruct an entry, given that the payload is provided via other means. This type can easily be created from the existing response from Rekor. Future iterations could rely on Rekor returning the minimal set of attributes (excluding the payload) that are required for verifying the inclusion promise. The inclusion promise (called SignedEntryTimestamp in the response from Rekor) is similar to a Signed Certificate Timestamp as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2." - }, - "dev.sigstore.common.v1.LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." 
- }, - "dev.sigstore.rekor.v1.Checkpoint": { - "properties": { - "envelope": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Checkpoint", - "description": "The checkpoint contains a signature of the tree head (root hash), size of the tree, the transparency log's unique identifier (log ID), hostname and the current time. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." - }, - "dev.sigstore.rekor.v1.InclusionPromise": { - "properties": { - "signedEntryTimestamp": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Promise", - "description": "The inclusion promise is calculated by Rekor. It's calculated as a signature over a canonical JSON serialization of the persisted entry, the log ID, log index and the integration timestamp. See https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.go#L54 The format of the signature depends on the transparency log's public key. If the signature algorithm requires a hash function and/or a signature scheme (e.g. RSA) those has to be retrieved out-of-band from the log's operators, together with the public key. This is used to verify the integration timestamp's value and that the log has promised to include the entry." - }, - "dev.sigstore.rekor.v1.InclusionProof": { - "properties": { - "logIndex": { - "type": "string", - "description": "The index of the entry in the tree it was written to." 
- }, - "rootHash": { - "type": "string", - "description": "The hash digest stored at the root of the merkle tree at the time the proof was generated.", - "format": "binary", - "binaryEncoding": "base64" - }, - "treeSize": { - "type": "string", - "description": "The size of the merkle tree at the time the proof was generated." - }, - "hashes": { - "items": { - "type": "string" - }, - "type": "array", - "description": "A list of hashes required to compute the inclusion proof, sorted in order from leaf to root. Note that leaf and root hashes are not included. The root hash is available separately in this message, and the leaf hash should be calculated by the client.", - "format": "binary", - "binaryEncoding": "base64" - }, - "checkpoint": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.Checkpoint", - "additionalProperties": false, - "description": "Signature of the tree head, as of the time of this proof was generated. See above info on 'Checkpoint' for more details." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Proof", - "description": "InclusionProof is the proof returned from the transparency log. Can be used for offline or online verification against the log." - }, - "dev.sigstore.rekor.v1.KindVersion": { - "properties": { - "kind": { - "type": "string", - "description": "Kind is the type of entry being stored in the log. See here for a list: https://github.com/sigstore/rekor/tree/main/pkg/types" - }, - "version": { - "type": "string", - "description": "The specific api version of the type." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Kind Version", - "description": "KindVersion contains the entry's kind and api version." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/TransparencyLogInstance.schema.json b/gen/pb-rust/schemas/TransparencyLogInstance.schema.json deleted file mode 100644 index db691db2..00000000 
--- a/gen/pb-rust/schemas/TransparencyLogInstance.schema.json +++ /dev/null 
@@ -1,134 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/TransparencyLogInstance", - "definitions": { - "TransparencyLogInstance": { - "properties": { - "baseUrl": { - "type": "string", - "description": "The base URL at which can be used to URLs for the client." - }, - "hashAlgorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey", - "additionalProperties": false, - "description": "The public key used to verify signatures generated by the log. This attribute contains the signature algorithm used by the log." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier for this transparency log." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Instance", - "description": "TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion proof/promise." 
- }, - "dev.sigstore.common.v1.LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." - }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1V15_2048_SHA256", - "PKIX_RSA_PKCS1V15_3072_SHA256", - "PKIX_RSA_PKCS1V15_4096_SHA256", - "PKIX_RSA_PSS_2048_SHA256", - "PKIX_RSA_PSS_3072_SHA256", - "PKIX_RSA_PSS_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH", - "LMS_SHA256", - "LMOTS_SHA256" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. 
See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/TrustedRoot.schema.json b/gen/pb-rust/schemas/TrustedRoot.schema.json deleted file mode 100644 index d03bacd5..00000000 --- a/gen/pb-rust/schemas/TrustedRoot.schema.json +++ /dev/null 
@@ -1,247 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/TrustedRoot", - "definitions": { - "TrustedRoot": { - "properties": { - "mediaType": { - "type": "string", - "description": "MUST be application/vnd.dev.sigstore.trustedroot+json;version=0.1" - }, - "tlogs": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TransparencyLogInstance" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted Rekor servers." - }, - "certificateAuthorities": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.CertificateAuthority" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted certificate authorities (e.g Fulcio), and any intermediate certificates they provide. If a CA is issuing multiple intermediate certificate, each combination shall be represented as separate chain. I.e, a single root cert may appear in multiple chains but with different intermediate and/or leaf certificates. The certificates are intended to be used for verifying artifact signatures." - }, - "ctlogs": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TransparencyLogInstance" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted certificate transparency logs." - }, - "timestampAuthorities": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.CertificateAuthority" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted timestamping authorities." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Trusted Root", - "description": "TrustedRoot describes the client's complete set of trusted entities. How the TrustedRoot is populated is not specified, but can be a combination of many sources such as TUF repositories, files on disk etc. 
The TrustedRoot is not meant to be used for any artifact verification, only to capture the complete/global set of trusted verification materials. When verifying an artifact, based on the artifact and policies, a selection of keys/authorities are expected to be extracted and provided to the verification function. This way the set of keys/authorities can be kept to a minimal set by the policy to gain better control over what signatures that are allowed. The embedded transparency logs, CT logs, CAs and TSAs MUST include any previously used instance -- otherwise signatures made in the past cannot be verified. All the listed instances SHOULD be sorted by the 'valid_for' in ascending order, that is, the oldest instance first. Only the last instance is allowed to have their 'end' timestamp unset. All previous instances MUST have a closed interval of validity. The last instance MAY have a closed interval. Clients MUST accept instances that overlaps in time, if not clients may experience problems during rotations of verification materials. To be able to manage planned rotations of either transparency logs or certificate authorities, clienst MUST accept lists of instances where the last instance have a 'valid_for' that belongs to the future. This should not be a problem as clients SHOULD first seek the trust root for a suitable instance before creating a per artifact trust root (that is, a sub-set of the complete trust root) that is used for verification." - }, - "dev.sigstore.common.v1.DistinguishedName": { - "properties": { - "organization": { - "type": "string" - }, - "commonName": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Distinguished Name" - }, - "dev.sigstore.common.v1.LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. 
See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." - }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1V15_2048_SHA256", - "PKIX_RSA_PKCS1V15_3072_SHA256", - "PKIX_RSA_PKCS1V15_4096_SHA256", - "PKIX_RSA_PSS_2048_SHA256", - "PKIX_RSA_PSS_3072_SHA256", - "PKIX_RSA_PSS_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH", - "LMS_SHA256", - "LMOTS_SHA256" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." 
- }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - }, - "dev.sigstore.common.v1.X509Certificate": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded X.509 certificate.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate" - }, - "dev.sigstore.common.v1.X509CertificateChain": { - "properties": { - "certificates": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate" - }, - "additionalProperties": false, - "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. 
This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." - }, - "dev.sigstore.trustroot.v1.CertificateAuthority": { - "properties": { - "subject": { - "$ref": "#/definitions/dev.sigstore.common.v1.DistinguishedName", - "additionalProperties": false, - "description": "The root certificate MUST be self-signed, and so the subject and issuer are the same." - }, - "uri": { - "type": "string", - "description": "The URI identifies the certificate authority. It is RECOMMENDED that the URI is the base URL for the certificate authority, that can be provided to any SDK/client provided by the certificate authority to interact with the certificate authority." - }, - "certChain": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", - "additionalProperties": false, - "description": "The certificate chain for this CA." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "The time the *entire* chain was valid. This is at max the longest interval when *all* certificates in the chain were valid, but it MAY be shorter. Clients MUST check timestamps against *both* the `valid_for` time range *and* the entire certificate chain. The TimeRange should be considered valid *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Authority", - "description": "CertificateAuthority enlists the information required to identify which CA to use and perform signature verification." - }, - "dev.sigstore.trustroot.v1.TransparencyLogInstance": { - "properties": { - "baseUrl": { - "type": "string", - "description": "The base URL at which can be used to URLs for the client." 
- }, - "hashAlgorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey", - "additionalProperties": false, - "description": "The public key used to verify signatures generated by the log. This attribute contains the signature algorithm used by the log." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier for this transparency log." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Instance", - "description": "TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion proof/promise." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/VerificationMaterial.schema.json b/gen/pb-rust/schemas/VerificationMaterial.schema.json deleted file mode 100644 index 6120e4b8..00000000 --- a/gen/pb-rust/schemas/VerificationMaterial.schema.json +++ /dev/null 
@@ -1,259 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/VerificationMaterial", - "definitions": { - "VerificationMaterial": { - "properties": { - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKeyIdentifier", - "additionalProperties": false - }, - "x509CertificateChain": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", - "additionalProperties": false - }, - "certificate": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", - "additionalProperties": false - }, - "tlogEntries": { - "items": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" - }, - "additionalProperties": false, - "type": "array", - "description": "An inclusion proof and an optional signed timestamp from the log. Client verification libraries MAY provide an option to support v0.1 bundles for backwards compatibility, which may contain an inclusion promise and not an inclusion proof. In this case, the client MUST validate the promise. Verifiers SHOULD NOT allow v0.1 bundles if they're used in an ecosystem which never produced them." - }, - "timestampVerificationData": { - "$ref": "#/definitions/dev.sigstore.bundle.v1.TimestampVerificationData", - "additionalProperties": false, - "description": "Timestamp may also come from tlog_entries.inclusion_promise.signed_entry_timestamp." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "public_key" - ] - }, - { - "required": [ - "x509_certificate_chain" - ] - }, - { - "required": [ - "certificate" - ] - } - ], - "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. 
This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." - }, - "dev.sigstore.bundle.v1.TimestampVerificationData": { - "properties": { - "rfc3161Timestamps": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.RFC3161SignedTimestamp" - }, - "additionalProperties": false, - "type": "array", - "description": "A list of RFC3161 signed timestamps provided by the user. This can be used when the entry has not been stored on a transparency log, or in conjunction for a stronger trust model. Clients MUST verify the hashed message in the message imprint against the signature in the bundle." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." 
- }, - "dev.sigstore.common.v1.LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." - }, - "dev.sigstore.common.v1.PublicKeyIdentifier": { - "properties": { - "hint": { - "type": "string", - "description": "Optional unauthenticated hint on which key to use. The format of the hint must be agreed upon out of band by the signer and the verifiers, and so is not subject to this specification. Example use-case is to specify the public key to use, from a trusted key-ring. Implementors are RECOMMENDED to derive the value from the public key as described in RFC 6962. See: \u003chttps://www.rfc-editor.org/rfc/rfc6962#section-3.2\u003e" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identifier", - "description": "PublicKeyIdentifier can be used to identify an (out of band) delivered key, to verify a signature." - }, - "dev.sigstore.common.v1.RFC3161SignedTimestamp": { - "properties": { - "signedTimestamp": { - "type": "string", - "description": "Signed timestamp is the DER encoded TimeStampResponse. See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "RFC 3161 Signed Timestamp", - "description": "This message holds a RFC 3161 timestamp." 
- }, - "dev.sigstore.common.v1.X509Certificate": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded X.509 certificate.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate" - }, - "dev.sigstore.common.v1.X509CertificateChain": { - "properties": { - "certificates": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate" - }, - "additionalProperties": false, - "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." - }, - "dev.sigstore.rekor.v1.Checkpoint": { - "properties": { - "envelope": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Checkpoint", - "description": "The checkpoint contains a signature of the tree head (root hash), size of the tree, the transparency log's unique identifier (log ID), hostname and the current time. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." 
- }, - "dev.sigstore.rekor.v1.InclusionPromise": { - "properties": { - "signedEntryTimestamp": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Promise", - "description": "The inclusion promise is calculated by Rekor. It's calculated as a signature over a canonical JSON serialization of the persisted entry, the log ID, log index and the integration timestamp. See https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.go#L54 The format of the signature depends on the transparency log's public key. If the signature algorithm requires a hash function and/or a signature scheme (e.g. RSA) those has to be retrieved out-of-band from the log's operators, together with the public key. This is used to verify the integration timestamp's value and that the log has promised to include the entry." - }, - "dev.sigstore.rekor.v1.InclusionProof": { - "properties": { - "logIndex": { - "type": "string", - "description": "The index of the entry in the tree it was written to." - }, - "rootHash": { - "type": "string", - "description": "The hash digest stored at the root of the merkle tree at the time the proof was generated.", - "format": "binary", - "binaryEncoding": "base64" - }, - "treeSize": { - "type": "string", - "description": "The size of the merkle tree at the time the proof was generated." - }, - "hashes": { - "items": { - "type": "string" - }, - "type": "array", - "description": "A list of hashes required to compute the inclusion proof, sorted in order from leaf to root. Note that leaf and root hashes are not included. 
The root hash is available separately in this message, and the leaf hash should be calculated by the client.", - "format": "binary", - "binaryEncoding": "base64" - }, - "checkpoint": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.Checkpoint", - "additionalProperties": false, - "description": "Signature of the tree head, as of the time of this proof was generated. See above info on 'Checkpoint' for more details." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Proof", - "description": "InclusionProof is the proof returned from the transparency log. Can be used for offline or online verification against the log." - }, - "dev.sigstore.rekor.v1.KindVersion": { - "properties": { - "kind": { - "type": "string", - "description": "Kind is the type of entry being stored in the log. See here for a list: https://github.com/sigstore/rekor/tree/main/pkg/types" - }, - "version": { - "type": "string", - "description": "The specific api version of the type." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Kind Version", - "description": "KindVersion contains the entry's kind and api version." - }, - "dev.sigstore.rekor.v1.TransparencyLogEntry": { - "properties": { - "logIndex": { - "type": "string", - "description": "The global index of the entry, used when querying the log by index." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier of the log." - }, - "kindVersion": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.KindVersion", - "additionalProperties": false, - "description": "The kind (type) and version of the object associated with this entry. These values are required to construct the entry during verification." - }, - "integratedTime": { - "type": "string", - "description": "The UNIX timestamp from the log when the entry was persisted." 
- }, - "inclusionPromise": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise", - "additionalProperties": false, - "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp." - }, - "inclusionProof": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof", - "additionalProperties": false, - "description": "The inclusion proof can be used for offline or online verification that the entry was appended to the log, and that the log has not been altered." - }, - "canonicalizedBody": { - "type": "string", - "description": "Optional. The canonicalized transparency log entry, used to reconstruct the Signed Entry Timestamp (SET) during verification. The contents of this field are the same as the `body` field in a Rekor response, meaning that it does **not** include the \"full\" canonicalized form (of log index, ID, etc.) which are exposed as separate fields. The verifier is responsible for combining the `canonicalized_body`, `log_index`, `log_id`, and `integrated_time` into the payload that the SET's signature is generated over. This field is intended to be used in cases where the SET cannot be produced determinisitically (e.g. inconsistent JSON field ordering, differing whitespace, etc). If set, clients MUST verify that the signature referenced in the `canonicalized_body` matches the signature provided in the `Bundle.content`. If not set, clients are responsible for constructing an equivalent payload from other sources to verify the signature.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Entry", - "description": "TransparencyLogEntry captures all the details required from Rekor to reconstruct an entry, given that the payload is provided via other means. 
This type can easily be created from the existing response from Rekor. Future iterations could rely on Rekor returning the minimal set of attributes (excluding the payload) that are required for verifying the inclusion promise. The inclusion promise (called SignedEntryTimestamp in the response from Rekor) is similar to a Signed Certificate Timestamp as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/X509Certificate.schema.json b/gen/pb-rust/schemas/X509Certificate.schema.json deleted file mode 100644 index f98f9984..00000000 --- a/gen/pb-rust/schemas/X509Certificate.schema.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/X509Certificate", - "definitions": { - "X509Certificate": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded X.509 certificate.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/X509CertificateChain.schema.json b/gen/pb-rust/schemas/X509CertificateChain.schema.json deleted file mode 100644 index a1a130c2..00000000 --- a/gen/pb-rust/schemas/X509CertificateChain.schema.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/X509CertificateChain", - "definitions": { - "X509CertificateChain": { - "properties": { - "certificates": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate" - }, - "additionalProperties": false, - "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." - }, - "dev.sigstore.common.v1.X509Certificate": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded X.509 certificate.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/sigstore-protobuf-specs/Cargo.lock b/gen/pb-rust/sigstore-protobuf-specs/Cargo.lock new file mode 100644 index 00000000..17881eaa --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/Cargo.lock 
@@ -0,0 +1,557 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "aho-corasick" +version = "1.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0" +dependencies = [ + "memchr", +] + +[[package]] +name = "anyhow" +version = "1.0.72" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3b13c32d80ecc7ab747b80c3784bce54ee8a7a0cc4fbda9bf4cda2cf6fe90854" + +[[package]] +name = "autocfg" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" + +[[package]] +name = "base64" +version = "0.21.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" + +[[package]] +name = "bitflags" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" + +[[package]] +name = "bitflags" +version = "2.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" + +[[package]] +name = "bytes" +version = "1.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "89b2fd2a0dcf38d7971e2194b6b6eebab45ae01067456a7fd93d5547a61b70be" + +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + +[[package]] +name = "either" +version = "1.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07" + +[[package]] +name = "equivalent" +version = "1.0.1" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" + +[[package]] +name = "errno" +version = "0.3.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" +dependencies = [ + "libc", + "windows-sys", +] + +[[package]] +name = "fastrand" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" + +[[package]] +name = "fixedbitset" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" + +[[package]] +name = "glob" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" + +[[package]] +name = "hashbrown" +version = "0.14.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" + +[[package]] +name = "heck" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" + +[[package]] +name = "home" +version = "0.5.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5" +dependencies = [ + "windows-sys", +] + +[[package]] +name = "indexmap" +version = "2.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d530e1a18b1cb4c484e6e34556a0d948706958449fca0cab753d649f2bce3d1f" +dependencies = [ + "equivalent", + "hashbrown", +] + +[[package]] +name = "itertools" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" +dependencies = [ + "either", +] + +[[package]] +name = "itoa" +version = "1.0.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" + +[[package]] +name = "libc" +version = "0.2.152" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13e3bf6590cbc649f4d1a3eefc9d5d6eb746f5200ffb04e5e142700b8faa56e7" + +[[package]] +name = "linux-raw-sys" +version = "0.4.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" + +[[package]] +name = "log" +version = "0.4.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f" + +[[package]] +name = "memchr" +version = "2.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149" + +[[package]] +name = "multimap" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a" + +[[package]] +name = "num-traits" +version = "0.2.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c" +dependencies = [ + "autocfg", +] + +[[package]] +name = "once_cell" +version = "1.19.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" + +[[package]] +name = "ordered-float" +version = "2.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c" +dependencies = [ + "num-traits", +] + +[[package]] +name = "petgraph" 
+version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" +dependencies = [ + "fixedbitset", + "indexmap", +] + +[[package]] +name = "prettyplease" +version = "0.2.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a41cf62165e97c7f814d2221421dbb9afcbcdb0a88068e5ea206e19951c2cbb5" +dependencies = [ + "proc-macro2", + "syn", +] + +[[package]] +name = "proc-macro2" +version = "1.0.78" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "prost" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "146c289cda302b98a28d40c8b3b90498d6e526dd24ac2ecea73e4e491685b94a" +dependencies = [ + "bytes", + "prost-derive", +] + +[[package]] +name = "prost-build" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c55e02e35260070b6f716a2423c2ff1c3bb1642ddca6f99e1f26d06268a0e2d2" +dependencies = [ + "bytes", + "heck", + "itertools", + "log", + "multimap", + "once_cell", + "petgraph", + "prettyplease", + "prost", + "prost-types", + "regex", + "syn", + "tempfile", + "which 4.4.2", +] + +[[package]] +name = "prost-derive" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "efb6c9a1dd1def8e2124d17e83a20af56f1570d6c2d2bd9e266ccb768df3840e" +dependencies = [ + "anyhow", + "itertools", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "prost-reflect" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "057237efdb71cf4b3f9396302a3d6599a92fa94063ba537b66130980ea9909f3" +dependencies = [ + "base64", + "once_cell", + "prost", + "prost-reflect-derive", + "prost-types", + "serde", + "serde-value", +] + +[[package]] 
+name = "prost-reflect-build" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4d0aa0c82e0fc36214c77b4dabe00750b3c41be45055baf2631cbbb7769b8ca" +dependencies = [ + "prost-build", + "prost-reflect", +] + +[[package]] +name = "prost-reflect-derive" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "172da1212c02be2c94901440cb27183cd92bff00ebacca5c323bf7520b8f9c04" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "prost-types" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "193898f59edcf43c26227dcd4c8427f00d99d61e95dcde58dabd49fa291d470e" +dependencies = [ + "prost", +] + +[[package]] +name = "quote" +version = "1.0.35" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "redox_syscall" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" +dependencies = [ + "bitflags 1.3.2", +] + +[[package]] +name = "regex" +version = "1.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b62dbe01f0b06f9d8dc7d49e05a0785f153b00b2c227856282f671e0318c9b15" +dependencies = [ + "aho-corasick", + "memchr", + "regex-automata", + "regex-syntax", +] + +[[package]] +name = "regex-automata" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5bb987efffd3c6d0d8f5f89510bb458559eab11e4f869acb20bf845e016259cd" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax", +] + +[[package]] +name = "regex-syntax" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f" + 
+[[package]] +name = "rustix" +version = "0.38.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "322394588aaf33c24007e8bb3238ee3e4c5c09c084ab32bc73890b99ff326bca" +dependencies = [ + "bitflags 2.4.2", + "errno", + "libc", + "linux-raw-sys", + "windows-sys", +] + +[[package]] +name = "ryu" +version = "1.0.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741" + +[[package]] +name = "serde" +version = "1.0.171" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "30e27d1e4fd7659406c492fd6cfaf2066ba8773de45ca75e855590f856dc34a9" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde-value" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c" +dependencies = [ + "ordered-float", + "serde", +] + +[[package]] +name = "serde_derive" +version = "1.0.171" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "389894603bd18c46fa56231694f8d827779c0951a667087194cf9de94ed24682" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "serde_json" +version = "1.0.103" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d03b412469450d4404fe8499a268edd7f8b79fecb074b0d812ad64ca21f4031b" +dependencies = [ + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "sigstore_protobuf_specs" +version = "0.1.0-rc.2" +dependencies = [ + "anyhow", + "glob", + "prost", + "prost-build", + "prost-reflect", + "prost-reflect-build", + "prost-types", + "serde", + "serde_json", + "which 6.0.0", +] + +[[package]] +name = "syn" +version = "2.0.48" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f3531638e407dfc0814761abb7c00a5b54992b849452a0646b7f65c9f770f3f" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", 
+] + +[[package]] +name = "tempfile" +version = "3.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01ce4141aa927a6d1bd34a041795abd0db1cccba5d5f24b009f694bdf3a1f3fa" +dependencies = [ + "cfg-if", + "fastrand", + "redox_syscall", + "rustix", + "windows-sys", +] + +[[package]] +name = "unicode-ident" +version = "1.0.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c" + +[[package]] +name = "which" +version = "4.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7" +dependencies = [ + "either", + "home", + "once_cell", + "rustix", +] + +[[package]] +name = "which" +version = "6.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7fa5e0c10bf77f44aac573e498d1a82d5fbd5e91f6fc0a99e7be4b38e85e101c" +dependencies = [ + "either", + "home", + "once_cell", + "rustix", + "windows-sys", +] + +[[package]] +name = "windows-sys" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" +dependencies = [ + "windows-targets", +] + +[[package]] +name = "windows-targets" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd" +dependencies = [ + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", + "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", +] + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.0" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef" + +[[package]] +name = "windows_i686_gnu" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313" + +[[package]] +name = "windows_i686_msvc" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" diff --git a/gen/pb-rust/sigstore-protobuf-specs/Cargo.toml b/gen/pb-rust/sigstore-protobuf-specs/Cargo.toml new file mode 100644 index 00000000..1b242727 --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/Cargo.toml 
@@ -0,0 +1,28 @@
+[package]
+name = "sigstore_protobuf_specs"
+version = "0.3.0"
+exclude = ["codegen/"]
+authors = ["Sigstore Authors "]
+edition = "2021"
+homepage = "https://github.com/sigstore/protobuf-specs"
+repository = "https://github.com/sigstore/protobuf-specs"
+description = "A library for serializing and deserializing Sigstore messages"
+readme = "README.md"
+license-file = "LICENSE"
+keywords = ["sigstore"]
+categories = ["encoding", "parser-implementations"]
+
+[dependencies]
+prost-types = "0.12.3"
+prost = "0.12.3"
+prost-reflect = { version = "0.12.0", features = ["serde", "derive"] }
+serde = {version = "1.0", features = ["derive"]}
+serde_json = "1.0"
+derive = { path = "../derive" }
+
+[build-dependencies]
+anyhow = "1.0.72"
+glob = "0.3"
+prost-build = "0.12.3"
+prost-reflect-build = "0.12.0"
+which = "6.0.0"
diff --git a/gen/pb-rust/sigstore-protobuf-specs/assets/a.txt b/gen/pb-rust/sigstore-protobuf-specs/assets/a.txt
new file mode 100644
index 00000000..870fdd2b
--- /dev/null
+++ b/gen/pb-rust/sigstore-protobuf-specs/assets/a.txt
@@ -0,0 +1,5 @@
+DO NOT MODIFY ME!
+
+this is "a.txt", a sample input for sigstore-protobuf-specs' test suite.
+
+DO NOT MODIFY ME!
diff --git a/gen/pb-rust/sigstore-protobuf-specs/assets/a.txt.sigstore b/gen/pb-rust/sigstore-protobuf-specs/assets/a.txt.sigstore
new file mode 100644
index 00000000..225ce0fa
--- /dev/null
+++ b/gen/pb-rust/sigstore-protobuf-specs/assets/a.txt.sigstore
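Review bot: `derive = { path = "../derive" }` carries no `version`, and Cargo refuses to publish a crate whose dependency is path-only, so the publish metadata this manifest sets up (`description`, `readme`, `license-file`, `keywords`) cannot be exercised until the derive crate is published and referenced as `derive = { version = "<derive-crate-version>", path = "../derive" }`. The Cargo.lock added in the same commit is already stale against this manifest: it records `sigstore_protobuf_specs` at `0.1.0-rc.2` with no `derive` dependency while the manifest says `0.3.0`, so a `--locked` build or publish fails until the lockfile is regenerated after the manifest is fixed. `authors = ["Sigstore Authors "]` also appears to have lost an `<email>` part, presumably in rendering, but is worth checking in the source file.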
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2", "verificationMaterial": {"x509CertificateChain": {"certificates": [{"rawBytes": "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"}]}, "tlogEntries": [{"logIndex": "66794718", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1706297730", "inclusionPromise": {"signedEntryTimestamp": "MEQCIA8KjI3qM1FojdnBSPXyII/7Q8NUgRQ0ji86ZNNWT1XqAiAA0msqxS4rN9xCo6jKcjGaKwFuHEwa5Mw1JCwBzLt1gw=="}, "inclusionProof": {"logIndex": "62631287", "rootHash": "1fx8bMb9/1d0q/PdLBgr5EVIs5kz2Shwpy4TFo8Uhis=", "treeSize": "62631288", "hashes": ["A6hYJrNwNazA1eoJIpV498CX76QaBgJWNoCRt1X74JE=", "f9+1RSu6Acof0xeSFOubv4ka3FdHBtpSVrdSbIAjMsQ=", "3ooji9Ujxw5HG1h56HHfj87vS4MOVVFUjVGuvJtW81M=", "HEgnXDufRCuJISdHCQjKnv3wP0PRUtE+AiYjdvZWaxw=", "/FEizqX7NOhA4OdohRvVtM2N5URHa6uesg3p4vEoQ4E=", "WoINPf5XzzezzULe1uVrKF5yQxRALb2KxRHOKi7Dttk=", "FpQhnaN+UmxzFqCood81DHl9WxyOOSpBMfD2FpNVk3k=", "WPXbPb4ACE/BbpP8q1dpTjRmTu4OFOse4d5YHP34YjA=", "+eTYHIbql8gaQnVj1zBqRSbN8d5uLSwQCZSNEu1IEQc=", "Dl6tJTXUpFc8TLlVlAbs+hrhujOBSxEW6PE/3+PwQIc=", "AGGlRS/pLuSZMVaGq6mY5uZswBtCoNSuaHM6P5twGuE=", "8v5YV3W9gmSnYBkC5JADJ4j3NA7GuFPPkPXA9OPNmTg=", "GgcbvbmxENRIPRbgqtWIgdwahX7JwKNl+o6XN+NdICM=", "v6TgT0lJE8lEEO1hEJGAUugTK5CNAqqixlVK80tmkb0=", "HjoTzYu7nFqxAa9lTSDZxoA4a1wJ4P8BT2/QyLM8PH4=", "IsLbMqrjdeHhyZ6XODgAs95aU12MJIbe9XB6kXaMDYw=", "UeXYBoLMUKvbOS7ToMsaoblG4fS/8QPQTTFGIBVeE70=", "mMSG/rXYcJKnikbEtb4EhoZUkAr/wuhv+yAHTcc6iDo=", "aWnEm9c/Gb8operqvTMd3WBQLe+yzT2W4Xt0HICt7Gw="], "checkpoint": {"envelope": "rekor.sigstore.dev - 2605736670972794746\n62631288\n1fx8bMb9/1d0q/PdLBgr5EVIs5kz2Shwpy4TFo8Uhis=\nTimestamp: 1706297730413822848\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiAncCOrkCPoSXfFZt5jqL654xXX/OK7spQ8tkP9NTkexwIgY1HfG6TWamNSwNslbt5TXjgp4cxLiAYBG+n1/fpzu1U=\n"}}, "canonicalizedBody": "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"}]}, 
"messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "YyV5tRg9QY/z3EQ5lP014OGips6Joe4i/cpXf46LycM="}, "signature": "MEUCIQDUuktu6crJATtQgoQkaHoHqFWt+XvDd4PvJlDQ5aKmXAIgCKUO8qcuLTI08PDw6F0RSlhBUjgmCMElX+XCeSaCjpg="}}
diff --git a/gen/pb-rust/sigstore-protobuf-specs/build.rs b/gen/pb-rust/sigstore-protobuf-specs/build.rs
new file mode 100644
index 00000000..7f68a907
--- /dev/null
+++ b/gen/pb-rust/sigstore-protobuf-specs/build.rs
@@ -0,0 +1,46 @@
+/// Find the standard protobuf include directory.
+fn protobuf_include_path() -> String {
+ let mut protobuf_root = which::which("protoc")
+ .ok()
+ // dirname(/bin/protoc) / ../
+ .and_then(|path| path.ancestors().nth(2).map(|p| p.to_path_buf()))
+ .expect("protobuf installation directory not found!");
+ protobuf_root.push("include");
+ protobuf_root.to_str().unwrap().to_owned()
+}
+
+fn main() -> anyhow::Result<()> {
+ let includes = vec![
+ concat!(env!("CARGO_MANIFEST_DIR"), "/../../../protos").to_owned(),
+ // WKTs path
+ protobuf_include_path(),
+ // googleapi types path
+ std::env::var("SIGSTORE_PROTOBUF_EXTRA_INCLUDE").unwrap_or("/opt/include".to_owned()),
+ ];
+
+ let mut config = prost_build::Config::new();
+ config
+ .include_file("mod.rs")
+ .type_attribute(
+ ".",
+ "#[derive(derive::Deserialize_proto, derive::Serialize_proto)]",
+ )
+ // Disable problematic comments interpreted as doctests.
+ .disable_comments([".io.intoto.Envelope"]);
+
+ prost_reflect_build::Builder::new()
+ .file_descriptor_set_bytes("crate::FILE_DESCRIPTOR_SET_BYTES")
+ .compile_protos_with_config(
+ config,
+ &glob::glob(concat!(
+ env!("CARGO_MANIFEST_DIR"),
+ "/../../../protos/*.proto"
+ ))
+ .expect("no protos found!")
+ .flatten()
+ .collect::>(),
+ &includes,
+ )?;
+
+ Ok(())
+}
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/lib.rs b/gen/pb-rust/sigstore-protobuf-specs/src/lib.rs
new file mode 100644
index 00000000..c2b4a954
--- /dev/null
+++ b/gen/pb-rust/sigstore-protobuf-specs/src/lib.rs
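Review bot: `main` reads `SIGSTORE_PROTOBUF_EXTRA_INCLUDE` but never declares it to Cargo, so changing the variable will not re-run the build script; add `println!("cargo:rerun-if-env-changed=SIGSTORE_PROTOBUF_EXTRA_INCLUDE");` ahead of the `includes` vector, and since the `.proto` sources live outside `CARGO_MANIFEST_DIR` (`/../../../protos`), a `println!("cargo:rerun-if-changed=<path to protos>");` is worth adding as well unless you have confirmed that prost-build emits one for every file it is handed. In `protobuf_include_path`, `which` returns `protoc` as found on `PATH` without resolving symlinks, so `ancestors().nth(2)` can walk up from a symlink into the wrong prefix; canonicalising the path (`std::fs::canonicalize`) before taking ancestors makes the `include` lookup robust, and the `.to_str().unwrap()` could go if `includes` stayed a `Vec<PathBuf>`, which the compile call should accept as `AsRef<Path>`. `unwrap_or("/opt/include".to_owned())` allocates even when the variable is set; `unwrap_or_else(|| "/opt/include".to_owned())` is the idiomatic form. The generic arguments (`collect::<Vec<_>>()` here, `<W>` and `from_str::<T>` in `tests/integration.rs` and `tests/unit.rs`) appear to have been stripped by the page rendering rather than by the commit.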
@@ -0,0 +1,4 @@
+static FILE_DESCRIPTOR_SET_BYTES: &'static [u8] =
+ include_bytes!(concat!(env!("OUT_DIR"), "/file_descriptor_set.bin"));
+
+include!(concat!(env!("OUT_DIR"), "/mod.rs"));
diff --git a/gen/pb-rust/sigstore-protobuf-specs/tests/integration.rs b/gen/pb-rust/sigstore-protobuf-specs/tests/integration.rs
new file mode 100644
index 00000000..4d13e46c
--- /dev/null
+++ b/gen/pb-rust/sigstore-protobuf-specs/tests/integration.rs
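Review bot: `&'static [u8]` on a `static` is redundant (clippy `redundant_static_lifetimes`); `static FILE_DESCRIPTOR_SET_BYTES: &[u8] =` is the same type. The crate root has no `//!` documentation, and everything a reader of the published crate will look for (the message types, the descriptor set) comes from `include!` of build output, so a short module header saying that `mod.rs` and `file_descriptor_set.bin` are generated by `build.rs` from the repository's `protos/` directory would save the next maintainer a search. A one-line `///` on the static noting that `build.rs` hands its path to `prost_reflect_build` as `crate::FILE_DESCRIPTOR_SET_BYTES`, which is why it must keep this name, would explain the otherwise unused-looking item.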
@@ -0,0 +1,73 @@
+use std::io;
+
+use sigstore_protobuf_specs::dev::sigstore::bundle::v1::Bundle;
+
+macro_rules! include_asset {
+ ($path:literal) => {
+ include_str!(concat!(env!("CARGO_MANIFEST_DIR"), "/assets/", $path))
+ };
+}
+
+struct SpaceSeparatorFormatter;
+
+impl serde_json::ser::Formatter for SpaceSeparatorFormatter {
+ fn begin_array_value(&mut self, writer: &mut W, first: bool) -> io::Result<()>
+ where
+ W: ?Sized + io::Write,
+ {
+ if first {
+ Ok(())
+ } else {
+ writer.write_all(b", ")
+ }
+ }
+
+ fn begin_object_value(&mut self, writer: &mut W) -> io::Result<()>
+ where
+ W: ?Sized + io::Write,
+ {
+ writer.write_all(b": ")
+ }
+
+ fn begin_object_key(&mut self, writer: &mut W, first: bool) -> io::Result<()>
+ where
+ W: ?Sized + io::Write,
+ {
+ if first {
+ Ok(())
+ } else {
+ writer.write_all(b", ")
+ }
+ }
+
+ fn write_string_fragment(&mut self, writer: &mut W, fragment: &str) -> io::Result<()>
+ where
+ W: ?Sized + io::Write,
+ {
+ // Replace em-dashes with a unicode escape. serde_json unescapes it.
+ writer.write_all(fragment.replace("\u{2014}", "\\u2014").as_bytes())
+ }
+}
+
+/// Test re-serializing a known-good bundle from sigstore-python.
+#[test]
+fn bundle_roundtrip() {
+ // Deserialize bundle, trimming trailing whitespace.
+ let input = include_asset!("a.txt.sigstore").trim_end();
+ let bundle: Bundle = serde_json::from_str(input).expect("failed to deserialize Bundle!");
+
+ // Re-serialize bundle with our python-like formatter.
+ let formatter = SpaceSeparatorFormatter {};
+ let mut result = Vec::new();
+ let mut ser = serde_json::Serializer::with_formatter(&mut result, formatter);
+ serde::Serialize::serialize(&bundle, &mut ser).expect("failed to re-serialize Bundle!");
+
+ // Notwithstanding the workarounds above, our serialized bundle should be
+ // byte-for-byte identical to the input bundle.
+ let result = std::str::from_utf8(&result).unwrap();
+ assert_eq!(
+ input,
+ &result[..],
+ "re-serialized Bundle does not match original!"
+ );
+}
diff --git a/gen/pb-rust/sigstore-protobuf-specs/tests/unit.rs b/gen/pb-rust/sigstore-protobuf-specs/tests/unit.rs
new file mode 100644
index 00000000..3f4f4b21
--- /dev/null
+++ b/gen/pb-rust/sigstore-protobuf-specs/tests/unit.rs
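Review bot: `write_string_fragment` only rewrites U+2014, so the "python-like" formatter reproduces Python's `ensure_ascii` output for this one fixture; the first bundle whose checkpoint or certificate text contains any other non-ASCII code point (or DEL, which Python also escapes) will make `bundle_roundtrip` fail for a formatting reason rather than a serialization bug. If the intent is to mirror `json.dumps` defaults, escaping every character outside printable ASCII as `\uXXXX` (lowercase hex, surrogate pairs above the BMP) makes the formatter fixture-independent; a version is sketched below. `SpaceSeparatorFormatter {}` on a unit struct reads more naturally as `SpaceSeparatorFormatter`, and the byte-for-byte assertion is worth a comment saying it is also what catches silently dropped unknown fields, since that is the property a bundle re-serializer must not lose.
```rust
    fn write_string_fragment<W>(&mut self, writer: &mut W, fragment: &str) -> io::Result<()>
    where
        W: ?Sized + io::Write,
    {
        // Mirror Python's json.dumps(ensure_ascii=True): anything outside
        // printable ASCII becomes \uXXXX (two escapes for a surrogate pair),
        // not only U+2014. serde_json unescapes it on the way back in.
        for c in fragment.chars() {
            if (' '..='~').contains(&c) {
                writer.write_all(&[c as u8])?;
            } else {
                let mut units = [0u16; 2];
                for unit in c.encode_utf16(&mut units) {
                    write!(writer, "\\u{unit:04x}")?;
                }
            }
        }
        Ok(())
    }
```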
@@ -0,0 +1,68 @@
+use sigstore_protobuf_specs::dev::sigstore::common::v1::{HashOutput, LogId, MessageSignature};
+
+/// HashOutput, a structure using only primitive types
+#[test]
+fn primitives() {
+ let hash_output_json = r#"{"digest":"AQID"}"#;
+ let hash_output_rs = HashOutput {
+ algorithm: 0i32,
+ digest: vec![1u8, 2u8, 3u8],
+ };
+
+ let serialize = serde_json::to_string(&hash_output_rs);
+ assert!(serialize.is_ok());
+ assert_eq!(serialize.unwrap(), hash_output_json);
+
+ let deserialize = serde_json::from_str::(hash_output_json);
+ assert!(deserialize.is_ok());
+ assert_eq!(deserialize.unwrap(), hash_output_rs);
+}
+
+/// LogId, a structure with a field using camelCase
+#[test]
+fn camel_case() {
+ let log_id_json = r#"{"keyId":"AA=="}"#;
+ let log_id_rs = LogId { key_id: vec![0] };
+
+ let serialize = serde_json::to_string(&log_id_rs);
+ assert!(serialize.is_ok());
+ assert_eq!(serialize.unwrap(), log_id_json);
+
+ let deserialize = serde_json::from_str::(log_id_json);
+ assert!(deserialize.is_ok());
+ assert_eq!(deserialize.unwrap(), log_id_rs);
+}
+
+/// MessageSignature, nested structure
+#[test]
+fn nested() {
+ let message_signature_json = r#"{
+ "messageDigest": {
+ "algorithm": "SHA2_256",
+ "digest": "AQID"
+ },
+ "signature": "AQ=="
+ }"#;
+
+ let message_signature_rs = MessageSignature {
+ message_digest: Some(HashOutput {
+ algorithm: 1i32,
+ digest: vec![1u8, 2u8, 3u8],
+ }),
+ signature: vec![1u8],
+ };
+
+ let serialize = serde_json::to_string(&message_signature_rs);
+ assert!(serialize.is_ok());
+ assert_eq!(
+ serialize.unwrap(),
+ message_signature_json
+ .chars()
+ .filter(|c| !c.is_whitespace())
+ .collect::()
+ );
+
+ let deserialize = serde_json::from_str::(&message_signature_json);
+ assert!(deserialize.is_ok());
+ assert_eq!(deserialize.unwrap(), message_signature_rs);
+}
diff --git a/gen/pb-rust/src/lib.rs b/gen/pb-rust/src/lib.rs
deleted file mode 100644
index 33a379d6..00000000
--- a/gen/pb-rust/src/lib.rs
+++ /dev/null
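Review bot: every `assert!(x.is_ok()); x.unwrap()` pair in these three tests discards the serde error, so a regression reports only `assertion failed: deserialize.is_ok()` with no hint of which field or byte failed; `let deserialize = serde_json::from_str::<HashOutput>(hash_output_json).expect("deserialize HashOutput");` keeps the message and drops a line per case. All three tests feed well-formed input only; because these types are the parsed form of verification material, a negative case asserting that an unrecognised `algorithm` name (a constructed value such as `"NOT_A_HASH_ALGORITHM"`) is rejected rather than coerced to the `0` / UNSPECIFIED value would pin the behaviour that actually matters for consumers. `primitives` silently depends on `algorithm: 0` being omitted from the output (the expected JSON has no `algorithm` key); a comment such as `// the default enum value (0, UNSPECIFIED) is omitted on serialization` would make that intent explicit. `nested` compares after stripping all whitespace from the expected literal, which works only while no string value contains a space — a note to that effect would stop someone from adding one.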
@@ -1,25 +0,0 @@ -/// NOTE(jleightcap): a method to include all JSON schemas is not immediately obvious to me: -/// -/// - `schemafy!` is a direct 1:1 compilation to Rust structures of each definition in "defintions", -/// - each schema is 'standalone': including definitions of all it's dependencies, -/// as a result, the Rust generated structures have name collisions if included in the same module scope. -/// -/// prefixing works, -/// -/// ```ignore -/// mod CertificateIdentity { -/// schemafy::schemafy!("schemas/CertificateIdentity.shema.json") -/// } -/// mod CertificateIdentities { -/// schemafy::schemafy!("schemas/CertificateIdentities.schema.json") -/// } -/// ``` -/// but is clunky to use and manual to generate. -/// -/// a more general approach is to 'flatten' each JSON Schema, -/// unioning all of the "defintions" fields. -/// -/// Since standardized bundles is the singular motiviation for these Rust bindings, -/// for now we're punting this issue. -use serde::{Deserialize, Serialize}; -schemafy::schemafy!("schemas/Bundle.schema.json"); diff --git a/gen/pb-rust/tests/bundle.txt.sigstore b/gen/pb-rust/tests/bundle.txt.sigstore deleted file mode 100644 index fac453e0..00000000 --- a/gen/pb-rust/tests/bundle.txt.sigstore +++ /dev/null 
@@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", "verificationMaterial": {"x509CertificateChain": {"certificates": [{"rawBytes": "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"}]}, "tlogEntries": [{"logIndex": "7390977", "logId": {"keyId": "0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1682468469", "inclusionPromise": {"signedEntryTimestamp": "MEUCICSJs5PgN4W3Lku3ybrwfNLAKMWaOvffg2tnqm19VrWEAiEA16MVPsWDoaAljsxGefpQazpvYfs1pv8lzdgZQ0I4rH0="}, "inclusionProof": {"logIndex": "7376158", "rootHash": "LE67t2Zlc0g35az81xMg0cgM2DULj8fNsGGHTcRthcs=", "treeSize": "7376159", "hashes": ["zgesNHwk09VvW4IDaPrJMtX59glNyyLPzeJO1Gw1hCI=", "lJiFr9ZP5FO8BjqLAUQ16A/0/LoOOQ0gfeNhdxaxO2w=", "sMImd51DBHQnH1tz4sGk8gXB+FjWyusVXbP0GmpFnB4=", "cDU1nEpl0WCRlxLi/gNVzykDzobU4qG/7BQZxn0qDgU=", "4CRqWzG3qpxKvlHuZg5O6QjQiwOzerbjwsAh30EVlA8=", "Ru0p3GE/zB2zub2/xR5rY/aM4J+5VJmiIuIl2enF/ws=", "2W+NG5yGR68lrLGcw4gn9CSCfeQF98d3LMfdo8tPyok=", "bEs1eYxy9R6hR2veGEwYW4PEdrZKrdqZ7uDlmmNtlas=", "sgQMnwcK7VxxAi+fygxq8iJ+zWqShjXm07/AWobWcXU=", "y4BESazXFcefRzxpN1PfJHoqRaKnPJPM5H/jotx0QY8=", "xiNEdLOpmGQERCR+DCEFVRK+Ns6G0BLV9M6sQQkRhik="], "checkpoint": {"envelope": "rekor.sigstage.dev - 8050909264565447525\n7376159\nLE67t2Zlc0g35az81xMg0cgM2DULj8fNsGGHTcRthcs=\nTimestamp: 1682468469199678948\n\n\u2014 rekor.sigstage.dev 0y8wozBEAiBbAodz3dBqJjGMhnZEkbaTDVxc8+tBEPKbaWUZoqxFvwIgGtYzFgFaM3UXBRHmzgmcrCxA145dpQ2YD0yFqiPHO7U=\n"}}, "canonicalizedBody": "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"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "gC3WD/iDM4AvJYXnMEO9IcNBKF4Zkv5bMXVeHK3q4w4="}, "signature": "MGUCMQCOOJqTY6XWgB64izK2WVP07b0SG9M5WPCwKhfTPwMvtsgUi8KeRGwQkvvLYbKHdqUCMEbOXFG0NMqEQxWVb6rmGnexdADuGf6Jl8qAC8tn67p3QfVoXzMvFA61PzxwVwvb8g=="}} 
diff --git a/gen/pb-rust/tests/integration.rs b/gen/pb-rust/tests/integration.rs deleted file mode 100644 index 99760fc3..00000000 --- a/gen/pb-rust/tests/integration.rs +++ /dev/null 
@@ -1,85 +0,0 @@ -use pretty_assertions::assert_eq; -use serde_json; -use sigstore_protobuf_specs::{ - Bundle, DevSigstoreBundleV1VerificationMaterial as VerificationMaterial, - DevSigstoreCommonV1HashOutput as HashOutput, DevSigstoreCommonV1LogId as LogId, - DevSigstoreCommonV1MessageSignature as MessageSignature, - DevSigstoreCommonV1X509Certificate as X509Certificate, - DevSigstoreCommonV1X509CertificateChain as X509CertificateChain, - DevSigstoreRekorV1Checkpoint as Checkpoint, - DevSigstoreRekorV1InclusionPromise as InclusionPromise, - DevSigstoreRekorV1InclusionProof as InclusionProof, - DevSigstoreRekorV1KindVersion as KindVersion, - DevSigstoreRekorV1TransparencyLogEntry as TransparencyLogEntry, -}; - -#[test] -fn bundle() { - let bundle_json = std::fs::read_to_string("tests/bundle.txt.sigstore").unwrap(); - let bundle = serde_json::from_str::(&bundle_json); - - assert!(bundle.is_ok()); - assert_eq!( - bundle.unwrap(), - Bundle { - media_type: Some(String::from("application/vnd.dev.sigstore.bundle+json;version=0.1")), - verification_material: Some(VerificationMaterial{ - public_key: None, - certificate: None, - x_509_certificate_chain: Some(X509CertificateChain{ - certificates: Some(vec![ - X509Certificate{ - raw_bytes: Some(String::from("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")) - } - ]), - }), - tlog_entries: Some(vec![ - TransparencyLogEntry{ - log_index: Some(String::from("7390977")), - log_id: Some(LogId{ - key_id: Some(String::from("0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY=")) - }), - kind_version: Some(KindVersion{ - kind: Some(String::from("hashedrekord")), - version: Some(String::from("0.0.1")) - }), - integrated_time: Some(String::from("1682468469")), - inclusion_promise: Some(InclusionPromise{ - signed_entry_timestamp: Some(String::from("MEUCICSJs5PgN4W3Lku3ybrwfNLAKMWaOvffg2tnqm19VrWEAiEA16MVPsWDoaAljsxGefpQazpvYfs1pv8lzdgZQ0I4rH0=")) - }), - inclusion_proof: Some(InclusionProof{ - log_index: Some(String::from("7376158")), - 
root_hash: Some(String::from("LE67t2Zlc0g35az81xMg0cgM2DULj8fNsGGHTcRthcs=")), - tree_size: Some(String::from("7376159")), - hashes: Some(vec![ - String::from("zgesNHwk09VvW4IDaPrJMtX59glNyyLPzeJO1Gw1hCI="), - String::from("lJiFr9ZP5FO8BjqLAUQ16A/0/LoOOQ0gfeNhdxaxO2w="), - String::from("sMImd51DBHQnH1tz4sGk8gXB+FjWyusVXbP0GmpFnB4="), - String::from("cDU1nEpl0WCRlxLi/gNVzykDzobU4qG/7BQZxn0qDgU="), - String::from("4CRqWzG3qpxKvlHuZg5O6QjQiwOzerbjwsAh30EVlA8="), - String::from("Ru0p3GE/zB2zub2/xR5rY/aM4J+5VJmiIuIl2enF/ws="), - String::from("2W+NG5yGR68lrLGcw4gn9CSCfeQF98d3LMfdo8tPyok="), - String::from("bEs1eYxy9R6hR2veGEwYW4PEdrZKrdqZ7uDlmmNtlas="), - String::from("sgQMnwcK7VxxAi+fygxq8iJ+zWqShjXm07/AWobWcXU="), - String::from("y4BESazXFcefRzxpN1PfJHoqRaKnPJPM5H/jotx0QY8="), - String::from("xiNEdLOpmGQERCR+DCEFVRK+Ns6G0BLV9M6sQQkRhik=") - ]), - checkpoint: Some(Checkpoint{ - envelope: Some(String::from("rekor.sigstage.dev - 8050909264565447525\n7376159\nLE67t2Zlc0g35az81xMg0cgM2DULj8fNsGGHTcRthcs=\nTimestamp: 1682468469199678948\n\n\u{2014} rekor.sigstage.dev 0y8wozBEAiBbAodz3dBqJjGMhnZEkbaTDVxc8+tBEPKbaWUZoqxFvwIgGtYzFgFaM3UXBRHmzgmcrCxA145dpQ2YD0yFqiPHO7U=\n")) - }), - }), - canonicalized_body: Some(String::from("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")) - } - ]), - timestamp_verification_data: None, - }), - message_signature: Some(MessageSignature { - message_digest: Some(HashOutput{ - algorithm: Some(String::from("SHA2_256")), - digest: Some(String::from("gC3WD/iDM4AvJYXnMEO9IcNBKF4Zkv5bMXVeHK3q4w4=")) - }), - signature: Some(String::from("MGUCMQCOOJqTY6XWgB64izK2WVP07b0SG9M5WPCwKhfTPwMvtsgUi8KeRGwQkvvLYbKHdqUCMEbOXFG0NMqEQxWVb6rmGnexdADuGf6Jl8qAC8tn67p3QfVoXzMvFA61PzxwVwvb8g==")) - }), - dsse_envelope: None - }); -} diff --git a/gen/pb-rust/tests/unit.rs b/gen/pb-rust/tests/unit.rs deleted file mode 100644 index f6346a4e..00000000 --- a/gen/pb-rust/tests/unit.rs +++ /dev/null 
@@ -1,39 +0,0 @@ -use sigstore_protobuf_specs::{ - DevSigstoreCommonV1HashOutput as HashOutput, - DevSigstoreCommonV1MessageSignature as MessageSignature, -}; - -/// HashOutput, a structure using only primitive types -#[test] -fn primitives() { - let hash_output = HashOutput { - algorithm: Some(String::from("SHA2_256")), - digest: Some(String::from("gC3WD/iDM4AvJYXnMEO9IcNBKF4Zkv5bMXVeHK3q4w4=")), - }; - - assert_eq!( - hash_output, - serde_json::to_string(&hash_output) - .and_then(|s| serde_json::from_str(&s)) - .unwrap() - ) -} - -/// MessageSignature, nested structure -#[test] -fn nested() { - let message_signature= MessageSignature { - message_digest: Some(HashOutput { - algorithm: Some(String::from("SHA_256")), - digest: Some(String::from("gC3WD/iDM4AvJYXnMEO9IcNBKF4Zkv5bMXVeHK3q4w4=")), - }), - signature: Some(String::from("MGUCMQCOOJqTY6XWgB64izK2WVP07b0SG9M5WPCwKhfTPwMvtsgUi8KeRGwQkvvLYbKHdqUCMEbOXFG0NMqEQxWVb6rmGnexdADuGf6Jl8qAC8tn67p3QfVoXzMvFA61PzxwVwvb8g==")) - }; - - assert_eq!( - message_signature, - serde_json::to_string(&message_signature) - .and_then(|s| serde_json::from_str(&s)) - .unwrap() - ) -}