├── .gitignore ├── gen ├── pb-rust │ ├── .gitignore │ ├── sigstore-protobuf-specs │ │ ├── assets │ │ │ ├── a.txt │ │ │ └── a.txt.sigstore │ │ ├── src │ │ │ ├── generated │ │ │ │ ├── file_descriptor_set.bin │ │ │ │ ├── mod.rs │ │ │ │ ├── io.intoto.rs │ │ │ │ ├── dev.sigstore.events.v1.rs │ │ │ │ └── google.api.rs │ │ │ └── lib.rs │ │ ├── Cargo.toml │ │ └── tests │ │ │ ├── unit.rs │ │ │ └── integration.rs │ ├── Cargo.toml │ ├── README.md │ ├── sigstore-protobuf-specs-codegen │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ └── sigstore-protobuf-specs-derive │ │ ├── Cargo.toml │ │ └── src │ │ └── lib.rs ├── pb-python │ ├── sigstore_protobuf_specs │ │ ├── py.typed │ │ ├── __init__.py │ │ ├── dev │ │ │ ├── __init__.py │ │ │ └── sigstore │ │ │ │ ├── __init__.py │ │ │ │ ├── rekor │ │ │ │ ├── __init__.py │ │ │ │ └── v2 │ │ │ │ │ └── __init__.py │ │ │ │ ├── bundle │ │ │ │ ├── __init__.py │ │ │ │ └── v1 │ │ │ │ │ └── __init__.py │ │ │ │ ├── common │ │ │ │ └── __init__.py │ │ │ │ ├── events │ │ │ │ ├── __init__.py │ │ │ │ └── v1 │ │ │ │ │ └── __init__.py │ │ │ │ ├── trustroot │ │ │ │ └── __init__.py │ │ │ │ └── verification │ │ │ │ └── __init__.py │ │ ├── io │ │ │ ├── __init__.py │ │ │ └── intoto │ │ │ │ └── __init__.py │ │ └── google │ │ │ ├── __init__.py │ │ │ └── api │ │ │ └── __init__.py │ ├── README.md │ ├── Makefile │ └── pyproject.toml ├── pb-typescript │ ├── .gitignore │ ├── README.md │ ├── tsconfig.json │ ├── src │ │ ├── rekor │ │ │ └── v2 │ │ │ │ └── index.ts │ │ ├── index.ts │ │ └── __generated__ │ │ │ ├── rekor │ │ │ └── v2 │ │ │ │ ├── dsse.ts │ │ │ │ ├── hashedrekord.ts │ │ │ │ ├── verifier.ts │ │ │ │ └── entry.ts │ │ │ ├── envelope.ts │ │ │ └── google │ │ │ ├── api │ │ │ └── field_behavior.ts │ │ │ └── protobuf │ │ │ ├── any.ts │ │ │ └── timestamp.ts │ ├── package.json │ └── package-lock.json └── pb-ruby │ ├── lib │ ├── sigstore_protobuf_specs │ │ └── version.rb │ ├── sigstore_protobuf_specs.rb │ ├── envelope_pb.rb │ ├── rekor │ │ └── v2 │ │ │ ├── dsse_pb.rb │ 
│ │ ├── hashedrekord_pb.rb │ │ │ ├── verifier_pb.rb │ │ │ └── entry_pb.rb │ ├── events_pb.rb │ ├── sigstore_bundle_pb.rb │ ├── sigstore_rekor_pb.rb │ ├── sigstore_trustroot_pb.rb │ ├── sigstore_verification_pb.rb │ └── sigstore_common_pb.rb │ ├── README.md │ └── sigstore_protobuf_specs.gemspec ├── CODEOWNERS ├── java ├── gradle.properties ├── .gitignore ├── gradle │ └── wrapper │ │ ├── gradle-wrapper.jar │ │ └── gradle-wrapper.properties ├── .gitattributes ├── settings.gradle.kts ├── README.md ├── gradlew.bat └── build.gradle.kts ├── .gitattributes ├── protoc-builder ├── hack │ ├── dev-requirements.txt │ ├── Dockerfile.protobuf │ ├── package.json │ └── go │ │ ├── go.mod │ │ └── go.sum ├── Dockerfile.ruby ├── Dockerfile.rust ├── Dockerfile.services ├── Dockerfile.python ├── Dockerfile.go ├── Dockerfile.typescript ├── versions.mk └── Dockerfile.protoc ├── service-protos ├── README.md ├── sync-rekor-tiles.sh └── rekor │ └── v2 │ ├── hashedrekord.proto │ ├── dsse.proto │ ├── verifier.proto │ └── entry.proto ├── go.mod ├── .github ├── workflows │ ├── gradle-wrapper-validation.yml │ ├── python-release.yml │ ├── rust-release.yml │ ├── generate.yml │ ├── java-build.yml │ ├── ruby-build.yml │ ├── python-build.yml │ ├── typescript-build.yml │ ├── typescript-publish.yml │ ├── protobuf-update.yml │ ├── rust-build.yml │ ├── ruby-release.yml │ ├── container-release.yml │ ├── java-release.yml │ └── googleapis-update.yml ├── ISSUE_TEMPLATE │ └── release-checklist.md └── dependabot.yml ├── COPYRIGHT.txt ├── go.sum ├── protos ├── envelope.proto └── events.proto ├── README.md ├── CODE_OF_CONDUCT.md └── RELEASE.md /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | -------------------------------------------------------------------------------- /gen/pb-rust/.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | 
-------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/py.typed: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @sigstore/protobuf-specs-codeowners 2 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/dev/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/io/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/google/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /gen/pb-typescript/.gitignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | node_modules/ 3 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/dev/sigstore/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/__init__.py: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /java/gradle.properties: -------------------------------------------------------------------------------- 1 | group=dev.sigstore 2 | version=SNAPSHOT 3 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/dev/sigstore/events/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.pb.go linguist-generated 2 | /gen/** linguist-generated 3 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/dev/sigstore/verification/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /java/.gitignore: -------------------------------------------------------------------------------- 1 | .gradle 2 | /build 3 | 4 | !gradle-wrapper.jar 5 | 
6 | /.idea 7 | 8 | -------------------------------------------------------------------------------- /protoc-builder/hack/dev-requirements.txt: -------------------------------------------------------------------------------- 1 | betterproto[compiler]==2.0.0b7 2 | mypy-protobuf==3.6.0 3 | -------------------------------------------------------------------------------- /java/gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/protobuf-specs/HEAD/java/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/assets/a.txt: -------------------------------------------------------------------------------- 1 | DO NOT MODIFY ME! 2 | 3 | this is "a.txt", a sample input for sigstore-protobuf-specs' test suite. 4 | 5 | DO NOT MODIFY ME! 6 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/protobuf-specs/HEAD/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin -------------------------------------------------------------------------------- /service-protos/README.md: -------------------------------------------------------------------------------- 1 | ## Service Protos 2 | 3 | A mirror of proto definitions from various sigstore services 4 | - `./rekor/v2`: `https://github.com/sigstore/rekor-tiles/api/proto/"rekor/v2/*.proto"` 5 | -------------------------------------------------------------------------------- /gen/pb-rust/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | resolver = "2" 3 | members = [ 4 | "sigstore-protobuf-specs", 5 | "sigstore-protobuf-specs-codegen", 6 | 
"sigstore-protobuf-specs-derive", 7 | ] 8 | license = "Apache-2.0" 9 | -------------------------------------------------------------------------------- /gen/pb-typescript/README.md: -------------------------------------------------------------------------------- 1 | # @sigstore/protobuf-specs 2 | 3 | TypeScript language bindings for Sigstore's protobuf specs. 4 | 5 | See the [repository's README](https://github.com/sigstore/protobuf-specs) for more information. 6 | -------------------------------------------------------------------------------- /gen/pb-rust/README.md: -------------------------------------------------------------------------------- 1 | sigstore-protobuf-specs 2 | ======================= 3 | 4 | Rust language bindings for Sigstore's protobuf specs. 5 | 6 | See the [sigstore's protobuf-specs](https://github.com/sigstore/protobuf-specs) 7 | for more information. 8 | -------------------------------------------------------------------------------- /gen/pb-python/README.md: -------------------------------------------------------------------------------- 1 | sigstore-protobuf-specs 2 | ======================= 3 | 4 | These are the Python language bindings for Sigstore's protobuf specs. 5 | 6 | See the [repository's README](https://github.com/sigstore/protobuf-specs) 7 | for more information. 
8 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/src/lib.rs: -------------------------------------------------------------------------------- 1 | static FILE_DESCRIPTOR_SET_BYTES: &'static [u8] = include_bytes!(concat!( 2 | env!("CARGO_MANIFEST_DIR"), 3 | "/src/generated/file_descriptor_set.bin" 4 | )); 5 | 6 | mod generated; 7 | pub use generated::*; 8 | -------------------------------------------------------------------------------- /java/.gitattributes: -------------------------------------------------------------------------------- 1 | # 2 | # https://help.github.com/articles/dealing-with-line-endings/ 3 | # 4 | # Linux start script should use lf 5 | /gradlew text eol=lf 6 | 7 | # These are Windows script files and should use crlf 8 | *.bat text eol=crlf 9 | 10 | -------------------------------------------------------------------------------- /gen/pb-typescript/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": "@tsconfig/node18/tsconfig.json", 3 | "compilerOptions": { 4 | "declaration": true, 5 | "noImplicitAny": true, 6 | "outDir": "./dist" 7 | }, 8 | "include": ["src/**/*"], 9 | "exclude": ["node_modules"] 10 | } 11 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs-codegen/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "sigstore-protobuf-specs-codegen" 3 | version = "0.0.1" 4 | edition = "2021" 5 | 6 | [dependencies] 7 | anyhow = "1.0.100" 8 | glob = "0.3" 9 | prost-build = "0.14.1" 10 | prost-reflect-build = "0.16.0" 11 | which = "8.0.0" 12 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/sigstore/protobuf-specs 2 | 3 | go 1.23 4 | 5 | 
require ( 6 | google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e 7 | google.golang.org/protobuf v1.36.10 8 | ) 9 | 10 | require google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 // indirect 11 | -------------------------------------------------------------------------------- /java/gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionBase=GRADLE_USER_HOME 2 | distributionPath=wrapper/dists 3 | distributionUrl=https\://services.gradle.org/distributions/gradle-9.2.0-bin.zip 4 | networkTimeout=10000 5 | validateDistributionUrl=true 6 | zipStoreBase=GRADLE_USER_HOME 7 | zipStorePath=wrapper/dists 8 | -------------------------------------------------------------------------------- /protoc-builder/hack/Dockerfile.protobuf: -------------------------------------------------------------------------------- 1 | # This Dockerfile exists to allow Dependabot to watch Homebrew builds of protobuf for triggering updates 2 | # We don't actually use the content of this image in the repo, as this is a dynamically linked version of protoc 3 | FROM ghcr.io/homebrew/core/protobuf:33.1@sha256:c838ca2ff1fd9eebb2bc7d0eeaad0498192a3e904aea3bae94a35d87df35ad9c 4 | -------------------------------------------------------------------------------- /protoc-builder/Dockerfile.ruby: -------------------------------------------------------------------------------- 1 | FROM gcr.io/distroless/static-debian13:nonroot@sha256:423ba16a9ec162509175cb6904f703d3c8a5a3a58cff9b0b4fb2684bb74162c5 2 | 3 | COPY --from=protoc-base:ruby /protobuf/bin/protoc /usr/local/bin/ 4 | COPY --from=protoc-base:ruby /protobuf/include/google /opt/include/google 5 | COPY --from=protoc-base:ruby /googleapis /googleapis 6 | 7 | ENTRYPOINT [ "/usr/local/bin/protoc" ] 8 | -------------------------------------------------------------------------------- /protoc-builder/hack/package.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "hack", 3 | "description": "hack to leverage dependabot updates for protobuf typescript generation utilities", 4 | "version": "0.0.1", 5 | "dependencies": { 6 | "grpc_tools_node_protoc_ts": "5.3.3", 7 | "grpc-tools": "1.13.0", 8 | "protoc-gen-grpc-web": "1.5.0", 9 | "ts-proto": "2.8.3" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /java/settings.gradle.kts: -------------------------------------------------------------------------------- 1 | /* 2 | * This file was generated by the Gradle 'init' task. 3 | * 4 | * The settings file is used to specify which projects to include in your build. 5 | * 6 | * Detailed information about configuring a multi-project build in Gradle can be found 7 | * in the user manual at https://docs.gradle.org/7.5.1/userguide/multi_project_builds.html 8 | */ 9 | 10 | rootProject.name = "protobuf-specs" 11 | -------------------------------------------------------------------------------- /protoc-builder/Dockerfile.rust: -------------------------------------------------------------------------------- 1 | FROM rust:1.91.1@sha256:4a29b0db5c961cd530f39276ece3eb6e66925b59599324c8c19723b72a423615 2 | 3 | COPY --from=protoc-base:rust /protobuf/bin/protoc /usr/local/bin/ 4 | COPY --from=protoc-base:rust /protobuf/include/google /opt/include/google 5 | COPY --from=protoc-base:rust /googleapis /googleapis 6 | 7 | # this is not protoc because we will call Rust's prost crate to do the compilation 8 | ENTRYPOINT [ "/bin/bash" ] 9 | -------------------------------------------------------------------------------- /gen/pb-python/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all 2 | all: 3 | @echo "Run my targets individually!" 
4 | 5 | env/pyvenv.cfg: pyproject.toml 6 | # Create our Python 3 virtual environment 7 | rm -rf env 8 | python3 -m venv env 9 | ./env/bin/python -m pip install --upgrade pip 10 | ./env/bin/python -m pip install -e .[dev] 11 | 12 | .PHONY: dev 13 | dev: env/pyvenv.cfg 14 | 15 | .PHONY: package 16 | package: env/pyvenv.cfg 17 | ./env/bin/python -m build 18 | -------------------------------------------------------------------------------- /.github/workflows/gradle-wrapper-validation.yml: -------------------------------------------------------------------------------- 1 | name: "Validate Gradle Wrapper" 2 | on: [push, pull_request] 3 | 4 | permissions: {} 5 | 6 | jobs: 7 | validation: 8 | name: "Validation" 9 | runs-on: ubuntu-latest 10 | permissions: 11 | contents: read 12 | 13 | steps: 14 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 15 | with: 16 | persist-credentials: false 17 | - uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0 18 | -------------------------------------------------------------------------------- /COPYRIGHT.txt: -------------------------------------------------------------------------------- 1 | 2 | Copyright 2022 The Sigstore Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | -------------------------------------------------------------------------------- /protoc-builder/Dockerfile.services: -------------------------------------------------------------------------------- 1 | ARG GO_BASE # no default 2 | 3 | FROM ${GO_BASE} 4 | 5 | COPY /protos /protobuf-specs 6 | COPY --from=protoc-base:go /grpc-gateway /grpc-gateway 7 | 8 | # just add the plugins for grpc-gateway and openapiv2 into the entrypoint 9 | ENTRYPOINT ["/usr/local/bin/protoc", \ 10 | "--plugin=protoc-gen-go=/usr/local/bin/protoc-gen-go", \ 11 | "--plugin=protoc-gen-go-grpc=/usr/local/bin/protoc-gen-go-grpc", \ 12 | "--plugin=protoc-gen-grpc-gateway=/usr/local/bin/protoc-gen-grpc-gateway", \ 13 | "--plugin=protoc-gen-openapiv2=/usr/local/bin/protoc-gen-openapiv2" \ 14 | ] 15 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs-derive/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "sigstore-protobuf-specs-derive" 3 | version = "0.0.1" 4 | edition = "2021" 5 | authors = ["Sigstore Authors "] 6 | homepage = "https://github.com/sigstore/protobuf-specs" 7 | repository = "https://github.com/sigstore/protobuf-specs" 8 | description = "Derive macros for sigstore-protobuf-specs. This is an implementation detail, you do not need this dependency." 
9 | readme = "../README.md" 10 | license = "Apache-2.0" 11 | keywords = ["sigstore"] 12 | 13 | [dependencies] 14 | syn = "2.0" 15 | quote = "1.0" 16 | 17 | [lib] 18 | proc-macro = true 19 | -------------------------------------------------------------------------------- /protoc-builder/Dockerfile.python: -------------------------------------------------------------------------------- 1 | FROM python:3.14.0-alpine@sha256:8373231e1e906ddfb457748bfc032c4c06ada8c759b7b62d9c73ec2a3c56e710 2 | 3 | RUN pip3 install --upgrade --quiet pip 4 | 5 | # the specific versions of python protobuf tools are in hack/dev-requirements.txt so that Dependabot can bump them for updates 6 | ADD hack/dev-requirements.txt . 7 | 8 | RUN pip3 install -r dev-requirements.txt 9 | 10 | COPY --from=protoc-base:python /protobuf/bin/protoc /usr/local/bin/ 11 | COPY --from=protoc-base:python /protobuf/include/google /opt/include/google 12 | COPY --from=protoc-base:python /googleapis /googleapis 13 | 14 | ENTRYPOINT ["/usr/local/bin/protoc" ] 15 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | # Copyright 2023 The Sigstore Authors. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | module Dev 18 | module Sigstore 19 | VERSION = '0.5.0' 20 | end 21 | end 22 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= 2 | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= 3 | google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIYWHqOUZ1pva5qK/rwbIhoXEUB9Lu8= 4 | google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y= 5 | google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e h1:z3vDksarJxsAKM5dmEGv0GHwE2hKJ096wZra71Vs4sw= 6 | google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= 7 | google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= 8 | google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= 9 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/sigstore_protobuf_specs.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | # Copyright 2023 The Sigstore Authors. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | require_relative 'sigstore_protobuf_specs/version' 18 | Dir['*_pb.rb', base: __dir__].each { |file| require_relative file } 19 | -------------------------------------------------------------------------------- /protoc-builder/Dockerfile.go: -------------------------------------------------------------------------------- 1 | FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS go-builder 2 | 3 | ADD hack/go/go.* tools/ 4 | 5 | # the specific versions of these tools are in hack/go.mod so that Dependabot can bump them for updates 6 | RUN cd tools && GOBIN=/go/tools go install tool 7 | 8 | FROM gcr.io/distroless/static-debian13:nonroot@sha256:423ba16a9ec162509175cb6904f703d3c8a5a3a58cff9b0b4fb2684bb74162c5 9 | 10 | COPY --from=go-builder /go/tools/protoc-* /usr/local/bin/ 11 | COPY --from=protoc-base:go /protobuf/bin/protoc /usr/local/bin/ 12 | COPY --from=protoc-base:go /protobuf/include/google /opt/include/google 13 | COPY --from=protoc-base:go /googleapis /googleapis 14 | 15 | ENTRYPOINT ["/usr/local/bin/protoc", "--plugin=protoc-gen-go=/usr/local/bin/protoc-gen-go", "--plugin=protoc-gen-go-grpc=/usr/local/bin/protoc-gen-go-grpc"] 16 | -------------------------------------------------------------------------------- /gen/pb-typescript/src/rekor/v2/index.ts: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2025 The Sigstore Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | export * from '../../__generated__/rekor/v2/dsse'; 17 | export * from '../../__generated__/rekor/v2/entry'; 18 | export * from '../../__generated__/rekor/v2/hashedrekord'; 19 | export * from '../../__generated__/rekor/v2/verifier'; 20 | -------------------------------------------------------------------------------- /.github/workflows/python-release.yml: -------------------------------------------------------------------------------- 1 | on: 2 | push: 3 | tags: 4 | - 'release/python/v*' 5 | 6 | permissions: {} 7 | 8 | name: release Python package 9 | 10 | jobs: 11 | pypi: 12 | name: upload release to PyPI 13 | runs-on: ubuntu-latest 14 | permissions: 15 | contents: read 16 | id-token: write # required for trusted publishing to PyPI 17 | 18 | steps: 19 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 20 | with: 21 | persist-credentials: false 22 | 23 | - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 24 | with: 25 | python-version: "3.x" 26 | 27 | - name: build 28 | run: | 29 | cd gen/pb-python/ 30 | make package 31 | 32 | - name: publish 33 | uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 34 | with: 35 | packages-dir: gen/pb-python/dist/ 36 | -------------------------------------------------------------------------------- /gen/pb-typescript/src/index.ts: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2023 The Sigstore Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | export * from './__generated__/envelope'; 17 | export * from './__generated__/sigstore_bundle'; 18 | export * from './__generated__/sigstore_common'; 19 | export * from './__generated__/sigstore_rekor'; 20 | export * from './__generated__/sigstore_trustroot'; 21 | export * from './__generated__/sigstore_verification'; 22 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/envelope_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 
3 | # source: envelope.proto 4 | 5 | require 'google/protobuf' 6 | 7 | 8 | descriptor_data = "\n\x0e\x65nvelope.proto\x12\tio.intoto\"Z\n\x08\x45nvelope\x12\x0f\n\x07payload\x18\x01 \x01(\x0c\x12\x13\n\x0bpayloadType\x18\x02 \x01(\t\x12(\n\nsignatures\x18\x03 \x03(\x0b\x32\x14.io.intoto.Signature\"\'\n\tSignature\x12\x0b\n\x03sig\x18\x01 \x01(\x0c\x12\r\n\x05keyid\x18\x02 \x01(\tBDZ1github.com/sigstore/protobuf-specs/gen/pb-go/dsse\xea\x02\x0eSigstore::DSSEb\x06proto3" 9 | 10 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 11 | pool.add_serialized_file(descriptor_data) 12 | 13 | module Sigstore 14 | module DSSE 15 | Envelope = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("io.intoto.Envelope").msgclass 16 | Signature = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("io.intoto.Signature").msgclass 17 | end 18 | end 19 | -------------------------------------------------------------------------------- /gen/pb-typescript/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "@sigstore/protobuf-specs", 3 | "version": "0.5.0", 4 | "description": "code-signing for npm packages", 5 | "main": "dist/index.js", 6 | "types": "dist/index.d.ts", 7 | "exports": { 8 | ".": "./dist/index.js", 9 | "./rekor/v2": "./dist/rekor/v2/index.js" 10 | }, 11 | "scripts": { 12 | "build": "tsc" 13 | }, 14 | "repository": { 15 | "type": "git", 16 | "url": "git+https://github.com/sigstore/protobuf-specs.git" 17 | }, 18 | "files": [ 19 | "dist" 20 | ], 21 | "author": "bdehamer@github.com", 22 | "license": "Apache-2.0", 23 | "bugs": { 24 | "url": "https://github.com/sigstore/protobuf-specs/issues" 25 | }, 26 | "homepage": "https://github.com/sigstore/protobuf-specs#readme", 27 | "devDependencies": { 28 | "@tsconfig/node18": "^18.2.4", 29 | "@types/node": "^18.14.0", 30 | "typescript": "^5.7.2" 31 | }, 32 | "engines": { 33 | "node": "^18.17.0 || >=20.5.0" 34 | } 35 | } 36 | 
-------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "sigstore_protobuf_specs" 3 | version = "0.5.0" 4 | authors = ["Sigstore Authors "] 5 | edition = "2021" 6 | homepage = "https://github.com/sigstore/protobuf-specs" 7 | repository = "https://github.com/sigstore/protobuf-specs" 8 | description = "A library for serializing and deserializing Sigstore messages" 9 | readme = "../README.md" 10 | license = "Apache-2.0" 11 | keywords = ["sigstore"] 12 | categories = ["encoding", "parser-implementations"] 13 | 14 | [dependencies] 15 | prost-types = "0.14.1" 16 | prost = "0.14.1" 17 | prost-reflect = { version = "0.16.2", features = ["serde", "derive"] } 18 | serde = {version = "1.0", features = ["derive"]} 19 | serde_json = "1.0" 20 | sigstore-protobuf-specs-derive = { version = "0.0.1", path = "../sigstore-protobuf-specs-derive" } 21 | 22 | [build-dependencies] 23 | anyhow = "1.0.100" 24 | glob = "0.3" 25 | prost-build = "0.14.1" 26 | prost-reflect-build = "0.16.0" 27 | which = "8.0.0" 28 | -------------------------------------------------------------------------------- /protoc-builder/hack/go/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/sigstore/protobuf-specs/protoc-builder/hack/go 2 | 3 | go 1.24 4 | 5 | toolchain go1.24.0 6 | 7 | tool ( 8 | github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway 9 | github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 10 | google.golang.org/grpc/cmd/protoc-gen-go-grpc 11 | google.golang.org/protobuf/cmd/protoc-gen-go 12 | ) 13 | 14 | require ( 15 | github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect 16 | github.com/kr/text v0.2.0 // indirect 17 | github.com/rogpeppe/go-internal v1.14.1 // indirect 18 | golang.org/x/text v0.22.0 // indirect 19 | 
google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect 20 | google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect 21 | google.golang.org/grpc v1.70.0 // indirect 22 | google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect 23 | google.golang.org/protobuf v1.36.5 // indirect 24 | gopkg.in/yaml.v3 v3.0.1 // indirect 25 | ) 26 | -------------------------------------------------------------------------------- /gen/pb-ruby/README.md: -------------------------------------------------------------------------------- 1 | # sigstore_protobuf_specs 2 | 3 | These are the Ruby language bindings for Sigstore's protobuf specs. 4 | 5 | See the [repository's README](https://github.com/sigstore/protobuf-specs) 6 | for more information. 7 | 8 | ## Installation 9 | 10 | Add this line to your application's Gemfile: 11 | 12 | ```ruby 13 | gem 'sigstore_protobuf_specs' 14 | ``` 15 | 16 | And then execute: 17 | ```bash 18 | $ bundle install 19 | ``` 20 | Or install it yourself as: 21 | ```bash 22 | $ gem install sigstore_protobuf_specs 23 | ``` 24 | 25 | ## Usage 26 | 27 | Import all the bindings: 28 | 29 | ```ruby 30 | require 'sigstore_protobuf_specs' 31 | ``` 32 | 33 | Or you can import them individually: 34 | 35 | ```ruby 36 | require 'sigstore_bundle_pb' 37 | ``` 38 | 39 | See what is available in `gen/pb-ruby/lib/`. 40 | 41 | ## Releasing 42 | 43 | Make sure you update the version in `gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb`. 44 | 45 | A release will be built and automatically pushed to RubyGems when a tag in the 46 | format `release/ruby/v*` is created. 47 | 48 | Contact elfotografo007 for Gem ownership stuff. 49 | 50 | ## Contributing 51 | 52 | Bug reports and pull requests are welcome on GitHub at https://github.com/sigstore/protobuf-specs/issues. 
53 | 54 | -------------------------------------------------------------------------------- /protoc-builder/Dockerfile.typescript: -------------------------------------------------------------------------------- 1 | FROM node:25@sha256:7478f3725ef76ce6ba257a6818ea43c5eb7eb5bd424f0c3df3a80ff77203305e AS typescript-builder 2 | RUN mkdir /app 3 | COPY hack/package*.json /app 4 | WORKDIR /app 5 | 6 | # this flattens the node_modules in a way similar to the global install (which we'll (ab)use in a second) 7 | RUN npm ci --install-strategy=shallow 8 | 9 | # /usr/bin/env is called from ts-proto but not in distroless by default; we use busybox for this 10 | FROM gcr.io/distroless/base-debian13:debug-nonroot@sha256:8e839de96c6b6924577114e7a310020ca6dd715381f578a4cc916f110ac4dbbf AS env-source 11 | 12 | FROM gcr.io/distroless/nodejs24-debian13:nonroot@sha256:6a911c864ceb0c908d4043f2f4a0d49cb4a13ed2728561fee30c0696587466c4 13 | 14 | # node is installed in a non-default location in distroless 15 | ENV PATH=$PATH:/nodejs/bin 16 | 17 | COPY --from=typescript-builder /app/node_modules /usr/local/lib/node_modules 18 | COPY --from=env-source /busybox/busybox /usr/bin/env 19 | COPY --from=protoc-base:typescript /protobuf/bin/protoc /usr/local/bin/ 20 | COPY --from=protoc-base:typescript /protobuf/include/google /opt/include/google 21 | COPY --from=protoc-base:typescript /googleapis /googleapis 22 | 23 | ENTRYPOINT ["/usr/local/bin/protoc", "--plugin=/usr/local/lib/node_modules/ts-proto/protoc-gen-ts_proto" ] 24 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/src/generated/mod.rs: -------------------------------------------------------------------------------- 1 | // This file is @generated by prost-build. 
2 | pub mod dev { 3 | pub mod sigstore { 4 | pub mod bundle { 5 | pub mod v1 { 6 | include!("dev.sigstore.bundle.v1.rs"); 7 | } 8 | } 9 | pub mod common { 10 | pub mod v1 { 11 | include!("dev.sigstore.common.v1.rs"); 12 | } 13 | } 14 | pub mod events { 15 | pub mod v1 { 16 | include!("dev.sigstore.events.v1.rs"); 17 | } 18 | } 19 | pub mod rekor { 20 | pub mod v1 { 21 | include!("dev.sigstore.rekor.v1.rs"); 22 | } 23 | pub mod v2 { 24 | include!("dev.sigstore.rekor.v2.rs"); 25 | } 26 | } 27 | pub mod trustroot { 28 | pub mod v1 { 29 | include!("dev.sigstore.trustroot.v1.rs"); 30 | } 31 | } 32 | pub mod verification { 33 | pub mod v1 { 34 | include!("dev.sigstore.verification.v1.rs"); 35 | } 36 | } 37 | } 38 | } 39 | pub mod google { 40 | pub mod api { 41 | include!("google.api.rs"); 42 | } 43 | } 44 | pub mod io { 45 | pub mod intoto { 46 | include!("io.intoto.rs"); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /gen/pb-python/pyproject.toml: -------------------------------------------------------------------------------- 1 | [build-system] 2 | requires = ["flit_core >=3.2,<4"] 3 | build-backend = "flit_core.buildapi" 4 | 5 | [project] 6 | name = "sigstore-protobuf-specs" 7 | version = "0.5.0" 8 | description = "A library for serializing and deserializing Sigstore messages" 9 | readme = "README.md" 10 | license = { file = "LICENSE" } 11 | authors = [ 12 | { name = "Sigstore Authors", email = "sigstore-dev@googlegroups.com" }, 13 | ] 14 | classifiers = [ 15 | "License :: OSI Approved :: Apache Software License", 16 | "Programming Language :: Python :: 3 :: Only", 17 | "Programming Language :: Python :: 3", 18 | "Programming Language :: Python :: 3.7", 19 | "Programming Language :: Python :: 3.8", 20 | "Programming Language :: Python :: 3.9", 21 | "Programming Language :: Python :: 3.10", 22 | "Programming Language :: Python :: 3.11", 23 | "Development Status :: 4 - Beta", 24 | "Intended Audience :: Developers", 25 
| "Topic :: Security", 26 | "Topic :: Security :: Cryptography", 27 | ] 28 | dependencies = ["betterproto==2.0.0b7", "pydantic >= 2, < 3"] 29 | requires-python = ">=3.8" 30 | 31 | [project.urls] 32 | Homepage = "https://pypi.org/project/sigstore-protobuf-specs/" 33 | Issues = "https://github.com/sigstore/protobuf-specs/issues" 34 | Source = "https://github.com/sigstore/protobuf-specs" 35 | 36 | [project.optional-dependencies] 37 | dev = ["build"] 38 | -------------------------------------------------------------------------------- /service-protos/sync-rekor-tiles.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # A simple utility to copy protos from the rekor-tiles repository into protobuf specs for distribution # All paths below are relative to the working directory; run this from service-protos/ so the protos land in service-protos/rekor/v2/. 4 | set -o pipefail -o errexit -o nounset 5 | 6 | command -v gh &>/dev/null || { echo "gh not found" 1>&2; exit 1; } 7 | # NOTE(review): the query has no orderBy, so "last: 1" follows the API's default ref ordering and may not be the newest release tag — confirm. 8 | latest_tag=$(gh api graphql -f query='{repository(owner: "sigstore", name: "rekor-tiles"){refs(refPrefix: "refs/tags/", last: 1){nodes{name}}}}' --jq '.data.repository.refs.nodes[].name') 9 | 10 | if [ -z "$latest_tag" ]; then 11 | echo "latest tag not found" 12 | exit 1 13 | fi 14 | 15 | # clean up last sync 16 | rm ./rekor/v2/*.proto || echo "nothing to clean up" 17 | 18 | # mkdir just in case 19 | mkdir -p ./rekor/v2 20 | 21 | # copy all protos over except rekor_service.proto # The tag is resolved at run time and checked out by name only (no commit pin, no tag-signature check): the synced protos are whatever upstream currently publishes under that tag, so review the resulting diff before committing it. 22 | echo "syncing protos with ${latest_tag}" 23 | git clone --filter=blob:none --no-checkout --depth=1 https://github.com/sigstore/rekor-tiles.git ./rekor-tiles 24 | cd ./rekor-tiles 25 | git sparse-checkout set --no-cone '/api/proto/rekor/v2/*.proto' '!**/rekor_service.proto' 26 | git fetch origin tag "$latest_tag" --no-tags 27 | git checkout "$latest_tag" 28 | cd ../ 29 | cp -R ./rekor-tiles/api/proto/* . 
30 | rm -rf ./rekor-tiles 31 | 32 | # replace the go package from the service definition to the protobuf out 33 | echo "replacing go-package" 34 | sed -i -e 's|^option go_package.*$|option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2";|' ./rekor/v2/*.proto 35 | -------------------------------------------------------------------------------- /.github/workflows/rust-release.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2023 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
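15 | 16 | on: 17 | push: 18 | tags: 19 | - 'release/rust/v*' 20 | 21 | permissions: {} 22 | 23 | name: release Rust crate 24 | 25 | jobs: 26 | publish: 27 | name: Publish to crates.io 28 | runs-on: ubuntu-latest 29 | permissions: 30 | contents: read 31 | id-token: write # needed for trusted publishing to crates.io 32 | 33 | steps: 34 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 35 | with: 36 | persist-credentials: false 37 | 38 | - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3 39 | id: auth 40 | 41 | - run: RUST_ACTION='publish -p sigstore_protobuf_specs' make rust 42 | env: 43 | CARGO_REGISTRY_TOKEN: "${{ steps.auth.outputs.token }}" 44 | -------------------------------------------------------------------------------- /gen/pb-ruby/sigstore_protobuf_specs.gemspec: -------------------------------------------------------------------------------- 1 | require File.expand_path("../lib/sigstore_protobuf_specs/version", __FILE__) 2 | 3 | Gem::Specification.new do |spec| 4 | spec.name = "sigstore_protobuf_specs" 5 | 6 | spec.version = Dev::Sigstore::VERSION 7 | spec.authors = ["Sigstore Authors"] 8 | spec.email = ["sigstore-dev@googlegroups.com"] 9 | 10 | spec.summary = %q{A library for serializing and deserializing Sigstore messages.} 11 | spec.homepage = "https://www.sigstore.dev/" 12 | spec.license = 'Apache-2.0' 13 | 14 | # Minimum supported Ruby; assigned exactly once so the effective constraint is unambiguous. 15 | spec.required_ruby_version = ">= 2.7.0" 16 | 17 | spec.metadata["homepage_uri"] = spec.homepage 18 | spec.metadata["source_code_uri"] = "https://github.com/sigstore/protobuf-specs" 19 | spec.metadata["bug_tracker_uri"] = "https://github.com/sigstore/protobuf-specs/issues" 20 | 21 | # Specify which files should be added to the gem when it is released. 22 | # Only README.md, LICENSE and the lib/ tree are packaged (a Dir glob, not `git ls-files`). 
23 | spec.files = Dir["README.md", "LICENSE", "lib/**/*"] 24 | spec.bindir = "bin" 25 | spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) } 26 | spec.require_paths = ["lib"] 27 | 28 | spec.add_runtime_dependency 'google-protobuf', '~> 4.29', '>= 4.29.3' 29 | spec.add_runtime_dependency 'googleapis-common-protos-types', '~> 1.18' 30 | end 31 | -------------------------------------------------------------------------------- /java/README.md: -------------------------------------------------------------------------------- 1 | # Java generator 2 | 3 | This directory contains the necessary build config for java code generation. The gradle 4 | build takes the protos defined in `../protos` and using the gradle protobuf plugin will 5 | generate a single jar. 6 | 7 | To generate a jar from the protobuf spec run 8 | ``` 9 | ./gradlew assemble 10 | ``` 11 | A jar file will be created at `./build/libs/protobuf-specs-SNAPSHOT.jar` 12 | 13 | ## Releasing 14 | 15 | ### Generate Release artifacts 16 | 1. On creation of a tag in the style `release/java/v1.2.3`, new artifacts will be built, signed 17 | and published to maven central (in staging, but not released). 18 | 19 | ### Complete Publish Flow Maven Central 20 | 1. Log into https://central.sonatype.com with credentials that have permissions to upload to `dev.sigstore` 21 | 1. Go to "Publish" and release the component once it passes validation. 22 | 23 | ## How do I get permissions to upload to Maven Central 24 | - Create an account on https://central.sonatype.com 25 | - Request permissions to publish to dev.sigstore, for now this may involve contacting 26 | [Bob](https://github.com/bobcallaway) (or [Appu](https://github.com/loosebazooka)). 27 | 28 | ## Why is the gradle wrapper jar checked in? 29 | 30 | The file `gradle-wrapper.jar` is usually checked into java projects that are built with gradle. 31 | This file is validated by the gradle/wrapper-validation-action in the gradle-wrapper-validation.yml workflow. 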
32 | More info at: https://github.com/gradle/wrapper-validation-action 33 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/src/generated/io.intoto.rs: -------------------------------------------------------------------------------- 1 | // This file is @generated by prost-build. 2 | #[derive( 3 | sigstore_protobuf_specs_derive::Deserialize_proto, 4 | sigstore_protobuf_specs_derive::Serialize_proto 5 | )] 6 | #[derive(::prost_reflect::ReflectMessage)] 7 | #[prost_reflect(message_name = "io.intoto.Envelope")] 8 | #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] 9 | #[derive(Clone, PartialEq, ::prost::Message)] 10 | pub struct Envelope { 11 | #[prost(bytes = "vec", tag = "1")] 12 | pub payload: ::prost::alloc::vec::Vec, 13 | #[prost(string, tag = "2")] 14 | pub payload_type: ::prost::alloc::string::String, 15 | #[prost(message, repeated, tag = "3")] 16 | pub signatures: ::prost::alloc::vec::Vec, 17 | } 18 | #[derive( 19 | sigstore_protobuf_specs_derive::Deserialize_proto, 20 | sigstore_protobuf_specs_derive::Serialize_proto 21 | )] 22 | #[derive(::prost_reflect::ReflectMessage)] 23 | #[prost_reflect(message_name = "io.intoto.Signature")] 24 | #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] 25 | #[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)] 26 | pub struct Signature { 27 | /// Signature itself. (In JSON, this is encoded as base64.) 28 | /// REQUIRED. 29 | #[prost(bytes = "vec", tag = "1")] 30 | pub sig: ::prost::alloc::vec::Vec, 31 | /// *Unauthenticated* hint identifying which public key was used. 32 | /// OPTIONAL. 
33 | #[prost(string, tag = "2")] 34 | pub keyid: ::prost::alloc::string::String, 35 | } 36 | -------------------------------------------------------------------------------- /.github/workflows/generate.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2022 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | name: Check generated code for changes 17 | 18 | permissions: 19 | contents: read 20 | 21 | on: 22 | push: 23 | branches: [main] 24 | pull_request: {} 25 | 26 | jobs: 27 | check_generated_protos: 28 | name: Check generated protobufs 29 | runs-on: ubuntu-latest 30 | 31 | steps: 32 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 33 | with: 34 | persist-credentials: false 35 | 36 | # clear out the generated files directory so we know we are actually 37 | # generating all the files again (instead of a subset) 38 | - name: Clear out protobuf directory 39 | run: | 40 | make clean 41 | 42 | - name: Compile protobufs 43 | run: | 44 | make all 45 | 46 | - name: Ensure no files were modified as a result of the codegen 47 | run: git update-index --refresh && git diff-index --quiet HEAD -- || git diff --exit-code 48 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/rekor/v2/dsse_pb.rb: -------------------------------------------------------------------------------- 1 | # 
frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 3 | # source: rekor/v2/dsse.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'google/api/field_behavior_pb' 8 | require 'sigstore_common_pb' 9 | require 'envelope_pb' 10 | require 'rekor/v2/verifier_pb' 11 | 12 | 13 | descriptor_data = "\n\x13rekor/v2/dsse.proto\x12\x15\x64\x65v.sigstore.rekor.v2\x1a\x1fgoogle/api/field_behavior.proto\x1a\x15sigstore_common.proto\x1a\x0e\x65nvelope.proto\x1a\x17rekor/v2/verifier.proto\"v\n\x0f\x44SSERequestV002\x12*\n\x08\x65nvelope\x18\x01 \x01(\x0b\x32\x13.io.intoto.EnvelopeB\x03\xe0\x41\x02\x12\x37\n\tverifiers\x18\x02 \x03(\x0b\x32\x1f.dev.sigstore.rekor.v2.VerifierB\x03\xe0\x41\x02\"\x8b\x01\n\x10\x44SSELogEntryV002\x12<\n\x0bpayloadHash\x18\x01 \x01(\x0b\x32\".dev.sigstore.common.v1.HashOutputB\x03\xe0\x41\x02\x12\x39\n\nsignatures\x18\x02 \x03(\x0b\x32 .dev.sigstore.rekor.v2.SignatureB\x03\xe0\x41\x02\x42y\n\x1b\x64\x65v.sigstore.proto.rekor.v2B\x0bRekorV2DsseP\x01Z5github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2\xea\x02\x13Sigstore::Rekor::V2b\x06proto3" 14 | 15 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 16 | pool.add_serialized_file(descriptor_data) 17 | 18 | module Sigstore 19 | module Rekor 20 | module V2 21 | DSSERequestV002 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.DSSERequestV002").msgclass 22 | DSSELogEntryV002 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.DSSELogEntryV002").msgclass 23 | end 24 | end 25 | end 26 | -------------------------------------------------------------------------------- /.github/workflows/java-build.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2022 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | name: Check java build 17 | 18 | permissions: 19 | contents: read 20 | 21 | on: 22 | workflow_call: # allow this workflow to be called by other workflows 23 | push: 24 | branches: [main] 25 | pull_request: {} 26 | 27 | jobs: 28 | build: 29 | name: Build Java 30 | runs-on: ubuntu-latest 31 | 32 | steps: 33 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 34 | with: 35 | persist-credentials: false 36 | - name: Set up JDK 25 37 | uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0 38 | with: 39 | java-version: 25 40 | distribution: 'temurin' 41 | - name: Setup Gradle 42 | uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0 43 | 44 | # make sure jar generation works and tests/checks pass 45 | - name: Test 46 | working-directory: java 47 | run: ./gradlew build 48 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/rekor/v2/hashedrekord_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 
3 | # source: rekor/v2/hashedrekord.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'google/api/field_behavior_pb' 8 | require 'sigstore_common_pb' 9 | require 'rekor/v2/verifier_pb' 10 | 11 | 12 | descriptor_data = "\n\x1brekor/v2/hashedrekord.proto\x12\x15\x64\x65v.sigstore.rekor.v2\x1a\x1fgoogle/api/field_behavior.proto\x1a\x15sigstore_common.proto\x1a\x17rekor/v2/verifier.proto\"h\n\x17HashedRekordRequestV002\x12\x13\n\x06\x64igest\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\x12\x38\n\tsignature\x18\x02 \x01(\x0b\x32 .dev.sigstore.rekor.v2.SignatureB\x03\xe0\x41\x02\"\x8b\x01\n\x18HashedRekordLogEntryV002\x12\x35\n\x04\x64\x61ta\x18\x01 \x01(\x0b\x32\".dev.sigstore.common.v1.HashOutputB\x03\xe0\x41\x02\x12\x38\n\tsignature\x18\x02 \x01(\x0b\x32 .dev.sigstore.rekor.v2.SignatureB\x03\xe0\x41\x02\x42\x81\x01\n\x1b\x64\x65v.sigstore.proto.rekor.v2B\x13RekorV2HashedRekordP\x01Z5github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2\xea\x02\x13Sigstore::Rekor::V2b\x06proto3" 13 | 14 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 15 | pool.add_serialized_file(descriptor_data) 16 | 17 | module Sigstore 18 | module Rekor 19 | module V2 20 | HashedRekordRequestV002 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.HashedRekordRequestV002").msgclass 21 | HashedRekordLogEntryV002 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.HashedRekordLogEntryV002").msgclass 22 | end 23 | end 24 | end 25 | -------------------------------------------------------------------------------- /.github/workflows/ruby-build.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2023 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | name: Check Ruby build 17 | 18 | permissions: 19 | contents: read 20 | 21 | on: 22 | push: 23 | branches: [main] 24 | pull_request: {} 25 | 26 | jobs: 27 | build: 28 | name: Build Ruby generated code 29 | strategy: 30 | matrix: 31 | ruby-version: 32 | - '3.2' 33 | - '3.3' 34 | - '3.4' 35 | fail-fast: false 36 | 37 | runs-on: ubuntu-latest 38 | defaults: 39 | run: 40 | working-directory: gen/pb-ruby 41 | 42 | steps: 43 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 44 | with: 45 | persist-credentials: false 46 | - name: Set up Ruby ${{ matrix.ruby-version }} 47 | uses: ruby/setup-ruby@ac793fdd38cc468a4dd57246fa9d0e868aba9085 # v1.270.0 48 | with: 49 | ruby-version: ${{ matrix.ruby-version }} 50 | 51 | - name: Build 52 | run: | 53 | gem build sigstore_protobuf_specs.gemspec 54 | -------------------------------------------------------------------------------- /.github/workflows/python-build.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2022 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | name: Check Python build 17 | 18 | permissions: 19 | contents: read 20 | 21 | on: 22 | push: 23 | branches: [main] 24 | pull_request: {} 25 | 26 | jobs: 27 | build: 28 | name: Test Python build of generated code 29 | strategy: 30 | matrix: 31 | python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] 32 | fail-fast: false 33 | 34 | runs-on: ubuntu-latest 35 | 36 | steps: 37 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 38 | with: 39 | persist-credentials: false 40 | - name: Set up Python ${{ matrix.python-version }} 41 | uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 42 | with: 43 | python-version: ${{ matrix.python-version }} 44 | 45 | - name: Build 46 | run: | 47 | cd gen/pb-python 48 | python -m venv env && source env/bin/activate 49 | python -m pip install --upgrade pip 50 | python -m pip install .[dev] 51 | 52 | python -m build 53 | -------------------------------------------------------------------------------- /.github/workflows/typescript-build.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2023 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | name: Check Typescript build 17 | 18 | permissions: 19 | contents: read 20 | 21 | on: 22 | push: 23 | branches: [main] 24 | pull_request: {} 25 | 26 | jobs: 27 | build: 28 | name: Build Typescript generated code 29 | strategy: 30 | matrix: 31 | node-version: 32 | - 20.x 33 | - 22.x 34 | - 24.x 35 | fail-fast: false 36 | runs-on: ubuntu-latest 37 | 38 | defaults: 39 | run: 40 | working-directory: gen/pb-typescript 41 | 42 | steps: 43 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 44 | with: 45 | persist-credentials: false 46 | - name: Setup node ${{ matrix.node-version }} 47 | uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 48 | with: 49 | node-version: ${{ matrix.node-version }} 50 | cache: npm 51 | cache-dependency-path: gen/pb-typescript/package-lock.json 52 | - name: Build 53 | run: | 54 | npm ci 55 | npm run build 56 | -------------------------------------------------------------------------------- /protoc-builder/versions.mk: -------------------------------------------------------------------------------- 1 | # The default values for protoc version and googleapis commit will be used in the build *unless* overridden. 2 | # 3 | # To override a language-specific protoc version or googleapis import, 4 | # set a variable with the language name prefix followed by an underscore, 
5 | # for example: 6 | # 7 | #GO_PROTOC_VERSION=v29.3 8 | #GO_PROTOC_CHECKSUM=sha256:3e866620c5be27664f3d2fa2d656b5f3e09b5152b42f1bedbf427b333e90021a 9 | #GO_GOOGLEAPIS_COMMIT=fc2697ec5327db9073b4e0aa140248f19b15d7ef 10 | 11 | # release tag from https://github.com/protocolbuffers/protobuf 12 | DEFAULT_PROTOC_VERSION=v33.1 13 | 14 | # sha256 of release zip file: sha256sum protoc-${DEFAULT_PROTOC_VERSION#v}-linux-x86_64.zip | awk '{print "sha256:" $1 }' 15 | DEFAULT_PROTOC_CHECKSUM=sha256:f3340e28a83d1c637d8bafdeed92b9f7db6a384c26bca880a6e5217b40a4328b 16 | 17 | # git commit from https://github.com/googleapis/googleapis 18 | DEFAULT_GOOGLEAPIS_COMMIT=8cd3749f4b98f2eeeef511c16431979aeb3a6502 19 | # git commit from https://github.com/grpc-ecosystem/grpc-gateway 20 | DEFAULT_GRPC_GATEWAY_COMMIT=d2d5e587243b4254ac96b76ce19636e0fd734a5e 21 | 22 | ################################################################################## 23 | ### DO NOT EDIT BELOW THIS LINE, AS THESE VALUES ARE USED IN THE CORE MAKEFILE ### 24 | ################################################################################## 25 | 26 | LANGUAGES := GO PYTHON RUBY RUST TYPESCRIPT 27 | COMPONENTS := PROTOC_VERSION PROTOC_CHECKSUM GOOGLEAPIS_COMMIT GRPC_GATEWAY_COMMIT 28 | 29 | # This is creating each possible variable permutation, e.g. 30 | # GO_PROTOC_VERSION, etc 31 | $(foreach lang,$(LANGUAGES),\ 32 | $(foreach component,$(COMPONENTS),\ 33 | $(eval $(lang)_$(component) ?= $$(DEFAULT_$(component))))) 34 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/rekor/v2/verifier_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 
3 | # source: rekor/v2/verifier.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'sigstore_common_pb' 8 | require 'google/api/field_behavior_pb' 9 | 10 | 11 | descriptor_data = "\n\x17rekor/v2/verifier.proto\x12\x15\x64\x65v.sigstore.rekor.v2\x1a\x15sigstore_common.proto\x1a\x1fgoogle/api/field_behavior.proto\"#\n\tPublicKey\x12\x16\n\traw_bytes\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\"\xe1\x01\n\x08Verifier\x12;\n\npublic_key\x18\x01 \x01(\x0b\x32 .dev.sigstore.rekor.v2.PublicKeyB\x03\xe0\x41\x02H\x00\x12H\n\x10x509_certificate\x18\x02 \x01(\x0b\x32\'.dev.sigstore.common.v1.X509CertificateB\x03\xe0\x41\x02H\x00\x12\x42\n\x0bkey_details\x18\x03 \x01(\x0e\x32(.dev.sigstore.common.v1.PublicKeyDetailsB\x03\xe0\x41\x02\x42\n\n\x08verifier\"Y\n\tSignature\x12\x14\n\x07\x63ontent\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\x12\x36\n\x08verifier\x18\x02 \x01(\x0b\x32\x1f.dev.sigstore.rekor.v2.VerifierB\x03\xe0\x41\x02\x42}\n\x1b\x64\x65v.sigstore.proto.rekor.v2B\x0fRekorV2VerifierP\x01Z5github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2\xea\x02\x13Sigstore::Rekor::V2b\x06proto3" 12 | 13 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 14 | pool.add_serialized_file(descriptor_data) 15 | 16 | module Sigstore 17 | module Rekor 18 | module V2 19 | PublicKey = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.PublicKey").msgclass 20 | Verifier = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.Verifier").msgclass 21 | Signature = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.Signature").msgclass 22 | end 23 | end 24 | end 25 | -------------------------------------------------------------------------------- /.github/workflows/typescript-publish.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2023 The Sigstore Authors. 
3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | on: 17 | push: 18 | tags: 19 | - 'release/typescript/v*' 20 | 21 | name: Release TypeScript package 22 | 23 | permissions: {} 24 | 25 | jobs: 26 | publish: 27 | name: Publish package to npmjs 28 | runs-on: ubuntu-latest 29 | permissions: 30 | contents: read 31 | id-token: write # needed to sign provenance 32 | defaults: 33 | run: 34 | working-directory: gen/pb-typescript 35 | steps: 36 | - name: Checkout source 37 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 38 | with: 39 | persist-credentials: false 40 | - name: Setup node 41 | uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 42 | with: 43 | node-version: 24 44 | registry-url: 'https://registry.npmjs.org' 45 | package-manager-cache: false 46 | - name: Install npm w/ OIDC support 47 | run: | 48 | npm install -g npm@">=11.5.0" 49 | - name: Build package 50 | run: | 51 | npm ci 52 | npm run build 53 | - name: Publish package 54 | run: | 55 | npm publish --provenance --access public 56 | 57 | -------------------------------------------------------------------------------- /service-protos/rekor/v2/hashedrekord.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2025 The Sigstore Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance 
with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | package dev.sigstore.rekor.v2; 17 | 18 | import "google/api/field_behavior.proto"; 19 | import "sigstore_common.proto"; 20 | 21 | import "rekor/v2/verifier.proto"; 22 | 23 | option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2"; 24 | 25 | option java_package = "dev.sigstore.proto.rekor.v2"; 26 | option java_multiple_files = true; 27 | option java_outer_classname = "RekorV2HashedRekord"; 28 | option ruby_package = "Sigstore::Rekor::V2"; 29 | 30 | // A request to add a hashedrekord v0.0.2 to the log 31 | message HashedRekordRequestV002 { 32 | // The hashed data 33 | bytes digest = 1 [(google.api.field_behavior) = REQUIRED]; 34 | // A single signature over the hashed data with the verifier needed to validate it 35 | Signature signature = 2 [(google.api.field_behavior) = REQUIRED]; 36 | } 37 | 38 | message HashedRekordLogEntryV002 { 39 | // The hashed data 40 | dev.sigstore.common.v1.HashOutput data = 1 [(google.api.field_behavior) = REQUIRED]; 41 | // A single signature over the hashed data with the verifier needed to validate it 42 | Signature signature = 2 [(google.api.field_behavior) = REQUIRED]; 43 | } 44 | -------------------------------------------------------------------------------- /service-protos/rekor/v2/dsse.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2025 The Sigstore Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use 
this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | package dev.sigstore.rekor.v2; 17 | 18 | import "google/api/field_behavior.proto"; 19 | import "sigstore_common.proto"; 20 | import "envelope.proto"; 21 | 22 | import "rekor/v2/verifier.proto"; 23 | 24 | option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2"; 25 | 26 | option java_package = "dev.sigstore.proto.rekor.v2"; 27 | option java_multiple_files = true; 28 | option java_outer_classname = "RekorV2Dsse"; 29 | option ruby_package = "Sigstore::Rekor::V2"; 30 | 31 | // A request to add a DSSE v0.0.2 entry to the log 32 | message DSSERequestV002 { 33 | // A DSSE envelope 34 | io.intoto.Envelope envelope = 1 [(google.api.field_behavior) = REQUIRED]; 35 | // All necessary verification material to verify all signatures embedded in the envelope 36 | repeated Verifier verifiers = 2 [(google.api.field_behavior) = REQUIRED]; 37 | } 38 | 39 | 40 | message DSSELogEntryV002 { 41 | // The hash of the DSSE payload 42 | dev.sigstore.common.v1.HashOutput payloadHash = 1 [(google.api.field_behavior) = REQUIRED]; 43 | // Signatures and their associated verification material used to verify the payload 44 | repeated Signature signatures = 2 [(google.api.field_behavior) = REQUIRED]; 45 | } 46 | -------------------------------------------------------------------------------- /.github/workflows/protobuf-update.yml: -------------------------------------------------------------------------------- 1 | name: Protobuf update 2 | 3 | on: 4 | 
pull_request: 5 | types: [labeled] 6 | 7 | permissions: {} 8 | 9 | jobs: 10 | my_job: 11 | name: Update protobuf dependency 12 | runs-on: ubuntu-latest 13 | if: github.event.label.name == 'protobuf' 14 | permissions: 15 | contents: write # required to push commit to PR branch 16 | 17 | steps: 18 | - name: Checkout code 19 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 20 | with: 21 | fetch-depth: 0 22 | persist-credentials: true # zizmor: ignore[artipacked] 23 | 24 | - name: Update versions.mk with latest release version 25 | run: | 26 | export PROTOC_VERSION="$(awk -F'[:@]' '/FROM ghcr.io\/homebrew\/core\/protobuf/{print $2; exit}' protoc-builder/hack/Dockerfile.protobuf)" 27 | echo "Detected protobuf v${PROTOC_VERSION}... computing digest of artifact" 28 | 29 | export PROTOC_ZIP=$(mktemp) 30 | curl -fsSL --retry 3 -o ${PROTOC_ZIP} https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-x86_64.zip 31 | export PROTOC_CHECKSUM="$(sha256sum ${PROTOC_ZIP} | awk '{print "sha256:"$1}')" 32 | 33 | sed -i 's/^\(DEFAULT_PROTOC_VERSION\s*=\s*\).*/\1'v${PROTOC_VERSION}'/' protoc-builder/versions.mk 34 | sed -i 's/^\(DEFAULT_PROTOC_CHECKSUM\s*=\s*\).*/\1'${PROTOC_CHECKSUM}'/' protoc-builder/versions.mk 35 | 36 | - name: Amend Dependabot PR 37 | env: 38 | PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request.head.ref }} 39 | run: | 40 | git config user.name "github-actions[bot]" 41 | git config user.email "41898282+github-actions[bot]@users.noreply.github.com" 42 | git add -A 43 | git commit -sam "Bumping default protoc version and checksum in versions.mk" 44 | git push origin HEAD:${PULL_REQUEST_HEAD_REF} 45 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/rekor/v2/entry_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. 
DO NOT EDIT! 3 | # source: rekor/v2/entry.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'google/api/field_behavior_pb' 8 | require 'rekor/v2/dsse_pb' 9 | require 'rekor/v2/hashedrekord_pb' 10 | 11 | 12 | descriptor_data = "\n\x14rekor/v2/entry.proto\x12\x15\x64\x65v.sigstore.rekor.v2\x1a\x1fgoogle/api/field_behavior.proto\x1a\x13rekor/v2/dsse.proto\x1a\x1brekor/v2/hashedrekord.proto\"d\n\x05\x45ntry\x12\x11\n\x04kind\x18\x01 \x01(\tB\x03\xe0\x41\x02\x12\x18\n\x0b\x61pi_version\x18\x02 \x01(\tB\x03\xe0\x41\x02\x12.\n\x04spec\x18\x03 \x01(\x0b\x32\x1b.dev.sigstore.rekor.v2.SpecB\x03\xe0\x41\x02\"\xa5\x01\n\x04Spec\x12R\n\x12hashed_rekord_v002\x18\x01 \x01(\x0b\x32/.dev.sigstore.rekor.v2.HashedRekordLogEntryV002B\x03\xe0\x41\x02H\x00\x12\x41\n\tdsse_v002\x18\x02 \x01(\x0b\x32\'.dev.sigstore.rekor.v2.DSSELogEntryV002B\x03\xe0\x41\x02H\x00\x42\x06\n\x04spec\"\xc1\x01\n\x12\x43reateEntryRequest\x12Y\n\x1ahashed_rekord_request_v002\x18\x01 \x01(\x0b\x32..dev.sigstore.rekor.v2.HashedRekordRequestV002B\x03\xe0\x41\x02H\x00\x12H\n\x11\x64sse_request_v002\x18\x02 \x01(\x0b\x32&.dev.sigstore.rekor.v2.DSSERequestV002B\x03\xe0\x41\x02H\x00\x42\x06\n\x04specBz\n\x1b\x64\x65v.sigstore.proto.rekor.v2B\x0cRekorV2EntryP\x01Z5github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2\xea\x02\x13Sigstore::Rekor::V2b\x06proto3" 13 | 14 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 15 | pool.add_serialized_file(descriptor_data) 16 | 17 | module Sigstore 18 | module Rekor 19 | module V2 20 | Entry = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.Entry").msgclass 21 | Spec = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.Spec").msgclass 22 | CreateEntryRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.CreateEntryRequest").msgclass 23 | end 24 | end 25 | end 26 | -------------------------------------------------------------------------------- /protos/envelope.proto: 
-------------------------------------------------------------------------------- 1 | // https://raw.githubusercontent.com/secure-systems-lab/dsse/9c813476bd36de70a5738c72e784f123ecea16af/envelope.proto 2 | 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | 17 | package io.intoto; 18 | 19 | option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/dsse"; 20 | option ruby_package = "Sigstore::DSSE"; 21 | 22 | // An authenticated message of arbitrary type. 23 | message Envelope { 24 | // Message to be signed. (In JSON, this is encoded as base64.) 25 | // REQUIRED. 26 | bytes payload = 1; 27 | 28 | // String unambiguously identifying how to interpret payload. 29 | // REQUIRED. 30 | string payloadType = 2; 31 | 32 | // Signature over: 33 | // PAE(type, payload) 34 | // Where PAE is defined as: 35 | // PAE(type, payload) = "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload 36 | // + = concatenation 37 | // SP = ASCII space [0x20] 38 | // "DSSEv1" = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31] 39 | // LEN(s) = ASCII decimal encoding of the byte length of s, with no leading zeros 40 | // REQUIRED (length >= 1). 41 | repeated Signature signatures = 3; 42 | } 43 | 44 | message Signature { 45 | // Signature itself. (In JSON, this is encoded as base64.) 46 | // REQUIRED. 47 | bytes sig = 1; 48 | 49 | // *Unauthenticated* hint identifying which public key was used. 
50 | // OPTIONAL. 51 | string keyid = 2; 52 | } 53 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/io/intoto/__init__.py: -------------------------------------------------------------------------------- 1 | # Generated by the protocol buffer compiler. DO NOT EDIT! 2 | # sources: envelope.proto 3 | # plugin: python-betterproto 4 | # This file has been @generated 5 | 6 | from typing import TYPE_CHECKING 7 | 8 | 9 | if TYPE_CHECKING: 10 | from dataclasses import dataclass 11 | else: 12 | from pydantic.dataclasses import dataclass 13 | 14 | from typing import List 15 | 16 | import betterproto 17 | from pydantic.dataclasses import rebuild_dataclass 18 | 19 | 20 | @dataclass(eq=False, repr=False) 21 | class Envelope(betterproto.Message): 22 | """An authenticated message of arbitrary type.""" 23 | 24 | payload: bytes = betterproto.bytes_field(1) 25 | """ 26 | Message to be signed. (In JSON, this is encoded as base64.) 27 | REQUIRED. 28 | """ 29 | 30 | payload_type: str = betterproto.string_field(2) 31 | """ 32 | String unambiguously identifying how to interpret payload. 33 | REQUIRED. 34 | """ 35 | 36 | signatures: List["Signature"] = betterproto.message_field(3) 37 | """ 38 | Signature over: 39 | PAE(type, payload) 40 | Where PAE is defined as: 41 | PAE(type, payload) = "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload 42 | + = concatenation 43 | SP = ASCII space [0x20] 44 | "DSSEv1" = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31] 45 | LEN(s) = ASCII decimal encoding of the byte length of s, with no leading zeros 46 | REQUIRED (length >= 1). 47 | """ 48 | 49 | 50 | @dataclass(eq=False, repr=False) 51 | class Signature(betterproto.Message): 52 | sig: bytes = betterproto.bytes_field(1) 53 | """ 54 | Signature itself. (In JSON, this is encoded as base64.) 55 | REQUIRED. 
56 | """ 57 | 58 | keyid: str = betterproto.string_field(2) 59 | """ 60 | *Unauthenticated* hint identifying which public key was used. 61 | OPTIONAL. 62 | """ 63 | 64 | 65 | rebuild_dataclass(Envelope) # type: ignore 66 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs-derive/src/lib.rs: -------------------------------------------------------------------------------- 1 | use proc_macro::TokenStream; 2 | use quote::quote; 3 | use syn::{parse_macro_input, DeriveInput}; 4 | 5 | #[proc_macro_derive(Serialize_proto)] 6 | pub fn derive_serialize(input: TokenStream) -> TokenStream { 7 | let input = parse_macro_input!(input as DeriveInput); 8 | let ident = input.ident; 9 | 10 | match input.data { 11 | syn::Data::Struct(_) => (), 12 | _ => return Default::default(), 13 | }; 14 | 15 | let expanded = quote! { 16 | impl serde::Serialize for #ident { 17 | fn serialize(&self, serializer: S) -> Result 18 | where 19 | S: serde::Serializer, 20 | { 21 | let message = prost_reflect::ReflectMessage::transcode_to_dynamic(self); 22 | serde::Serialize::serialize(&message, serializer) 23 | } 24 | } 25 | }; 26 | 27 | TokenStream::from(expanded) 28 | } 29 | 30 | #[proc_macro_derive(Deserialize_proto)] 31 | pub fn derive_deserialize(input: TokenStream) -> TokenStream { 32 | let input = parse_macro_input!(input as DeriveInput); 33 | let ident = input.ident; 34 | 35 | match input.data { 36 | syn::Data::Struct(_) => (), 37 | _ => return Default::default(), 38 | }; 39 | 40 | let expanded = quote! 
{ 41 | impl<'de> serde::Deserialize<'de> for #ident { 42 | fn deserialize(deserializer: D) -> Result<#ident, D::Error> 43 | where 44 | D: serde::Deserializer<'de>, 45 | { 46 | let concrete_msg: #ident = Default::default(); 47 | let descriptor = prost_reflect::ReflectMessage::descriptor(&concrete_msg); 48 | let dynamic_msg = prost_reflect::DynamicMessage::deserialize(descriptor, deserializer)?; 49 | 50 | Ok(dynamic_msg.transcode_to().expect("failed to convert DynamicMessage to concrete Message!")) 51 | } 52 | } 53 | }; 54 | 55 | TokenStream::from(expanded) 56 | } 57 | -------------------------------------------------------------------------------- /.github/workflows/rust-build.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2023 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | name: Check Rust build 17 | 18 | permissions: 19 | contents: read 20 | 21 | on: 22 | push: 23 | branches: [main] 24 | pull_request: {} 25 | 26 | env: 27 | CARGO_TERM_COLOR: always 28 | 29 | jobs: 30 | build: 31 | name: Build Rust generated code 32 | runs-on: ubuntu-latest 33 | strategy: 34 | matrix: 35 | toolchain: 36 | - stable 37 | - beta 38 | - nightly 39 | 40 | steps: 41 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 42 | with: 43 | persist-credentials: false 44 | - run: rustup update ${TOOLCHAIN} && rustup default ${TOOLCHAIN} 45 | env: 46 | TOOLCHAIN: ${{ matrix.toolchain }} 47 | - run: | 48 | make rust 49 | - run: | 50 | RUST_ACTION="build -p sigstore_protobuf_specs" make rust 51 | 52 | test: 53 | name: Test Rust generated code 54 | runs-on: ubuntu-latest 55 | strategy: 56 | matrix: 57 | toolchain: 58 | - stable 59 | 60 | steps: 61 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 62 | with: 63 | persist-credentials: false 64 | - run: rustup update ${TOOLCHAIN} && rustup default ${TOOLCHAIN} 65 | env: 66 | TOOLCHAIN: ${{ matrix.toolchain }} 67 | - run: | 68 | make rust RUST_ACTION=test 69 | -------------------------------------------------------------------------------- /protoc-builder/Dockerfile.protoc: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile-upstream:master 2 | # This container grabs the protoc compiler and the googleapi includes 3 | # /protobuf will contain the extracted protoc 4 | # /googleapis will contain the various googleapis proto imports one might need 5 | FROM debian:trixie-slim@sha256:18764e98673c3baf1a6f8d960b5b5a1ec69092049522abac4e24a7726425b016 AS protoc-builder 6 | 7 | # Create output directories 8 | RUN mkdir /protobuf /googleapis /grpc-gateway 9 | # Install needed utilities 10 | RUN apt-get update && apt-get install -y unzip git 11 | 12 | # Set up user and group to match host we're building the 
container on 13 | ARG UID 14 | 15 | RUN adduser --uid ${UID} --disabled-password myuser 16 | 17 | # Set permissions on the output directories so the user can write to them 18 | RUN chown myuser /protobuf /googleapis /grpc-gateway 19 | 20 | # Switch to user to execute the remaining commands 21 | USER myuser 22 | 23 | # Download specific release of protoc 24 | # TODO: add dependabot-like feature to check for release updates 25 | ARG PROTOC_VERSION 26 | ARG PROTOC_CHECKSUM 27 | 28 | ADD --chown=myuser --checksum=${PROTOC_CHECKSUM} https://github.com/protocolbuffers/protobuf/releases/download/${PROTOC_VERSION}/protoc-${PROTOC_VERSION#v}-linux-x86_64.zip /tmp/protoc.zip 29 | RUN unzip -d /protobuf /tmp/protoc.zip 30 | RUN chmod 755 /protobuf/bin/protoc 31 | 32 | # fetch specific commit of googleapis 33 | ARG GOOGLEAPIS_COMMIT 34 | RUN git clone --filter=tree:0 https://github.com/googleapis/googleapis.git /googleapis && \ 35 | cd /googleapis && git checkout ${GOOGLEAPIS_COMMIT} 36 | # fetch sparse checkout of grpc-gateway to add openapiv2/options 37 | ARG GRPC_GATEWAY_COMMIT 38 | RUN git clone --filter=tree:0 --no-checkout --sparse https://github.com/grpc-ecosystem/grpc-gateway.git /grpc-gateway && \ 39 | cd /grpc-gateway && git sparse-checkout add protoc-gen-openapiv2/options && git checkout ${GRPC_GATEWAY_COMMIT} 40 | 41 | FROM scratch 42 | COPY --from=protoc-builder /protobuf /protobuf 43 | COPY --from=protoc-builder /googleapis /googleapis 44 | COPY --from=protoc-builder /grpc-gateway /grpc-gateway 45 | -------------------------------------------------------------------------------- /service-protos/rekor/v2/verifier.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2025 The Sigstore Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | package dev.sigstore.rekor.v2; 17 | 18 | import "sigstore_common.proto"; 19 | import "google/api/field_behavior.proto"; 20 | 21 | option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2"; 22 | 23 | option java_package = "dev.sigstore.proto.rekor.v2"; 24 | option java_multiple_files = true; 25 | option java_outer_classname = "RekorV2Verifier"; 26 | option ruby_package = "Sigstore::Rekor::V2"; 27 | 28 | // PublicKey contains an encoded public key 29 | message PublicKey { 30 | // DER-encoded public key 31 | bytes raw_bytes = 1 [(google.api.field_behavior) = REQUIRED]; 32 | } 33 | 34 | // Either a public key or a X.509 cerificiate with an embedded public key 35 | message Verifier { 36 | oneof verifier { 37 | // DER-encoded public key. 
Encoding method is specified by the key_details attribute 38 | PublicKey public_key = 1 [(google.api.field_behavior) = REQUIRED]; 39 | // DER-encoded certificate 40 | dev.sigstore.common.v1.X509Certificate x509_certificate = 2 [(google.api.field_behavior) = REQUIRED]; 41 | } 42 | // Key encoding and signature algorithm to use for this key 43 | dev.sigstore.common.v1.PublicKeyDetails key_details = 3 [(google.api.field_behavior) = REQUIRED]; 44 | } 45 | 46 | // A signature and an associated verifier 47 | message Signature { 48 | bytes content = 1 [(google.api.field_behavior) = REQUIRED]; 49 | Verifier verifier = 2 [(google.api.field_behavior) = REQUIRED]; 50 | } 51 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/events_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 3 | # source: events.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'google/protobuf/any_pb' 8 | require 'google/protobuf/timestamp_pb' 9 | 10 | 11 | descriptor_data = "\n\x0c\x65vents.proto\x12\x16\x64\x65v.sigstore.events.v1\x1a\x19google/protobuf/any.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xba\x04\n\nCloudEvent\x12\n\n\x02id\x18\x01 \x01(\t\x12\x0e\n\x06source\x18\x02 \x01(\t\x12\x14\n\x0cspec_version\x18\x03 \x01(\t\x12\x0c\n\x04type\x18\x04 \x01(\t\x12\x46\n\nattributes\x18\x05 \x03(\x0b\x32\x32.dev.sigstore.events.v1.CloudEvent.AttributesEntry\x12\x15\n\x0b\x62inary_data\x18\x06 \x01(\x0cH\x00\x12\x13\n\ttext_data\x18\x07 \x01(\tH\x00\x12*\n\nproto_data\x18\x08 \x01(\x0b\x32\x14.google.protobuf.AnyH\x00\x1an\n\x0f\x41ttributesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12J\n\x05value\x18\x02 \x01(\x0b\x32;.dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue:\x02\x38\x01\x1a\xd3\x01\n\x18\x43loudEventAttributeValue\x12\x14\n\nce_boolean\x18\x01 \x01(\x08H\x00\x12\x14\n\nce_integer\x18\x02 
\x01(\x05H\x00\x12\x13\n\tce_string\x18\x03 \x01(\tH\x00\x12\x12\n\x08\x63\x65_bytes\x18\x04 \x01(\x0cH\x00\x12\x10\n\x06\x63\x65_uri\x18\x05 \x01(\tH\x00\x12\x14\n\nce_uri_ref\x18\x06 \x01(\tH\x00\x12\x32\n\x0c\x63\x65_timestamp\x18\x07 \x01(\x0b\x32\x1a.google.protobuf.TimestampH\x00\x42\x06\n\x04\x61ttrB\x06\n\x04\x64\x61ta\"E\n\x0f\x43loudEventBatch\x12\x32\n\x06\x65vents\x18\x01 \x03(\x0b\x32\".dev.sigstore.events.v1.CloudEventBk\n\x1c\x64\x65v.sigstore.proto.events.v1P\x01Z6github.com/sigstore/protobuf-specs/gen/pb-go/events/v1\xea\x02\x10Sigstore::Eventsb\x06proto3" 12 | 13 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 14 | pool.add_serialized_file(descriptor_data) 15 | 16 | module Sigstore 17 | module Events 18 | CloudEvent = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.events.v1.CloudEvent").msgclass 19 | CloudEvent::CloudEventAttributeValue = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue").msgclass 20 | CloudEventBatch = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.events.v1.CloudEventBatch").msgclass 21 | end 22 | end 23 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/release-checklist.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Release Checklist 3 | about: All the tasks required to complete a release across languages 4 | title: Release v 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | Full release instructions are at: [RELEASE.md](/sigstore/protobuf-specs/blob/main/RELEASE.md) 11 | 12 | ## Pre Release 13 | - [ ] Check mediatype version of [Bundle](/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto), updating for major/minor releases 14 | - [ ] Check mediatype version of [TrustedRoot](/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto), updating for major/minor releases 
15 | - [ ] Update [CHANGELOG](/sigstore/protobuf-specs/blob/main/CHANGELOG.md) 16 | - [ ] Update [pyproject.toml](/sigstore/protobuf-specs/blob/main/gen/pb-python/pyproject.toml) so the `version` matches the targeted release 17 | - [ ] Update [package.json](/sigstore/protobuf-specs/blob/main/gen/pb-typescript/package.json) so the `version` matches the targeted release 18 | - [ ] Run `npm install` from the `gen/pb-typescript` directory to update [package-lock.json](/sigstore/protobuf-specs/blob/main/gen/pb-typescript/package-lock.json) 19 | - [ ] Update [version.rb](/sigstore/protobuf-specs/blob/main/gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb) so the `version` matches the targeted release 20 | - [ ] Update [Cargo.toml](/sigstore/protobuf-specs/blob/main/gen/pb-rust/sigstore-protobuf-specs/Cargo.toml) so the `version` matches the targeted release 21 | 22 | ## Tag Release 23 | - [ ] `v` 24 | - [ ] `release/java/v` 25 | - [ ] `release/python/v` 26 | - [ ] `release/ruby/v` 27 | - [ ] `release/rust/v` 28 | - [ ] `release/typescript/v` 29 | - [ ] `release/service-builder/v` 30 | 31 | ## Publish Release 32 | - [ ] Java to Maven Central 33 | 34 | ## Verify Releases Published 35 | - [ ] [Java](https://central.sonatype.com/artifact/dev.sigstore/protobuf-specs/) 36 | - [ ] [Python](https://pypi.org/project/sigstore-protobuf-specs/) 37 | - [ ] [Ruby](https://rubygems.org/gems/sigstore_protobuf_specs) 38 | - [ ] [Rust](https://crates.io/crates/sigstore_protobuf_specs) 39 | - [ ] [Typescript](https://www.npmjs.com/package/@sigstore/protobuf-specs) 40 | - [ ] [Service Builder Container](https://github.com/sigstore/protobuf-specs/pkgs/container/protobuf-specs-service-builder) 41 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/tests/unit.rs: -------------------------------------------------------------------------------- 1 | use sigstore_protobuf_specs::dev::sigstore::common::v1::{HashOutput, LogId, 
MessageSignature}; 2 | 3 | /// HashOutput, a structure using only primitive types 4 | #[test] 5 | fn primitives() { 6 | let hash_output_json = r#"{"digest":"AQID"}"#; 7 | let hash_output_rs = HashOutput { 8 | algorithm: 0i32, 9 | digest: vec![1u8, 2u8, 3u8], 10 | }; 11 | 12 | let serialize = serde_json::to_string(&hash_output_rs); 13 | assert!(serialize.is_ok()); 14 | assert_eq!(serialize.unwrap(), hash_output_json); 15 | 16 | let deserialize = serde_json::from_str::(hash_output_json); 17 | assert!(deserialize.is_ok()); 18 | assert_eq!(deserialize.unwrap(), hash_output_rs); 19 | } 20 | 21 | /// LogId, a structure with a field using camelCase 22 | #[test] 23 | fn camel_case() { 24 | let log_id_json = r#"{"keyId":"AA=="}"#; 25 | let log_id_rs = LogId { key_id: vec![0] }; 26 | 27 | let serialize = serde_json::to_string(&log_id_rs); 28 | assert!(serialize.is_ok()); 29 | assert_eq!(serialize.unwrap(), log_id_json); 30 | 31 | let deserialize = serde_json::from_str::(log_id_json); 32 | assert!(deserialize.is_ok()); 33 | assert_eq!(deserialize.unwrap(), log_id_rs); 34 | } 35 | 36 | /// MessageSignature, nested structure 37 | #[test] 38 | fn nested() { 39 | let message_signature_json = r#"{ 40 | "messageDigest": { 41 | "algorithm": "SHA2_256", 42 | "digest": "AQID" 43 | }, 44 | "signature": "AQ==" 45 | }"#; 46 | 47 | let message_signature_rs = MessageSignature { 48 | message_digest: Some(HashOutput { 49 | algorithm: 1i32, 50 | digest: vec![1u8, 2u8, 3u8], 51 | }), 52 | signature: vec![1u8], 53 | }; 54 | 55 | let serialize = serde_json::to_string(&message_signature_rs); 56 | assert!(serialize.is_ok()); 57 | assert_eq!( 58 | serialize.unwrap(), 59 | message_signature_json 60 | .chars() 61 | .filter(|c| !c.is_whitespace()) 62 | .collect::() 63 | ); 64 | 65 | let deserialize = serde_json::from_str::(&message_signature_json); 66 | assert!(deserialize.is_ok()); 67 | assert_eq!(deserialize.unwrap(), message_signature_rs); 68 | } 69 | 
-------------------------------------------------------------------------------- /service-protos/rekor/v2/entry.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2025 The Sigstore Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | package dev.sigstore.rekor.v2; 17 | 18 | import "google/api/field_behavior.proto"; 19 | 20 | import "rekor/v2/dsse.proto"; 21 | import "rekor/v2/hashedrekord.proto"; 22 | 23 | option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2"; 24 | 25 | option java_package = "dev.sigstore.proto.rekor.v2"; 26 | option java_multiple_files = true; 27 | option java_outer_classname = "RekorV2Entry"; 28 | option ruby_package = "Sigstore::Rekor::V2"; 29 | 30 | // Entry is the message that is canonicalized and uploaded to the log. 31 | // This format is meant to be compliant with Rekor v1 entries in that 32 | // the `apiVersion` and `kind` can be parsed before parsing the spec. 33 | // Clients are expected to understand and handle the differences in the 34 | // contents of `spec` between Rekor v1 (a polymorphic OpenAPI defintion) 35 | // and Rekor v2 (a typed proto defintion). 
36 | message Entry { 37 | string kind = 1 [(google.api.field_behavior) = REQUIRED]; 38 | string api_version = 2 [(google.api.field_behavior) = REQUIRED]; 39 | Spec spec = 3 [(google.api.field_behavior) = REQUIRED]; 40 | } 41 | 42 | // Spec contains one of the Rekor entry types. 43 | message Spec { 44 | oneof spec { 45 | HashedRekordLogEntryV002 hashed_rekord_v002 = 1 [(google.api.field_behavior) = REQUIRED]; 46 | DSSELogEntryV002 dsse_v002 = 2 [(google.api.field_behavior) = REQUIRED]; 47 | } 48 | } 49 | 50 | // Create a new HashedRekord or DSSE 51 | message CreateEntryRequest { 52 | oneof spec { 53 | HashedRekordRequestV002 hashed_rekord_request_v002 = 1 [(google.api.field_behavior) = REQUIRED]; 54 | DSSERequestV002 dsse_request_v002 = 2 [(google.api.field_behavior) = REQUIRED]; 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/sigstore_bundle_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 
3 | # source: sigstore_bundle.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'google/api/field_behavior_pb' 8 | require 'envelope_pb' 9 | require 'sigstore_common_pb' 10 | require 'sigstore_rekor_pb' 11 | 12 | 13 | descriptor_data = "\n\x15sigstore_bundle.proto\x12\x16\x64\x65v.sigstore.bundle.v1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x0e\x65nvelope.proto\x1a\x15sigstore_common.proto\x1a\x14sigstore_rekor.proto\"g\n\x19TimestampVerificationData\x12J\n\x12rfc3161_timestamps\x18\x01 \x03(\x0b\x32..dev.sigstore.common.v1.RFC3161SignedTimestamp\"\x9e\x03\n\x14VerificationMaterial\x12\x46\n\npublic_key\x18\x01 \x01(\x0b\x32+.dev.sigstore.common.v1.PublicKeyIdentifierB\x03\xe0\x41\x02H\x00\x12S\n\x16x509_certificate_chain\x18\x02 \x01(\x0b\x32,.dev.sigstore.common.v1.X509CertificateChainB\x03\xe0\x41\x02H\x00\x12\x43\n\x0b\x63\x65rtificate\x18\x05 \x01(\x0b\x32\'.dev.sigstore.common.v1.X509CertificateB\x03\xe0\x41\x02H\x00\x12\x41\n\x0ctlog_entries\x18\x03 \x03(\x0b\x32+.dev.sigstore.rekor.v1.TransparencyLogEntry\x12V\n\x1btimestamp_verification_data\x18\x04 \x01(\x0b\x32\x31.dev.sigstore.bundle.v1.TimestampVerificationDataB\t\n\x07\x63ontent\"\xfe\x01\n\x06\x42undle\x12\x12\n\nmedia_type\x18\x01 \x01(\t\x12P\n\x15verification_material\x18\x02 \x01(\x0b\x32,.dev.sigstore.bundle.v1.VerificationMaterialB\x03\xe0\x41\x02\x12J\n\x11message_signature\x18\x03 \x01(\x0b\x32(.dev.sigstore.common.v1.MessageSignatureB\x03\xe0\x41\x02H\x00\x12\x31\n\rdsse_envelope\x18\x04 \x01(\x0b\x32\x13.io.intoto.EnvelopeB\x03\xe0\x41\x02H\x00\x42\t\n\x07\x63ontentJ\x04\x08\x05\x10\x33\x42|\n\x1c\x64\x65v.sigstore.proto.bundle.v1B\x0b\x42undleProtoP\x01Z6github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1\xea\x02\x14Sigstore::Bundle::V1b\x06proto3" 14 | 15 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 16 | pool.add_serialized_file(descriptor_data) 17 | 18 | module Sigstore 19 | module Bundle 20 | module V1 21 | TimestampVerificationData = 
::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.bundle.v1.TimestampVerificationData").msgclass 22 | VerificationMaterial = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.bundle.v1.VerificationMaterial").msgclass 23 | Bundle = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.bundle.v1.Bundle").msgclass 24 | end 25 | end 26 | end 27 | -------------------------------------------------------------------------------- /.github/workflows/ruby-release.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2023 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | on: 17 | push: 18 | tags: 19 | - 'release/ruby/v*' 20 | 21 | permissions: {} 22 | 23 | name: release Ruby Gem 24 | 25 | jobs: 26 | publish: 27 | name: Publish to RubyGems 28 | runs-on: ubuntu-latest 29 | permissions: 30 | contents: read 31 | id-token: write # needed to authenticate to Google Cloud 32 | 33 | defaults: 34 | run: 35 | working-directory: gen/pb-ruby 36 | 37 | steps: 38 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 39 | with: 40 | persist-credentials: false 41 | 42 | - uses: ruby/setup-ruby@ac793fdd38cc468a4dd57246fa9d0e868aba9085 # v1.270.0 43 | with: 44 | ruby-version: '3.3' 45 | 46 | - name: Authenticate to Google Cloud 47 | uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 48 | with: 49 | workload_identity_provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider 50 | service_account: protobuf-specs-releaser@sigstore-secrets.iam.gserviceaccount.com 51 | 52 | - uses: google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262 # v3.0.0 53 | id: secrets 54 | with: 55 | secrets: |- 56 | rubygems_auth_token:sigstore-secrets/protobuf-specs-rubygems-auth-token 57 | 58 | - name: Build 59 | run: | 60 | gem build sigstore_protobuf_specs.gemspec 61 | 62 | - name: Publish 63 | run: | 64 | mkdir -p $HOME/.gem 65 | printf -- "---\n:rubygems_api_key: ${RUBYGEMS_AUTH_TOKEN}\n" > $HOME/.gem/credentials 66 | chmod 0600 $HOME/.gem/credentials 67 | gem push *.gem 68 | env: 69 | RUBYGEMS_AUTH_TOKEN: "${{ steps.secrets.outputs.rubygems_auth_token }}" 70 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/tests/integration.rs: -------------------------------------------------------------------------------- 1 | use std::io; 2 | 3 | use sigstore_protobuf_specs::dev::sigstore::bundle::v1::Bundle; 4 | 5 | macro_rules! 
include_asset { 6 | ($path:literal) => { 7 | include_str!(concat!(env!("CARGO_MANIFEST_DIR"), "/assets/", $path)) 8 | }; 9 | } 10 | 11 | struct SpaceSeparatorFormatter; 12 | 13 | impl serde_json::ser::Formatter for SpaceSeparatorFormatter { 14 | fn begin_array_value(&mut self, writer: &mut W, first: bool) -> io::Result<()> 15 | where 16 | W: ?Sized + io::Write, 17 | { 18 | if first { 19 | Ok(()) 20 | } else { 21 | writer.write_all(b", ") 22 | } 23 | } 24 | 25 | fn begin_object_value(&mut self, writer: &mut W) -> io::Result<()> 26 | where 27 | W: ?Sized + io::Write, 28 | { 29 | writer.write_all(b": ") 30 | } 31 | 32 | fn begin_object_key(&mut self, writer: &mut W, first: bool) -> io::Result<()> 33 | where 34 | W: ?Sized + io::Write, 35 | { 36 | if first { 37 | Ok(()) 38 | } else { 39 | writer.write_all(b", ") 40 | } 41 | } 42 | 43 | fn write_string_fragment(&mut self, writer: &mut W, fragment: &str) -> io::Result<()> 44 | where 45 | W: ?Sized + io::Write, 46 | { 47 | // Replace em-dashes with a unicode escape. serde_json unescapes it. 48 | writer.write_all(fragment.replace("\u{2014}", "\\u2014").as_bytes()) 49 | } 50 | } 51 | 52 | /// Test re-serializing a known-good bundle from sigstore-python. 53 | #[test] 54 | fn bundle_roundtrip() { 55 | // Deserialize bundle, trimming trailing whitespace. 56 | let input = include_asset!("a.txt.sigstore").trim_end(); 57 | let bundle: Bundle = serde_json::from_str(input).expect("failed to deserialize Bundle!"); 58 | 59 | // Re-serialize bundle with our python-like formatter. 60 | let formatter = SpaceSeparatorFormatter {}; 61 | let mut result = Vec::new(); 62 | let mut ser = serde_json::Serializer::with_formatter(&mut result, formatter); 63 | serde::Serialize::serialize(&bundle, &mut ser).expect("failed to re-serialize Bundle!"); 64 | 65 | // Notwithstanding the workarounds above, our serialized bundle should be 66 | // byte-for-byte identical to the input bundle. 
67 | let result = std::str::from_utf8(&result).unwrap(); 68 | assert_eq!( 69 | input, 70 | &result[..], 71 | "re-serialized Bundle does not match original!" 72 | ); 73 | } 74 | -------------------------------------------------------------------------------- /protos/events.proto: -------------------------------------------------------------------------------- 1 | // https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/formats/cloudevents.proto 2 | 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | /** 16 | * CloudEvent Protobuf Format 17 | * 18 | * - Required context attributes are explicity represented. 19 | * - Optional and Extension context attributes are carried in a map structure. 20 | * - Data may be represented as binary, text, or protobuf messages. 
21 | */ 22 | 23 | syntax = "proto3"; 24 | 25 | package dev.sigstore.events.v1; 26 | 27 | import "google/protobuf/any.proto"; 28 | import "google/protobuf/timestamp.proto"; 29 | 30 | option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/events/v1"; 31 | option java_package = "dev.sigstore.proto.events.v1"; 32 | option java_multiple_files = true; 33 | option ruby_package = "Sigstore::Events"; 34 | 35 | message CloudEvent { 36 | 37 | // -- CloudEvent Context Attributes 38 | 39 | // Required Attributes 40 | string id = 1; 41 | string source = 2; // URI-reference 42 | string spec_version = 3; 43 | string type = 4; 44 | 45 | // Optional & Extension Attributes 46 | map attributes = 5; 47 | 48 | // -- CloudEvent Data (Bytes, Text, or Proto) 49 | oneof data { 50 | bytes binary_data = 6; 51 | string text_data = 7; 52 | google.protobuf.Any proto_data = 8; 53 | } 54 | 55 | /** 56 | * The CloudEvent specification defines 57 | * seven attribute value types... 58 | */ 59 | 60 | message CloudEventAttributeValue { 61 | 62 | oneof attr { 63 | bool ce_boolean = 1; 64 | int32 ce_integer = 2; 65 | string ce_string = 3; 66 | bytes ce_bytes = 4; 67 | string ce_uri = 5; 68 | string ce_uri_ref = 6; 69 | google.protobuf.Timestamp ce_timestamp = 7; 70 | } 71 | } 72 | } 73 | 74 | /** 75 | * CloudEvent Protobuf Batch Format 76 | * 77 | */ 78 | 79 | message CloudEventBatch { 80 | repeated CloudEvent events = 1; 81 | } 82 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs-codegen/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::path::Path; 2 | 3 | /// Find the standard protobuf include directory. 
4 | fn protobuf_include_path() -> String { 5 | let mut protobuf_root = which::which("protoc") 6 | .ok() 7 | // dirname(/bin/protoc) / ../ 8 | .and_then(|path| path.ancestors().nth(2).map(|p| p.to_path_buf())) 9 | .expect("protobuf installation directory not found!"); 10 | protobuf_root.push("include"); 11 | protobuf_root.to_str().unwrap().to_owned() 12 | } 13 | 14 | fn main() -> anyhow::Result<()> { 15 | let includes = vec![ 16 | concat!(env!("CARGO_MANIFEST_DIR"), "/../../../protos").to_owned(), 17 | concat!(env!("CARGO_MANIFEST_DIR"), "/../../../service-protos").to_owned(), 18 | // WKTs path 19 | protobuf_include_path(), 20 | "/googleapis".to_owned(), 21 | // googleapis types path: set `SIGSTORE_PROTOBUF_EXTRA_INCLUDE` to override. 22 | std::env::var("SIGSTORE_PROTOBUF_EXTRA_INCLUDE").unwrap_or("/opt/include".to_owned()), 23 | ]; 24 | 25 | for include in &includes { 26 | let include = Path::new(include); 27 | if !include.is_dir() { 28 | panic!("invalid include dir: {:?}", include); 29 | } 30 | } 31 | 32 | let mut config = prost_build::Config::new(); 33 | config 34 | .include_file("mod.rs") 35 | .type_attribute( 36 | ".", 37 | "#[derive(sigstore_protobuf_specs_derive::Deserialize_proto, sigstore_protobuf_specs_derive::Serialize_proto)]", 38 | ) 39 | // Disable problematic comments interpreted as doctests. 
40 | .disable_comments([".io.intoto.Envelope"]) 41 | .out_dir("sigstore-protobuf-specs/src/generated/"); 42 | 43 | let protos = glob::glob(concat!( 44 | env!("CARGO_MANIFEST_DIR"), 45 | "/../../../protos/*.proto" 46 | )) 47 | .expect("no protos found!") 48 | .flatten(); 49 | 50 | let service_protos = glob::glob(concat!( 51 | env!("CARGO_MANIFEST_DIR"), 52 | "/../../../service-protos/rekor/v2/*.proto" 53 | )) 54 | .expect("no service protos found!") 55 | .flatten(); 56 | 57 | prost_reflect_build::Builder::new() 58 | .file_descriptor_set_bytes("crate::FILE_DESCRIPTOR_SET_BYTES") 59 | .file_descriptor_set_path("sigstore-protobuf-specs/src/generated/file_descriptor_set.bin") 60 | .compile_protos_with_config( 61 | config, 62 | &protos.chain(service_protos).collect::>(), 63 | &includes, 64 | )?; 65 | 66 | Ok(()) 67 | } 68 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/sigstore_rekor_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 
3 | # source: sigstore_rekor.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'google/api/field_behavior_pb' 8 | require 'sigstore_common_pb' 9 | 10 | 11 | descriptor_data = "\n\x14sigstore_rekor.proto\x12\x15\x64\x65v.sigstore.rekor.v1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x15sigstore_common.proto\"6\n\x0bKindVersion\x12\x11\n\x04kind\x18\x01 \x01(\tB\x03\xe0\x41\x02\x12\x14\n\x07version\x18\x02 \x01(\tB\x03\xe0\x41\x02\"#\n\nCheckpoint\x12\x15\n\x08\x65nvelope\x18\x01 \x01(\tB\x03\xe0\x41\x02\"\xa9\x01\n\x0eInclusionProof\x12\x16\n\tlog_index\x18\x01 \x01(\x03\x42\x03\xe0\x41\x02\x12\x16\n\troot_hash\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x02\x12\x16\n\ttree_size\x18\x03 \x01(\x03\x42\x03\xe0\x41\x02\x12\x13\n\x06hashes\x18\x04 \x03(\x0c\x42\x03\xe0\x41\x02\x12:\n\ncheckpoint\x18\x05 \x01(\x0b\x32!.dev.sigstore.rekor.v1.CheckpointB\x03\xe0\x41\x02\"7\n\x10InclusionPromise\x12#\n\x16signed_entry_timestamp\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\"\xe4\x02\n\x14TransparencyLogEntry\x12\x16\n\tlog_index\x18\x01 \x01(\x03\x42\x03\xe0\x41\x02\x12\x32\n\x06log_id\x18\x02 \x01(\x0b\x32\x1d.dev.sigstore.common.v1.LogIdB\x03\xe0\x41\x02\x12=\n\x0ckind_version\x18\x03 \x01(\x0b\x32\".dev.sigstore.rekor.v1.KindVersionB\x03\xe0\x41\x02\x12\x1c\n\x0fintegrated_time\x18\x04 \x01(\x03\x42\x03\xe0\x41\x02\x12\x42\n\x11inclusion_promise\x18\x05 \x01(\x0b\x32\'.dev.sigstore.rekor.v1.InclusionPromise\x12\x43\n\x0finclusion_proof\x18\x06 \x01(\x0b\x32%.dev.sigstore.rekor.v1.InclusionProofB\x03\xe0\x41\x02\x12\x1a\n\x12\x63\x61nonicalized_body\x18\x07 \x01(\x0c\x42x\n\x1b\x64\x65v.sigstore.proto.rekor.v1B\nRekorProtoP\x01Z5github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v1\xea\x02\x13Sigstore::Rekor::V1b\x06proto3" 12 | 13 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 14 | pool.add_serialized_file(descriptor_data) 15 | 16 | module Sigstore 17 | module Rekor 18 | module V1 19 | KindVersion = 
::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v1.KindVersion").msgclass 20 | Checkpoint = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v1.Checkpoint").msgclass 21 | InclusionProof = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v1.InclusionProof").msgclass 22 | InclusionPromise = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v1.InclusionPromise").msgclass 23 | TransparencyLogEntry = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v1.TransparencyLogEntry").msgclass 24 | end 25 | end 26 | end 27 | -------------------------------------------------------------------------------- /.github/workflows/container-release.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2025 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | name: Release service builder container 16 | 17 | on: 18 | push: 19 | tags: 20 | - 'release/service-builder/v*' 21 | 22 | permissions: {} 23 | 24 | jobs: 25 | release: 26 | name: Release services container image 27 | runs-on: ubuntu-latest 28 | 29 | permissions: 30 | id-token: write # needed to sign build provenance 31 | contents: read 32 | packages: write # needed to upload to GitHub Packages 33 | attestations: write # needed to persist attestation 34 | 35 | env: 36 | TAG: ${{ github.ref_name }} 37 | REGISTRY: ghcr.io 38 | IMAGE_NO_TAG: ghcr.io/${{ github.repository }}-service-builder 39 | 40 | steps: 41 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 42 | with: 43 | persist-credentials: false 44 | 45 | - name: Calculate tag and image_ref 46 | run: | 47 | tag="${TAG#"release/service-builder/v"}" 48 | echo "IMAGE_REF=${IMAGE_NO_TAG}:$tag" >> $GITHUB_ENV 49 | 50 | - name: Log into ghcr.io 51 | uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 52 | with: 53 | registry: ${{ env.REGISTRY }} 54 | username: ${{ github.repository_owner }} 55 | password: ${{ secrets.GITHUB_TOKEN }} 56 | 57 | - name: Build services container 58 | run: make services-image 59 | 60 | - name: Tag image 61 | run: docker tag protoc-services ${IMAGE_REF} 62 | 63 | - name: Push image 64 | run: docker push ${IMAGE_REF} 65 | 66 | - name: Get image digest 67 | run: | 68 | digest=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_REF}) 69 | image_digest=$(echo $digest | cut -d"@" -f2) 70 | echo "IMAGE_DIGEST=$image_digest" >> "$GITHUB_ENV" 71 | 72 | - name: Generate artifact attestation 73 | uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 74 | with: 75 | subject-name: ${{ env.IMAGE_NO_TAG }} 76 | subject-digest: ${{ env.IMAGE_DIGEST }} 77 | push-to-registry: true 78 | 79 | -------------------------------------------------------------------------------- 
/gen/pb-typescript/src/__generated__/rekor/v2/dsse.ts: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-ts_proto. DO NOT EDIT. 2 | // versions: 3 | // protoc-gen-ts_proto v2.8.3 4 | // protoc v6.33.1 5 | // source: rekor/v2/dsse.proto 6 | 7 | /* eslint-disable */ 8 | import { Envelope } from "../../envelope"; 9 | import { HashOutput } from "../../sigstore_common"; 10 | import { Signature, Verifier } from "./verifier"; 11 | 12 | /** A request to add a DSSE v0.0.2 entry to the log */ 13 | export interface DSSERequestV002 { 14 | /** A DSSE envelope */ 15 | envelope: 16 | | Envelope 17 | | undefined; 18 | /** All necessary verification material to verify all signatures embedded in the envelope */ 19 | verifiers: Verifier[]; 20 | } 21 | 22 | export interface DSSELogEntryV002 { 23 | /** The hash of the DSSE payload */ 24 | payloadHash: 25 | | HashOutput 26 | | undefined; 27 | /** Signatures and their associated verification material used to verify the payload */ 28 | signatures: Signature[]; 29 | } 30 | 31 | export const DSSERequestV002: MessageFns = { 32 | fromJSON(object: any): DSSERequestV002 { 33 | return { 34 | envelope: isSet(object.envelope) ? Envelope.fromJSON(object.envelope) : undefined, 35 | verifiers: globalThis.Array.isArray(object?.verifiers) 36 | ? object.verifiers.map((e: any) => Verifier.fromJSON(e)) 37 | : [], 38 | }; 39 | }, 40 | 41 | toJSON(message: DSSERequestV002): unknown { 42 | const obj: any = {}; 43 | if (message.envelope !== undefined) { 44 | obj.envelope = Envelope.toJSON(message.envelope); 45 | } 46 | if (message.verifiers?.length) { 47 | obj.verifiers = message.verifiers.map((e) => Verifier.toJSON(e)); 48 | } 49 | return obj; 50 | }, 51 | }; 52 | 53 | export const DSSELogEntryV002: MessageFns = { 54 | fromJSON(object: any): DSSELogEntryV002 { 55 | return { 56 | payloadHash: isSet(object.payloadHash) ? 
HashOutput.fromJSON(object.payloadHash) : undefined, 57 | signatures: globalThis.Array.isArray(object?.signatures) 58 | ? object.signatures.map((e: any) => Signature.fromJSON(e)) 59 | : [], 60 | }; 61 | }, 62 | 63 | toJSON(message: DSSELogEntryV002): unknown { 64 | const obj: any = {}; 65 | if (message.payloadHash !== undefined) { 66 | obj.payloadHash = HashOutput.toJSON(message.payloadHash); 67 | } 68 | if (message.signatures?.length) { 69 | obj.signatures = message.signatures.map((e) => Signature.toJSON(e)); 70 | } 71 | return obj; 72 | }, 73 | }; 74 | 75 | function isSet(value: any): boolean { 76 | return value !== null && value !== undefined; 77 | } 78 | 79 | interface MessageFns { 80 | fromJSON(object: any): T; 81 | toJSON(message: T): unknown; 82 | } 83 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # protobuf-specs 2 | 3 | This repository holds protobuf specifications for Sigstore messages. 4 | 5 | ## Protobuf 6 | 7 | If you change protobuf definitions, you will need to regenerate the code by running the protocol buffer compiler on the changed `.proto` files. 8 | 9 | You will need [Docker](https://docs.docker.com/get-docker/) installed and configured to [run as non-root user](https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user) to generate the protobuf stubs. Then run, 10 | 11 | ``` 12 | $ make all 13 | ``` 14 | 15 | to generate the Go and Python files under `gen/`. 16 | 17 | ## Adding New Algorithms 18 | 19 | With the standardization of post-quantum cryptography signing algorithms by NIST, 20 | ML-DSA (FIPS 204, Dilithium) and SLH-DSA (FIPS 205, SPHINCS+), and with ongoing 21 | work to standardize [another set of algorithms](https://csrc.nist.gov/projects/pqc-dig-sig), 22 | Sigstore will be accepting additional algorithms to sign artifacts and verification material. 
23 | 24 | To add a new algorithm, you must first get consensus with the community through 25 | an update to the 26 | [algorithm registry specification](https://github.com/sigstore/architecture-docs/blob/main/algorithm-registry.md). 27 | Tag client maintainers to make sure that the new algorithm can be supported by their ecosystem. 28 | Algorithms do not have to be supported by all clients, but you should not propose an algorithm 29 | that is not widely standardized. Algorithms must be supported in Go since Fulcio and Rekor 30 | will need to be updated to support signature verification, and the Go libraries should be 31 | well-known, vetted, pure-Go implementations rather than Go bindings to a C implementation. 32 | 33 | After updating the specification, update the 34 | [`PublicKeyDetails`](https://github.com/sigstore/protobuf-specs/blob/c30eb14cece57d88c08579197ecfdb57a5f1aba5/protos/sigstore_common.proto#L63) 35 | to include the new signing algorithm identifier. If the algorithm also uses a new hashing algorithm, update 36 | [`HashAlgorithm`](https://github.com/sigstore/protobuf-specs/blob/c30eb14cece57d88c08579197ecfdb57a5f1aba5/protos/sigstore_common.proto#L37). 37 | 38 | ## Service Builder 39 | 40 | This project publishes a container to [`ghcr.io/sigstore/protobuf-specs-service-builder`](https://github.com/sigstore/protobuf-specs/pkgs/container/protobuf-specs-service-builder) 41 | which contains all the necessary protoc tools, .proto files and .proto dependencies to generate service 42 | definitions for Sigstore services (such as Rekor and Fulcio). Release images are pushed together with a build-provenance attestation, which should be verified before the image is used. This container is not meant to be used by anyone 43 | else and no requests or support will be provided. 44 | 45 | ## Deprecation Notice 46 | 47 | - Effective July 17th, 2025: the jsonschema generated files in gen/jsonschema/schemas/ were removed from this repository.
48 | -------------------------------------------------------------------------------- /gen/pb-typescript/src/__generated__/rekor/v2/hashedrekord.ts: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-ts_proto. DO NOT EDIT. 2 | // versions: 3 | // protoc-gen-ts_proto v2.8.3 4 | // protoc v6.33.1 5 | // source: rekor/v2/hashedrekord.proto 6 | 7 | /* eslint-disable */ 8 | import { HashOutput } from "../../sigstore_common"; 9 | import { Signature } from "./verifier"; 10 | 11 | /** A request to add a hashedrekord v0.0.2 to the log */ 12 | export interface HashedRekordRequestV002 { 13 | /** The hashed data */ 14 | digest: Buffer; 15 | /** A single signature over the hashed data with the verifier needed to validate it */ 16 | signature: Signature | undefined; 17 | } 18 | 19 | export interface HashedRekordLogEntryV002 { 20 | /** The hashed data */ 21 | data: 22 | | HashOutput 23 | | undefined; 24 | /** A single signature over the hashed data with the verifier needed to validate it */ 25 | signature: Signature | undefined; 26 | } 27 | 28 | export const HashedRekordRequestV002: MessageFns = { 29 | fromJSON(object: any): HashedRekordRequestV002 { 30 | return { 31 | digest: isSet(object.digest) ? Buffer.from(bytesFromBase64(object.digest)) : Buffer.alloc(0), 32 | signature: isSet(object.signature) ? Signature.fromJSON(object.signature) : undefined, 33 | }; 34 | }, 35 | 36 | toJSON(message: HashedRekordRequestV002): unknown { 37 | const obj: any = {}; 38 | if (message.digest.length !== 0) { 39 | obj.digest = base64FromBytes(message.digest); 40 | } 41 | if (message.signature !== undefined) { 42 | obj.signature = Signature.toJSON(message.signature); 43 | } 44 | return obj; 45 | }, 46 | }; 47 | 48 | export const HashedRekordLogEntryV002: MessageFns = { 49 | fromJSON(object: any): HashedRekordLogEntryV002 { 50 | return { 51 | data: isSet(object.data) ? 
HashOutput.fromJSON(object.data) : undefined, 52 | signature: isSet(object.signature) ? Signature.fromJSON(object.signature) : undefined, 53 | }; 54 | }, 55 | 56 | toJSON(message: HashedRekordLogEntryV002): unknown { 57 | const obj: any = {}; 58 | if (message.data !== undefined) { 59 | obj.data = HashOutput.toJSON(message.data); 60 | } 61 | if (message.signature !== undefined) { 62 | obj.signature = Signature.toJSON(message.signature); 63 | } 64 | return obj; 65 | }, 66 | }; 67 | 68 | function bytesFromBase64(b64: string): Uint8Array { 69 | return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); 70 | } 71 | 72 | function base64FromBytes(arr: Uint8Array): string { 73 | return globalThis.Buffer.from(arr).toString("base64"); 74 | } 75 | 76 | function isSet(value: any): boolean { 77 | return value !== null && value !== undefined; 78 | } 79 | 80 | interface MessageFns { 81 | fromJSON(object: any): T; 82 | toJSON(message: T): unknown; 83 | } 84 | -------------------------------------------------------------------------------- /protoc-builder/hack/go/go.sum: -------------------------------------------------------------------------------- 1 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 2 | github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= 3 | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= 4 | github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo= 5 | github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI= 6 | github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 7 | github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 8 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 9 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 10 | github.com/rogpeppe/go-internal 
v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= 11 | github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= 12 | golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8= 13 | golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= 14 | golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= 15 | golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 16 | golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= 17 | golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= 18 | google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950= 19 | google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg= 20 | google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4= 21 | google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I= 22 | google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ= 23 | google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw= 24 | google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 h1:F29+wU6Ee6qgu9TddPgooOdaqsxTMunOoj8KA5yuS5A= 25 | google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1/go.mod h1:5KF+wpkbTSbGcR9zteSqZV6fqFOWBl4Yde8En8MryZA= 26 | google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= 27 | google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= 28 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 29 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 30 | gopkg.in/check.v1 
v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 31 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 32 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 33 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/dev/sigstore/events/v1/__init__.py: -------------------------------------------------------------------------------- 1 | # Generated by the protocol buffer compiler. DO NOT EDIT! 2 | # sources: events.proto 3 | # plugin: python-betterproto 4 | # This file has been @generated 5 | 6 | from typing import TYPE_CHECKING 7 | 8 | 9 | if TYPE_CHECKING: 10 | from dataclasses import dataclass 11 | else: 12 | from pydantic.dataclasses import dataclass 13 | 14 | from datetime import datetime 15 | from typing import ( 16 | Dict, 17 | List, 18 | Optional, 19 | ) 20 | 21 | import betterproto 22 | import betterproto.lib.pydantic.google.protobuf as betterproto_lib_pydantic_google_protobuf 23 | from pydantic import model_validator 24 | from pydantic.dataclasses import rebuild_dataclass 25 | 26 | 27 | @dataclass(eq=False, repr=False) 28 | class CloudEvent(betterproto.Message): 29 | id: str = betterproto.string_field(1) 30 | """Required Attributes""" 31 | 32 | source: str = betterproto.string_field(2) 33 | spec_version: str = betterproto.string_field(3) 34 | type: str = betterproto.string_field(4) 35 | attributes: Dict[str, "CloudEventCloudEventAttributeValue"] = betterproto.map_field( 36 | 5, betterproto.TYPE_STRING, betterproto.TYPE_MESSAGE 37 | ) 38 | """Optional & Extension Attributes""" 39 | 40 | binary_data: Optional[bytes] = betterproto.bytes_field( 41 | 6, optional=True, group="data" 42 | ) 43 | text_data: Optional[str] = betterproto.string_field(7, optional=True, group="data") 44 | proto_data: Optional["betterproto_lib_pydantic_google_protobuf.Any"] = ( 45 | betterproto.message_field(8, optional=True, 
group="data") 46 | ) 47 | 48 | @model_validator(mode="after") 49 | def check_oneof(cls, values): 50 | return cls._validate_field_groups(values) 51 | 52 | 53 | @dataclass(eq=False, repr=False) 54 | class CloudEventCloudEventAttributeValue(betterproto.Message): 55 | ce_boolean: Optional[bool] = betterproto.bool_field(1, optional=True, group="attr") 56 | ce_integer: Optional[int] = betterproto.int32_field(2, optional=True, group="attr") 57 | ce_string: Optional[str] = betterproto.string_field(3, optional=True, group="attr") 58 | ce_bytes: Optional[bytes] = betterproto.bytes_field(4, optional=True, group="attr") 59 | ce_uri: Optional[str] = betterproto.string_field(5, optional=True, group="attr") 60 | ce_uri_ref: Optional[str] = betterproto.string_field(6, optional=True, group="attr") 61 | ce_timestamp: Optional[datetime] = betterproto.message_field( 62 | 7, optional=True, group="attr" 63 | ) 64 | 65 | @model_validator(mode="after") 66 | def check_oneof(cls, values): 67 | return cls._validate_field_groups(values) 68 | 69 | 70 | @dataclass(eq=False, repr=False) 71 | class CloudEventBatch(betterproto.Message): 72 | events: List["CloudEvent"] = betterproto.message_field(1) 73 | 74 | 75 | rebuild_dataclass(CloudEvent) # type: ignore 76 | rebuild_dataclass(CloudEventCloudEventAttributeValue) # type: ignore 77 | rebuild_dataclass(CloudEventBatch) # type: ignore 78 | -------------------------------------------------------------------------------- /.github/workflows/java-release.yml: -------------------------------------------------------------------------------- 1 | name: Build Java Release 2 | on: 3 | push: 4 | tags: 5 | # if you change this pattern, make sure jobs.strip-tag still works 6 | - 'release/java/v[0-9]+.[0-9]+.[0-9]+' 7 | 8 | permissions: {} 9 | 10 | jobs: 11 | ci: 12 | permissions: 13 | contents: read 14 | uses: ./.github/workflows/java-build.yml 15 | 16 | strip-tag: 17 | name: Compute version from tag 18 | runs-on: ubuntu-latest 19 | outputs: 20 | version: ${{ 
steps.version.outputs.version }} 21 | steps: 22 | - name: process tag 23 | id: version 24 | env: 25 | TAG: ${{ github.ref_name }} 26 | run: | 27 | echo "version=${TAG#"release/java/v"}" >> $GITHUB_OUTPUT 28 | 29 | build: 30 | name: Build, Sign, and Release Java artifacts 31 | runs-on: ubuntu-latest 32 | needs: [ci, strip-tag] 33 | permissions: 34 | contents: read # to checkout code 35 | id-token: write # to sign with sigstore 36 | steps: 37 | - name: checkout tag 38 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 39 | with: 40 | persist-credentials: false 41 | 42 | - name: Set up JDK 25 43 | uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0 44 | with: 45 | java-version: 25 46 | distribution: 'temurin' 47 | 48 | - name: Authenticate to Google Cloud 49 | uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 50 | with: 51 | workload_identity_provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider 52 | service_account: protobuf-specs-releaser@sigstore-secrets.iam.gserviceaccount.com 53 | 54 | - uses: google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262 # v3.0.0 55 | id: secrets 56 | with: 57 | secrets: |- 58 | signing_key:sigstore-secrets/sigstore-java-pgp-priv-key 59 | signing_password:sigstore-secrets/sigstore-java-pgp-priv-key-password 60 | sonatype_username:sigstore-secrets/sigstore-sonatype-central-portal-username 61 | sonatype_password:sigstore-secrets/sigstore-sonatype-central-portal-password 62 | 63 | - name: Build, Sign and Push to Maven Central 64 | # TODO: someone still needs to close and release this, but that can be automated next 65 | working-directory: ./java 66 | env: 67 | VERSION: ${{ needs.strip-tag.outputs.version }} 68 | ORG_GRADLE_PROJECT_signingKey: ${{ steps.secrets.outputs.signing_key }} 69 | ORG_GRADLE_PROJECT_signingPassword: ${{ 
steps.secrets.outputs.signing_password }} 70 | CENTRAL_PORTAL_USERNAME: ${{ steps.secrets.outputs.sonatype_username }} 71 | CENTRAL_PORTAL_PASSWORD: ${{ steps.secrets.outputs.sonatype_password }} 72 | run: | 73 | ./gradlew clean :publishAggregationToCentralPortal -Pversion=${VERSION} -Prelease 74 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2023 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | version: 2 17 | updates: 18 | - package-ecosystem: "gomod" 19 | directory: "/" 20 | schedule: 21 | interval: "weekly" 22 | cooldown: 23 | default-days: 14 24 | groups: 25 | go-deps: 26 | patterns: 27 | - "*" 28 | - package-ecosystem: "github-actions" 29 | directory: "/" 30 | schedule: 31 | interval: "weekly" 32 | groups: 33 | actions-deps: 34 | patterns: 35 | - "*" 36 | - package-ecosystem: "gradle" 37 | directory: "/java" 38 | schedule: 39 | interval: "monthly" 40 | cooldown: 41 | default-days: 14 42 | groups: 43 | protobuf: 44 | patterns: 45 | - "*protobuf*" 46 | java-deps: 47 | patterns: 48 | - "*" 49 | exclude-patterns: 50 | - "*protobuf*" 51 | - package-ecosystem: "docker" 52 | directory: "/protoc-builder" 53 | schedule: 54 | interval: "monthly" 55 | groups: 56 | docker-refs: 57 | patterns: 58 | - "*" 59 | - package-ecosystem: "gomod" 60 | directory: "/protoc-builder/hack/go" 61 | schedule: 62 | interval: "monthly" 63 | cooldown: 64 | default-days: 14 65 | groups: 66 | go-deps: 67 | patterns: 68 | - "*" 69 | - package-ecosystem: "pip" 70 | directory: "/protoc-builder/hack" 71 | schedule: 72 | interval: "monthly" 73 | cooldown: 74 | default-days: 14 75 | groups: 76 | python-deps: 77 | patterns: 78 | - "*" 79 | - package-ecosystem: "cargo" 80 | directory: "/gen/pb-rust" 81 | schedule: 82 | interval: "monthly" 83 | cooldown: 84 | default-days: 14 85 | groups: 86 | rust-deps: 87 | patterns: 88 | - "*" 89 | - package-ecosystem: "npm" 90 | directory: "/protoc-builder/hack" 91 | schedule: 92 | interval: "monthly" 93 | cooldown: 94 | default-days: 14 95 | groups: 96 | js-deps: 97 | patterns: 98 | - "*" 99 | # this monitors Homebrew builds of protobuf compiler to monitor protobuf releases; 100 | # but still downloads the release asset from GitHub (since it is statically linked) 101 | # the "protobuf" label triggers a workflow to update versions.mk 102 | - package-ecosystem: "docker" 103 | directory: "/protoc-builder/hack" 104 | schedule: 105 | interval: 
"monthly" 106 | labels: 107 | - "dependencies" 108 | - "protobuf" 109 | -------------------------------------------------------------------------------- /java/gradlew.bat: -------------------------------------------------------------------------------- 1 | @rem 2 | @rem Copyright 2015 the original author or authors. 3 | @rem 4 | @rem Licensed under the Apache License, Version 2.0 (the "License"); 5 | @rem you may not use this file except in compliance with the License. 6 | @rem You may obtain a copy of the License at 7 | @rem 8 | @rem https://www.apache.org/licenses/LICENSE-2.0 9 | @rem 10 | @rem Unless required by applicable law or agreed to in writing, software 11 | @rem distributed under the License is distributed on an "AS IS" BASIS, 12 | @rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | @rem See the License for the specific language governing permissions and 14 | @rem limitations under the License. 15 | @rem 16 | @rem SPDX-License-Identifier: Apache-2.0 17 | @rem 18 | 19 | @if "%DEBUG%"=="" @echo off 20 | @rem ########################################################################## 21 | @rem 22 | @rem Gradle startup script for Windows 23 | @rem 24 | @rem ########################################################################## 25 | 26 | @rem Set local scope for the variables with windows NT shell 27 | if "%OS%"=="Windows_NT" setlocal 28 | 29 | set DIRNAME=%~dp0 30 | if "%DIRNAME%"=="" set DIRNAME=. 31 | @rem This is normally unused 32 | set APP_BASE_NAME=%~n0 33 | set APP_HOME=%DIRNAME% 34 | 35 | @rem Resolve any "." and ".." in APP_HOME to make it shorter. 36 | for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi 37 | 38 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 
39 | set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" 40 | 41 | @rem Find java.exe 42 | if defined JAVA_HOME goto findJavaFromJavaHome 43 | 44 | set JAVA_EXE=java.exe 45 | %JAVA_EXE% -version >NUL 2>&1 46 | if %ERRORLEVEL% equ 0 goto execute 47 | 48 | echo. 1>&2 49 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 50 | echo. 1>&2 51 | echo Please set the JAVA_HOME variable in your environment to match the 1>&2 52 | echo location of your Java installation. 1>&2 53 | 54 | goto fail 55 | 56 | :findJavaFromJavaHome 57 | set JAVA_HOME=%JAVA_HOME:"=% 58 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 59 | 60 | if exist "%JAVA_EXE%" goto execute 61 | 62 | echo. 1>&2 63 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 64 | echo. 1>&2 65 | echo Please set the JAVA_HOME variable in your environment to match the 1>&2 66 | echo location of your Java installation. 1>&2 67 | 68 | goto fail 69 | 70 | :execute 71 | @rem Setup the command line 72 | 73 | 74 | 75 | @rem Execute Gradle 76 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %* 77 | 78 | :end 79 | @rem End local scope for the variables with windows NT shell 80 | if %ERRORLEVEL% equ 0 goto mainEnd 81 | 82 | :fail 83 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 84 | rem the _cmd.exe /c_ return code! 
85 | set EXIT_CODE=%ERRORLEVEL% 86 | if %EXIT_CODE% equ 0 set EXIT_CODE=1 87 | if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% 88 | exit /b %EXIT_CODE% 89 | 90 | :mainEnd 91 | if "%OS%"=="Windows_NT" endlocal 92 | 93 | :omega 94 | -------------------------------------------------------------------------------- /gen/pb-typescript/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "@sigstore/protobuf-specs", 3 | "version": "0.5.0", 4 | "lockfileVersion": 2, 5 | "requires": true, 6 | "packages": { 7 | "": { 8 | "name": "@sigstore/protobuf-specs", 9 | "version": "0.5.0", 10 | "license": "Apache-2.0", 11 | "devDependencies": { 12 | "@tsconfig/node18": "^18.2.4", 13 | "@types/node": "^18.14.0", 14 | "typescript": "^5.7.2" 15 | }, 16 | "engines": { 17 | "node": "^18.17.0 || >=20.5.0" 18 | } 19 | }, 20 | "node_modules/@tsconfig/node18": { 21 | "version": "18.2.4", 22 | "resolved": "https://registry.npmjs.org/@tsconfig/node18/-/node18-18.2.4.tgz", 23 | "integrity": "sha512-5xxU8vVs9/FNcvm3gE07fPbn9tl6tqGGWA9tSlwsUEkBxtRnTsNmwrV8gasZ9F/EobaSv9+nu8AxUKccw77JpQ==", 24 | "dev": true 25 | }, 26 | "node_modules/@types/node": { 27 | "version": "18.19.70", 28 | "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.70.tgz", 29 | "integrity": "sha512-RE+K0+KZoEpDUbGGctnGdkrLFwi1eYKTlIHNl2Um98mUkGsm1u2Ff6Ltd0e8DktTtC98uy7rSj+hO8t/QuLoVQ==", 30 | "dev": true, 31 | "dependencies": { 32 | "undici-types": "~5.26.4" 33 | } 34 | }, 35 | "node_modules/typescript": { 36 | "version": "5.7.3", 37 | "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.7.3.tgz", 38 | "integrity": "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw==", 39 | "dev": true, 40 | "bin": { 41 | "tsc": "bin/tsc", 42 | "tsserver": "bin/tsserver" 43 | }, 44 | "engines": { 45 | "node": ">=14.17" 46 | } 47 | }, 48 | "node_modules/undici-types": { 49 | "version": "5.26.5", 50 | "resolved": 
"https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", 51 | "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", 52 | "dev": true 53 | } 54 | }, 55 | "dependencies": { 56 | "@tsconfig/node18": { 57 | "version": "18.2.4", 58 | "resolved": "https://registry.npmjs.org/@tsconfig/node18/-/node18-18.2.4.tgz", 59 | "integrity": "sha512-5xxU8vVs9/FNcvm3gE07fPbn9tl6tqGGWA9tSlwsUEkBxtRnTsNmwrV8gasZ9F/EobaSv9+nu8AxUKccw77JpQ==", 60 | "dev": true 61 | }, 62 | "@types/node": { 63 | "version": "18.19.70", 64 | "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.70.tgz", 65 | "integrity": "sha512-RE+K0+KZoEpDUbGGctnGdkrLFwi1eYKTlIHNl2Um98mUkGsm1u2Ff6Ltd0e8DktTtC98uy7rSj+hO8t/QuLoVQ==", 66 | "dev": true, 67 | "requires": { 68 | "undici-types": "~5.26.4" 69 | } 70 | }, 71 | "typescript": { 72 | "version": "5.7.3", 73 | "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.7.3.tgz", 74 | "integrity": "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw==", 75 | "dev": true 76 | }, 77 | "undici-types": { 78 | "version": "5.26.5", 79 | "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", 80 | "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", 81 | "dev": true 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | nationality, personal 
appearance, race, religion, or sexual identity and 10 | orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. 
Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at . All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at [http://contributor-covenant.org/version/1/4][version] 72 | 73 | [homepage]: http://contributor-covenant.org 74 | [version]: http://contributor-covenant.org/version/1/4/ -------------------------------------------------------------------------------- /gen/pb-typescript/src/__generated__/envelope.ts: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-ts_proto. DO NOT EDIT. 2 | // versions: 3 | // protoc-gen-ts_proto v2.8.3 4 | // protoc v6.33.1 5 | // source: envelope.proto 6 | 7 | /* eslint-disable */ 8 | 9 | /** An authenticated message of arbitrary type. */ 10 | export interface Envelope { 11 | /** 12 | * Message to be signed. (In JSON, this is encoded as base64.) 13 | * REQUIRED. 
14 | */ 15 | payload: Buffer; 16 | /** 17 | * String unambiguously identifying how to interpret payload. 18 | * REQUIRED. 19 | */ 20 | payloadType: string; 21 | /** 22 | * Signature over: 23 | * PAE(type, payload) 24 | * Where PAE is defined as: 25 | * PAE(type, payload) = "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload 26 | * + = concatenation 27 | * SP = ASCII space [0x20] 28 | * "DSSEv1" = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31] 29 | * LEN(s) = ASCII decimal encoding of the byte length of s, with no leading zeros 30 | * REQUIRED (length >= 1). 31 | */ 32 | signatures: Signature[]; 33 | } 34 | 35 | export interface Signature { 36 | /** 37 | * Signature itself. (In JSON, this is encoded as base64.) 38 | * REQUIRED. 39 | */ 40 | sig: Buffer; 41 | /** 42 | * Unauthenticated* hint identifying which public key was used. 43 | * OPTIONAL. 44 | */ 45 | keyid: string; 46 | } 47 | 48 | export const Envelope: MessageFns = { 49 | fromJSON(object: any): Envelope { 50 | return { 51 | payload: isSet(object.payload) ? Buffer.from(bytesFromBase64(object.payload)) : Buffer.alloc(0), 52 | payloadType: isSet(object.payloadType) ? globalThis.String(object.payloadType) : "", 53 | signatures: globalThis.Array.isArray(object?.signatures) 54 | ? object.signatures.map((e: any) => Signature.fromJSON(e)) 55 | : [], 56 | }; 57 | }, 58 | 59 | toJSON(message: Envelope): unknown { 60 | const obj: any = {}; 61 | if (message.payload.length !== 0) { 62 | obj.payload = base64FromBytes(message.payload); 63 | } 64 | if (message.payloadType !== "") { 65 | obj.payloadType = message.payloadType; 66 | } 67 | if (message.signatures?.length) { 68 | obj.signatures = message.signatures.map((e) => Signature.toJSON(e)); 69 | } 70 | return obj; 71 | }, 72 | }; 73 | 74 | export const Signature: MessageFns = { 75 | fromJSON(object: any): Signature { 76 | return { 77 | sig: isSet(object.sig) ? Buffer.from(bytesFromBase64(object.sig)) : Buffer.alloc(0), 78 | keyid: isSet(object.keyid) ? 
globalThis.String(object.keyid) : "", 79 | }; 80 | }, 81 | 82 | toJSON(message: Signature): unknown { 83 | const obj: any = {}; 84 | if (message.sig.length !== 0) { 85 | obj.sig = base64FromBytes(message.sig); 86 | } 87 | if (message.keyid !== "") { 88 | obj.keyid = message.keyid; 89 | } 90 | return obj; 91 | }, 92 | }; 93 | 94 | function bytesFromBase64(b64: string): Uint8Array { 95 | return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); 96 | } 97 | 98 | function base64FromBytes(arr: Uint8Array): string { 99 | return globalThis.Buffer.from(arr).toString("base64"); 100 | } 101 | 102 | function isSet(value: any): boolean { 103 | return value !== null && value !== undefined; 104 | } 105 | 106 | interface MessageFns { 107 | fromJSON(object: any): T; 108 | toJSON(message: T): unknown; 109 | } 110 | -------------------------------------------------------------------------------- /.github/workflows/googleapis-update.yml: -------------------------------------------------------------------------------- 1 | name: Update Google APIs Commit Hash 2 | 3 | on: 4 | schedule: 5 | - cron: '0 0 1 * *' 6 | workflow_dispatch: 7 | 8 | permissions: {} 9 | 10 | jobs: 11 | update_protobuf_version: 12 | name: Update protobuf includes to latest commit 13 | runs-on: ubuntu-latest 14 | permissions: 15 | contents: write # required for pushing commits to a branch 16 | pull-requests: write # required for creating a new PR 17 | 18 | steps: 19 | - name: Checkout code 20 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 21 | with: 22 | fetch-depth: 0 23 | persist-credentials: true # zizmor: ignore[artipacked] 24 | 25 | - name: Extract latest commit hash from googleapis/googleapis and create PR 26 | env: 27 | RUN_ID: ${{ github.run_id }} 28 | GH_TOKEN: ${{ secrets.GOOGLEAPIS_SIGSTOREBOT_TOKEN }} 29 | run: | 30 | (cd /tmp && git clone --depth=1 https://github.com/googleapis/googleapis) 31 | export LATEST_COMMIT_HASH=$(cd /tmp/googleapis && git log -n 1 --format=%H) 
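sed -i "s/^\(DEFAULT_GOOGLEAPIS_COMMIT\s*=\s*\).*/\1${LATEST_COMMIT_HASH}/" protoc-builder/versions.mk

# NOTE(review): GH_TOKEN (the bot PAT in this step's env) is visible to
# everything `make all` runs -- the code generators over a freshly cloned,
# unpinned upstream HEAD -- not only to the `gh` call below. Moving the build
# into its own credential-free step (as the grpc-gateway job below does) limits
# the PAT to the commit/PR commands that actually need it.
make all

git config user.name "Sigstore Bot"
git config user.email "86837369+sigstore-bot@users.noreply.github.com"
git config --global --type bool push.autoSetupRemote true
git add -A
git checkout -b googleapis-${RUN_ID}
git commit -sam "Update GOOGLEAPIS_COMMIT in versions.mk"
git push
gh pr create --title "build(deps): bump github.com/googleapis/googleapis to latest commit in protoc-builder/versions.mk" \
  --body "This pull request updates the DEFAULT_GOOGLEAPIS_COMMIT variable in protoc-builder/versions.mk with the latest commit hash from the googleapis/googleapis repository." \
  --base main \
  --head googleapis-${RUN_ID}

  update_grpc_gateway_version:
    runs-on: ubuntu-latest
    name: Update gRPC Gateway OpenAPI v2 includes to latest commit
    permissions:
      contents: write # required for pushing commits to a branch
      pull-requests: write # required for creating a new PR

    steps:
      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          # The `git push` in the last step presumably authenticates with the
          # persisted GITHUB_TOKEN; that is why the artipacked finding is accepted.
          persist-credentials: true # zizmor: ignore[artipacked]

      - name: Update grpc-gateway pin and regenerate
        # Deliberately no credentials in this step: it clones an unpinned
        # upstream HEAD and runs the full code generation, so nothing secret
        # should be reachable from its environment.
        run: |
          (cd /tmp && git clone --depth=1 https://github.com/grpc-ecosystem/grpc-gateway)
          export LATEST_COMMIT_HASH=$(cd /tmp/grpc-gateway && git log -n 1 --format=%H)
          sed -i "s/^\(DEFAULT_GRPC_GATEWAY_COMMIT\s*=\s*\).*/\1${LATEST_COMMIT_HASH}/" protoc-builder/versions.mk

          make all

      - name: Commit and create PR
        env:
          RUN_ID: ${{ github.run_id }}
          # Bot PAT is only needed by `gh pr create` (presumably so the resulting
          # PR triggers CI, which a GITHUB_TOKEN-authored PR would not); it is
          # scoped to this step, which runs only git/gh commands.
          GH_TOKEN: ${{ secrets.GOOGLEAPIS_SIGSTOREBOT_TOKEN }}
        run: |
          git config user.name "Sigstore Bot"
          git config user.email "86837369+sigstore-bot@users.noreply.github.com"
          git config --global --type bool push.autoSetupRemote true
          git add 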
-A 77 | git checkout -b grpc-gateway-${RUN_ID} 78 | git commit -sam "Update GRPC_GATEWAY_COMMIT in versions.mk" 79 | git push 80 | gh pr create --title "build(deps): bump github.com/grpc-ecosystem/grpc-gateway to latest commit in protoc-builder/versions.mk" \ 81 | --body "This pull request updates the DEFAULT_GRPC_GATEWAY_COMMIT variable in protoc-builder/versions.mk with the latest commit hash from the grpc-ecosystem/grpc-gateway repository." \ 82 | --base main \ 83 | --head grpc-gateway-${RUN_ID} 84 | -------------------------------------------------------------------------------- /gen/pb-python/sigstore_protobuf_specs/google/api/__init__.py: -------------------------------------------------------------------------------- 1 | # Generated by the protocol buffer compiler. DO NOT EDIT! 2 | # sources: google/api/field_behavior.proto 3 | # plugin: python-betterproto 4 | # This file has been @generated 5 | 6 | from typing import TYPE_CHECKING 7 | 8 | 9 | if TYPE_CHECKING: 10 | from dataclasses import dataclass 11 | else: 12 | from pydantic.dataclasses import dataclass 13 | 14 | import betterproto 15 | from pydantic.dataclasses import rebuild_dataclass 16 | 17 | 18 | class FieldBehavior(betterproto.Enum): 19 | """ 20 | An indicator of the behavior of a given field (for example, that a field 21 | is required in requests, or given as output but ignored as input). 22 | This **does not** change the behavior in protocol buffers itself; it only 23 | denotes the behavior and may affect how API tooling handles the field. 24 | 25 | Note: This enum **may** receive new values in the future. 26 | """ 27 | 28 | UNSPECIFIED = 0 29 | """Conventional default for enums. Do not use this.""" 30 | 31 | OPTIONAL = 1 32 | """ 33 | Specifically denotes a field as optional. 34 | While all fields in protocol buffers are optional, this may be specified 35 | for emphasis if appropriate. 36 | """ 37 | 38 | REQUIRED = 2 39 | """ 40 | Denotes a field as required. 
41 | This indicates that the field **must** be provided as part of the request, 42 | and failure to do so will cause an error (usually `INVALID_ARGUMENT`). 43 | """ 44 | 45 | OUTPUT_ONLY = 3 46 | """ 47 | Denotes a field as output only. 48 | This indicates that the field is provided in responses, but including the 49 | field in a request does nothing (the server *must* ignore it and 50 | *must not* throw an error as a result of the field's presence). 51 | """ 52 | 53 | INPUT_ONLY = 4 54 | """ 55 | Denotes a field as input only. 56 | This indicates that the field is provided in requests, and the 57 | corresponding field is not included in output. 58 | """ 59 | 60 | IMMUTABLE = 5 61 | """ 62 | Denotes a field as immutable. 63 | This indicates that the field may be set once in a request to create a 64 | resource, but may not be changed thereafter. 65 | """ 66 | 67 | UNORDERED_LIST = 6 68 | """ 69 | Denotes that a (repeated) field is an unordered list. 70 | This indicates that the service may provide the elements of the list 71 | in any arbitrary order, rather than the order the user originally 72 | provided. Additionally, the list's order may or may not be stable. 73 | """ 74 | 75 | NON_EMPTY_DEFAULT = 7 76 | """ 77 | Denotes that this field returns a non-empty default value if not set. 78 | This indicates that if the user provides the empty value in a request, 79 | a non-empty value will be returned. The user will not be aware of what 80 | non-empty value to expect. 81 | """ 82 | 83 | IDENTIFIER = 8 84 | """ 85 | Denotes that the field in a resource (a message annotated with 86 | google.api.resource) is used in the resource name to uniquely identify the 87 | resource. For AIP-compliant APIs, this should only be applied to the 88 | `name` field on the resource. 89 | 90 | This behavior should not be applied to references to other resources within 91 | the message. 
92 | 93 | The identifier field of resources often have different field behavior 94 | depending on the request it is embedded in (e.g. for Create methods name 95 | is optional and unused, while for Update methods it is required). Instead 96 | of method-specific annotations, only `IDENTIFIER` is required. 97 | """ 98 | 99 | @classmethod 100 | def __get_pydantic_core_schema__(cls, _source_type, _handler): 101 | from pydantic_core import core_schema 102 | 103 | return core_schema.int_schema(ge=0) 104 | -------------------------------------------------------------------------------- /gen/pb-typescript/src/__generated__/rekor/v2/verifier.ts: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-ts_proto. DO NOT EDIT. 2 | // versions: 3 | // protoc-gen-ts_proto v2.8.3 4 | // protoc v6.33.1 5 | // source: rekor/v2/verifier.proto 6 | 7 | /* eslint-disable */ 8 | import { 9 | PublicKeyDetails, 10 | publicKeyDetailsFromJSON, 11 | publicKeyDetailsToJSON, 12 | X509Certificate, 13 | } from "../../sigstore_common"; 14 | 15 | /** PublicKey contains an encoded public key */ 16 | export interface PublicKey { 17 | /** DER-encoded public key */ 18 | rawBytes: Buffer; 19 | } 20 | 21 | /** Either a public key or a X.509 cerificiate with an embedded public key */ 22 | export interface Verifier { 23 | verifier?: 24 | | // 25 | /** DER-encoded public key. 
Encoding method is specified by the key_details attribute */ 26 | { $case: "publicKey"; publicKey: PublicKey } 27 | | // 28 | /** DER-encoded certificate */ 29 | { $case: "x509Certificate"; x509Certificate: X509Certificate } 30 | | undefined; 31 | /** Key encoding and signature algorithm to use for this key */ 32 | keyDetails: PublicKeyDetails; 33 | } 34 | 35 | /** A signature and an associated verifier */ 36 | export interface Signature { 37 | content: Buffer; 38 | verifier: Verifier | undefined; 39 | } 40 | 41 | export const PublicKey: MessageFns = { 42 | fromJSON(object: any): PublicKey { 43 | return { rawBytes: isSet(object.rawBytes) ? Buffer.from(bytesFromBase64(object.rawBytes)) : Buffer.alloc(0) }; 44 | }, 45 | 46 | toJSON(message: PublicKey): unknown { 47 | const obj: any = {}; 48 | if (message.rawBytes.length !== 0) { 49 | obj.rawBytes = base64FromBytes(message.rawBytes); 50 | } 51 | return obj; 52 | }, 53 | }; 54 | 55 | export const Verifier: MessageFns = { 56 | fromJSON(object: any): Verifier { 57 | return { 58 | verifier: isSet(object.publicKey) 59 | ? { $case: "publicKey", publicKey: PublicKey.fromJSON(object.publicKey) } 60 | : isSet(object.x509Certificate) 61 | ? { $case: "x509Certificate", x509Certificate: X509Certificate.fromJSON(object.x509Certificate) } 62 | : undefined, 63 | keyDetails: isSet(object.keyDetails) ? 
publicKeyDetailsFromJSON(object.keyDetails) : 0, 64 | }; 65 | }, 66 | 67 | toJSON(message: Verifier): unknown { 68 | const obj: any = {}; 69 | if (message.verifier?.$case === "publicKey") { 70 | obj.publicKey = PublicKey.toJSON(message.verifier.publicKey); 71 | } else if (message.verifier?.$case === "x509Certificate") { 72 | obj.x509Certificate = X509Certificate.toJSON(message.verifier.x509Certificate); 73 | } 74 | if (message.keyDetails !== 0) { 75 | obj.keyDetails = publicKeyDetailsToJSON(message.keyDetails); 76 | } 77 | return obj; 78 | }, 79 | }; 80 | 81 | export const Signature: MessageFns = { 82 | fromJSON(object: any): Signature { 83 | return { 84 | content: isSet(object.content) ? Buffer.from(bytesFromBase64(object.content)) : Buffer.alloc(0), 85 | verifier: isSet(object.verifier) ? Verifier.fromJSON(object.verifier) : undefined, 86 | }; 87 | }, 88 | 89 | toJSON(message: Signature): unknown { 90 | const obj: any = {}; 91 | if (message.content.length !== 0) { 92 | obj.content = base64FromBytes(message.content); 93 | } 94 | if (message.verifier !== undefined) { 95 | obj.verifier = Verifier.toJSON(message.verifier); 96 | } 97 | return obj; 98 | }, 99 | }; 100 | 101 | function bytesFromBase64(b64: string): Uint8Array { 102 | return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); 103 | } 104 | 105 | function base64FromBytes(arr: Uint8Array): string { 106 | return globalThis.Buffer.from(arr).toString("base64"); 107 | } 108 | 109 | function isSet(value: any): boolean { 110 | return value !== null && value !== undefined; 111 | } 112 | 113 | interface MessageFns { 114 | fromJSON(object: any): T; 115 | toJSON(message: T): unknown; 116 | } 117 | -------------------------------------------------------------------------------- /java/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | `java-library` 3 | `maven-publish` 4 | id("dev.sigstore.sign") version "2.0.0" 5 | id("com.diffplug.spotless") 
version "8.1.0" 6 | id("com.gradleup.nmcp") version "1.3.0" 7 | id("com.gradleup.nmcp.aggregation") version "1.3.0" 8 | `signing` 9 | } 10 | 11 | description = "Sigstore protobuf spec protos bundled into a jar" 12 | 13 | repositories { 14 | mavenCentral() 15 | } 16 | 17 | sourceSets { 18 | main { 19 | resources { 20 | srcDirs("../protos", "../service-protos") 21 | include("**/*.proto") 22 | } 23 | } 24 | } 25 | 26 | // gradle reproducible jar builds 27 | tasks.withType().configureEach { 28 | isPreserveFileTimestamps = false 29 | isReproducibleFileOrder = true 30 | } 31 | 32 | java { 33 | withJavadocJar() 34 | withSourcesJar() 35 | } 36 | 37 | spotless { 38 | kotlinGradle { 39 | target("*.gradle.kts") // default target for kotlinGradle 40 | ktlint() 41 | } 42 | format("misc") { 43 | target("*.md", ".gitignore", "**/*.yaml") 44 | 45 | trimTrailingWhitespace() 46 | leadingTabsToSpaces() 47 | endWithNewline() 48 | } 49 | // we have no non-generated java code 50 | } 51 | 52 | val repoUrl = "https://github.com/sigstore/protobuf-specs" 53 | 54 | publishing { 55 | publications { 56 | create("proto") { 57 | 58 | artifactId = project.name 59 | from(components["java"]) 60 | 61 | pom { 62 | name.set( 63 | (project.findProperty("artifact.name") as? 
String) 64 | ?: project.name, 65 | ) 66 | description.set( 67 | project.provider { project.description }, 68 | ) 69 | inceptionYear.set("2022") 70 | url.set(repoUrl) 71 | organization { 72 | name.set("Sigstore") 73 | url.set("https://sigstore.dev") 74 | } 75 | developers { 76 | developer { 77 | organization.set("Sigstore authors") 78 | organizationUrl.set("https://sigstore.dev") 79 | } 80 | } 81 | issueManagement { 82 | system.set("GitHub Issues") 83 | url.set("$repoUrl/issues") 84 | } 85 | licenses { 86 | license { 87 | name.set("Apache-2.0") 88 | url.set("https://www.apache.org/licenses/LICENSE-2.0.txt") 89 | } 90 | } 91 | scm { 92 | connection.set("scm:git:$repoUrl.git") 93 | developerConnection.set("scm:git:$repoUrl.git") 94 | url.set(repoUrl) 95 | tag.set("HEAD") 96 | } 97 | } 98 | } 99 | } 100 | } 101 | 102 | signing { 103 | val signingKey: String? by project 104 | val signingPassword: String? by project 105 | useInMemoryPgpKeys(signingKey, signingPassword) 106 | sign(publishing.publications["proto"]) 107 | } 108 | 109 | tasks.withType().configureEach { 110 | onlyIf("Is a release") { 111 | project.hasProperty("release") 112 | } 113 | onlyIf("PGP Signing is not skipped") { 114 | !project.hasProperty("skipPgpSigning") 115 | } 116 | } 117 | 118 | tasks.withType().configureEach { 119 | onlyIf("Is a release") { 120 | project.hasProperty("release") 121 | } 122 | onlyIf("Sigstore Signing is not skipped") { 123 | !project.hasProperty("skipSigstoreSigning") 124 | } 125 | } 126 | 127 | nmcpAggregation { 128 | centralPortal { 129 | username = providers.environmentVariable("CENTRAL_PORTAL_USERNAME") 130 | password = providers.environmentVariable("CENTRAL_PORTAL_PASSWORD") 131 | publishingType = "USER_MANAGED" 132 | publicationName = "sigstore protobuf-specs $version" 133 | } 134 | } 135 | 136 | dependencies { 137 | nmcpAggregation(project) 138 | } 139 | -------------------------------------------------------------------------------- 
/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.events.v1.rs: -------------------------------------------------------------------------------- 1 | // This file is @generated by prost-build. 2 | #[derive( 3 | sigstore_protobuf_specs_derive::Deserialize_proto, 4 | sigstore_protobuf_specs_derive::Serialize_proto 5 | )] 6 | #[derive(::prost_reflect::ReflectMessage)] 7 | #[prost_reflect(message_name = "dev.sigstore.events.v1.CloudEvent")] 8 | #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] 9 | #[derive(Clone, PartialEq, ::prost::Message)] 10 | pub struct CloudEvent { 11 | /// Required Attributes 12 | #[prost(string, tag = "1")] 13 | pub id: ::prost::alloc::string::String, 14 | /// URI-reference 15 | #[prost(string, tag = "2")] 16 | pub source: ::prost::alloc::string::String, 17 | #[prost(string, tag = "3")] 18 | pub spec_version: ::prost::alloc::string::String, 19 | #[prost(string, tag = "4")] 20 | pub r#type: ::prost::alloc::string::String, 21 | /// Optional & Extension Attributes 22 | #[prost(map = "string, message", tag = "5")] 23 | pub attributes: ::std::collections::HashMap< 24 | ::prost::alloc::string::String, 25 | cloud_event::CloudEventAttributeValue, 26 | >, 27 | /// -- CloudEvent Data (Bytes, Text, or Proto) 28 | #[prost(oneof = "cloud_event::Data", tags = "6, 7, 8")] 29 | pub data: ::core::option::Option, 30 | } 31 | /// Nested message and enum types in `CloudEvent`. 
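pub mod cloud_event {
    /// Value of one CloudEvents context attribute.
    ///
    /// Exactly one `Attr` variant is populated when the attribute is set;
    /// `attr` is `None` for an unset value.
    #[derive(
        sigstore_protobuf_specs_derive::Deserialize_proto,
        sigstore_protobuf_specs_derive::Serialize_proto
    )]
    #[derive(::prost_reflect::ReflectMessage)]
    #[prost_reflect(
        message_name = "dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue"
    )]
    #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
    #[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
    pub struct CloudEventAttributeValue {
        // Generic parameter restored: the oneof type is named in the prost
        // attribute below, so `Option<…::Attr>` is the only valid field type.
        #[prost(
            oneof = "cloud_event_attribute_value::Attr",
            tags = "1, 2, 3, 4, 5, 6, 7"
        )]
        pub attr: ::core::option::Option<cloud_event_attribute_value::Attr>,
    }
    /// Nested message and enum types in `CloudEventAttributeValue`.
    pub mod cloud_event_attribute_value {
        /// Typed payload of a `CloudEventAttributeValue` (proto tags 1–7).
        ///
        /// `CeUri` and `CeUriRef` are carried as plain `String`s; the type
        /// itself does not enforce URI syntax, so a consumer that acts on
        /// them has to validate them.
        #[derive(
            sigstore_protobuf_specs_derive::Deserialize_proto,
            sigstore_protobuf_specs_derive::Serialize_proto
        )]
        #[derive(Clone, PartialEq, Eq, Hash, ::prost::Oneof)]
        pub enum Attr {
            /// Tag 1: boolean attribute.
            #[prost(bool, tag = "1")]
            CeBoolean(bool),
            /// Tag 2: 32-bit signed integer attribute.
            #[prost(int32, tag = "2")]
            CeInteger(i32),
            /// Tag 3: free-form string attribute.
            #[prost(string, tag = "3")]
            CeString(::prost::alloc::string::String),
            /// Tag 4: opaque binary attribute (`bytes` maps to `Vec<u8>`).
            #[prost(bytes, tag = "4")]
            CeBytes(::prost::alloc::vec::Vec<u8>),
            /// Tag 5: absolute URI, stored as an unvalidated string.
            #[prost(string, tag = "5")]
            CeUri(::prost::alloc::string::String),
            /// Tag 6: URI-reference, stored as an unvalidated string.
            #[prost(string, tag = "6")]
            CeUriRef(::prost::alloc::string::String),
            /// Tag 7: timestamp attribute.
            #[prost(message, tag = "7")]
            CeTimestamp(::prost_types::Timestamp),
        }
    }
    /// -- CloudEvent Data (Bytes, Text, or Proto)
    ///
    /// The event payload, in one of three encodings (proto tags 6–8).
    /// `ProtoData` wraps a `prost_types::Any`; its type URL comes from the
    /// event producer, so a consumer should check it before unpacking.
    #[derive(
        sigstore_protobuf_specs_derive::Deserialize_proto,
        sigstore_protobuf_specs_derive::Serialize_proto
    )]
    #[derive(Clone, PartialEq, Eq, Hash, ::prost::Oneof)]
    pub enum Data {
        /// Tag 6: raw binary payload.
        #[prost(bytes, tag = "6")]
        BinaryData(::prost::alloc::vec::Vec<u8>),
        /// Tag 7: text payload.
        #[prost(string, tag = "7")]
        TextData(::prost::alloc::string::String),
        /// Tag 8: a packed protobuf message.
        #[prost(message, tag = "8")]
        ProtoData(::prost_types::Any),
    }
}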
#[derive( 90 | sigstore_protobuf_specs_derive::Deserialize_proto, 91 | sigstore_protobuf_specs_derive::Serialize_proto 92 | )] 93 | #[derive(::prost_reflect::ReflectMessage)] 94 | #[prost_reflect(message_name = "dev.sigstore.events.v1.CloudEventBatch")] 95 | #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] 96 | #[derive(Clone, PartialEq, ::prost::Message)] 97 | pub struct CloudEventBatch { 98 | #[prost(message, repeated, tag = "1")] 99 | pub events: ::prost::alloc::vec::Vec, 100 | } 101 | -------------------------------------------------------------------------------- /gen/pb-typescript/src/__generated__/rekor/v2/entry.ts: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-ts_proto. DO NOT EDIT. 2 | // versions: 3 | // protoc-gen-ts_proto v2.8.3 4 | // protoc v6.33.1 5 | // source: rekor/v2/entry.proto 6 | 7 | /* eslint-disable */ 8 | import { DSSELogEntryV002, DSSERequestV002 } from "./dsse"; 9 | import { HashedRekordLogEntryV002, HashedRekordRequestV002 } from "./hashedrekord"; 10 | 11 | /** 12 | * Entry is the message that is canonicalized and uploaded to the log. 13 | * This format is meant to be compliant with Rekor v1 entries in that 14 | * the `apiVersion` and `kind` can be parsed before parsing the spec. 15 | * Clients are expected to understand and handle the differences in the 16 | * contents of `spec` between Rekor v1 (a polymorphic OpenAPI defintion) 17 | * and Rekor v2 (a typed proto defintion). 18 | */ 19 | export interface Entry { 20 | kind: string; 21 | apiVersion: string; 22 | spec: Spec | undefined; 23 | } 24 | 25 | /** Spec contains one of the Rekor entry types. 
*/ 26 | export interface Spec { 27 | spec?: { $case: "hashedRekordV002"; hashedRekordV002: HashedRekordLogEntryV002 } | { 28 | $case: "dsseV002"; 29 | dsseV002: DSSELogEntryV002; 30 | } | undefined; 31 | } 32 | 33 | /** Create a new HashedRekord or DSSE */ 34 | export interface CreateEntryRequest { 35 | spec?: { $case: "hashedRekordRequestV002"; hashedRekordRequestV002: HashedRekordRequestV002 } | { 36 | $case: "dsseRequestV002"; 37 | dsseRequestV002: DSSERequestV002; 38 | } | undefined; 39 | } 40 | 41 | export const Entry: MessageFns = { 42 | fromJSON(object: any): Entry { 43 | return { 44 | kind: isSet(object.kind) ? globalThis.String(object.kind) : "", 45 | apiVersion: isSet(object.apiVersion) ? globalThis.String(object.apiVersion) : "", 46 | spec: isSet(object.spec) ? Spec.fromJSON(object.spec) : undefined, 47 | }; 48 | }, 49 | 50 | toJSON(message: Entry): unknown { 51 | const obj: any = {}; 52 | if (message.kind !== "") { 53 | obj.kind = message.kind; 54 | } 55 | if (message.apiVersion !== "") { 56 | obj.apiVersion = message.apiVersion; 57 | } 58 | if (message.spec !== undefined) { 59 | obj.spec = Spec.toJSON(message.spec); 60 | } 61 | return obj; 62 | }, 63 | }; 64 | 65 | export const Spec: MessageFns = { 66 | fromJSON(object: any): Spec { 67 | return { 68 | spec: isSet(object.hashedRekordV002) 69 | ? { $case: "hashedRekordV002", hashedRekordV002: HashedRekordLogEntryV002.fromJSON(object.hashedRekordV002) } 70 | : isSet(object.dsseV002) 71 | ? 
{ $case: "dsseV002", dsseV002: DSSELogEntryV002.fromJSON(object.dsseV002) } 72 | : undefined, 73 | }; 74 | }, 75 | 76 | toJSON(message: Spec): unknown { 77 | const obj: any = {}; 78 | if (message.spec?.$case === "hashedRekordV002") { 79 | obj.hashedRekordV002 = HashedRekordLogEntryV002.toJSON(message.spec.hashedRekordV002); 80 | } else if (message.spec?.$case === "dsseV002") { 81 | obj.dsseV002 = DSSELogEntryV002.toJSON(message.spec.dsseV002); 82 | } 83 | return obj; 84 | }, 85 | }; 86 | 87 | export const CreateEntryRequest: MessageFns = { 88 | fromJSON(object: any): CreateEntryRequest { 89 | return { 90 | spec: isSet(object.hashedRekordRequestV002) 91 | ? { 92 | $case: "hashedRekordRequestV002", 93 | hashedRekordRequestV002: HashedRekordRequestV002.fromJSON(object.hashedRekordRequestV002), 94 | } 95 | : isSet(object.dsseRequestV002) 96 | ? { $case: "dsseRequestV002", dsseRequestV002: DSSERequestV002.fromJSON(object.dsseRequestV002) } 97 | : undefined, 98 | }; 99 | }, 100 | 101 | toJSON(message: CreateEntryRequest): unknown { 102 | const obj: any = {}; 103 | if (message.spec?.$case === "hashedRekordRequestV002") { 104 | obj.hashedRekordRequestV002 = HashedRekordRequestV002.toJSON(message.spec.hashedRekordRequestV002); 105 | } else if (message.spec?.$case === "dsseRequestV002") { 106 | obj.dsseRequestV002 = DSSERequestV002.toJSON(message.spec.dsseRequestV002); 107 | } 108 | return obj; 109 | }, 110 | }; 111 | 112 | function isSet(value: any): boolean { 113 | return value !== null && value !== undefined; 114 | } 115 | 116 | interface MessageFns { 117 | fromJSON(object: any): T; 118 | toJSON(message: T): unknown; 119 | } 120 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/sigstore_trustroot_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 
3 | # source: sigstore_trustroot.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'google/api/field_behavior_pb' 8 | require 'sigstore_common_pb' 9 | 10 | 11 | descriptor_data = "\n\x18sigstore_trustroot.proto\x12\x19\x64\x65v.sigstore.trustroot.v1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x15sigstore_common.proto\"\x9c\x02\n\x17TransparencyLogInstance\x12\x10\n\x08\x62\x61se_url\x18\x01 \x01(\t\x12=\n\x0ehash_algorithm\x18\x02 \x01(\x0e\x32%.dev.sigstore.common.v1.HashAlgorithm\x12\x35\n\npublic_key\x18\x03 \x01(\x0b\x32!.dev.sigstore.common.v1.PublicKey\x12-\n\x06log_id\x18\x04 \x01(\x0b\x32\x1d.dev.sigstore.common.v1.LogId\x12\x38\n\x11\x63heckpoint_key_id\x18\x05 \x01(\x0b\x32\x1d.dev.sigstore.common.v1.LogId\x12\x10\n\x08operator\x18\x06 \x01(\t\"\xe9\x01\n\x14\x43\x65rtificateAuthority\x12:\n\x07subject\x18\x01 \x01(\x0b\x32).dev.sigstore.common.v1.DistinguishedName\x12\x0b\n\x03uri\x18\x02 \x01(\t\x12@\n\ncert_chain\x18\x03 \x01(\x0b\x32,.dev.sigstore.common.v1.X509CertificateChain\x12\x34\n\tvalid_for\x18\x04 \x01(\x0b\x32!.dev.sigstore.common.v1.TimeRange\x12\x10\n\x08operator\x18\x05 \x01(\t\"\xca\x02\n\x0bTrustedRoot\x12\x12\n\nmedia_type\x18\x01 \x01(\t\x12\x41\n\x05tlogs\x18\x02 \x03(\x0b\x32\x32.dev.sigstore.trustroot.v1.TransparencyLogInstance\x12P\n\x17\x63\x65rtificate_authorities\x18\x03 \x03(\x0b\x32/.dev.sigstore.trustroot.v1.CertificateAuthority\x12\x42\n\x06\x63tlogs\x18\x04 \x03(\x0b\x32\x32.dev.sigstore.trustroot.v1.TransparencyLogInstance\x12N\n\x15timestamp_authorities\x18\x05 \x03(\x0b\x32/.dev.sigstore.trustroot.v1.CertificateAuthority\"\x99\x03\n\rSigningConfig\x12\x12\n\nmedia_type\x18\x05 \x01(\t\x12\x33\n\x07\x63\x61_urls\x18\x06 \x03(\x0b\x32\".dev.sigstore.trustroot.v1.Service\x12\x35\n\toidc_urls\x18\x07 \x03(\x0b\x32\".dev.sigstore.trustroot.v1.Service\x12;\n\x0frekor_tlog_urls\x18\x08 \x03(\x0b\x32\".dev.sigstore.trustroot.v1.Service\x12J\n\x11rekor_tlog_config\x18\t 
\x01(\x0b\x32/.dev.sigstore.trustroot.v1.ServiceConfiguration\x12\x34\n\x08tsa_urls\x18\n \x03(\x0b\x32\".dev.sigstore.trustroot.v1.Service\x12\x43\n\ntsa_config\x18\x0b \x01(\x0b\x32/.dev.sigstore.trustroot.v1.ServiceConfigurationJ\x04\x08\x01\x10\x05\"\x8d\x01\n\x07Service\x12\x10\n\x03url\x18\x01 \x01(\tB\x03\xe0\x41\x02\x12\x1e\n\x11major_api_version\x18\x02 \x01(\rB\x03\xe0\x41\x02\x12\x39\n\tvalid_for\x18\x03 \x01(\x0b\x32!.dev.sigstore.common.v1.TimeRangeB\x03\xe0\x41\x02\x12\x15\n\x08operator\x18\x04 \x01(\tB\x03\xe0\x41\x02\"h\n\x14ServiceConfiguration\x12\x41\n\x08selector\x18\x01 \x01(\x0e\x32*.dev.sigstore.trustroot.v1.ServiceSelectorB\x03\xe0\x41\x02\x12\r\n\x05\x63ount\x18\x02 \x01(\r\"\xb1\x01\n\x11\x43lientTrustConfig\x12\x12\n\nmedia_type\x18\x01 \x01(\t\x12\x41\n\x0ctrusted_root\x18\x02 \x01(\x0b\x32&.dev.sigstore.trustroot.v1.TrustedRootB\x03\xe0\x41\x02\x12\x45\n\x0esigning_config\x18\x03 \x01(\x0b\x32(.dev.sigstore.trustroot.v1.SigningConfigB\x03\xe0\x41\x02*N\n\x0fServiceSelector\x12\x1e\n\x1aSERVICE_SELECTOR_UNDEFINED\x10\x00\x12\x07\n\x03\x41LL\x10\x01\x12\x07\n\x03\x41NY\x10\x02\x12\t\n\x05\x45XACT\x10\x03\x42\x88\x01\n\x1f\x64\x65v.sigstore.proto.trustroot.v1B\x0eTrustRootProtoP\x01Z9github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1\xea\x02\x17Sigstore::TrustRoot::V1b\x06proto3" 12 | 13 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 14 | pool.add_serialized_file(descriptor_data) 15 | 16 | module Sigstore 17 | module TrustRoot 18 | module V1 19 | TransparencyLogInstance = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.trustroot.v1.TransparencyLogInstance").msgclass 20 | CertificateAuthority = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.trustroot.v1.CertificateAuthority").msgclass 21 | TrustedRoot = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.trustroot.v1.TrustedRoot").msgclass 22 | SigningConfig = 
::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.trustroot.v1.SigningConfig").msgclass 23 | Service = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.trustroot.v1.Service").msgclass 24 | ServiceConfiguration = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.trustroot.v1.ServiceConfiguration").msgclass 25 | ClientTrustConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.trustroot.v1.ClientTrustConfig").msgclass 26 | ServiceSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.trustroot.v1.ServiceSelector").enummodule 27 | end 28 | end 29 | end 30 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/src/generated/google.api.rs: -------------------------------------------------------------------------------- 1 | // This file is @generated by prost-build. 2 | /// An indicator of the behavior of a given field (for example, that a field 3 | /// is required in requests, or given as output but ignored as input). 4 | /// This **does not** change the behavior in protocol buffers itself; it only 5 | /// denotes the behavior and may affect how API tooling handles the field. 6 | /// 7 | /// Note: This enum **may** receive new values in the future. 8 | #[derive( 9 | sigstore_protobuf_specs_derive::Deserialize_proto, 10 | sigstore_protobuf_specs_derive::Serialize_proto 11 | )] 12 | #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)] 13 | #[repr(i32)] 14 | pub enum FieldBehavior { 15 | /// Conventional default for enums. Do not use this. 16 | Unspecified = 0, 17 | /// Specifically denotes a field as optional. 18 | /// While all fields in protocol buffers are optional, this may be specified 19 | /// for emphasis if appropriate. 20 | Optional = 1, 21 | /// Denotes a field as required. 
22 | /// This indicates that the field **must** be provided as part of the request, 23 | /// and failure to do so will cause an error (usually `INVALID_ARGUMENT`). 24 | Required = 2, 25 | /// Denotes a field as output only. 26 | /// This indicates that the field is provided in responses, but including the 27 | /// field in a request does nothing (the server *must* ignore it and 28 | /// *must not* throw an error as a result of the field's presence). 29 | OutputOnly = 3, 30 | /// Denotes a field as input only. 31 | /// This indicates that the field is provided in requests, and the 32 | /// corresponding field is not included in output. 33 | InputOnly = 4, 34 | /// Denotes a field as immutable. 35 | /// This indicates that the field may be set once in a request to create a 36 | /// resource, but may not be changed thereafter. 37 | Immutable = 5, 38 | /// Denotes that a (repeated) field is an unordered list. 39 | /// This indicates that the service may provide the elements of the list 40 | /// in any arbitrary order, rather than the order the user originally 41 | /// provided. Additionally, the list's order may or may not be stable. 42 | UnorderedList = 6, 43 | /// Denotes that this field returns a non-empty default value if not set. 44 | /// This indicates that if the user provides the empty value in a request, 45 | /// a non-empty value will be returned. The user will not be aware of what 46 | /// non-empty value to expect. 47 | NonEmptyDefault = 7, 48 | /// Denotes that the field in a resource (a message annotated with 49 | /// google.api.resource) is used in the resource name to uniquely identify the 50 | /// resource. For AIP-compliant APIs, this should only be applied to the 51 | /// `name` field on the resource. 52 | /// 53 | /// This behavior should not be applied to references to other resources within 54 | /// the message. 
55 | /// 56 | /// The identifier field of resources often have different field behavior 57 | /// depending on the request it is embedded in (e.g. for Create methods name 58 | /// is optional and unused, while for Update methods it is required). Instead 59 | /// of method-specific annotations, only `IDENTIFIER` is required. 60 | Identifier = 8, 61 | } 62 | impl FieldBehavior { 63 | /// String value of the enum field names used in the ProtoBuf definition. 64 | /// 65 | /// The values are not transformed in any way and thus are considered stable 66 | /// (if the ProtoBuf definition does not change) and safe for programmatic use. 67 | pub fn as_str_name(&self) -> &'static str { 68 | match self { 69 | Self::Unspecified => "FIELD_BEHAVIOR_UNSPECIFIED", 70 | Self::Optional => "OPTIONAL", 71 | Self::Required => "REQUIRED", 72 | Self::OutputOnly => "OUTPUT_ONLY", 73 | Self::InputOnly => "INPUT_ONLY", 74 | Self::Immutable => "IMMUTABLE", 75 | Self::UnorderedList => "UNORDERED_LIST", 76 | Self::NonEmptyDefault => "NON_EMPTY_DEFAULT", 77 | Self::Identifier => "IDENTIFIER", 78 | } 79 | } 80 | /// Creates an enum from field names used in the ProtoBuf definition. 
81 | pub fn from_str_name(value: &str) -> ::core::option::Option { 82 | match value { 83 | "FIELD_BEHAVIOR_UNSPECIFIED" => Some(Self::Unspecified), 84 | "OPTIONAL" => Some(Self::Optional), 85 | "REQUIRED" => Some(Self::Required), 86 | "OUTPUT_ONLY" => Some(Self::OutputOnly), 87 | "INPUT_ONLY" => Some(Self::InputOnly), 88 | "IMMUTABLE" => Some(Self::Immutable), 89 | "UNORDERED_LIST" => Some(Self::UnorderedList), 90 | "NON_EMPTY_DEFAULT" => Some(Self::NonEmptyDefault), 91 | "IDENTIFIER" => Some(Self::Identifier), 92 | _ => None, 93 | } 94 | } 95 | } 96 | -------------------------------------------------------------------------------- /gen/pb-rust/sigstore-protobuf-specs/assets/a.txt.sigstore: -------------------------------------------------------------------------------- 1 | {"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2", "verificationMaterial": {"x509CertificateChain": {"certificates": [{"rawBytes": "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"}]}, "tlogEntries": [{"logIndex": "66794718", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1706297730", "inclusionPromise": {"signedEntryTimestamp": "MEQCIA8KjI3qM1FojdnBSPXyII/7Q8NUgRQ0ji86ZNNWT1XqAiAA0msqxS4rN9xCo6jKcjGaKwFuHEwa5Mw1JCwBzLt1gw=="}, "inclusionProof": {"logIndex": "62631287", "rootHash": "1fx8bMb9/1d0q/PdLBgr5EVIs5kz2Shwpy4TFo8Uhis=", "treeSize": "62631288", "hashes": ["A6hYJrNwNazA1eoJIpV498CX76QaBgJWNoCRt1X74JE=", "f9+1RSu6Acof0xeSFOubv4ka3FdHBtpSVrdSbIAjMsQ=", "3ooji9Ujxw5HG1h56HHfj87vS4MOVVFUjVGuvJtW81M=", "HEgnXDufRCuJISdHCQjKnv3wP0PRUtE+AiYjdvZWaxw=", "/FEizqX7NOhA4OdohRvVtM2N5URHa6uesg3p4vEoQ4E=", "WoINPf5XzzezzULe1uVrKF5yQxRALb2KxRHOKi7Dttk=", "FpQhnaN+UmxzFqCood81DHl9WxyOOSpBMfD2FpNVk3k=", "WPXbPb4ACE/BbpP8q1dpTjRmTu4OFOse4d5YHP34YjA=", "+eTYHIbql8gaQnVj1zBqRSbN8d5uLSwQCZSNEu1IEQc=", "Dl6tJTXUpFc8TLlVlAbs+hrhujOBSxEW6PE/3+PwQIc=", 
"AGGlRS/pLuSZMVaGq6mY5uZswBtCoNSuaHM6P5twGuE=", "8v5YV3W9gmSnYBkC5JADJ4j3NA7GuFPPkPXA9OPNmTg=", "GgcbvbmxENRIPRbgqtWIgdwahX7JwKNl+o6XN+NdICM=", "v6TgT0lJE8lEEO1hEJGAUugTK5CNAqqixlVK80tmkb0=", "HjoTzYu7nFqxAa9lTSDZxoA4a1wJ4P8BT2/QyLM8PH4=", "IsLbMqrjdeHhyZ6XODgAs95aU12MJIbe9XB6kXaMDYw=", "UeXYBoLMUKvbOS7ToMsaoblG4fS/8QPQTTFGIBVeE70=", "mMSG/rXYcJKnikbEtb4EhoZUkAr/wuhv+yAHTcc6iDo=", "aWnEm9c/Gb8operqvTMd3WBQLe+yzT2W4Xt0HICt7Gw="], "checkpoint": {"envelope": "rekor.sigstore.dev - 2605736670972794746\n62631288\n1fx8bMb9/1d0q/PdLBgr5EVIs5kz2Shwpy4TFo8Uhis=\nTimestamp: 1706297730413822848\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiAncCOrkCPoSXfFZt5jqL654xXX/OK7spQ8tkP9NTkexwIgY1HfG6TWamNSwNslbt5TXjgp4cxLiAYBG+n1/fpzu1U=\n"}}, "canonicalizedBody": "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"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "YyV5tRg9QY/z3EQ5lP014OGips6Joe4i/cpXf46LycM="}, "signature": "MEUCIQDUuktu6crJATtQgoQkaHoHqFWt+XvDd4PvJlDQ5aKmXAIgCKUO8qcuLTI08PDw6F0RSlhBUjgmCMElX+XCeSaCjpg="}} 2 | -------------------------------------------------------------------------------- /RELEASE.md: -------------------------------------------------------------------------------- 1 | # Release management for protocol buffer specifications 2 | 3 | This repository primary provides two features: 4 | 5 | * Protobuf specifications for messages used within Sigstore. 6 | * Language bindings for different ecosystems. 7 | 8 | During a release, a few steps have to be synchronized to release the 9 | messages and the language clients. 10 | 11 | ## Notes on semantic versioning 12 | 13 | General information on evolving protocol buffers is described 14 | [here](https://developers.google.com/protocol-buffers/docs/proto3#updating). 15 | 16 | ### Major version change 17 | As expected this indicate a breaking change. Any major update MUST 18 | update the package name of the generated code. 
19 | Examples of breaking changes are (non-exhaustive list): 20 | 21 | * Deletion or rename of a field. 22 | * Changing the type of a field. 23 | * Altering the field number (**NEVER DO THIS!**). 24 | 25 | ### Minor version change 26 | An update which does not break the functionality of existing (older) 27 | clients. For more information on forward-compatible changes in 28 | protobuf see the [Language 29 | Guide](https://developers.google.com/protocol-buffers/docs/proto3#updating). 30 | 31 | ### Patch version change 32 | Any update which does not change the behaviour. For the protocol buffer 33 | messages this is limited to _only_ capturing changes in the comments, 34 | not the messages themselves. For language bindings, patch versions MAY 35 | be used for bug fixes. 36 | 37 | ## Releasing new versions of the messages 38 | 39 | Checklist prior to releasing: 40 | 41 | 1. Gather consensus among the community and maintainers of this 42 | repository that the messages are ready to be released. Create an 43 | issue to inform the community. The issue should describe the 44 | intended release, and any changes it introduces. The issue must be 45 | open for comments *at least* for a complete week (7 days). 46 | 1. Decide the new version of this release. The releases are versioned 47 | via [semver](https://semver.org/). 48 | 1. Two of the messages, 49 | [Bundle](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) 50 | and 51 | [TrustedRoot](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto), 52 | are expected to be persisted and serialized to disk, and exchanged 53 | via other mechanisms such as the [Sigstore TUF 54 | root](https://github.com/sigstore/root-signing). Therefore they 55 | contain a `media_type`. The media types are versioned, and so they 56 | must be updated appropriately according to semver. Each message 57 | SHOULD be versioned independently and so MAY differ from the 58 | targeted release. 
The media type represents the version of the 59 | message, not the release. Note that the media type does NOT capture 60 | the patch version, only major/minor. 61 | 1. Update [pyproject.toml](gen/pb-python/pyproject.toml) so the 62 | `version` matches the targeted release. 63 | 1. Update [package.json](gen/pb-typescript/package.json) so the 64 | `version` matches the targeted release. 65 | - Run `npm install` from the "gen/pb-typescript" directory to sync the 66 | version change to the `package-lock.json` file. 67 | 1. Update [version.rb](gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb) so the 68 | `version` matches the targeted release. 69 | 1. Update [Cargo.toml](gen/pb-rust/Cargo.toml) so the 70 | `version` matches the targeted release. 71 | 1. Update the [CHANGELOG](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md). 72 | 73 | When all of the above are set, prepare for release by creating a tag 74 | with the following pattern: `vX.Y.Z` and push to the repository. Bonus 75 | points if the tag is signed :champagne:. 76 | 77 | ## Releasing new language bindings 78 | 79 | ### Go 80 | 81 | Prepare a tag with the pattern `vX.Y.Z` and push it. No workflow is needed. 82 | 83 | **WARNING**: Tags should not be updated to a new ref or deleted/recreated after creation. 84 | Go provides a checksum database that persists an immutable mapping between version and ref, 85 | and updating the tag will break clients that have already downloaded the release (the checksum they recorded will no longer match the tag's contents). 86 | 87 | ### Java 88 | 89 | Prepare a tag with the following pattern `release/java/vX.Y.Z` and 90 | push it. The [workflow](.github/workflows/java-build-for-release.yml) will 91 | automatically start. 92 | After the job is finished, complete the release following the [Java 93 | release 94 | instructions](https://github.com/sigstore/protobuf-specs/blob/main/java/README.md#releasing). 95 | 96 | ### Python 97 | 98 | Prepare a tag with the following pattern `release/python/vX.Y.Z` and 99 | push it. 
The [workflow](.github/workflows/python-release.yml) 100 | will automatically start. 101 | 102 | ### Ruby 103 | 104 | Prepare a tag with the following pattern `release/ruby/vX.Y.Z` and 105 | push it. The [workflow](.github/workflows/ruby-release.yml) 106 | will automatically start. 107 | 108 | ### Rust 109 | 110 | Prepare a tag with the following pattern `release/rust/vX.Y.Z` and 111 | push it. The [workflow](.github/workflows/rust-release.yml) 112 | will automatically start. 113 | 114 | ### TypeScript 115 | 116 | Prepare a tag with the following pattern `release/typescript/vX.Y.Z` and 117 | push it. The [workflow](.github/workflows/typescript-release.yml) 118 | will automatically start. 119 | 120 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/sigstore_verification_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 
3 | # source: sigstore_verification.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'sigstore_common_pb' 8 | require 'sigstore_trustroot_pb' 9 | require 'sigstore_bundle_pb' 10 | 11 | 12 | descriptor_data = "\n\x1bsigstore_verification.proto\x12\x1c\x64\x65v.sigstore.verification.v1\x1a\x15sigstore_common.proto\x1a\x18sigstore_trustroot.proto\x1a\x15sigstore_bundle.proto\"\xa3\x01\n\x13\x43\x65rtificateIdentity\x12\x0e\n\x06issuer\x18\x01 \x01(\t\x12;\n\x03san\x18\x02 \x01(\x0b\x32..dev.sigstore.common.v1.SubjectAlternativeName\x12?\n\x04oids\x18\x03 \x03(\x0b\x32\x31.dev.sigstore.common.v1.ObjectIdentifierValuePair\"^\n\x15\x43\x65rtificateIdentities\x12\x45\n\nidentities\x18\x01 \x03(\x0b\x32\x31.dev.sigstore.verification.v1.CertificateIdentity\"M\n\x13PublicKeyIdentities\x12\x36\n\x0bpublic_keys\x18\x01 \x03(\x0b\x32!.dev.sigstore.common.v1.PublicKey\"\xaa\t\n\x1b\x41rtifactVerificationOptions\x12U\n\x16\x63\x65rtificate_identities\x18\x01 \x01(\x0b\x32\x33.dev.sigstore.verification.v1.CertificateIdentitiesH\x00\x12H\n\x0bpublic_keys\x18\x02 \x01(\x0b\x32\x31.dev.sigstore.verification.v1.PublicKeyIdentitiesH\x00\x12`\n\x0ctlog_options\x18\x03 \x01(\x0b\x32\x45.dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptionsH\x01\x88\x01\x01\x12\x62\n\rctlog_options\x18\x04 \x01(\x0b\x32\x46.dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptionsH\x02\x88\x01\x01\x12m\n\x0btsa_options\x18\x05 \x01(\x0b\x32S.dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptionsH\x03\x88\x01\x01\x12|\n\x15integrated_ts_options\x18\x06 \x01(\x0b\x32X.dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptionsH\x04\x88\x01\x01\x12q\n\x10observer_options\x18\x07 \x01(\x0b\x32R.dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptionsH\x05\x88\x01\x01\x1aV\n\x0bTlogOptions\x12\x11\n\tthreshold\x18\x01 \x01(\x05\x12#\n\x1bperform_online_verification\x18\x02 
\x01(\x08\x12\x0f\n\x07\x64isable\x18\x03 \x01(\x08\x1a\x38\n\x0c\x43tlogOptions\x12\x11\n\tthreshold\x18\x01 \x01(\x05\x12\x0f\n\x07\x64isable\x18\x03 \x01(\x08J\x04\x08\x02\x10\x03\x1a?\n\x19TimestampAuthorityOptions\x12\x11\n\tthreshold\x18\x01 \x01(\x05\x12\x0f\n\x07\x64isable\x18\x02 \x01(\x08\x1a\x44\n\x1eTlogIntegratedTimestampOptions\x12\x11\n\tthreshold\x18\x01 \x01(\x05\x12\x0f\n\x07\x64isable\x18\x02 \x01(\x08\x1a>\n\x18ObserverTimestampOptions\x12\x11\n\tthreshold\x18\x01 \x01(\x05\x12\x0f\n\x07\x64isable\x18\x02 \x01(\x08\x42\t\n\x07signersB\x0f\n\r_tlog_optionsB\x10\n\x0e_ctlog_optionsB\x0e\n\x0c_tsa_optionsB\x18\n\x16_integrated_ts_optionsB\x13\n\x11_observer_options\"}\n\x08\x41rtifact\x12\x16\n\x0c\x61rtifact_uri\x18\x01 \x01(\tH\x00\x12\x12\n\x08\x61rtifact\x18\x02 \x01(\x0cH\x00\x12=\n\x0f\x61rtifact_digest\x18\x03 \x01(\x0b\x32\".dev.sigstore.common.v1.HashOutputH\x00\x42\x06\n\x04\x64\x61ta\"\xaa\x02\n\x05Input\x12\x43\n\x13\x61rtifact_trust_root\x18\x01 \x01(\x0b\x32&.dev.sigstore.trustroot.v1.TrustedRoot\x12`\n\x1d\x61rtifact_verification_options\x18\x02 \x01(\x0b\x32\x39.dev.sigstore.verification.v1.ArtifactVerificationOptions\x12.\n\x06\x62undle\x18\x03 \x01(\x0b\x32\x1e.dev.sigstore.bundle.v1.Bundle\x12=\n\x08\x61rtifact\x18\x04 \x01(\x0b\x32&.dev.sigstore.verification.v1.ArtifactH\x00\x88\x01\x01\x42\x0b\n\t_artifactB\x94\x01\n\"dev.sigstore.proto.verification.v1B\x11VerificationProtoP\x01Z, 83 | * "lastName": 84 | * } 85 | * 86 | * If the embedded message type is well-known and has a custom JSON 87 | * representation, that representation will be embedded adding a field 88 | * `value` which holds the custom JSON in addition to the `@type` 89 | * field. 
Example (for message [google.protobuf.Duration][]): 90 | * 91 | * { 92 | * "@type": "type.googleapis.com/google.protobuf.Duration", 93 | * "value": "1.212s" 94 | * } 95 | */ 96 | export interface Any { 97 | /** 98 | * A URL/resource name that uniquely identifies the type of the serialized 99 | * protocol buffer message. This string must contain at least 100 | * one "/" character. The last segment of the URL's path must represent 101 | * the fully qualified name of the type (as in 102 | * `path/google.protobuf.Duration`). The name should be in a canonical form 103 | * (e.g., leading "." is not accepted). 104 | * 105 | * In practice, teams usually precompile into the binary all types that they 106 | * expect it to use in the context of Any. However, for URLs which use the 107 | * scheme `http`, `https`, or no scheme, one can optionally set up a type 108 | * server that maps type URLs to message definitions as follows: 109 | * 110 | * * If no scheme is provided, `https` is assumed. 111 | * * An HTTP GET on the URL must yield a [google.protobuf.Type][] 112 | * value in binary format, or produce an error. 113 | * * Applications are allowed to cache lookup results based on the 114 | * URL, or have them precompiled into a binary to avoid any 115 | * lookup. Therefore, binary compatibility needs to be preserved 116 | * on changes to types. (Use versioned type names to manage 117 | * breaking changes.) 118 | * 119 | * Note: this functionality is not currently available in the official 120 | * protobuf release, and it is not used for type URLs beginning with 121 | * type.googleapis.com. As of May 2023, there are no widely used type server 122 | * implementations and no plans to implement one. 123 | * 124 | * Schemes other than `http`, `https` (or the empty scheme) might be 125 | * used with implementation specific semantics. 126 | */ 127 | typeUrl: string; 128 | /** Must be a valid serialized protocol buffer of the above specified type. 
*/ 129 | value: Buffer; 130 | } 131 | 132 | export const Any: MessageFns = { 133 | fromJSON(object: any): Any { 134 | return { 135 | typeUrl: isSet(object.typeUrl) ? globalThis.String(object.typeUrl) : "", 136 | value: isSet(object.value) ? Buffer.from(bytesFromBase64(object.value)) : Buffer.alloc(0), 137 | }; 138 | }, 139 | 140 | toJSON(message: Any): unknown { 141 | const obj: any = {}; 142 | if (message.typeUrl !== "") { 143 | obj.typeUrl = message.typeUrl; 144 | } 145 | if (message.value.length !== 0) { 146 | obj.value = base64FromBytes(message.value); 147 | } 148 | return obj; 149 | }, 150 | }; 151 | 152 | function bytesFromBase64(b64: string): Uint8Array { 153 | return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); 154 | } 155 | 156 | function base64FromBytes(arr: Uint8Array): string { 157 | return globalThis.Buffer.from(arr).toString("base64"); 158 | } 159 | 160 | function isSet(value: any): boolean { 161 | return value !== null && value !== undefined; 162 | } 163 | 164 | interface MessageFns { 165 | fromJSON(object: any): T; 166 | toJSON(message: T): unknown; 167 | } 168 | -------------------------------------------------------------------------------- /gen/pb-typescript/src/__generated__/google/protobuf/timestamp.ts: -------------------------------------------------------------------------------- 1 | // Code generated by protoc-gen-ts_proto. DO NOT EDIT. 2 | // versions: 3 | // protoc-gen-ts_proto v2.8.3 4 | // protoc v6.33.1 5 | // source: google/protobuf/timestamp.proto 6 | 7 | /* eslint-disable */ 8 | 9 | /** 10 | * A Timestamp represents a point in time independent of any time zone or local 11 | * calendar, encoded as a count of seconds and fractions of seconds at 12 | * nanosecond resolution. The count is relative to an epoch at UTC midnight on 13 | * January 1, 1970, in the proleptic Gregorian calendar which extends the 14 | * Gregorian calendar backwards to year one. 15 | * 16 | * All minutes are 60 seconds long. 
Leap seconds are "smeared" so that no leap 17 | * second table is needed for interpretation, using a [24-hour linear 18 | * smear](https://developers.google.com/time/smear). 19 | * 20 | * The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By 21 | * restricting to that range, we ensure that we can convert to and from [RFC 22 | * 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. 23 | * 24 | * # Examples 25 | * 26 | * Example 1: Compute Timestamp from POSIX `time()`. 27 | * 28 | * Timestamp timestamp; 29 | * timestamp.set_seconds(time(NULL)); 30 | * timestamp.set_nanos(0); 31 | * 32 | * Example 2: Compute Timestamp from POSIX `gettimeofday()`. 33 | * 34 | * struct timeval tv; 35 | * gettimeofday(&tv, NULL); 36 | * 37 | * Timestamp timestamp; 38 | * timestamp.set_seconds(tv.tv_sec); 39 | * timestamp.set_nanos(tv.tv_usec * 1000); 40 | * 41 | * Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. 42 | * 43 | * FILETIME ft; 44 | * GetSystemTimeAsFileTime(&ft); 45 | * UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; 46 | * 47 | * // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z 48 | * // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. 49 | * Timestamp timestamp; 50 | * timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); 51 | * timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); 52 | * 53 | * Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. 54 | * 55 | * long millis = System.currentTimeMillis(); 56 | * 57 | * Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) 58 | * .setNanos((int) ((millis % 1000) * 1000000)).build(); 59 | * 60 | * Example 5: Compute Timestamp from Java `Instant.now()`. 
61 | * 62 | * Instant now = Instant.now(); 63 | * 64 | * Timestamp timestamp = 65 | * Timestamp.newBuilder().setSeconds(now.getEpochSecond()) 66 | * .setNanos(now.getNano()).build(); 67 | * 68 | * Example 6: Compute Timestamp from current time in Python. 69 | * 70 | * timestamp = Timestamp() 71 | * timestamp.GetCurrentTime() 72 | * 73 | * # JSON Mapping 74 | * 75 | * In JSON format, the Timestamp type is encoded as a string in the 76 | * [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the 77 | * format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" 78 | * where {year} is always expressed using four digits while {month}, {day}, 79 | * {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional 80 | * seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), 81 | * are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone 82 | * is required. A proto3 JSON serializer should always use UTC (as indicated by 83 | * "Z") when printing the Timestamp type and a proto3 JSON parser should be 84 | * able to accept both UTC and other timezones (as indicated by an offset). 85 | * 86 | * For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past 87 | * 01:30 UTC on January 15, 2017. 88 | * 89 | * In JavaScript, one can convert a Date object to this format using the 90 | * standard 91 | * [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) 92 | * method. In Python, a standard `datetime.datetime` object can be converted 93 | * to this format using 94 | * [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with 95 | * the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. 
Likewise, in Java, one can use 96 | * the Joda Time's [`ISODateTimeFormat.dateTime()`]( 97 | * http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() 98 | * ) to obtain a formatter capable of generating timestamps in this format. 99 | */ 100 | export interface Timestamp { 101 | /** 102 | * Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must 103 | * be between -315576000000 and 315576000000 inclusive (which corresponds to 104 | * 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). 105 | */ 106 | seconds: string; 107 | /** 108 | * Non-negative fractions of a second at nanosecond resolution. This field is 109 | * the nanosecond portion of the duration, not an alternative to seconds. 110 | * Negative second values with fractions must still have non-negative nanos 111 | * values that count forward in time. Must be between 0 and 999,999,999 112 | * inclusive. 113 | */ 114 | nanos: number; 115 | } 116 | 117 | export const Timestamp: MessageFns = { 118 | fromJSON(object: any): Timestamp { 119 | return { 120 | seconds: isSet(object.seconds) ? globalThis.String(object.seconds) : "0", 121 | nanos: isSet(object.nanos) ? 
globalThis.Number(object.nanos) : 0, 122 | }; 123 | }, 124 | 125 | toJSON(message: Timestamp): unknown { 126 | const obj: any = {}; 127 | if (message.seconds !== "0") { 128 | obj.seconds = message.seconds; 129 | } 130 | if (message.nanos !== 0) { 131 | obj.nanos = Math.round(message.nanos); 132 | } 133 | return obj; 134 | }, 135 | }; 136 | 137 | function isSet(value: any): boolean { 138 | return value !== null && value !== undefined; 139 | } 140 | 141 | interface MessageFns { 142 | fromJSON(object: any): T; 143 | toJSON(message: T): unknown; 144 | } 145 | -------------------------------------------------------------------------------- /gen/pb-ruby/lib/sigstore_common_pb.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 3 | # source: sigstore_common.proto 4 | 5 | require 'google/protobuf' 6 | 7 | require 'google/api/field_behavior_pb' 8 | require 'google/protobuf/timestamp_pb' 9 | 10 | 11 | descriptor_data = "\n\x15sigstore_common.proto\x12\x16\x64\x65v.sigstore.common.v1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"V\n\nHashOutput\x12\x38\n\talgorithm\x18\x01 \x01(\x0e\x32%.dev.sigstore.common.v1.HashAlgorithm\x12\x0e\n\x06\x64igest\x18\x02 \x01(\x0c\"f\n\x10MessageSignature\x12:\n\x0emessage_digest\x18\x01 \x01(\x0b\x32\".dev.sigstore.common.v1.HashOutput\x12\x16\n\tsignature\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x02\"\x1c\n\x05LogId\x12\x13\n\x06key_id\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\"7\n\x16RFC3161SignedTimestamp\x12\x1d\n\x10signed_timestamp\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\"\xb9\x01\n\tPublicKey\x12\x16\n\traw_bytes\x18\x01 \x01(\x0cH\x00\x88\x01\x01\x12=\n\x0bkey_details\x18\x02 \x01(\x0e\x32(.dev.sigstore.common.v1.PublicKeyDetails\x12\x39\n\tvalid_for\x18\x03 
\x01(\x0b\x32!.dev.sigstore.common.v1.TimeRangeH\x01\x88\x01\x01\x42\x0c\n\n_raw_bytesB\x0c\n\n_valid_for\"#\n\x13PublicKeyIdentifier\x12\x0c\n\x04hint\x18\x01 \x01(\t\"#\n\x10ObjectIdentifier\x12\x0f\n\x02id\x18\x01 \x03(\x05\x42\x03\xe0\x41\x02\"a\n\x19ObjectIdentifierValuePair\x12\x35\n\x03oid\x18\x01 \x01(\x0b\x32(.dev.sigstore.common.v1.ObjectIdentifier\x12\r\n\x05value\x18\x02 \x01(\x0c\">\n\x11\x44istinguishedName\x12\x14\n\x0corganization\x18\x01 \x01(\t\x12\x13\n\x0b\x63ommon_name\x18\x02 \x01(\t\")\n\x0fX509Certificate\x12\x16\n\traw_bytes\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\"\x89\x01\n\x16SubjectAlternativeName\x12@\n\x04type\x18\x01 \x01(\x0e\x32\x32.dev.sigstore.common.v1.SubjectAlternativeNameType\x12\x10\n\x06regexp\x18\x02 \x01(\tH\x00\x12\x0f\n\x05value\x18\x03 \x01(\tH\x00\x42\n\n\x08identity\"U\n\x14X509CertificateChain\x12=\n\x0c\x63\x65rtificates\x18\x01 \x03(\x0b\x32\'.dev.sigstore.common.v1.X509Certificate\"l\n\tTimeRange\x12)\n\x05start\x18\x01 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12,\n\x03\x65nd\x18\x02 
\x01(\x0b\x32\x1a.google.protobuf.TimestampH\x00\x88\x01\x01\x42\x06\n\x04_end*u\n\rHashAlgorithm\x12\x1e\n\x1aHASH_ALGORITHM_UNSPECIFIED\x10\x00\x12\x0c\n\x08SHA2_256\x10\x01\x12\x0c\n\x08SHA2_384\x10\x02\x12\x0c\n\x08SHA2_512\x10\x03\x12\x0c\n\x08SHA3_256\x10\x04\x12\x0c\n\x08SHA3_384\x10\x05*\x8f\x05\n\x10PublicKeyDetails\x12\"\n\x1ePUBLIC_KEY_DETAILS_UNSPECIFIED\x10\x00\x12\x19\n\x11PKCS1_RSA_PKCS1V5\x10\x01\x1a\x02\x08\x01\x12\x15\n\rPKCS1_RSA_PSS\x10\x02\x1a\x02\x08\x01\x12\x18\n\x10PKIX_RSA_PKCS1V5\x10\x03\x1a\x02\x08\x01\x12\x14\n\x0cPKIX_RSA_PSS\x10\x04\x1a\x02\x08\x01\x12!\n\x1dPKIX_RSA_PKCS1V15_2048_SHA256\x10\t\x12!\n\x1dPKIX_RSA_PKCS1V15_3072_SHA256\x10\n\x12!\n\x1dPKIX_RSA_PKCS1V15_4096_SHA256\x10\x0b\x12\x1c\n\x18PKIX_RSA_PSS_2048_SHA256\x10\x10\x12\x1c\n\x18PKIX_RSA_PSS_3072_SHA256\x10\x11\x12\x1c\n\x18PKIX_RSA_PSS_4096_SHA256\x10\x12\x12$\n\x1cPKIX_ECDSA_P256_HMAC_SHA_256\x10\x06\x1a\x02\x08\x01\x12\x1b\n\x17PKIX_ECDSA_P256_SHA_256\x10\x05\x12\x1b\n\x17PKIX_ECDSA_P384_SHA_384\x10\x0c\x12\x1b\n\x17PKIX_ECDSA_P521_SHA_512\x10\r\x12\x10\n\x0cPKIX_ED25519\x10\x07\x12\x13\n\x0fPKIX_ED25519_PH\x10\x08\x12\x1f\n\x17PKIX_ECDSA_P384_SHA_256\x10\x13\x1a\x02\x08\x01\x12\x1f\n\x17PKIX_ECDSA_P521_SHA_256\x10\x14\x1a\x02\x08\x01\x12\x12\n\nLMS_SHA256\x10\x0e\x1a\x02\x08\x01\x12\x14\n\x0cLMOTS_SHA256\x10\x0f\x1a\x02\x08\x01\x12\r\n\tML_DSA_65\x10\x15\x12\r\n\tML_DSA_87\x10\x16\"\x04\x08\x17\x10\x32*o\n\x1aSubjectAlternativeNameType\x12-\n)SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED\x10\x00\x12\t\n\x05\x45MAIL\x10\x01\x12\x07\n\x03URI\x10\x02\x12\x0e\n\nOTHER_NAME\x10\x03\x42|\n\x1c\x64\x65v.sigstore.proto.common.v1B\x0b\x43ommonProtoP\x01Z6github.com/sigstore/protobuf-specs/gen/pb-go/common/v1\xea\x02\x14Sigstore::Common::V1b\x06proto3" 12 | 13 | pool = ::Google::Protobuf::DescriptorPool.generated_pool 14 | pool.add_serialized_file(descriptor_data) 15 | 16 | module Sigstore 17 | module Common 18 | module V1 19 | HashOutput = 
::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.HashOutput").msgclass 20 | MessageSignature = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.MessageSignature").msgclass 21 | LogId = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.LogId").msgclass 22 | RFC3161SignedTimestamp = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.RFC3161SignedTimestamp").msgclass 23 | PublicKey = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.PublicKey").msgclass 24 | PublicKeyIdentifier = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.PublicKeyIdentifier").msgclass 25 | ObjectIdentifier = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.ObjectIdentifier").msgclass 26 | ObjectIdentifierValuePair = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.ObjectIdentifierValuePair").msgclass 27 | DistinguishedName = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.DistinguishedName").msgclass 28 | X509Certificate = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.X509Certificate").msgclass 29 | SubjectAlternativeName = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.SubjectAlternativeName").msgclass 30 | X509CertificateChain = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.X509CertificateChain").msgclass 31 | TimeRange = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.TimeRange").msgclass 32 | HashAlgorithm = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.HashAlgorithm").enummodule 33 | PublicKeyDetails = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.PublicKeyDetails").enummodule 34 | 
SubjectAlternativeNameType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.common.v1.SubjectAlternativeNameType").enummodule
    end
  end
end
--------------------------------------------------------------------------------
/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v2/__init__.py:
--------------------------------------------------------------------------------
# Generated by the protocol buffer compiler. DO NOT EDIT!
# sources: rekor/v2/dsse.proto, rekor/v2/entry.proto, rekor/v2/hashedrekord.proto, rekor/v2/verifier.proto
# plugin: python-betterproto
# This file has been @generated

from typing import TYPE_CHECKING


# Type checkers see the stdlib dataclass; at runtime the pydantic dataclass is
# used so that the `@model_validator` hooks declared below actually run.
if TYPE_CHECKING:
    from dataclasses import dataclass
else:
    from pydantic.dataclasses import dataclass

from typing import (
    List,
    Optional,
)

import betterproto
from pydantic import model_validator
from pydantic.dataclasses import rebuild_dataclass

from .....io import intoto as ____io_intoto__
from ...common import v1 as __common_v1__


@dataclass(eq=False, repr=False)
class PublicKey(betterproto.Message):
    """PublicKey contains an encoded public key"""

    raw_bytes: bytes = betterproto.bytes_field(1)
    """DER-encoded public key"""


@dataclass(eq=False, repr=False)
class Verifier(betterproto.Message):
    """
    Either a public key or an X.509 certificate with an embedded public key
    """

    # `public_key` and `x509_certificate` form the oneof group "verifier";
    # `check_oneof` below hands the group check to betterproto.
    public_key: Optional["PublicKey"] = betterproto.message_field(
        1, optional=True, group="verifier"
    )
    """
    DER-encoded public key. Encoding method is specified by the key_details attribute
    """

    x509_certificate: Optional["__common_v1__.X509Certificate"] = (
        betterproto.message_field(2, optional=True, group="verifier")
    )
    """DER-encoded certificate"""

    # NOTE(review): this enum arrives from the submitter alongside the key
    # material; whether it is cross-checked against the actual key type is up
    # to the consuming code, nothing in this module does so.
    key_details: "__common_v1__.PublicKeyDetails" = betterproto.enum_field(3)
    """Key encoding and signature algorithm to use for this key"""

    @model_validator(mode="after")
    def check_oneof(cls, values):
        """Post-construction hook; delegates oneof-group validation to betterproto
        (presumably rejecting more than one set member per group -- confirm there)."""
        return cls._validate_field_groups(values)


@dataclass(eq=False, repr=False)
class Signature(betterproto.Message):
    """A signature and an associated verifier"""

    content: bytes = betterproto.bytes_field(1)
    # Raw signature bytes; the algorithm is named by `verifier.key_details`.
    verifier: "Verifier" = betterproto.message_field(2)


@dataclass(eq=False, repr=False)
class DsseRequestV002(betterproto.Message):
    """A request to add a DSSE v0.0.2 entry to the log"""

    envelope: "____io_intoto__.Envelope" = betterproto.message_field(1)
    """A DSSE envelope"""

    verifiers: List["Verifier"] = betterproto.message_field(2)
    """
    All necessary verification material to verify all signatures embedded in the envelope
    """


@dataclass(eq=False, repr=False)
class DsseLogEntryV002(betterproto.Message):
    """Log-entry form of a DSSE v0.0.2 submission: payload hash plus signatures."""

    payload_hash: "__common_v1__.HashOutput" = betterproto.message_field(1)
    """The hash of the DSSE payload"""

    signatures: List["Signature"] = betterproto.message_field(2)
    """
    Signatures and their associated verification material used to verify the payload
    """


@dataclass(eq=False, repr=False)
class HashedRekordRequestV002(betterproto.Message):
    """A request to add a hashedrekord v0.0.2 to the log"""

    digest: bytes = betterproto.bytes_field(1)
    """The hashed data"""

    signature: "Signature" = betterproto.message_field(2)
    """
    A single signature over the hashed data with the verifier needed to validate it
    """


@dataclass(eq=False, repr=False)
class HashedRekordLogEntryV002(betterproto.Message):
    """Log-entry form of a hashedrekord v0.0.2 submission."""

    data: "__common_v1__.HashOutput" = betterproto.message_field(1)
    """The hashed data"""

    signature: "Signature" = betterproto.message_field(2)
    """
    A single signature over the hashed data with the verifier needed to validate it
    """


@dataclass(eq=False, repr=False)
class Entry(betterproto.Message):
    """
    Entry is the message that is canonicalized and uploaded to the log.
    This format is meant to be compliant with Rekor v1 entries in that
    the `apiVersion` and `kind` can be parsed before parsing the spec.
    Clients are expected to understand and handle the differences in the
    contents of `spec` between Rekor v1 (a polymorphic OpenAPI definition)
    and Rekor v2 (a typed proto definition).
    """

    kind: str = betterproto.string_field(1)
    api_version: str = betterproto.string_field(2)
    # Forward reference: `Spec` is defined below and is resolved by the
    # `rebuild_dataclass(Entry)` call at the end of the module.
    spec: "Spec" = betterproto.message_field(3)


@dataclass(eq=False, repr=False)
class Spec(betterproto.Message):
    """Spec contains one of the Rekor entry types."""

    # oneof group "spec": the member that is set identifies the entry type.
    hashed_rekord_v002: Optional["HashedRekordLogEntryV002"] = (
        betterproto.message_field(1, optional=True, group="spec")
    )
    dsse_v002: Optional["DsseLogEntryV002"] = betterproto.message_field(
        2, optional=True, group="spec"
    )

    @model_validator(mode="after")
    def check_oneof(cls, values):
        """Post-construction hook; delegates oneof-group validation to betterproto."""
        return cls._validate_field_groups(values)


@dataclass(eq=False, repr=False)
class CreateEntryRequest(betterproto.Message):
    """Create a new HashedRekord or DSSE"""

    # oneof group "spec": one request variant per entry type.
    hashed_rekord_request_v002: Optional["HashedRekordRequestV002"] = (
        betterproto.message_field(1, optional=True, group="spec")
    )
    dsse_request_v002: Optional["DsseRequestV002"] = betterproto.message_field(
        2, optional=True, group="spec"
    )

    @model_validator(mode="after")
    def check_oneof(cls, values):
        """Post-construction hook; delegates oneof-group validation to betterproto."""
        return cls._validate_field_groups(values)


# Resolve the quoted (forward) type references now that every class exists.
rebuild_dataclass(Verifier) # type: ignore
rebuild_dataclass(Signature) # type: ignore
rebuild_dataclass(DsseRequestV002) # type: ignore
rebuild_dataclass(DsseLogEntryV002) # type: ignore
rebuild_dataclass(HashedRekordRequestV002) # type: ignore
rebuild_dataclass(HashedRekordLogEntryV002) # type: ignore
rebuild_dataclass(Entry) # type: ignore
rebuild_dataclass(Spec) # type: ignore
rebuild_dataclass(CreateEntryRequest) # type: ignore
--------------------------------------------------------------------------------
/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py:
--------------------------------------------------------------------------------
# Generated by the protocol buffer compiler. DO NOT EDIT!
# sources: sigstore_bundle.proto
# plugin: python-betterproto
# This file has been @generated

from typing import TYPE_CHECKING


# Type checkers see the stdlib dataclass; at runtime the pydantic dataclass is
# used so that the `@model_validator` hooks declared below actually run.
if TYPE_CHECKING:
    from dataclasses import dataclass
else:
    from pydantic.dataclasses import dataclass

from typing import (
    List,
    Optional,
)

import betterproto
from pydantic import model_validator
from pydantic.dataclasses import rebuild_dataclass

from .....io import intoto as ____io_intoto__
from ...common import v1 as __common_v1__
from ...rekor import v1 as __rekor_v1__


@dataclass(eq=False, repr=False)
class TimestampVerificationData(betterproto.Message):
    """
    Various timestamped counter signatures over the artifact's signature.
    Currently only RFC3161 signatures are provided. More formats may be added
    in the future.
    """

    rfc3161_timestamps: List["__common_v1__.Rfc3161SignedTimestamp"] = (
        betterproto.message_field(1)
    )
    """
    A list of RFC3161 signed timestamps provided by the user.
    This can be used when the entry has not been stored on a
    transparency log, or in conjunction for a stronger trust model.
    Clients MUST verify the hashed message in the message imprint
    against the signature in the bundle.
    """


@dataclass(eq=False, repr=False)
class VerificationMaterial(betterproto.Message):
    """
    VerificationMaterial captures details on the materials used to verify
    signatures. This message may be embedded in a DSSE envelope as a signature
    extension. Specifically, the `ext` field of the extension will expect this
    message when the signature extension is for Sigstore. This is identified by
    the `kind` field in the extension, which must be set to
    application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore.
    When used as a DSSE extension, if the `public_key` field is used to indicate
    the key identifier, it MUST match the `keyid` field of the signature the
    extension is attached to.
    """

    # oneof group "content": the signer is identified by one of a key hint
    # (field 1), a certificate chain (field 2) or a single certificate
    # (field 5); `check_oneof` below hands the group check to betterproto.
    public_key: Optional["__common_v1__.PublicKeyIdentifier"] = (
        betterproto.message_field(1, optional=True, group="content")
    )
    x509_certificate_chain: Optional["__common_v1__.X509CertificateChain"] = (
        betterproto.message_field(2, optional=True, group="content")
    )
    certificate: Optional["__common_v1__.X509Certificate"] = betterproto.message_field(
        5, optional=True, group="content"
    )
    tlog_entries: List["__rekor_v1__.TransparencyLogEntry"] = betterproto.message_field(
        3
    )
    """
    An inclusion proof and an optional signed timestamp from the log.
    Client verification libraries MAY provide an option to support v0.1
    bundles for backwards compatibility, which may contain an inclusion
    promise and not an inclusion proof. In this case, the client MUST
    validate the promise.
    Verifiers SHOULD NOT allow v0.1 bundles if they're used in an
    ecosystem which never produced them.
    """

    timestamp_verification_data: "TimestampVerificationData" = (
        betterproto.message_field(4)
    )
    """
    Timestamp may also come from
    tlog_entries.inclusion_promise.signed_entry_timestamp.
    """

    @model_validator(mode="after")
    def check_oneof(cls, values):
        """Post-construction hook; delegates oneof-group validation to betterproto
        (presumably rejecting more than one set member per group -- confirm there)."""
        return cls._validate_field_groups(values)


@dataclass(eq=False, repr=False)
class Bundle(betterproto.Message):
    """
    Top-level Sigstore bundle: a `media_type`, the `verification_material`,
    and the signed content (either `message_signature` or `dsse_envelope`).
    """

    media_type: str = betterproto.string_field(1)
    """
    MUST be application/vnd.dev.sigstore.bundle.v0.3+json when
    encoded as JSON.
    Clients must be able to accept media type using the previously
    defined formats:
    * application/vnd.dev.sigstore.bundle+json;version=0.1
    * application/vnd.dev.sigstore.bundle+json;version=0.2
    * application/vnd.dev.sigstore.bundle+json;version=0.3
    """

    verification_material: "VerificationMaterial" = betterproto.message_field(2)
    """
    When a signer is identified by a X.509 certificate, a verifier MUST
    verify that the signature was computed at the time the certificate
    was valid as described in the Sigstore client spec: "Verification
    using a Bundle".

    If the verification material contains a public key identifier
    (key hint) and the `content` is a DSSE envelope, the key hints
    MUST be exactly the same in the verification material and in the
    DSSE envelope.
    """

    # oneof group "content": a detached message signature or a DSSE envelope;
    # `check_oneof` below hands the group check to betterproto.
    message_signature: Optional["__common_v1__.MessageSignature"] = (
        betterproto.message_field(3, optional=True, group="content")
    )
    dsse_envelope: Optional["____io_intoto__.Envelope"] = betterproto.message_field(
        4, optional=True, group="content"
    )
    """
    A DSSE envelope can contain arbitrary payloads.
    Verifiers must verify that the payload type is a
    supported and expected type. This is part of the DSSE
    protocol which is defined here:

    DSSE envelopes in a bundle MUST have exactly one signature.
    This is a limitation from the DSSE spec, as it can contain
    multiple signatures. There are two primary reasons:
    1. It simplifies the verification logic and policy
    2. The bundle (currently) can only contain a single
    instance of the required verification materials
    During verification a client MUST reject an envelope if
    the number of signatures is not equal to one.
    """

    @model_validator(mode="after")
    def check_oneof(cls, values):
        """Post-construction hook; delegates oneof-group validation to betterproto."""
        return cls._validate_field_groups(values)


# Resolve the quoted (forward) type references now that every class exists.
rebuild_dataclass(TimestampVerificationData) # type: ignore
rebuild_dataclass(VerificationMaterial) # type: ignore
rebuild_dataclass(Bundle) # type: ignore
--------------------------------------------------------------------------------