diff --git a/.github/ISSUE_TEMPLATE/release-checklist.md b/.github/ISSUE_TEMPLATE/release-checklist.md index b58de8dc..9be04ad9 100644 --- a/.github/ISSUE_TEMPLATE/release-checklist.md +++ b/.github/ISSUE_TEMPLATE/release-checklist.md @@ -25,6 +25,7 @@ Full release instructions are at: [RELEASE.md](/sigstore/protobuf-specs/blob/mai - [ ] `release/ruby/v` - [ ] `release/rust/v` - [ ] `release/typescript/v` +- [ ] `release/service-builder/v` ## Publish Release - [ ] Java to Maven Central @@ -35,3 +36,4 @@ Full release instructions are at: [RELEASE.md](/sigstore/protobuf-specs/blob/mai - [ ] [Ruby](https://rubygems.org/gems/sigstore_protobuf_specs) - [ ] [Rust](https://crates.io/crates/sigstore_protobuf_specs) - [ ] [Typescript](https://www.npmjs.com/package/@sigstore/protobuf-specs) +- [ ] [Service Builder Container](https://github.com/sigstore/protobuf-specs/pkgs/container/protobuf-specs-service-builder) diff --git a/.github/workflows/container-release.yml b/.github/workflows/container-release.yml new file mode 100644 index 00000000..5e5126e2 --- /dev/null +++ b/.github/workflows/container-release.yml 
@@ -0,0 +1,73 @@
+#
+# Copyright 2025 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: Release service builder container
+
+on:
+ push:
+ tags:
+ - 'release/service-builder/v*'
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+
+ permissions:
+ id-token: write
+ contents: read
+ packages: write
+ attestations: write
+
+ env:
+ TAG: ${{ github.ref_name }}
+ REGISTRY: ghcr.io
+ IMAGE_NO_TAG: ghcr.io/${{ github.repository }}-service-builder
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Calculate tag and image_ref
+ run: |
+ tag="${TAG#"release/service-builder/v"}"
+ echo "IMAGE_REF=${{ env.IMAGE_NO_TAG }}:$tag" >> $GITHUB_ENV
+
+ - name: Log into ghcr.io
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build services container
+ run: make services-image
+
+ - name: Tag image
+ run: docker tag protoc-services ${{ env.IMAGE_REF }}
+
+ - name: Push image
+ run: docker push ${{ env.IMAGE_REF }}
+
+ - name: Get image digest
+ run: |
+ digest=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ env.IMAGE_REF }})
+ image_digest=$(echo $digest | cut -d"@" -f2)
+ echo "IMAGE_DIGEST=$image_digest" >> "$GITHUB_ENV"
+
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # 
v2.3.0 + with: + subject-name: ${{ env.IMAGE_NO_TAG }} + subject-digest: ${{ env.IMAGE_DIGEST }} + push-to-registry: true + diff --git a/.github/workflows/generate.yml b/.github/workflows/generate.yml index 9ac4115d..dc1c9049 100644 --- a/.github/workflows/generate.yml +++ b/.github/workflows/generate.yml @@ -20,17 +20,8 @@ permissions: on: push: - branches: - - 'main' - paths: - - '**.proto' - - 'gen/**' - - 'protoc-builder/**' - pull_request: - paths: - - '**.proto' - - 'gen/**' - - 'protoc-builder/**' + branches: [main] + pull_request: {} jobs: check_generated_protos: diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index 62b45afd..5db5ad8b 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -14,4 +14,4 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1 + - uses: gradle/actions/wrapper-validation@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0 diff --git a/.github/workflows/java-build.yml b/.github/workflows/java-build.yml index 079c82b1..d7148f59 100644 --- a/.github/workflows/java-build.yml +++ b/.github/workflows/java-build.yml @@ -21,13 +21,8 @@ permissions: on: workflow_call: # allow this workflow to be called by other workflows push: - paths: - - '**.proto' - - 'java/**' - pull_request: - paths: - - '**.proto' - - 'java/**' + branches: [main] + pull_request: {} jobs: build: @@ -48,7 +43,7 @@ jobs: java-version: ${{ matrix.java-version }} distribution: 'temurin' - name: Setup Gradle - uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1 + uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0 # make sure jar generation works and tests/checks pass - name: Test 
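Review bot: The `actions/checkout` step in the new `release` job of container-release.yml omits `persist-credentials: false`, which the other workflows visible in this commit set (gradle-wrapper-validation.yml, ruby-build.yml). The job holds `packages: write`, `id-token: write` and `attestations: write` and then runs `make services-image` over the checked-out tree, so the checkout should carry `with:` / `persist-credentials: false`. The Tag, Push and digest steps also expand `${{ env.IMAGE_REF }}` into the script text before the shell parses it, and that value ends in the pushed tag name; IMAGE_REF is already exported through `$GITHUB_ENV`, so reference it as a quoted shell variable instead: `docker tag protoc-services "$IMAGE_REF"` and `docker push "$IMAGE_REF"`. In the digest step, `{{index .RepoDigests 0}}` takes the first repo digest rather than the one for the pushed reference; that presumably holds on a fresh runner, but checking that the entry starts with the IMAGE_NO_TAG value before attesting would make the subject unambiguous.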
diff --git a/.github/workflows/python-build.yml b/.github/workflows/python-build.yml index 027eaba9..b2b890c8 100644 --- a/.github/workflows/python-build.yml +++ b/.github/workflows/python-build.yml @@ -20,25 +20,14 @@ permissions: on: push: - paths: - - '**.proto' - - 'gen/pb-python/**' - - 'protoc-builder/Dockerfile.python' - - 'protoc-builder/versions.mk' - - 'protoc-builder/hack/dev-requirements.txt' - pull_request: - paths: - - '**.proto' - - 'gen/pb-python/**' - - 'protoc-builder/Dockerfile.python' - - 'protoc-builder/versions.mk' - - 'protoc-builder/hack/dev-requirements.txt' + branches: [main] + pull_request: {} jobs: build: strategy: matrix: - python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"] + python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"] fail-fast: false runs-on: ubuntu-latest diff --git a/.github/workflows/ruby-build.yml b/.github/workflows/ruby-build.yml index 9e4e0650..affbd8eb 100644 --- a/.github/workflows/ruby-build.yml +++ b/.github/workflows/ruby-build.yml @@ -20,17 +20,8 @@ permissions: on: push: - paths: - - '**.proto' - - 'gen/pb-ruby/**' - - 'protoc-builder/Dockerfile.ruby' - - 'protoc-builder/versions.mk' - pull_request: - paths: - - '**.proto' - - 'gen/pb-ruby/**' - - 'protoc-builder/Dockerfile.ruby' - - 'protoc-builder/versions.mk' + branches: [main] + pull_request: {} jobs: build: @@ -53,7 +44,7 @@ jobs: with: persist-credentials: false - name: Set up Ruby ${{ matrix.ruby-version }} - uses: ruby/setup-ruby@84684c07c1965536eb4802c8daf1a77968df0cb1 # v1.239.0 + uses: ruby/setup-ruby@c95ae3725f6ebdd095f2bd19caed7ebc14435ba5 # v1.243.0 with: ruby-version: ${{ matrix.ruby-version }} diff --git a/.github/workflows/ruby-release.yml b/.github/workflows/ruby-release.yml index 60d23aac..8fd90644 100644 --- a/.github/workflows/ruby-release.yml +++ b/.github/workflows/ruby-release.yml 
@@ -39,7 +39,7 @@ jobs: with: persist-credentials: false - - uses: ruby/setup-ruby@84684c07c1965536eb4802c8daf1a77968df0cb1 # v1.239.0 + - uses: ruby/setup-ruby@c95ae3725f6ebdd095f2bd19caed7ebc14435ba5 # v1.243.0 with: ruby-version: '3.2' diff --git a/.github/workflows/rust-build.yml b/.github/workflows/rust-build.yml index 8fe15e10..9bdeecb0 100644 --- a/.github/workflows/rust-build.yml +++ b/.github/workflows/rust-build.yml @@ -20,17 +20,8 @@ permissions: on: push: - paths: - - "**.proto" - - "gen/pb-rust/**" - - "protoc-builder/Dockerfile.rust" - - "protoc-builder/versions.mk" - pull_request: - paths: - - "**.proto" - - "gen/pb-rust/**" - - "protoc-builder/Dockerfile.rust" - - "protoc-builder/versions.mk" + branches: [main] + pull_request: {} env: CARGO_TERM_COLOR: always diff --git a/.github/workflows/typescript-build.yml b/.github/workflows/typescript-build.yml index 641a3d66..2b26a34c 100644 --- a/.github/workflows/typescript-build.yml +++ b/.github/workflows/typescript-build.yml @@ -20,19 +20,8 @@ permissions: on: push: - paths: - - '**.proto' - - 'gen/pb-typescript/**' - - 'protoc-builder/Dockerfile.typescript' - - 'protoc-builder/hack/package*.json' - - 'protoc-builder/versions.mk' - pull_request: - paths: - - '**.proto' - - 'gen/pb-typescript/**' - - 'protoc-builder/Dockerfile.typescript' - - 'protoc-builder/hack/package*.json' - - 'protoc-builder/versions.mk' + branches: [main] + pull_request: {} jobs: build: diff --git a/CHANGELOG.md b/CHANGELOG.md index 25e5749a..bfa1d402 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,10 @@ All versions prior to 0.2.0 are untracked. ### Changed +## 0.4.3 + +* Added Rekor v2 generated clients ([#661](https://github.com/sigstore/protobuf-specs/pull/661)) + ## 0.4.2 ### Changed diff --git a/Makefile b/Makefile index a2ce3877..e3fdad05 100644 --- a/Makefile +++ b/Makefile 
@@ -15,10 +15,12 @@ PROTOC_IMAGE = protoc-base PROTOC_GO_IMAGE = protoc-go -PROTOC_JSONSCHEMA_IMAGE = protoc-jsonschema PROTOC_PYTHON_IMAGE = protoc-python PROTOC_RUBY_IMAGE = protoc-ruby PROTOC_RUST_IMAGE = protoc-rust +# the container release action depends on the name being "protoc-services" +# so change it there too if you change it here. +PROTOC_SERVICES_IMAGE = protoc-services PROTOC_TYPESCRIPT_IMAGE = protoc-typescript RUST_ACTION ?= run -p sigstore-protobuf-specs-codegen 
@@ -29,53 +31,50 @@ GID ?= $(shell id -g) DOCKER_BUILD = docker build --platform ${PLATFORM} --build-arg UID=${UID} DOCKER_RUN = docker run --platform ${PLATFORM} --user ${UID}:${GID} -PROTOS = $(shell find protos/ -iname "*.proto" | sed 's|^|/defs/|') +PROTOS = $(shell find protos/ service-protos/ -iname "*.proto" | sed 's|^|/defs/|') +PROTO_INCLUDES=-I/opt/include -I/googleapis -I/defs/protos -I/defs/service-protos include protoc-builder/versions.mk # generate all language protobuf code -all: go python typescript ruby jsonschema rust +all: go python typescript ruby rust # generate Go protobuf code go: base-image-go @echo "Generating go proto Docker image" cd protoc-builder && ${DOCKER_BUILD} -t ${PROTOC_GO_IMAGE} -f Dockerfile.go . @echo "Generating go protobuf files" - ${DOCKER_RUN} -v ${PWD}:/defs ${PROTOC_GO_IMAGE} \ - -I/opt/include -I/googleapis -I/defs/protos \ + ${DOCKER_RUN} -v ${PWD}:/defs ${PROTOC_GO_IMAGE} ${PROTO_INCLUDES}\ --go_opt=module=github.com/sigstore/protobuf-specs/gen/pb-go --go_out=/defs/gen/pb-go ${PROTOS} +# an image on ghcr for generating defintions for sigstore services +services-image: base-image-go + @echo "Generating go proto base image" + cd protoc-builder && ${DOCKER_BUILD} -t ${PROTOC_GO_IMAGE} -f Dockerfile.go . + @echo "Generating services Docker image" + # build from root directory so we can inject ./protos/ into the image + ${DOCKER_BUILD} -t ${PROTOC_SERVICES_IMAGE} --build-arg GO_BASE=${PROTOC_GO_IMAGE} -f protoc-builder/Dockerfile.services . + python: base-image-python @echo "Generating python proto Docker image" cd protoc-builder && ${DOCKER_BUILD} -t ${PROTOC_PYTHON_IMAGE} -f Dockerfile.python . 
@echo "Generating python protobuf files" - ${DOCKER_RUN} -v ${PWD}:/defs ${PROTOC_PYTHON_IMAGE} \ - -I/opt/include -I/googleapis -I/defs/protos \ + ${DOCKER_RUN} -v ${PWD}:/defs ${PROTOC_PYTHON_IMAGE} ${PROTO_INCLUDES}\ --python_betterproto_opt=pydantic_dataclasses --python_betterproto_out=/defs/gen/pb-python/sigstore_protobuf_specs ${PROTOS} typescript: base-image-typescript @echo "Generating typescript proto Docker image" cd protoc-builder && ${DOCKER_BUILD} -t ${PROTOC_TYPESCRIPT_IMAGE} -f Dockerfile.typescript . @echo "Generating javascript protobuf files" - ${DOCKER_RUN} -v ${PWD}:/defs ${PROTOC_TYPESCRIPT_IMAGE} \ - -I/opt/include -I/googleapis -I/defs/protos \ + ${DOCKER_RUN} -v ${PWD}:/defs ${PROTOC_TYPESCRIPT_IMAGE} ${PROTO_INCLUDES}\ --ts_proto_out=/defs/gen/pb-typescript/src/__generated__ --ts_proto_opt=oneof=unions,forceLong=string,env=node,exportCommonSymbols=false,outputPartialMethods=false,outputEncodeMethods=false,unrecognizedEnum=false ${PROTOS} ruby: base-image-ruby @echo "Generating ruby proto Docker image" cd protoc-builder && ${DOCKER_BUILD} -t ${PROTOC_RUBY_IMAGE} -f Dockerfile.ruby . @echo "Generating ruby protobuf files" - ${DOCKER_RUN} -v ${PWD}:/defs ${PROTOC_RUBY_IMAGE} \ - -I/opt/include -I/googleapis -I/defs/protos --ruby_out=/defs/gen/pb-ruby/lib ${PROTOS} - -jsonschema: base-image-jsonschema - @echo "Generating jsonschema proto Docker image" - cd protoc-builder && ${DOCKER_BUILD} -t ${PROTOC_JSONSCHEMA_IMAGE} -f Dockerfile.jsonschema . 
- @echo "Generating JSON schema files" - mkdir -p gen/jsonschema/schemas - ${DOCKER_RUN} -v ${PWD}:/defs ${PROTOC_JSONSCHEMA_IMAGE} \ - -I/opt/include -I/googleapis -I/defs/protos \ - --jsonschema_out=/defs/gen/jsonschema/schemas --jsonschema_opt=disallow_additional_properties --jsonschema_opt=enforce_oneof --jsonschema_opt=enums_as_strings_only --jsonschema_opt=file_extension=schema.json --jsonschema_opt=json_fieldnames ${PROTOS} + ${DOCKER_RUN} -v ${PWD}:/defs ${PROTOC_RUBY_IMAGE} ${PROTO_INCLUDES}\ + --ruby_out=/defs/gen/pb-ruby/lib ${PROTOS} rust: base-image-rust @echo "Generating rust proto Docker image" @@ -92,14 +91,6 @@ base-image-go: --build-arg PROTOC_CHECKSUM=${GO_PROTOC_CHECKSUM} \ --build-arg GOOGLEAPIS_COMMIT=${GO_GOOGLEAPIS_COMMIT} . -.PHONY: base-image-jsonschema -base-image-jsonschema: - @echo "Building base docker image for jsonschema" - cd protoc-builder && ${DOCKER_BUILD} ${DOCKER_CACHE} -t ${PROTOC_IMAGE}:jsonschema -f Dockerfile.protoc \ - --build-arg PROTOC_VERSION=${JSONSCHEMA_PROTOC_VERSION} \ - --build-arg PROTOC_CHECKSUM=${JSONSCHEMA_PROTOC_CHECKSUM} \ - --build-arg GOOGLEAPIS_COMMIT=${JSONSCHEMA_GOOGLEAPIS_COMMIT} . - .PHONY: base-image-python base-image-python: @echo "Building base docker image for Python" @@ -139,7 +130,6 @@ base-image-typescript: base-image-no-cache: @echo "Building development docker images with disabled cache" @DOCKER_CACHE="--no-cache" make base-image-go - @DOCKER_CACHE="--no-cache" make base-image-jsonschema @DOCKER_CACHE="--no-cache" make base-image-python @DOCKER_CACHE="--no-cache" make base-image-ruby @DOCKER_CACHE="--no-cache" make base-image-rust 
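Review bot: The new `services-image` recipe uses the repository root as the Docker build context (`-f protoc-builder/Dockerfile.services .`), and the resulting image is the one the container-release workflow publishes to ghcr.io, so everything in the checkout, including `.git`, is sent to the build. Dockerfile.services is not visible in this hunk; it is worth confirming that it copies only the proto directories it needs rather than `.`, and adding a root `.dockerignore` that excludes `.git` so repository metadata cannot end up in a published layer. The comment above the target has a typo; suggested wording: `# an image on ghcr for generating definitions for sigstore services`.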
@@ -151,10 +141,9 @@ clean: gen/pb-typescript/src/__generated__/* \ gen/pb-python/sigstore_protobuf_specs/dev \ gen/pb-python/sigstore_protobuf_specs/io \ - gen/pb-rust/target \ - gen/jsonschema/schemas + gen/pb-rust/target + find gen/pb-ruby/ -type f -name '*_pb.rb' -delete docker rmi -f ${PROTOC_IMAGE}:go ${PROTOC_GO_IMAGE} \ - ${PROTOC_IMAGE}:jsonschema ${PROTOC_JSONSCHEMA_IMAGE} \ ${PROTOC_IMAGE}:python ${PROTOC_PYTHON_IMAGE} \ ${PROTOC_IMAGE}:ruby ${PROTOC_RUBY_IMAGE} \ ${PROTOC_IMAGE}:rust ${PROTOC_RUST_IMAGE} \ diff --git a/README.md b/README.md index 7a705b8a..61b9bfea 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,13 @@ After updating the specification, update the to include the new signing algorithm identifier. If the algorithm also uses a new hashing algorithm, update [`HashAlgorithm`](https://github.com/sigstore/protobuf-specs/blob/c30eb14cece57d88c08579197ecfdb57a5f1aba5/protos/sigstore_common.proto#L37). +## Service Builder + +This project publishes a container to [`ghcr.io/sigstore/protobuf-specs-service-builder`](https://github.com/sigstore/protobuf-specs/pkgs/container/protobuf-specs-service-builder) +which contains all the necessary protoc tools, .proto files and .proto dependencies to generate service +defintions for sigstore services (like rekor and fulcio). This container is not meant to be used by anyone +else and no requests or support will be provided. + ## Deprecation Notice - Effective January 17th, 2025: the jsonschema generated files in gen/jsonschema/schemas/ are formally deprecated. They will be removed in 6 months from this repository and not built repeatedly going forward. If you are using them, please open an issue on this repository and let us know. diff --git a/gen/pb-go/rekor/v2/dsse.pb.go b/gen/pb-go/rekor/v2/dsse.pb.go new file mode 100644 index 00000000..75390c31 --- /dev/null +++ b/gen/pb-go/rekor/v2/dsse.pb.go 
@@ -0,0 +1,248 @@ +// Copyright 2025 The Sigstore Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.5 +// protoc v6.30.2 +// source: rekor/v2/dsse.proto + +package v2 + +import ( + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + dsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" + _ "google.golang.org/genproto/googleapis/api/annotations" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. 
+ _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// A request to add a DSSE v0.0.2 entry to the log +type DSSERequestV002 struct { + state protoimpl.MessageState `protogen:"open.v1"` + // A DSSE envelope + Envelope *dsse.Envelope `protobuf:"bytes,1,opt,name=envelope,proto3" json:"envelope,omitempty"` + // All necessary verification material to verify all signatures embedded in the envelope + Verifiers []*Verifier `protobuf:"bytes,2,rep,name=verifiers,proto3" json:"verifiers,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *DSSERequestV002) Reset() { + *x = DSSERequestV002{} + mi := &file_rekor_v2_dsse_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DSSERequestV002) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DSSERequestV002) ProtoMessage() {} + +func (x *DSSERequestV002) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_dsse_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DSSERequestV002.ProtoReflect.Descriptor instead. 
+func (*DSSERequestV002) Descriptor() ([]byte, []int) { + return file_rekor_v2_dsse_proto_rawDescGZIP(), []int{0} +} + +func (x *DSSERequestV002) GetEnvelope() *dsse.Envelope { + if x != nil { + return x.Envelope + } + return nil +} + +func (x *DSSERequestV002) GetVerifiers() []*Verifier { + if x != nil { + return x.Verifiers + } + return nil +} + +type DSSELogEntryV002 struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The hash of the DSSE payload + PayloadHash *v1.HashOutput `protobuf:"bytes,1,opt,name=payloadHash,proto3" json:"payloadHash,omitempty"` + // Signatures and their associated verification material used to verify the payload + Signatures []*Signature `protobuf:"bytes,2,rep,name=signatures,proto3" json:"signatures,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *DSSELogEntryV002) Reset() { + *x = DSSELogEntryV002{} + mi := &file_rekor_v2_dsse_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DSSELogEntryV002) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DSSELogEntryV002) ProtoMessage() {} + +func (x *DSSELogEntryV002) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_dsse_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DSSELogEntryV002.ProtoReflect.Descriptor instead. 
+func (*DSSELogEntryV002) Descriptor() ([]byte, []int) { + return file_rekor_v2_dsse_proto_rawDescGZIP(), []int{1} +} + +func (x *DSSELogEntryV002) GetPayloadHash() *v1.HashOutput { + if x != nil { + return x.PayloadHash + } + return nil +} + +func (x *DSSELogEntryV002) GetSignatures() []*Signature { + if x != nil { + return x.Signatures + } + return nil +} + +var File_rekor_v2_dsse_proto protoreflect.FileDescriptor + +var file_rekor_v2_dsse_proto_rawDesc = string([]byte{ + 0x0a, 0x13, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x64, 0x73, 0x73, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, + 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x1a, 0x1f, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, + 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x0e, 0x65, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x76, + 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8b, 0x01, + 0x0a, 0x0f, 0x44, 0x53, 0x53, 0x45, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x56, 0x30, 0x30, + 0x32, 0x12, 0x34, 0x0a, 0x08, 0x65, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x69, 0x6f, 0x2e, 0x69, 0x6e, 0x74, 0x6f, 0x74, 0x6f, 0x2e, + 0x45, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x08, 0x65, + 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x12, 0x42, 0x0a, 0x09, 0x76, 0x65, 0x72, 0x69, 0x66, + 0x69, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x64, 0x65, 0x76, + 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 
0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, + 0x76, 0x32, 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x42, 0x03, 0xe0, 0x41, 0x02, + 0x52, 0x09, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x22, 0xa4, 0x01, 0x0a, 0x10, + 0x44, 0x53, 0x53, 0x45, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x56, 0x30, 0x30, 0x32, + 0x12, 0x49, 0x0a, 0x0b, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x48, 0x61, 0x73, 0x68, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x48, + 0x61, 0x73, 0x68, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0b, + 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x48, 0x61, 0x73, 0x68, 0x12, 0x45, 0x0a, 0x0a, 0x73, + 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x20, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, + 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, + 0x65, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0a, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, + 0x65, 0x73, 0x42, 0x79, 0x0a, 0x1b, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, + 0x32, 0x42, 0x0b, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x56, 0x32, 0x44, 0x73, 0x73, 0x65, 0x50, 0x01, + 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, + 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x72, + 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0xea, 0x02, 0x13, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x3a, 0x3a, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x3a, 0x3a, 0x56, 0x32, 0x62, 
0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, +}) + +var ( + file_rekor_v2_dsse_proto_rawDescOnce sync.Once + file_rekor_v2_dsse_proto_rawDescData []byte +) + +func file_rekor_v2_dsse_proto_rawDescGZIP() []byte { + file_rekor_v2_dsse_proto_rawDescOnce.Do(func() { + file_rekor_v2_dsse_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_rekor_v2_dsse_proto_rawDesc), len(file_rekor_v2_dsse_proto_rawDesc))) + }) + return file_rekor_v2_dsse_proto_rawDescData +} + +var file_rekor_v2_dsse_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_rekor_v2_dsse_proto_goTypes = []any{ + (*DSSERequestV002)(nil), // 0: dev.sigstore.rekor.v2.DSSERequestV002 + (*DSSELogEntryV002)(nil), // 1: dev.sigstore.rekor.v2.DSSELogEntryV002 + (*dsse.Envelope)(nil), // 2: io.intoto.Envelope + (*Verifier)(nil), // 3: dev.sigstore.rekor.v2.Verifier + (*v1.HashOutput)(nil), // 4: dev.sigstore.common.v1.HashOutput + (*Signature)(nil), // 5: dev.sigstore.rekor.v2.Signature +} +var file_rekor_v2_dsse_proto_depIdxs = []int32{ + 2, // 0: dev.sigstore.rekor.v2.DSSERequestV002.envelope:type_name -> io.intoto.Envelope + 3, // 1: dev.sigstore.rekor.v2.DSSERequestV002.verifiers:type_name -> dev.sigstore.rekor.v2.Verifier + 4, // 2: dev.sigstore.rekor.v2.DSSELogEntryV002.payloadHash:type_name -> dev.sigstore.common.v1.HashOutput + 5, // 3: dev.sigstore.rekor.v2.DSSELogEntryV002.signatures:type_name -> dev.sigstore.rekor.v2.Signature + 4, // [4:4] is the sub-list for method output_type + 4, // [4:4] is the sub-list for method input_type + 4, // [4:4] is the sub-list for extension type_name + 4, // [4:4] is the sub-list for extension extendee + 0, // [0:4] is the sub-list for field type_name +} + +func init() { file_rekor_v2_dsse_proto_init() } +func file_rekor_v2_dsse_proto_init() { + if File_rekor_v2_dsse_proto != nil { + return + } + file_rekor_v2_verifier_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: 
reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_rekor_v2_dsse_proto_rawDesc), len(file_rekor_v2_dsse_proto_rawDesc)), + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_rekor_v2_dsse_proto_goTypes, + DependencyIndexes: file_rekor_v2_dsse_proto_depIdxs, + MessageInfos: file_rekor_v2_dsse_proto_msgTypes, + }.Build() + File_rekor_v2_dsse_proto = out.File + file_rekor_v2_dsse_proto_goTypes = nil + file_rekor_v2_dsse_proto_depIdxs = nil +} diff --git a/gen/pb-go/rekor/v2/entry.pb.go b/gen/pb-go/rekor/v2/entry.pb.go new file mode 100644 index 00000000..9bbb83c3 --- /dev/null +++ b/gen/pb-go/rekor/v2/entry.pb.go 
@@ -0,0 +1,395 @@ +// Copyright 2025 The Sigstore Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.5 +// protoc v6.30.2 +// source: rekor/v2/entry.proto + +package v2 + +import ( + _ "google.golang.org/genproto/googleapis/api/annotations" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// Entry is the message that is canonicalized and uploaded to the log. +// This format is meant to be compliant with Rekor v1 entries in that +// the `apiVersion` and `kind` can be parsed before parsing the spec. +// Clients are expected to understand and handle the differences in the +// contents of `spec` between Rekor v1 (a polymorphic OpenAPI defintion) +// and Rekor v2 (a typed proto defintion). 
+type Entry struct { + state protoimpl.MessageState `protogen:"open.v1"` + Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"` + ApiVersion string `protobuf:"bytes,2,opt,name=api_version,json=apiVersion,proto3" json:"api_version,omitempty"` + Spec *Spec `protobuf:"bytes,3,opt,name=spec,proto3" json:"spec,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Entry) Reset() { + *x = Entry{} + mi := &file_rekor_v2_entry_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Entry) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Entry) ProtoMessage() {} + +func (x *Entry) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_entry_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Entry.ProtoReflect.Descriptor instead. +func (*Entry) Descriptor() ([]byte, []int) { + return file_rekor_v2_entry_proto_rawDescGZIP(), []int{0} +} + +func (x *Entry) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *Entry) GetApiVersion() string { + if x != nil { + return x.ApiVersion + } + return "" +} + +func (x *Entry) GetSpec() *Spec { + if x != nil { + return x.Spec + } + return nil +} + +// Spec contains one of the Rekor entry types. 
+type Spec struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Types that are valid to be assigned to Spec: + // + // *Spec_HashedRekordV002 + // *Spec_DsseV002 + Spec isSpec_Spec `protobuf_oneof:"spec"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Spec) Reset() { + *x = Spec{} + mi := &file_rekor_v2_entry_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Spec) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Spec) ProtoMessage() {} + +func (x *Spec) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_entry_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Spec.ProtoReflect.Descriptor instead. +func (*Spec) Descriptor() ([]byte, []int) { + return file_rekor_v2_entry_proto_rawDescGZIP(), []int{1} +} + +func (x *Spec) GetSpec() isSpec_Spec { + if x != nil { + return x.Spec + } + return nil +} + +func (x *Spec) GetHashedRekordV002() *HashedRekordLogEntryV002 { + if x != nil { + if x, ok := x.Spec.(*Spec_HashedRekordV002); ok { + return x.HashedRekordV002 + } + } + return nil +} + +func (x *Spec) GetDsseV002() *DSSELogEntryV002 { + if x != nil { + if x, ok := x.Spec.(*Spec_DsseV002); ok { + return x.DsseV002 + } + } + return nil +} + +type isSpec_Spec interface { + isSpec_Spec() +} + +type Spec_HashedRekordV002 struct { + HashedRekordV002 *HashedRekordLogEntryV002 `protobuf:"bytes,1,opt,name=hashed_rekord_v002,json=hashedRekordV002,proto3,oneof"` +} + +type Spec_DsseV002 struct { + DsseV002 *DSSELogEntryV002 `protobuf:"bytes,2,opt,name=dsse_v002,json=dsseV002,proto3,oneof"` +} + +func (*Spec_HashedRekordV002) isSpec_Spec() {} + +func (*Spec_DsseV002) isSpec_Spec() {} + +// Create a new HashedRekord or DSSE +type CreateEntryRequest struct { + state 
protoimpl.MessageState `protogen:"open.v1"` + // Types that are valid to be assigned to Spec: + // + // *CreateEntryRequest_HashedRekordRequestV002 + // *CreateEntryRequest_DsseRequestV002 + Spec isCreateEntryRequest_Spec `protobuf_oneof:"spec"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *CreateEntryRequest) Reset() { + *x = CreateEntryRequest{} + mi := &file_rekor_v2_entry_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *CreateEntryRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CreateEntryRequest) ProtoMessage() {} + +func (x *CreateEntryRequest) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_entry_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CreateEntryRequest.ProtoReflect.Descriptor instead. 
+func (*CreateEntryRequest) Descriptor() ([]byte, []int) { + return file_rekor_v2_entry_proto_rawDescGZIP(), []int{2} +} + +func (x *CreateEntryRequest) GetSpec() isCreateEntryRequest_Spec { + if x != nil { + return x.Spec + } + return nil +} + +func (x *CreateEntryRequest) GetHashedRekordRequestV002() *HashedRekordRequestV002 { + if x != nil { + if x, ok := x.Spec.(*CreateEntryRequest_HashedRekordRequestV002); ok { + return x.HashedRekordRequestV002 + } + } + return nil +} + +func (x *CreateEntryRequest) GetDsseRequestV002() *DSSERequestV002 { + if x != nil { + if x, ok := x.Spec.(*CreateEntryRequest_DsseRequestV002); ok { + return x.DsseRequestV002 + } + } + return nil +} + +type isCreateEntryRequest_Spec interface { + isCreateEntryRequest_Spec() +} + +type CreateEntryRequest_HashedRekordRequestV002 struct { + HashedRekordRequestV002 *HashedRekordRequestV002 `protobuf:"bytes,1,opt,name=hashed_rekord_request_v002,json=hashedRekordRequestV002,proto3,oneof"` +} + +type CreateEntryRequest_DsseRequestV002 struct { + DsseRequestV002 *DSSERequestV002 `protobuf:"bytes,2,opt,name=dsse_request_v002,json=dsseRequestV002,proto3,oneof"` +} + +func (*CreateEntryRequest_HashedRekordRequestV002) isCreateEntryRequest_Spec() {} + +func (*CreateEntryRequest_DsseRequestV002) isCreateEntryRequest_Spec() {} + +var File_rekor_v2_entry_proto protoreflect.FileDescriptor + +var file_rekor_v2_entry_proto_rawDesc = string([]byte{ + 0x0a, 0x14, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x65, 0x6e, 0x74, 0x72, 0x79, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x1a, 0x1f, 0x67, + 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, + 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x13, + 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x64, 0x73, 0x73, 0x65, 
0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x68, 0x61, + 0x73, 0x68, 0x65, 0x64, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x22, 0x7c, 0x0a, 0x05, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x17, 0x0a, 0x04, 0x6b, 0x69, 0x6e, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6b, 0x69, + 0x6e, 0x64, 0x12, 0x24, 0x0a, 0x0b, 0x61, 0x70, 0x69, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, + 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0a, 0x61, 0x70, + 0x69, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, + 0x70, 0x65, 0x63, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x73, 0x70, 0x65, 0x63, 0x22, 0xc1, + 0x01, 0x0a, 0x04, 0x53, 0x70, 0x65, 0x63, 0x12, 0x64, 0x0a, 0x12, 0x68, 0x61, 0x73, 0x68, 0x65, + 0x64, 0x5f, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x64, 0x5f, 0x76, 0x30, 0x30, 0x32, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x48, 0x61, 0x73, 0x68, + 0x65, 0x64, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x64, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, + 0x56, 0x30, 0x30, 0x32, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x10, 0x68, 0x61, 0x73, + 0x68, 0x65, 0x64, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x64, 0x56, 0x30, 0x30, 0x32, 0x12, 0x4b, 0x0a, + 0x09, 0x64, 0x73, 0x73, 0x65, 0x5f, 0x76, 0x30, 0x30, 0x32, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x44, 0x53, 0x53, 0x45, 0x4c, 0x6f, 0x67, + 0x45, 0x6e, 0x74, 
0x72, 0x79, 0x56, 0x30, 0x30, 0x32, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, + 0x52, 0x08, 0x64, 0x73, 0x73, 0x65, 0x56, 0x30, 0x30, 0x32, 0x42, 0x06, 0x0a, 0x04, 0x73, 0x70, + 0x65, 0x63, 0x22, 0xeb, 0x01, 0x0a, 0x12, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x74, + 0x72, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x72, 0x0a, 0x1a, 0x68, 0x61, 0x73, + 0x68, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x64, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x5f, 0x76, 0x30, 0x30, 0x32, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2e, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, + 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x48, 0x61, 0x73, 0x68, 0x65, 0x64, 0x52, 0x65, 0x6b, 0x6f, + 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x56, 0x30, 0x30, 0x32, 0x42, 0x03, 0xe0, + 0x41, 0x02, 0x48, 0x00, 0x52, 0x17, 0x68, 0x61, 0x73, 0x68, 0x65, 0x64, 0x52, 0x65, 0x6b, 0x6f, + 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x56, 0x30, 0x30, 0x32, 0x12, 0x59, 0x0a, + 0x11, 0x64, 0x73, 0x73, 0x65, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x76, 0x30, + 0x30, 0x32, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, + 0x2e, 0x44, 0x53, 0x53, 0x45, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x56, 0x30, 0x30, 0x32, + 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x0f, 0x64, 0x73, 0x73, 0x65, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x56, 0x30, 0x30, 0x32, 0x42, 0x06, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, + 0x42, 0x7a, 0x0a, 0x1b, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x42, + 0x0c, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x56, 0x32, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x50, 0x01, 0x5a, + 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 
0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, + 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x72, 0x65, + 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0xea, 0x02, 0x13, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, + 0x65, 0x3a, 0x3a, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +}) + +var ( + file_rekor_v2_entry_proto_rawDescOnce sync.Once + file_rekor_v2_entry_proto_rawDescData []byte +) + +func file_rekor_v2_entry_proto_rawDescGZIP() []byte { + file_rekor_v2_entry_proto_rawDescOnce.Do(func() { + file_rekor_v2_entry_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_rekor_v2_entry_proto_rawDesc), len(file_rekor_v2_entry_proto_rawDesc))) + }) + return file_rekor_v2_entry_proto_rawDescData +} + +var file_rekor_v2_entry_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_rekor_v2_entry_proto_goTypes = []any{ + (*Entry)(nil), // 0: dev.sigstore.rekor.v2.Entry + (*Spec)(nil), // 1: dev.sigstore.rekor.v2.Spec + (*CreateEntryRequest)(nil), // 2: dev.sigstore.rekor.v2.CreateEntryRequest + (*HashedRekordLogEntryV002)(nil), // 3: dev.sigstore.rekor.v2.HashedRekordLogEntryV002 + (*DSSELogEntryV002)(nil), // 4: dev.sigstore.rekor.v2.DSSELogEntryV002 + (*HashedRekordRequestV002)(nil), // 5: dev.sigstore.rekor.v2.HashedRekordRequestV002 + (*DSSERequestV002)(nil), // 6: dev.sigstore.rekor.v2.DSSERequestV002 +} +var file_rekor_v2_entry_proto_depIdxs = []int32{ + 1, // 0: dev.sigstore.rekor.v2.Entry.spec:type_name -> dev.sigstore.rekor.v2.Spec + 3, // 1: dev.sigstore.rekor.v2.Spec.hashed_rekord_v002:type_name -> dev.sigstore.rekor.v2.HashedRekordLogEntryV002 + 4, // 2: dev.sigstore.rekor.v2.Spec.dsse_v002:type_name -> dev.sigstore.rekor.v2.DSSELogEntryV002 + 5, // 3: dev.sigstore.rekor.v2.CreateEntryRequest.hashed_rekord_request_v002:type_name -> 
dev.sigstore.rekor.v2.HashedRekordRequestV002 + 6, // 4: dev.sigstore.rekor.v2.CreateEntryRequest.dsse_request_v002:type_name -> dev.sigstore.rekor.v2.DSSERequestV002 + 5, // [5:5] is the sub-list for method output_type + 5, // [5:5] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name +} + +func init() { file_rekor_v2_entry_proto_init() } +func file_rekor_v2_entry_proto_init() { + if File_rekor_v2_entry_proto != nil { + return + } + file_rekor_v2_dsse_proto_init() + file_rekor_v2_hashedrekord_proto_init() + file_rekor_v2_entry_proto_msgTypes[1].OneofWrappers = []any{ + (*Spec_HashedRekordV002)(nil), + (*Spec_DsseV002)(nil), + } + file_rekor_v2_entry_proto_msgTypes[2].OneofWrappers = []any{ + (*CreateEntryRequest_HashedRekordRequestV002)(nil), + (*CreateEntryRequest_DsseRequestV002)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_rekor_v2_entry_proto_rawDesc), len(file_rekor_v2_entry_proto_rawDesc)), + NumEnums: 0, + NumMessages: 3, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_rekor_v2_entry_proto_goTypes, + DependencyIndexes: file_rekor_v2_entry_proto_depIdxs, + MessageInfos: file_rekor_v2_entry_proto_msgTypes, + }.Build() + File_rekor_v2_entry_proto = out.File + file_rekor_v2_entry_proto_goTypes = nil + file_rekor_v2_entry_proto_depIdxs = nil +} diff --git a/gen/pb-go/rekor/v2/hashedrekord.pb.go b/gen/pb-go/rekor/v2/hashedrekord.pb.go new file mode 100644 index 00000000..ca519b67 --- /dev/null +++ b/gen/pb-go/rekor/v2/hashedrekord.pb.go 
@@ -0,0 +1,242 @@ +// Copyright 2025 The Sigstore Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.5 +// protoc v6.30.2 +// source: rekor/v2/hashedrekord.proto + +package v2 + +import ( + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + _ "google.golang.org/genproto/googleapis/api/annotations" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. 
+ _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// A request to add a hashedrekord v0.0.2 to the log +type HashedRekordRequestV002 struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The hashed data + Digest []byte `protobuf:"bytes,1,opt,name=digest,proto3" json:"digest,omitempty"` + // A single signature over the hashed data with the verifier needed to validate it + Signature *Signature `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *HashedRekordRequestV002) Reset() { + *x = HashedRekordRequestV002{} + mi := &file_rekor_v2_hashedrekord_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *HashedRekordRequestV002) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*HashedRekordRequestV002) ProtoMessage() {} + +func (x *HashedRekordRequestV002) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_hashedrekord_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use HashedRekordRequestV002.ProtoReflect.Descriptor instead. 
+func (*HashedRekordRequestV002) Descriptor() ([]byte, []int) { + return file_rekor_v2_hashedrekord_proto_rawDescGZIP(), []int{0} +} + +func (x *HashedRekordRequestV002) GetDigest() []byte { + if x != nil { + return x.Digest + } + return nil +} + +func (x *HashedRekordRequestV002) GetSignature() *Signature { + if x != nil { + return x.Signature + } + return nil +} + +type HashedRekordLogEntryV002 struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The hashed data + Data *v1.HashOutput `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"` + // A single signature over the hashed data with the verifier needed to validate it + Signature *Signature `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *HashedRekordLogEntryV002) Reset() { + *x = HashedRekordLogEntryV002{} + mi := &file_rekor_v2_hashedrekord_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *HashedRekordLogEntryV002) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*HashedRekordLogEntryV002) ProtoMessage() {} + +func (x *HashedRekordLogEntryV002) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_hashedrekord_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use HashedRekordLogEntryV002.ProtoReflect.Descriptor instead. 
+func (*HashedRekordLogEntryV002) Descriptor() ([]byte, []int) { + return file_rekor_v2_hashedrekord_proto_rawDescGZIP(), []int{1} +} + +func (x *HashedRekordLogEntryV002) GetData() *v1.HashOutput { + if x != nil { + return x.Data + } + return nil +} + +func (x *HashedRekordLogEntryV002) GetSignature() *Signature { + if x != nil { + return x.Signature + } + return nil +} + +var File_rekor_v2_hashedrekord_proto protoreflect.FileDescriptor + +var file_rekor_v2_hashedrekord_proto_rawDesc = string([]byte{ + 0x0a, 0x1b, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x65, + 0x64, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, + 0x72, 0x2e, 0x76, 0x32, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, + 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x72, 0x65, + 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x7b, 0x0a, 0x17, 0x48, 0x61, 0x73, 0x68, 0x65, 0x64, 0x52, + 0x65, 0x6b, 0x6f, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x56, 0x30, 0x30, 0x32, + 0x12, 0x1b, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, + 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x43, 0x0a, + 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x20, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, + 0x72, 0x65, 0x42, 
0x03, 0xe0, 0x41, 0x02, 0x52, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, + 0x72, 0x65, 0x22, 0x9c, 0x01, 0x0a, 0x18, 0x48, 0x61, 0x73, 0x68, 0x65, 0x64, 0x52, 0x65, 0x6b, + 0x6f, 0x72, 0x64, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x56, 0x30, 0x30, 0x32, 0x12, + 0x3b, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x61, 0x73, 0x68, 0x4f, 0x75, 0x74, 0x70, 0x75, + 0x74, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x12, 0x43, 0x0a, 0x09, + 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x20, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, + 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, + 0x65, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, + 0x65, 0x42, 0x81, 0x01, 0x0a, 0x1b, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, + 0x32, 0x42, 0x13, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x56, 0x32, 0x48, 0x61, 0x73, 0x68, 0x65, 0x64, + 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x64, 0x50, 0x01, 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, + 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0xea, + 0x02, 0x13, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x52, 0x65, 0x6b, 0x6f, + 0x72, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +}) + +var ( + file_rekor_v2_hashedrekord_proto_rawDescOnce sync.Once + 
file_rekor_v2_hashedrekord_proto_rawDescData []byte +) + +func file_rekor_v2_hashedrekord_proto_rawDescGZIP() []byte { + file_rekor_v2_hashedrekord_proto_rawDescOnce.Do(func() { + file_rekor_v2_hashedrekord_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_rekor_v2_hashedrekord_proto_rawDesc), len(file_rekor_v2_hashedrekord_proto_rawDesc))) + }) + return file_rekor_v2_hashedrekord_proto_rawDescData +} + +var file_rekor_v2_hashedrekord_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_rekor_v2_hashedrekord_proto_goTypes = []any{ + (*HashedRekordRequestV002)(nil), // 0: dev.sigstore.rekor.v2.HashedRekordRequestV002 + (*HashedRekordLogEntryV002)(nil), // 1: dev.sigstore.rekor.v2.HashedRekordLogEntryV002 + (*Signature)(nil), // 2: dev.sigstore.rekor.v2.Signature + (*v1.HashOutput)(nil), // 3: dev.sigstore.common.v1.HashOutput +} +var file_rekor_v2_hashedrekord_proto_depIdxs = []int32{ + 2, // 0: dev.sigstore.rekor.v2.HashedRekordRequestV002.signature:type_name -> dev.sigstore.rekor.v2.Signature + 3, // 1: dev.sigstore.rekor.v2.HashedRekordLogEntryV002.data:type_name -> dev.sigstore.common.v1.HashOutput + 2, // 2: dev.sigstore.rekor.v2.HashedRekordLogEntryV002.signature:type_name -> dev.sigstore.rekor.v2.Signature + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name +} + +func init() { file_rekor_v2_hashedrekord_proto_init() } +func file_rekor_v2_hashedrekord_proto_init() { + if File_rekor_v2_hashedrekord_proto != nil { + return + } + file_rekor_v2_verifier_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_rekor_v2_hashedrekord_proto_rawDesc), 
len(file_rekor_v2_hashedrekord_proto_rawDesc)), + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_rekor_v2_hashedrekord_proto_goTypes, + DependencyIndexes: file_rekor_v2_hashedrekord_proto_depIdxs, + MessageInfos: file_rekor_v2_hashedrekord_proto_msgTypes, + }.Build() + File_rekor_v2_hashedrekord_proto = out.File + file_rekor_v2_hashedrekord_proto_goTypes = nil + file_rekor_v2_hashedrekord_proto_depIdxs = nil +} diff --git a/gen/pb-go/rekor/v2/verifier.pb.go b/gen/pb-go/rekor/v2/verifier.pb.go new file mode 100644 index 00000000..098e6078 --- /dev/null +++ b/gen/pb-go/rekor/v2/verifier.pb.go 
@@ -0,0 +1,338 @@ +// Copyright 2025 The Sigstore Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.5 +// protoc v6.30.2 +// source: rekor/v2/verifier.proto + +package v2 + +import ( + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + _ "google.golang.org/genproto/googleapis/api/annotations" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. 
+ _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// PublicKey contains an encoded public key +type PublicKey struct { + state protoimpl.MessageState `protogen:"open.v1"` + // DER-encoded public key + RawBytes []byte `protobuf:"bytes,1,opt,name=raw_bytes,json=rawBytes,proto3" json:"raw_bytes,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *PublicKey) Reset() { + *x = PublicKey{} + mi := &file_rekor_v2_verifier_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PublicKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PublicKey) ProtoMessage() {} + +func (x *PublicKey) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_verifier_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PublicKey.ProtoReflect.Descriptor instead. 
+func (*PublicKey) Descriptor() ([]byte, []int) { + return file_rekor_v2_verifier_proto_rawDescGZIP(), []int{0} +} + +func (x *PublicKey) GetRawBytes() []byte { + if x != nil { + return x.RawBytes + } + return nil +} + +// Either a public key or a X.509 cerificiate with an embedded public key +type Verifier struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Types that are valid to be assigned to Verifier: + // + // *Verifier_PublicKey + // *Verifier_X509Certificate + Verifier isVerifier_Verifier `protobuf_oneof:"verifier"` + // Key encoding and signature algorithm to use for this key + KeyDetails v1.PublicKeyDetails `protobuf:"varint,3,opt,name=key_details,json=keyDetails,proto3,enum=dev.sigstore.common.v1.PublicKeyDetails" json:"key_details,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Verifier) Reset() { + *x = Verifier{} + mi := &file_rekor_v2_verifier_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Verifier) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Verifier) ProtoMessage() {} + +func (x *Verifier) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_verifier_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Verifier.ProtoReflect.Descriptor instead. 
+func (*Verifier) Descriptor() ([]byte, []int) { + return file_rekor_v2_verifier_proto_rawDescGZIP(), []int{1} +} + +func (x *Verifier) GetVerifier() isVerifier_Verifier { + if x != nil { + return x.Verifier + } + return nil +} + +func (x *Verifier) GetPublicKey() *PublicKey { + if x != nil { + if x, ok := x.Verifier.(*Verifier_PublicKey); ok { + return x.PublicKey + } + } + return nil +} + +func (x *Verifier) GetX509Certificate() *v1.X509Certificate { + if x != nil { + if x, ok := x.Verifier.(*Verifier_X509Certificate); ok { + return x.X509Certificate + } + } + return nil +} + +func (x *Verifier) GetKeyDetails() v1.PublicKeyDetails { + if x != nil { + return x.KeyDetails + } + return v1.PublicKeyDetails(0) +} + +type isVerifier_Verifier interface { + isVerifier_Verifier() +} + +type Verifier_PublicKey struct { + // DER-encoded public key. Encoding method is specified by the key_details attribute + PublicKey *PublicKey `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3,oneof"` +} + +type Verifier_X509Certificate struct { + // DER-encoded certificate + X509Certificate *v1.X509Certificate `protobuf:"bytes,2,opt,name=x509_certificate,json=x509Certificate,proto3,oneof"` +} + +func (*Verifier_PublicKey) isVerifier_Verifier() {} + +func (*Verifier_X509Certificate) isVerifier_Verifier() {} + +// A signature and an associated verifier +type Signature struct { + state protoimpl.MessageState `protogen:"open.v1"` + Content []byte `protobuf:"bytes,1,opt,name=content,proto3" json:"content,omitempty"` + Verifier *Verifier `protobuf:"bytes,2,opt,name=verifier,proto3" json:"verifier,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Signature) Reset() { + *x = Signature{} + mi := &file_rekor_v2_verifier_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Signature) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Signature) ProtoMessage() 
{} + +func (x *Signature) ProtoReflect() protoreflect.Message { + mi := &file_rekor_v2_verifier_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Signature.ProtoReflect.Descriptor instead. +func (*Signature) Descriptor() ([]byte, []int) { + return file_rekor_v2_verifier_proto_rawDescGZIP(), []int{2} +} + +func (x *Signature) GetContent() []byte { + if x != nil { + return x.Content + } + return nil +} + +func (x *Signature) GetVerifier() *Verifier { + if x != nil { + return x.Verifier + } + return nil +} + +var File_rekor_v2_verifier_proto protoreflect.FileDescriptor + +var file_rekor_v2_verifier_proto_rawDesc = string([]byte{ + 0x0a, 0x17, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, + 0x69, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x64, 0x65, 0x76, 0x2e, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, + 0x1a, 0x15, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, + 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x2d, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x0a, 0x09, 0x72, 0x61, 0x77, 0x5f, 0x62, 0x79, 0x74, + 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x08, 0x72, + 0x61, 0x77, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0x89, 0x02, 0x0a, 0x08, 0x56, 0x65, 0x72, 0x69, + 0x66, 0x69, 0x65, 0x72, 0x12, 0x46, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, + 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, + 0x69, 0x67, 
0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, + 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, + 0x00, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x59, 0x0a, 0x10, + 0x78, 0x35, 0x30, 0x39, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, + 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x42, + 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x0f, 0x78, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x4e, 0x0a, 0x0b, 0x6b, 0x65, 0x79, 0x5f, 0x64, + 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x44, + 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0a, 0x6b, 0x65, 0x79, + 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x42, 0x0a, 0x0a, 0x08, 0x76, 0x65, 0x72, 0x69, 0x66, + 0x69, 0x65, 0x72, 0x22, 0x6c, 0x0a, 0x09, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, + 0x12, 0x1d, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x12, + 0x40, 0x0a, 0x08, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, + 0x65, 0x72, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 
0x08, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, + 0x72, 0x42, 0x7d, 0x0a, 0x1b, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x32, + 0x42, 0x0f, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x56, 0x32, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, + 0x72, 0x50, 0x01, 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, + 0x6f, 0x2f, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0xea, 0x02, 0x13, 0x53, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x3a, 0x3a, 0x56, 0x32, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +}) + +var ( + file_rekor_v2_verifier_proto_rawDescOnce sync.Once + file_rekor_v2_verifier_proto_rawDescData []byte +) + +func file_rekor_v2_verifier_proto_rawDescGZIP() []byte { + file_rekor_v2_verifier_proto_rawDescOnce.Do(func() { + file_rekor_v2_verifier_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_rekor_v2_verifier_proto_rawDesc), len(file_rekor_v2_verifier_proto_rawDesc))) + }) + return file_rekor_v2_verifier_proto_rawDescData +} + +var file_rekor_v2_verifier_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_rekor_v2_verifier_proto_goTypes = []any{ + (*PublicKey)(nil), // 0: dev.sigstore.rekor.v2.PublicKey + (*Verifier)(nil), // 1: dev.sigstore.rekor.v2.Verifier + (*Signature)(nil), // 2: dev.sigstore.rekor.v2.Signature + (*v1.X509Certificate)(nil), // 3: dev.sigstore.common.v1.X509Certificate + (v1.PublicKeyDetails)(0), // 4: dev.sigstore.common.v1.PublicKeyDetails +} +var file_rekor_v2_verifier_proto_depIdxs = []int32{ + 0, // 0: dev.sigstore.rekor.v2.Verifier.public_key:type_name -> dev.sigstore.rekor.v2.PublicKey + 3, // 1: 
dev.sigstore.rekor.v2.Verifier.x509_certificate:type_name -> dev.sigstore.common.v1.X509Certificate + 4, // 2: dev.sigstore.rekor.v2.Verifier.key_details:type_name -> dev.sigstore.common.v1.PublicKeyDetails + 1, // 3: dev.sigstore.rekor.v2.Signature.verifier:type_name -> dev.sigstore.rekor.v2.Verifier + 4, // [4:4] is the sub-list for method output_type + 4, // [4:4] is the sub-list for method input_type + 4, // [4:4] is the sub-list for extension type_name + 4, // [4:4] is the sub-list for extension extendee + 0, // [0:4] is the sub-list for field type_name +} + +func init() { file_rekor_v2_verifier_proto_init() } +func file_rekor_v2_verifier_proto_init() { + if File_rekor_v2_verifier_proto != nil { + return + } + file_rekor_v2_verifier_proto_msgTypes[1].OneofWrappers = []any{ + (*Verifier_PublicKey)(nil), + (*Verifier_X509Certificate)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_rekor_v2_verifier_proto_rawDesc), len(file_rekor_v2_verifier_proto_rawDesc)), + NumEnums: 0, + NumMessages: 3, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_rekor_v2_verifier_proto_goTypes, + DependencyIndexes: file_rekor_v2_verifier_proto_depIdxs, + MessageInfos: file_rekor_v2_verifier_proto_msgTypes, + }.Build() + File_rekor_v2_verifier_proto = out.File + file_rekor_v2_verifier_proto_goTypes = nil + file_rekor_v2_verifier_proto_depIdxs = nil +} diff --git a/gen/pb-python/pyproject.toml b/gen/pb-python/pyproject.toml index 7979ba0c..2dbac94e 100644 --- a/gen/pb-python/pyproject.toml +++ b/gen/pb-python/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "sigstore-protobuf-specs" -version = "0.4.2" +version = "0.4.3" description = "A library for serializing and deserializing Sigstore messages" readme = "README.md" license = { file = "LICENSE" } 
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v2/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v2/__init__.py new file mode 100644 index 00000000..dac0d263 --- /dev/null +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v2/__init__.py 
@@ -0,0 +1,173 @@ +# Generated by the protocol buffer compiler. DO NOT EDIT! +# sources: rekor/v2/dsse.proto, rekor/v2/entry.proto, rekor/v2/hashedrekord.proto, rekor/v2/verifier.proto +# plugin: python-betterproto +# This file has been @generated + +from typing import TYPE_CHECKING + + +if TYPE_CHECKING: + from dataclasses import dataclass +else: + from pydantic.dataclasses import dataclass + +from typing import ( + List, + Optional, +) + +import betterproto +from pydantic import model_validator +from pydantic.dataclasses import rebuild_dataclass + +from .....io import intoto as ____io_intoto__ +from ...common import v1 as __common_v1__ + + +@dataclass(eq=False, repr=False) +class PublicKey(betterproto.Message): + """PublicKey contains an encoded public key""" + + raw_bytes: bytes = betterproto.bytes_field(1) + """DER-encoded public key""" + + +@dataclass(eq=False, repr=False) +class Verifier(betterproto.Message): + """ + Either a public key or a X.509 cerificiate with an embedded public key + """ + + public_key: Optional["PublicKey"] = betterproto.message_field( + 1, optional=True, group="verifier" + ) + """ + DER-encoded public key. 
Encoding method is specified by the key_details attribute + """ + + x509_certificate: Optional["__common_v1__.X509Certificate"] = ( + betterproto.message_field(2, optional=True, group="verifier") + ) + """DER-encoded certificate""" + + key_details: "__common_v1__.PublicKeyDetails" = betterproto.enum_field(3) + """Key encoding and signature algorithm to use for this key""" + + @model_validator(mode="after") + def check_oneof(cls, values): + return cls._validate_field_groups(values) + + +@dataclass(eq=False, repr=False) +class Signature(betterproto.Message): + """A signature and an associated verifier""" + + content: bytes = betterproto.bytes_field(1) + verifier: "Verifier" = betterproto.message_field(2) + + +@dataclass(eq=False, repr=False) +class DsseRequestV002(betterproto.Message): + """A request to add a DSSE v0.0.2 entry to the log""" + + envelope: "____io_intoto__.Envelope" = betterproto.message_field(1) + """A DSSE envelope""" + + verifiers: List["Verifier"] = betterproto.message_field(2) + """ + All necessary verification material to verify all signatures embedded in the envelope + """ + + +@dataclass(eq=False, repr=False) +class DsseLogEntryV002(betterproto.Message): + payload_hash: "__common_v1__.HashOutput" = betterproto.message_field(1) + """The hash of the DSSE payload""" + + signatures: List["Signature"] = betterproto.message_field(2) + """ + Signatures and their associated verification material used to verify the payload + """ + + +@dataclass(eq=False, repr=False) +class HashedRekordRequestV002(betterproto.Message): + """A request to add a hashedrekord v0.0.2 to the log""" + + digest: bytes = betterproto.bytes_field(1) + """The hashed data""" + + signature: "Signature" = betterproto.message_field(2) + """ + A single signature over the hashed data with the verifier needed to validate it + """ + + +@dataclass(eq=False, repr=False) +class HashedRekordLogEntryV002(betterproto.Message): + data: "__common_v1__.HashOutput" = betterproto.message_field(1) + 
"""The hashed data""" + + signature: "Signature" = betterproto.message_field(2) + """ + A single signature over the hashed data with the verifier needed to validate it + """ + + +@dataclass(eq=False, repr=False) +class Entry(betterproto.Message): + """ + Entry is the message that is canonicalized and uploaded to the log. + This format is meant to be compliant with Rekor v1 entries in that + the `apiVersion` and `kind` can be parsed before parsing the spec. + Clients are expected to understand and handle the differences in the + contents of `spec` between Rekor v1 (a polymorphic OpenAPI defintion) + and Rekor v2 (a typed proto defintion). + """ + + kind: str = betterproto.string_field(1) + api_version: str = betterproto.string_field(2) + spec: "Spec" = betterproto.message_field(3) + + +@dataclass(eq=False, repr=False) +class Spec(betterproto.Message): + """Spec contains one of the Rekor entry types.""" + + hashed_rekord_v002: Optional["HashedRekordLogEntryV002"] = ( + betterproto.message_field(1, optional=True, group="spec") + ) + dsse_v002: Optional["DsseLogEntryV002"] = betterproto.message_field( + 2, optional=True, group="spec" + ) + + @model_validator(mode="after") + def check_oneof(cls, values): + return cls._validate_field_groups(values) + + +@dataclass(eq=False, repr=False) +class CreateEntryRequest(betterproto.Message): + """Create a new HashedRekord or DSSE""" + + hashed_rekord_request_v002: Optional["HashedRekordRequestV002"] = ( + betterproto.message_field(1, optional=True, group="spec") + ) + dsse_request_v002: Optional["DsseRequestV002"] = betterproto.message_field( + 2, optional=True, group="spec" + ) + + @model_validator(mode="after") + def check_oneof(cls, values): + return cls._validate_field_groups(values) + + +rebuild_dataclass(Verifier) # type: ignore +rebuild_dataclass(Signature) # type: ignore +rebuild_dataclass(DsseRequestV002) # type: ignore +rebuild_dataclass(DsseLogEntryV002) # type: ignore +rebuild_dataclass(HashedRekordRequestV002) # 
type: ignore +rebuild_dataclass(HashedRekordLogEntryV002) # type: ignore +rebuild_dataclass(Entry) # type: ignore +rebuild_dataclass(Spec) # type: ignore +rebuild_dataclass(CreateEntryRequest) # type: ignore diff --git a/gen/pb-ruby/lib/rekor/v2/dsse_pb.rb b/gen/pb-ruby/lib/rekor/v2/dsse_pb.rb new file mode 100644 index 00000000..4af755fe --- /dev/null +++ b/gen/pb-ruby/lib/rekor/v2/dsse_pb.rb @@ -0,0 +1,25 @@ +# frozen_string_literal: true +# Generated by the protocol buffer compiler. DO NOT EDIT! +# source: rekor/v2/dsse.proto + +require 'google/protobuf' + +require 'google/api/field_behavior_pb' +require 'sigstore_common_pb' +require 'envelope_pb' +require 'rekor/v2/verifier_pb' + + +descriptor_data = "\n\x13rekor/v2/dsse.proto\x12\x15\x64\x65v.sigstore.rekor.v2\x1a\x1fgoogle/api/field_behavior.proto\x1a\x15sigstore_common.proto\x1a\x0e\x65nvelope.proto\x1a\x17rekor/v2/verifier.proto\"v\n\x0f\x44SSERequestV002\x12*\n\x08\x65nvelope\x18\x01 \x01(\x0b\x32\x13.io.intoto.EnvelopeB\x03\xe0\x41\x02\x12\x37\n\tverifiers\x18\x02 \x03(\x0b\x32\x1f.dev.sigstore.rekor.v2.VerifierB\x03\xe0\x41\x02\"\x8b\x01\n\x10\x44SSELogEntryV002\x12<\n\x0bpayloadHash\x18\x01 \x01(\x0b\x32\".dev.sigstore.common.v1.HashOutputB\x03\xe0\x41\x02\x12\x39\n\nsignatures\x18\x02 \x03(\x0b\x32 .dev.sigstore.rekor.v2.SignatureB\x03\xe0\x41\x02\x42y\n\x1b\x64\x65v.sigstore.proto.rekor.v2B\x0bRekorV2DsseP\x01Z5github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2\xea\x02\x13Sigstore::Rekor::V2b\x06proto3" + +pool = Google::Protobuf::DescriptorPool.generated_pool +pool.add_serialized_file(descriptor_data) + +module Sigstore + module Rekor + module V2 + DSSERequestV002 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.DSSERequestV002").msgclass + DSSELogEntryV002 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.DSSELogEntryV002").msgclass + end + end +end 
diff --git a/gen/pb-ruby/lib/rekor/v2/entry_pb.rb b/gen/pb-ruby/lib/rekor/v2/entry_pb.rb new file mode 100644 index 00000000..2a0e6dcf --- /dev/null +++ b/gen/pb-ruby/lib/rekor/v2/entry_pb.rb 
@@ -0,0 +1,25 @@ +# frozen_string_literal: true +# Generated by the protocol buffer compiler. DO NOT EDIT! +# source: rekor/v2/entry.proto + +require 'google/protobuf' + +require 'google/api/field_behavior_pb' +require 'rekor/v2/dsse_pb' +require 'rekor/v2/hashedrekord_pb' + + +descriptor_data = "\n\x14rekor/v2/entry.proto\x12\x15\x64\x65v.sigstore.rekor.v2\x1a\x1fgoogle/api/field_behavior.proto\x1a\x13rekor/v2/dsse.proto\x1a\x1brekor/v2/hashedrekord.proto\"d\n\x05\x45ntry\x12\x11\n\x04kind\x18\x01 \x01(\tB\x03\xe0\x41\x02\x12\x18\n\x0b\x61pi_version\x18\x02 \x01(\tB\x03\xe0\x41\x02\x12.\n\x04spec\x18\x03 \x01(\x0b\x32\x1b.dev.sigstore.rekor.v2.SpecB\x03\xe0\x41\x02\"\xa5\x01\n\x04Spec\x12R\n\x12hashed_rekord_v002\x18\x01 \x01(\x0b\x32/.dev.sigstore.rekor.v2.HashedRekordLogEntryV002B\x03\xe0\x41\x02H\x00\x12\x41\n\tdsse_v002\x18\x02 \x01(\x0b\x32\'.dev.sigstore.rekor.v2.DSSELogEntryV002B\x03\xe0\x41\x02H\x00\x42\x06\n\x04spec\"\xc1\x01\n\x12\x43reateEntryRequest\x12Y\n\x1ahashed_rekord_request_v002\x18\x01 \x01(\x0b\x32..dev.sigstore.rekor.v2.HashedRekordRequestV002B\x03\xe0\x41\x02H\x00\x12H\n\x11\x64sse_request_v002\x18\x02 \x01(\x0b\x32&.dev.sigstore.rekor.v2.DSSERequestV002B\x03\xe0\x41\x02H\x00\x42\x06\n\x04specBz\n\x1b\x64\x65v.sigstore.proto.rekor.v2B\x0cRekorV2EntryP\x01Z5github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2\xea\x02\x13Sigstore::Rekor::V2b\x06proto3" + +pool = Google::Protobuf::DescriptorPool.generated_pool +pool.add_serialized_file(descriptor_data) + +module Sigstore + module Rekor + module V2 + Entry = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.Entry").msgclass + Spec = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.Spec").msgclass + CreateEntryRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.CreateEntryRequest").msgclass + end + end +end 
diff --git a/gen/pb-ruby/lib/rekor/v2/hashedrekord_pb.rb b/gen/pb-ruby/lib/rekor/v2/hashedrekord_pb.rb new file mode 100644 index 00000000..38bcabf4 --- /dev/null +++ b/gen/pb-ruby/lib/rekor/v2/hashedrekord_pb.rb @@ -0,0 +1,24 @@ +# frozen_string_literal: true +# Generated by the protocol buffer compiler. DO NOT EDIT! +# source: rekor/v2/hashedrekord.proto + +require 'google/protobuf' + +require 'google/api/field_behavior_pb' +require 'sigstore_common_pb' +require 'rekor/v2/verifier_pb' + + +descriptor_data = "\n\x1brekor/v2/hashedrekord.proto\x12\x15\x64\x65v.sigstore.rekor.v2\x1a\x1fgoogle/api/field_behavior.proto\x1a\x15sigstore_common.proto\x1a\x17rekor/v2/verifier.proto\"h\n\x17HashedRekordRequestV002\x12\x13\n\x06\x64igest\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\x12\x38\n\tsignature\x18\x02 \x01(\x0b\x32 .dev.sigstore.rekor.v2.SignatureB\x03\xe0\x41\x02\"\x8b\x01\n\x18HashedRekordLogEntryV002\x12\x35\n\x04\x64\x61ta\x18\x01 \x01(\x0b\x32\".dev.sigstore.common.v1.HashOutputB\x03\xe0\x41\x02\x12\x38\n\tsignature\x18\x02 \x01(\x0b\x32 .dev.sigstore.rekor.v2.SignatureB\x03\xe0\x41\x02\x42\x81\x01\n\x1b\x64\x65v.sigstore.proto.rekor.v2B\x13RekorV2HashedRekordP\x01Z5github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2\xea\x02\x13Sigstore::Rekor::V2b\x06proto3" + +pool = Google::Protobuf::DescriptorPool.generated_pool +pool.add_serialized_file(descriptor_data) + +module Sigstore + module Rekor + module V2 + HashedRekordRequestV002 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.HashedRekordRequestV002").msgclass + HashedRekordLogEntryV002 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.HashedRekordLogEntryV002").msgclass + end + end +end diff --git a/gen/pb-ruby/lib/rekor/v2/verifier_pb.rb b/gen/pb-ruby/lib/rekor/v2/verifier_pb.rb new file mode 100644 index 00000000..82b97a66 --- /dev/null +++ b/gen/pb-ruby/lib/rekor/v2/verifier_pb.rb 
@@ -0,0 +1,24 @@ +# frozen_string_literal: true +# Generated by the protocol buffer compiler. DO NOT EDIT! +# source: rekor/v2/verifier.proto + +require 'google/protobuf' + +require 'sigstore_common_pb' +require 'google/api/field_behavior_pb' + + +descriptor_data = "\n\x17rekor/v2/verifier.proto\x12\x15\x64\x65v.sigstore.rekor.v2\x1a\x15sigstore_common.proto\x1a\x1fgoogle/api/field_behavior.proto\"#\n\tPublicKey\x12\x16\n\traw_bytes\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\"\xe1\x01\n\x08Verifier\x12;\n\npublic_key\x18\x01 \x01(\x0b\x32 .dev.sigstore.rekor.v2.PublicKeyB\x03\xe0\x41\x02H\x00\x12H\n\x10x509_certificate\x18\x02 \x01(\x0b\x32\'.dev.sigstore.common.v1.X509CertificateB\x03\xe0\x41\x02H\x00\x12\x42\n\x0bkey_details\x18\x03 \x01(\x0e\x32(.dev.sigstore.common.v1.PublicKeyDetailsB\x03\xe0\x41\x02\x42\n\n\x08verifier\"Y\n\tSignature\x12\x14\n\x07\x63ontent\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x02\x12\x36\n\x08verifier\x18\x02 \x01(\x0b\x32\x1f.dev.sigstore.rekor.v2.VerifierB\x03\xe0\x41\x02\x42}\n\x1b\x64\x65v.sigstore.proto.rekor.v2B\x0fRekorV2VerifierP\x01Z5github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2\xea\x02\x13Sigstore::Rekor::V2b\x06proto3" + +pool = Google::Protobuf::DescriptorPool.generated_pool +pool.add_serialized_file(descriptor_data) + +module Sigstore + module Rekor + module V2 + PublicKey = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.PublicKey").msgclass + Verifier = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.Verifier").msgclass + Signature = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("dev.sigstore.rekor.v2.Signature").msgclass + end + end +end diff --git a/gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb b/gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb index 82031f42..6df21825 100644 --- a/gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb +++ b/gen/pb-ruby/lib/sigstore_protobuf_specs/version.rb 
@@ -16,6 +16,6 @@ module Dev module Sigstore - VERSION = '0.4.2' + VERSION = '0.4.3' end end diff --git a/gen/pb-rust/Cargo.lock b/gen/pb-rust/Cargo.lock index 4e4001fa..48663743 100644 --- a/gen/pb-rust/Cargo.lock +++ b/gen/pb-rust/Cargo.lock @@ -242,9 +242,9 @@ dependencies = [ [[package]] name = "prost-build" -version = "0.13.4" +version = "0.13.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d0f3e5beed80eb580c68e2c600937ac2c4eedabdfd5ef1e5b7ea4f3fba84497b" +checksum = "be769465445e8c1474e9c5dac2018218498557af32d9ed057325ec9a41ae81bf" dependencies = [ "heck", "itertools", @@ -473,7 +473,7 @@ dependencies = [ [[package]] name = "sigstore_protobuf_specs" -version = "0.4.2" +version = "0.4.3" dependencies = [ "anyhow", "glob", diff --git a/gen/pb-rust/sigstore-protobuf-specs-codegen/Cargo.toml b/gen/pb-rust/sigstore-protobuf-specs-codegen/Cargo.toml index 6f52a24d..7cdfd19f 100644 --- a/gen/pb-rust/sigstore-protobuf-specs-codegen/Cargo.toml +++ b/gen/pb-rust/sigstore-protobuf-specs-codegen/Cargo.toml @@ -6,6 +6,6 @@ edition = "2021" [dependencies] anyhow = "1.0.97" glob = "0.3" -prost-build = "0.13.4" +prost-build = "0.13.5" prost-reflect-build = "0.15.1" which = "7.0.3" diff --git a/gen/pb-rust/sigstore-protobuf-specs-codegen/src/main.rs b/gen/pb-rust/sigstore-protobuf-specs-codegen/src/main.rs index 842c6deb..a1d33b81 100644 --- a/gen/pb-rust/sigstore-protobuf-specs-codegen/src/main.rs +++ b/gen/pb-rust/sigstore-protobuf-specs-codegen/src/main.rs @@ -14,6 +14,7 @@ fn protobuf_include_path() -> String { fn main() -> anyhow::Result<()> { let includes = vec![ concat!(env!("CARGO_MANIFEST_DIR"), "/../../../protos").to_owned(), + concat!(env!("CARGO_MANIFEST_DIR"), "/../../../service-protos").to_owned(), // WKTs path protobuf_include_path(), "/googleapis".to_owned(), 
@@ -39,18 +40,26 @@ fn main() -> anyhow::Result<()> { .disable_comments([".io.intoto.Envelope"]) .out_dir("sigstore-protobuf-specs/src/generated/"); + let protos = glob::glob(concat!( + env!("CARGO_MANIFEST_DIR"), + "/../../../protos/*.proto" + )) + .expect("no protos found!") + .flatten(); + + let service_protos = glob::glob(concat!( + env!("CARGO_MANIFEST_DIR"), + "/../../../service-protos/rekor/v2/*.proto" + )) + .expect("no service protos found!") + .flatten(); + prost_reflect_build::Builder::new() .file_descriptor_set_bytes("crate::FILE_DESCRIPTOR_SET_BYTES") .file_descriptor_set_path("sigstore-protobuf-specs/src/generated/file_descriptor_set.bin") .compile_protos_with_config( config, - &glob::glob(concat!( - env!("CARGO_MANIFEST_DIR"), - "/../../../protos/*.proto" - )) - .expect("no protos found!") - .flatten() - .collect::>(), + &protos.chain(service_protos).collect::>(), &includes, )?; diff --git a/gen/pb-rust/sigstore-protobuf-specs/Cargo.toml b/gen/pb-rust/sigstore-protobuf-specs/Cargo.toml index f6412a42..0b4769f6 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/Cargo.toml +++ b/gen/pb-rust/sigstore-protobuf-specs/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "sigstore_protobuf_specs" -version = "0.4.2" +version = "0.4.3" authors = ["Sigstore Authors "] edition = "2021" homepage = "https://github.com/sigstore/protobuf-specs" @@ -22,6 +22,6 @@ sigstore-protobuf-specs-derive = { version = "0.0.1", path = "../sigstore-protob [build-dependencies] anyhow = "1.0.97" glob = "0.3" -prost-build = "0.13.4" +prost-build = "0.13.5" prost-reflect-build = "0.15.1" which = "7.0.3" diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v2.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v2.rs new file mode 100644 index 00000000..05f5cac8 --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v2.rs 
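Review bot: The `.expect("no service protos found!")` on the new `service_protos` glob does not fire in the case its message names, because `glob::glob` returns `Err` only for a malformed pattern and `.flatten()` then discards any per-path `GlobError`. A missing or unreadable `service-protos/rekor/v2` directory would therefore yield an empty iterator, and the generator would presumably finish and write bindings without the Rekor v2 types. Since this output is checked in under `src/generated/`, the build should fail loudly instead: collect each glob into a `Vec` and add `anyhow::ensure!(!service_protos.is_empty(), "no service protos found");` before the `compile_protos_with_config` call. The relocated `protos` glob has the same gap. `main` begins and ends outside this hunk.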
@@ -0,0 +1,206 @@ +// This file is @generated by prost-build. +/// PublicKey contains an encoded public key +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.PublicKey")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct PublicKey { + /// DER-encoded public key + #[prost(bytes = "vec", tag = "1")] + pub raw_bytes: ::prost::alloc::vec::Vec, +} +/// Either a public key or a X.509 cerificiate with an embedded public key +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.Verifier")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Verifier { + /// Key encoding and signature algorithm to use for this key + #[prost(enumeration = "super::super::common::v1::PublicKeyDetails", tag = "3")] + pub key_details: i32, + #[prost(oneof = "verifier::Verifier", tags = "1, 2")] + pub verifier: ::core::option::Option, +} +/// Nested message and enum types in `Verifier`. +pub mod verifier { + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Verifier { + /// DER-encoded public key. 
Encoding method is specified by the key_details attribute + #[prost(message, tag = "1")] + PublicKey(super::PublicKey), + /// DER-encoded certificate + #[prost(message, tag = "2")] + X509Certificate(super::super::super::common::v1::X509Certificate), + } +} +/// A signature and an associated verifier +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.Signature")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Signature { + #[prost(bytes = "vec", tag = "1")] + pub content: ::prost::alloc::vec::Vec, + #[prost(message, optional, tag = "2")] + pub verifier: ::core::option::Option, +} +/// A request to add a DSSE v0.0.2 entry to the log +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.DSSERequestV002")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct DsseRequestV002 { + /// A DSSE envelope + #[prost(message, optional, tag = "1")] + pub envelope: ::core::option::Option< + super::super::super::super::io::intoto::Envelope, + >, + /// All necessary verification material to verify all signatures embedded in the envelope + #[prost(message, repeated, tag = "2")] + pub verifiers: ::prost::alloc::vec::Vec, +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.DSSELogEntryV002")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] 
+pub struct DsseLogEntryV002 { + /// The hash of the DSSE payload + #[prost(message, optional, tag = "1")] + pub payload_hash: ::core::option::Option, + /// Signatures and their associated verification material used to verify the payload + #[prost(message, repeated, tag = "2")] + pub signatures: ::prost::alloc::vec::Vec, +} +/// A request to add a hashedrekord v0.0.2 to the log +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.HashedRekordRequestV002")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct HashedRekordRequestV002 { + /// The hashed data + #[prost(bytes = "vec", tag = "1")] + pub digest: ::prost::alloc::vec::Vec, + /// A single signature over the hashed data with the verifier needed to validate it + #[prost(message, optional, tag = "2")] + pub signature: ::core::option::Option, +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.HashedRekordLogEntryV002")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct HashedRekordLogEntryV002 { + /// The hashed data + #[prost(message, optional, tag = "1")] + pub data: ::core::option::Option, + /// A single signature over the hashed data with the verifier needed to validate it + #[prost(message, optional, tag = "2")] + pub signature: ::core::option::Option, +} +/// Entry is the message that is canonicalized and uploaded to the log. +/// This format is meant to be compliant with Rekor v1 entries in that +/// the `apiVersion` and `kind` can be parsed before parsing the spec. 
+/// Clients are expected to understand and handle the differences in the +/// contents of `spec` between Rekor v1 (a polymorphic OpenAPI defintion) +/// and Rekor v2 (a typed proto defintion). +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.Entry")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Entry { + #[prost(string, tag = "1")] + pub kind: ::prost::alloc::string::String, + #[prost(string, tag = "2")] + pub api_version: ::prost::alloc::string::String, + #[prost(message, optional, tag = "3")] + pub spec: ::core::option::Option, +} +/// Spec contains one of the Rekor entry types. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.Spec")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Spec { + #[prost(oneof = "spec::Spec", tags = "1, 2")] + pub spec: ::core::option::Option, +} +/// Nested message and enum types in `Spec`. 
+pub mod spec { + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Spec { + #[prost(message, tag = "1")] + HashedRekordV002(super::HashedRekordLogEntryV002), + #[prost(message, tag = "2")] + DsseV002(super::DsseLogEntryV002), + } +} +/// Create a new HashedRekord or DSSE +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v2.CreateEntryRequest")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct CreateEntryRequest { + #[prost(oneof = "create_entry_request::Spec", tags = "1, 2")] + pub spec: ::core::option::Option, +} +/// Nested message and enum types in `CreateEntryRequest`. +pub mod create_entry_request { + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Spec { + #[prost(message, tag = "1")] + HashedRekordRequestV002(super::HashedRekordRequestV002), + #[prost(message, tag = "2")] + DsseRequestV002(super::DsseRequestV002), + } +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin index 8880fde8..6ebf1ec2 100644 Binary files a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin and b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin differ diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/mod.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/mod.rs index bb579230..b2b44b47 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/mod.rs 
+++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/mod.rs @@ -20,6 +20,9 @@ pub mod dev { pub mod v1 { include!("dev.sigstore.rekor.v1.rs"); } + pub mod v2 { + include!("dev.sigstore.rekor.v2.rs"); + } } pub mod trustroot { pub mod v1 { diff --git a/gen/pb-typescript/package.json b/gen/pb-typescript/package.json index 8fd60ac2..3080a305 100644 --- a/gen/pb-typescript/package.json +++ b/gen/pb-typescript/package.json @@ -1,6 +1,6 @@ { "name": "@sigstore/protobuf-specs", - "version": "0.4.2", + "version": "0.4.3", "description": "code-signing for npm packages", "main": "dist/index.js", "types": "dist/index.d.ts", diff --git a/gen/pb-typescript/src/__generated__/rekor/v2/dsse.ts b/gen/pb-typescript/src/__generated__/rekor/v2/dsse.ts new file mode 100644 index 00000000..801dc640 --- /dev/null +++ b/gen/pb-typescript/src/__generated__/rekor/v2/dsse.ts 
@@ -0,0 +1,82 @@ +// Code generated by protoc-gen-ts_proto. DO NOT EDIT. +// versions: +// protoc-gen-ts_proto v2.7.0 +// protoc v6.30.2 +// source: rekor/v2/dsse.proto + +/* eslint-disable */ +import { Envelope } from "../../envelope"; +import { HashOutput } from "../../sigstore_common"; +import { Signature, Verifier } from "./verifier"; + +/** A request to add a DSSE v0.0.2 entry to the log */ +export interface DSSERequestV002 { + /** A DSSE envelope */ + envelope: + | Envelope + | undefined; + /** All necessary verification material to verify all signatures embedded in the envelope */ + verifiers: Verifier[]; +} + +export interface DSSELogEntryV002 { + /** The hash of the DSSE payload */ + payloadHash: + | HashOutput + | undefined; + /** Signatures and their associated verification material used to verify the payload */ + signatures: Signature[]; +} + +export const DSSERequestV002: MessageFns = { + fromJSON(object: any): DSSERequestV002 { + return { + envelope: isSet(object.envelope) ? Envelope.fromJSON(object.envelope) : undefined, + verifiers: globalThis.Array.isArray(object?.verifiers) + ? object.verifiers.map((e: any) => Verifier.fromJSON(e)) + : [], + }; + }, + + toJSON(message: DSSERequestV002): unknown { + const obj: any = {}; + if (message.envelope !== undefined) { + obj.envelope = Envelope.toJSON(message.envelope); + } + if (message.verifiers?.length) { + obj.verifiers = message.verifiers.map((e) => Verifier.toJSON(e)); + } + return obj; + }, +}; + +export const DSSELogEntryV002: MessageFns = { + fromJSON(object: any): DSSELogEntryV002 { + return { + payloadHash: isSet(object.payloadHash) ? HashOutput.fromJSON(object.payloadHash) : undefined, + signatures: globalThis.Array.isArray(object?.signatures) + ? 
object.signatures.map((e: any) => Signature.fromJSON(e)) + : [], + }; + }, + + toJSON(message: DSSELogEntryV002): unknown { + const obj: any = {}; + if (message.payloadHash !== undefined) { + obj.payloadHash = HashOutput.toJSON(message.payloadHash); + } + if (message.signatures?.length) { + obj.signatures = message.signatures.map((e) => Signature.toJSON(e)); + } + return obj; + }, +}; + +function isSet(value: any): boolean { + return value !== null && value !== undefined; +} + +interface MessageFns { + fromJSON(object: any): T; + toJSON(message: T): unknown; +} diff --git a/gen/pb-typescript/src/__generated__/rekor/v2/entry.ts b/gen/pb-typescript/src/__generated__/rekor/v2/entry.ts new file mode 100644 index 00000000..3811a32e --- /dev/null +++ b/gen/pb-typescript/src/__generated__/rekor/v2/entry.ts 
@@ -0,0 +1,119 @@ +// Code generated by protoc-gen-ts_proto. DO NOT EDIT. +// versions: +// protoc-gen-ts_proto v2.7.0 +// protoc v6.30.2 +// source: rekor/v2/entry.proto + +/* eslint-disable */ +import { DSSELogEntryV002, DSSERequestV002 } from "./dsse"; +import { HashedRekordLogEntryV002, HashedRekordRequestV002 } from "./hashedrekord"; + +/** + * Entry is the message that is canonicalized and uploaded to the log. + * This format is meant to be compliant with Rekor v1 entries in that + * the `apiVersion` and `kind` can be parsed before parsing the spec. + * Clients are expected to understand and handle the differences in the + * contents of `spec` between Rekor v1 (a polymorphic OpenAPI defintion) + * and Rekor v2 (a typed proto defintion). + */ +export interface Entry { + kind: string; + apiVersion: string; + spec: Spec | undefined; +} + +/** Spec contains one of the Rekor entry types. */ +export interface Spec { + spec?: { $case: "hashedRekordV002"; hashedRekordV002: HashedRekordLogEntryV002 } | { + $case: "dsseV002"; + dsseV002: DSSELogEntryV002; + } | undefined; +} + +/** Create a new HashedRekord or DSSE */ +export interface CreateEntryRequest { + spec?: { $case: "hashedRekordRequestV002"; hashedRekordRequestV002: HashedRekordRequestV002 } | { + $case: "dsseRequestV002"; + dsseRequestV002: DSSERequestV002; + } | undefined; +} + +export const Entry: MessageFns = { + fromJSON(object: any): Entry { + return { + kind: isSet(object.kind) ? globalThis.String(object.kind) : "", + apiVersion: isSet(object.apiVersion) ? globalThis.String(object.apiVersion) : "", + spec: isSet(object.spec) ? 
Spec.fromJSON(object.spec) : undefined, + }; + }, + + toJSON(message: Entry): unknown { + const obj: any = {}; + if (message.kind !== "") { + obj.kind = message.kind; + } + if (message.apiVersion !== "") { + obj.apiVersion = message.apiVersion; + } + if (message.spec !== undefined) { + obj.spec = Spec.toJSON(message.spec); + } + return obj; + }, +}; + +export const Spec: MessageFns = { + fromJSON(object: any): Spec { + return { + spec: isSet(object.hashedRekordV002) + ? { $case: "hashedRekordV002", hashedRekordV002: HashedRekordLogEntryV002.fromJSON(object.hashedRekordV002) } + : isSet(object.dsseV002) + ? { $case: "dsseV002", dsseV002: DSSELogEntryV002.fromJSON(object.dsseV002) } + : undefined, + }; + }, + + toJSON(message: Spec): unknown { + const obj: any = {}; + if (message.spec?.$case === "hashedRekordV002") { + obj.hashedRekordV002 = HashedRekordLogEntryV002.toJSON(message.spec.hashedRekordV002); + } else if (message.spec?.$case === "dsseV002") { + obj.dsseV002 = DSSELogEntryV002.toJSON(message.spec.dsseV002); + } + return obj; + }, +}; + +export const CreateEntryRequest: MessageFns = { + fromJSON(object: any): CreateEntryRequest { + return { + spec: isSet(object.hashedRekordRequestV002) + ? { + $case: "hashedRekordRequestV002", + hashedRekordRequestV002: HashedRekordRequestV002.fromJSON(object.hashedRekordRequestV002), + } + : isSet(object.dsseRequestV002) + ? 
{ $case: "dsseRequestV002", dsseRequestV002: DSSERequestV002.fromJSON(object.dsseRequestV002) } + : undefined, + }; + }, + + toJSON(message: CreateEntryRequest): unknown { + const obj: any = {}; + if (message.spec?.$case === "hashedRekordRequestV002") { + obj.hashedRekordRequestV002 = HashedRekordRequestV002.toJSON(message.spec.hashedRekordRequestV002); + } else if (message.spec?.$case === "dsseRequestV002") { + obj.dsseRequestV002 = DSSERequestV002.toJSON(message.spec.dsseRequestV002); + } + return obj; + }, +}; + +function isSet(value: any): boolean { + return value !== null && value !== undefined; +} + +interface MessageFns { + fromJSON(object: any): T; + toJSON(message: T): unknown; +} diff --git a/gen/pb-typescript/src/__generated__/rekor/v2/hashedrekord.ts b/gen/pb-typescript/src/__generated__/rekor/v2/hashedrekord.ts new file mode 100644 index 00000000..87dc0254 --- /dev/null +++ b/gen/pb-typescript/src/__generated__/rekor/v2/hashedrekord.ts 
@@ -0,0 +1,83 @@ +// Code generated by protoc-gen-ts_proto. DO NOT EDIT. +// versions: +// protoc-gen-ts_proto v2.7.0 +// protoc v6.30.2 +// source: rekor/v2/hashedrekord.proto + +/* eslint-disable */ +import { HashOutput } from "../../sigstore_common"; +import { Signature } from "./verifier"; + +/** A request to add a hashedrekord v0.0.2 to the log */ +export interface HashedRekordRequestV002 { + /** The hashed data */ + digest: Buffer; + /** A single signature over the hashed data with the verifier needed to validate it */ + signature: Signature | undefined; +} + +export interface HashedRekordLogEntryV002 { + /** The hashed data */ + data: + | HashOutput + | undefined; + /** A single signature over the hashed data with the verifier needed to validate it */ + signature: Signature | undefined; +} + +export const HashedRekordRequestV002: MessageFns = { + fromJSON(object: any): HashedRekordRequestV002 { + return { + digest: isSet(object.digest) ? Buffer.from(bytesFromBase64(object.digest)) : Buffer.alloc(0), + signature: isSet(object.signature) ? Signature.fromJSON(object.signature) : undefined, + }; + }, + + toJSON(message: HashedRekordRequestV002): unknown { + const obj: any = {}; + if (message.digest.length !== 0) { + obj.digest = base64FromBytes(message.digest); + } + if (message.signature !== undefined) { + obj.signature = Signature.toJSON(message.signature); + } + return obj; + }, +}; + +export const HashedRekordLogEntryV002: MessageFns = { + fromJSON(object: any): HashedRekordLogEntryV002 { + return { + data: isSet(object.data) ? HashOutput.fromJSON(object.data) : undefined, + signature: isSet(object.signature) ? 
Signature.fromJSON(object.signature) : undefined, + }; + }, + + toJSON(message: HashedRekordLogEntryV002): unknown { + const obj: any = {}; + if (message.data !== undefined) { + obj.data = HashOutput.toJSON(message.data); + } + if (message.signature !== undefined) { + obj.signature = Signature.toJSON(message.signature); + } + return obj; + }, +}; + +function bytesFromBase64(b64: string): Uint8Array { + return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); +} + +function base64FromBytes(arr: Uint8Array): string { + return globalThis.Buffer.from(arr).toString("base64"); +} + +function isSet(value: any): boolean { + return value !== null && value !== undefined; +} + +interface MessageFns { + fromJSON(object: any): T; + toJSON(message: T): unknown; +} diff --git a/gen/pb-typescript/src/__generated__/rekor/v2/verifier.ts b/gen/pb-typescript/src/__generated__/rekor/v2/verifier.ts new file mode 100644 index 00000000..097bfe08 --- /dev/null +++ b/gen/pb-typescript/src/__generated__/rekor/v2/verifier.ts 
@@ -0,0 +1,116 @@ +// Code generated by protoc-gen-ts_proto. DO NOT EDIT. +// versions: +// protoc-gen-ts_proto v2.7.0 +// protoc v6.30.2 +// source: rekor/v2/verifier.proto + +/* eslint-disable */ +import { + PublicKeyDetails, + publicKeyDetailsFromJSON, + publicKeyDetailsToJSON, + X509Certificate, +} from "../../sigstore_common"; + +/** PublicKey contains an encoded public key */ +export interface PublicKey { + /** DER-encoded public key */ + rawBytes: Buffer; +} + +/** Either a public key or a X.509 cerificiate with an embedded public key */ +export interface Verifier { + verifier?: + | // + /** DER-encoded public key. Encoding method is specified by the key_details attribute */ + { $case: "publicKey"; publicKey: PublicKey } + | // + /** DER-encoded certificate */ + { $case: "x509Certificate"; x509Certificate: X509Certificate } + | undefined; + /** Key encoding and signature algorithm to use for this key */ + keyDetails: PublicKeyDetails; +} + +/** A signature and an associated verifier */ +export interface Signature { + content: Buffer; + verifier: Verifier | undefined; +} + +export const PublicKey: MessageFns = { + fromJSON(object: any): PublicKey { + return { rawBytes: isSet(object.rawBytes) ? Buffer.from(bytesFromBase64(object.rawBytes)) : Buffer.alloc(0) }; + }, + + toJSON(message: PublicKey): unknown { + const obj: any = {}; + if (message.rawBytes.length !== 0) { + obj.rawBytes = base64FromBytes(message.rawBytes); + } + return obj; + }, +}; + +export const Verifier: MessageFns = { + fromJSON(object: any): Verifier { + return { + verifier: isSet(object.publicKey) + ? { $case: "publicKey", publicKey: PublicKey.fromJSON(object.publicKey) } + : isSet(object.x509Certificate) + ? { $case: "x509Certificate", x509Certificate: X509Certificate.fromJSON(object.x509Certificate) } + : undefined, + keyDetails: isSet(object.keyDetails) ? 
publicKeyDetailsFromJSON(object.keyDetails) : 0, + }; + }, + + toJSON(message: Verifier): unknown { + const obj: any = {}; + if (message.verifier?.$case === "publicKey") { + obj.publicKey = PublicKey.toJSON(message.verifier.publicKey); + } else if (message.verifier?.$case === "x509Certificate") { + obj.x509Certificate = X509Certificate.toJSON(message.verifier.x509Certificate); + } + if (message.keyDetails !== 0) { + obj.keyDetails = publicKeyDetailsToJSON(message.keyDetails); + } + return obj; + }, +}; + +export const Signature: MessageFns = { + fromJSON(object: any): Signature { + return { + content: isSet(object.content) ? Buffer.from(bytesFromBase64(object.content)) : Buffer.alloc(0), + verifier: isSet(object.verifier) ? Verifier.fromJSON(object.verifier) : undefined, + }; + }, + + toJSON(message: Signature): unknown { + const obj: any = {}; + if (message.content.length !== 0) { + obj.content = base64FromBytes(message.content); + } + if (message.verifier !== undefined) { + obj.verifier = Verifier.toJSON(message.verifier); + } + return obj; + }, +}; + +function bytesFromBase64(b64: string): Uint8Array { + return Uint8Array.from(globalThis.Buffer.from(b64, "base64")); +} + +function base64FromBytes(arr: Uint8Array): string { + return globalThis.Buffer.from(arr).toString("base64"); +} + +function isSet(value: any): boolean { + return value !== null && value !== undefined; +} + +interface MessageFns { + fromJSON(object: any): T; + toJSON(message: T): unknown; +} diff --git a/java/README.md b/java/README.md index f4b84cff..a46919a9 100644 --- a/java/README.md +++ b/java/README.md 
@@ -13,16 +13,12 @@ A jar file will be created at `./build/libs/protobuf-specs-SNAPSHOT.jar` ## Releasing ### Generate Release artifacts -1. On creation of a tag in the style `release/java/v1.2.3`, new artifacts will be built and -uploaded to a github release `release/java/v1.2.3` -1. Once a release is created, check it and remove the draft label on the github release page. -1. On a machine with your pgp key, `gpg`, `bash` and `cosign`, go to `protobuf-specs/java/scripts` -1. Run `./sign_and_bundle_release.sh v1.2.3` to generate a release bundle for `release/java/v1.2.3` +1. On creation of a tag in the style `release/java/v1.2.3`, new artifacts will be built signed + and published to maven central (in staging, but no released). -### Publish on Maven Central +### Complete Publish Flow Maven Central 1. Log into https://s01.oss.sonatype.org with credentials that have permissions to upload to `dev.sigstore` -1. Take the release bundle, `release_java_v1.2.3/protobuf-specs-1.2.3-bundle.jar` and upload via the `Staging Upload -> (Upload Mode) Artifact Bundle` -1. Once the bundle is validated and checked, release it via `Staging Repositories`, if any issues occur, drop it and fix the issues before restarting the release process. +1. Find the release in `Staging Repositories`, "close" it and once it passes validation "release" it. ## How do I get permissions to upload to Maven Central diff --git a/java/build.gradle.kts b/java/build.gradle.kts index fa20639b..92a0b231 100644 --- a/java/build.gradle.kts +++ b/java/build.gradle.kts @@ -15,7 +15,8 @@ repositories { sourceSets { main { resources { - srcDirs("../protos") + srcDirs("../protos", "../service-protos") + include("**/*.proto") } } } diff --git a/protoc-builder/Dockerfile.services b/protoc-builder/Dockerfile.services new file mode 100644 index 00000000..9e7df038 --- /dev/null +++ b/protoc-builder/Dockerfile.services 
@@ -0,0 +1,13 @@ +ARG GO_BASE # no default + +FROM ${GO_BASE} + +COPY /protos /protobuf-specs + +# just add the plugins for grpc-gateway and openapiv2 into the entrypoint +ENTRYPOINT ["/usr/local/bin/protoc", \ + "--plugin=protoc-gen-go=/usr/local/bin/protoc-gen-go", \ + "--plugin=protoc-gen-go-grpc=/usr/local/bin/protoc-gen-go-grpc", \ + "--plugin=protoc-gen-grpc-gateway=/usr/local/bin/protoc-gen-grpc-gateway", \ + "--plugin=protoc-gen-openapiv2=/usr/local/bin/protoc-gen-openapiv2" \ +] diff --git a/protoc-builder/Dockerfile.typescript b/protoc-builder/Dockerfile.typescript index 8cbb9b6a..e864e310 100644 --- a/protoc-builder/Dockerfile.typescript +++ b/protoc-builder/Dockerfile.typescript @@ -7,7 +7,7 @@ WORKDIR /app RUN npm ci --install-strategy=shallow # /usr/bin/env is called from ts-proto but not in distroless by default; we use busybox for this -FROM gcr.io/distroless/base-debian12:debug-nonroot@sha256:76acc040228aed628435f9951e0bee94f99645efabcdf362e94a8c70ba422f99 AS env-source +FROM gcr.io/distroless/base-debian12:debug-nonroot@sha256:5baa38c4513f1eeb010c1f6c6bbc5b2c244b40afce7d4100142be22024a48630 AS env-source FROM gcr.io/distroless/nodejs22-debian12:nonroot@sha256:7461370c8473cfcbf5def249423d5e8301b0e6b98cb256b3c8707f0201c2ea4a diff --git a/protoc-builder/hack/go/go.mod b/protoc-builder/hack/go/go.mod index 92260800..37191aa2 100644 --- a/protoc-builder/hack/go/go.mod +++ b/protoc-builder/hack/go/go.mod 
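Review bot: In `Dockerfile.services`, `FROM ${GO_BASE}` has no default and no digest, so the contents of the published service-builder image depend entirely on the value the caller passes, unlike the digest-pinned `FROM` lines in `Dockerfile.typescript`. The Makefile target that supplies `GO_BASE` is not visible here; a leading comment naming the expected source would help, e.g. `# GO_BASE must be the Go protoc builder image produced by this repository's build (see Makefile)`, assuming that is the intent. Dockerfile comments are only recognised at the start of a line, so the trailing `# no default` on the `ARG` line is better moved to its own line above it. The file also sets no `USER`, so the container runs as whatever user the base image defines.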
@@ -5,11 +5,21 @@ go 1.24 toolchain go1.24.0 tool ( + github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway + github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 google.golang.org/grpc/cmd/protoc-gen-go-grpc google.golang.org/protobuf/cmd/protoc-gen-go ) require ( + github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect + github.com/kr/text v0.2.0 // indirect + github.com/rogpeppe/go-internal v1.14.1 // indirect + golang.org/x/text v0.22.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect + google.golang.org/grpc v1.70.0 // indirect google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect google.golang.org/protobuf v1.36.5 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/protoc-builder/hack/go/go.sum b/protoc-builder/hack/go/go.sum index c1ba3f08..4e145190 100644 --- a/protoc-builder/hack/go/go.sum +++ b/protoc-builder/hack/go/go.sum 
@@ -1,18 +1,32 @@ -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 h1:1GBuWVLM/KMVUv1t1En5Gs+gFZCNd360GGb4sSxtrhU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= +github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= +golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8= +golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= +golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= +golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= +golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= +google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950= +google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I= +google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ= +google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 h1:F29+wU6Ee6qgu9TddPgooOdaqsxTMunOoj8KA5yuS5A= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1/go.mod h1:5KF+wpkbTSbGcR9zteSqZV6fqFOWBl4Yde8En8MryZA= google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c 
h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/service-protos/README.md b/service-protos/README.md new file mode 100644 index 00000000..a0d891d5 --- /dev/null +++ b/service-protos/README.md @@ -0,0 +1,4 @@ +## Service Protos + +A mirror of proto defintions from various sigstore services +- `./rekor/v2`: `https://github.com/sigstore/rekor-tiles/api/proto/"rekor/v2/*.proto"` diff --git a/service-protos/rekor/v2/dsse.proto b/service-protos/rekor/v2/dsse.proto new file mode 100644 index 00000000..944ad806 --- /dev/null +++ b/service-protos/rekor/v2/dsse.proto 
@@ -0,0 +1,45 @@
+// Copyright 2025 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+package dev.sigstore.rekor.v2;
+
+import "google/api/field_behavior.proto";
+import "sigstore_common.proto";
+import "envelope.proto";
+
+import "rekor/v2/verifier.proto";
+
+option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2";
+
+option java_package = "dev.sigstore.proto.rekor.v2";
+option java_multiple_files = true;
+option java_outer_classname = "RekorV2Dsse";
+option ruby_package = "Sigstore::Rekor::V2";
+
+// A request to add a DSSE v0.0.2 entry to the log
+message DSSERequestV002 {
+ // A DSSE envelope
+ io.intoto.Envelope envelope = 1 [(google.api.field_behavior) = REQUIRED];
+ // All necessary verification material to verify all signatures embedded in the envelope
+ repeated Verifier verifiers = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+
+message DSSELogEntryV002 {
+ // The hash of the DSSE payload
+ dev.sigstore.common.v1.HashOutput payloadHash = 1 [(google.api.field_behavior) = REQUIRED];
+ // Signatures and their associated verification material used to verify the payload
+ repeated Signature signatures = 2 [(google.api.field_behavior) = REQUIRED];
+}
diff --git a/service-protos/rekor/v2/entry.proto b/service-protos/rekor/v2/entry.proto
new file mode 100644
index 00000000..ba56dd8b
--- /dev/null
+++ b/service-protos/rekor/v2/entry.proto
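Review bot: The comment on `verifiers` in `DSSERequestV002` does not say how a `Verifier` is matched to a signature in the envelope, nor whether an envelope signature with no matching verifier is rejected or ignored. This message determines which keys vouch for a log entry, so that rule belongs in the schema comment rather than only in the server, along the lines of `// Verifiers are matched to envelope signatures by <matching rule>; a signature with no matching verifier is <rejected|ignored>`. `DSSELogEntryV002` also has no leading comment, and `payloadHash` is camelCase while the fields visible in `entry.proto` (`api_version`, `hashed_rekord_v002`) use snake_case. The README added in this commit describes these files as a mirror of rekor-tiles, so the wording would presumably be changed upstream.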
@@ -0,0 +1,56 @@
+// Copyright 2025 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+package dev.sigstore.rekor.v2;
+
+import "google/api/field_behavior.proto";
+
+import "rekor/v2/dsse.proto";
+import "rekor/v2/hashedrekord.proto";
+
+option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2";
+
+option java_package = "dev.sigstore.proto.rekor.v2";
+option java_multiple_files = true;
+option java_outer_classname = "RekorV2Entry";
+option ruby_package = "Sigstore::Rekor::V2";
+
+// Entry is the message that is canonicalized and uploaded to the log.
+// This format is meant to be compliant with Rekor v1 entries in that
+// the `apiVersion` and `kind` can be parsed before parsing the spec.
+// Clients are expected to understand and handle the differences in the
+// contents of `spec` between Rekor v1 (a polymorphic OpenAPI defintion)
+// and Rekor v2 (a typed proto defintion).
+message Entry {
+ string kind = 1 [(google.api.field_behavior) = REQUIRED];
+ string api_version = 2 [(google.api.field_behavior) = REQUIRED];
+ Spec spec = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Spec contains one of the Rekor entry types.
+message Spec {
+ oneof spec {
+ HashedRekordLogEntryV002 hashed_rekord_v002 = 1 [(google.api.field_behavior) = REQUIRED];
+ DSSELogEntryV002 dsse_v002 = 2 [(google.api.field_behavior) = REQUIRED];
+ }
+}
+
+// Create a new HashedRekord or DSSE
+message CreateEntryRequest {
+ oneof spec {
+ HashedRekordRequestV002 hashed_rekord_request_v002 = 1 [(google.api.field_behavior) = REQUIRED];
+ DSSERequestV002 dsse_request_v002 = 2 [(google.api.field_behavior) = REQUIRED];
+ }
+}
diff --git a/service-protos/rekor/v2/hashedrekord.proto b/service-protos/rekor/v2/hashedrekord.proto
new file mode 100644
index 00000000..d442cec4
--- /dev/null
+++ b/service-protos/rekor/v2/hashedrekord.proto
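Review bot: Nothing in `Entry` (entry.proto) says that `kind` and `api_version` must agree with the member set in `Spec.spec`, although the message comment tells clients they can parse those two strings before the spec. A verifier that dispatches on `kind` and then reads a different `spec` member would check the entry under the wrong type, so the contract belongs in the comment, e.g. `// kind and api_version MUST identify the populated Spec member; consumers reject entries where they disagree` if that is the intended rule. The two fields also carry no comment naming their allowed values, and every member of both `oneof spec` blocks is annotated REQUIRED even though only one can be set. The commit's README describes this file as a mirror of rekor-tiles, so the change would need to land upstream.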
@@ -0,0 +1,43 @@
+// Copyright 2025 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+package dev.sigstore.rekor.v2;
+
+import "google/api/field_behavior.proto";
+import "sigstore_common.proto";
+
+import "rekor/v2/verifier.proto";
+
+option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2";
+
+option java_package = "dev.sigstore.proto.rekor.v2";
+option java_multiple_files = true;
+option java_outer_classname = "RekorV2HashedRekord";
+option ruby_package = "Sigstore::Rekor::V2";
+
+// A request to add a hashedrekord v0.0.2 to the log
+message HashedRekordRequestV002 {
+ // The hashed data
+ bytes digest = 1 [(google.api.field_behavior) = REQUIRED];
+ // A single signature over the hashed data with the verifier needed to validate it
+ Signature signature = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+message HashedRekordLogEntryV002 {
+ // The hashed data
+ dev.sigstore.common.v1.HashOutput data = 1 [(google.api.field_behavior) = REQUIRED];
+ // A single signature over the hashed data with the verifier needed to validate it
+ Signature signature = 2 [(google.api.field_behavior) = REQUIRED];
+}
diff --git a/service-protos/rekor/v2/verifier.proto b/service-protos/rekor/v2/verifier.proto
new file mode 100644
index 00000000..aa244b9f
--- /dev/null
+++ b/service-protos/rekor/v2/verifier.proto
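Review bot: `HashedRekordRequestV002.digest` (hashedrekord.proto) is bare `bytes` with no hash algorithm, while `HashedRekordLogEntryV002.data` is a `HashOutput`, which in sigstore_common.proto carries the algorithm alongside the digest, so the request does not say which algorithm the log will record. Presumably it is derived from `signature.verifier.key_details`; if so the field comment should say it, e.g. `// The hashed data; the hash algorithm is the one implied by signature.verifier.key_details`. Without that, a client and the log can disagree on the algorithm and the mismatch only shows up at verification time. `HashedRekordLogEntryV002` also has no message-level comment, unlike the request message.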
@@ -0,0 +1,50 @@
+// Copyright 2025 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+package dev.sigstore.rekor.v2;
+
+import "sigstore_common.proto";
+import "google/api/field_behavior.proto";
+
+option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2";
+
+option java_package = "dev.sigstore.proto.rekor.v2";
+option java_multiple_files = true;
+option java_outer_classname = "RekorV2Verifier";
+option ruby_package = "Sigstore::Rekor::V2";
+
+// PublicKey contains an encoded public key
+message PublicKey {
+ // DER-encoded public key
+ bytes raw_bytes = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Either a public key or a X.509 cerificiate with an embedded public key
+message Verifier {
+ oneof verifier {
+ // DER-encoded public key. Encoding method is specified by the key_details attribute
+ PublicKey public_key = 1 [(google.api.field_behavior) = REQUIRED];
+ // DER-encoded certificate
+ dev.sigstore.common.v1.X509Certificate x509_certificate = 2 [(google.api.field_behavior) = REQUIRED];
+ }
+ // Key encoding and signature algorithm to use for this key
+ dev.sigstore.common.v1.PublicKeyDetails key_details = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// A signature and an associated verifier
+message Signature {
+ bytes content = 1 [(google.api.field_behavior) = REQUIRED];
+ Verifier verifier = 2 [(google.api.field_behavior) = REQUIRED];
+}
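Review bot: `Verifier.key_details` (verifier.proto) is required even when `x509_certificate` is set, and nothing states that it must agree with the public key inside the certificate. A consumer that trusts `key_details` without comparing it to the certificate could verify under an algorithm the certificate does not describe; the comment should carry the rule, e.g. `// Key encoding and signature algorithm for this key; MUST match the certificate's public key when x509_certificate is set` if that is the intent. The comment on `public_key` says the encoding is given by `key_details` while `PublicKey.raw_bytes` says DER, and `Signature.content` has no comment on its encoding. `cerificiate` in the `Verifier` comment is a typo for `certificate`.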
diff --git a/service-protos/sync-rekor-tiles.sh b/service-protos/sync-rekor-tiles.sh
new file mode 100755
index 00000000..4ed8b404
--- /dev/null
+++ b/service-protos/sync-rekor-tiles.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# A simple utility to copy protos from the rekor-tiles repository into protobuf specs for distribution
+set -o pipefail -o errexit -o nounset
+
+command -v gh &>/dev/null || { echo "gh not found" 1>&2; exit 1; }
+
+latest_tag=$(gh api graphql -f query='{repository(owner: "sigstore", name: "rekor-tiles"){refs(refPrefix: "refs/tags/", last: 1){nodes{name}}}}' --jq '.data.repository.refs.nodes[].name')
+
+if [ -z "$latest_tag" ]; then
+ echo "latest tag not found"
+ exit 1
+fi
+
+# clean up last sync
+rm ./rekor/v2/*.proto || echo "nothing to clean up"
+
+# mkdir just in case
+mkdir -p ./rekor/v2
+
+# copy all protos over except rekor_service.proto
+echo "syncing protos with ${latest_tag}"
+git clone --filter=blob:none --no-checkout --depth=1 https://github.com/sigstore/rekor-tiles.git ./rekor-tiles
+cd ./rekor-tiles
+git sparse-checkout set --no-cone '/api/proto/rekor/v2/*.proto' '!**/rekor_service.proto'
+git fetch origin tag "$latest_tag" --no-tags
+git checkout "$latest_tag"
+cd ../
+cp -R ./rekor-tiles/api/proto/* .
+rm -rf ./rekor-tiles
+
+# replace the go package from the service definition to the protobuf out
+echo "replacing go-package"
+sed -i -e 's|^option go_package.*$|option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v2";|' ./rekor/v2/*.proto
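Review bot: `latest_tag` in sync-rekor-tiles.sh is whatever `refs(refPrefix: "refs/tags/", last: 1)` returns, and the query sets no `orderBy`, so the tag picked may not be the newest release (the default ref ordering is presumably by name, which is worth confirming). The script also never records which commit the tag resolved to, so a later reader of the mirrored protos cannot tell what they were copied from or notice a tag that was moved. Consider adding `orderBy: {field: TAG_COMMIT_DATE, direction: ASC}` to the query and printing the commit after checkout, e.g. `echo "synced ${latest_tag} at $(git rev-parse HEAD)"`, with the value written next to the mirror entry in the README. Separately, `rm ./rekor/v2/*.proto` runs before the clone, so a failed fetch leaves the directory empty, and every path assumes the script is run from `service-protos/`.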