Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py: 98%

Shortcuts on this page

r m x   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

45 statements  

1# Generated by the protocol buffer compiler. DO NOT EDIT! 

2# sources: sigstore_rekor.proto 

3# plugin: python-betterproto 

4# This file has been @generated 

5 

6from dataclasses import dataclass 

7from typing import List 

8 

9import betterproto 

10 

11from ...common import v1 as __common_v1__ 

12 

13 

14@dataclass(eq=False, repr=False) 

15class KindVersion(betterproto.Message): 

16 """KindVersion contains the entry's kind and api version.""" 

17 

18 kind: str = betterproto.string_field(1) 

19 """ 

20 Kind is the type of entry being stored in the log. See here for a list: 

21 https://github.com/sigstore/rekor/tree/main/pkg/types 

22 """ 

23 

24 version: str = betterproto.string_field(2) 

25 """The specific api version of the type.""" 

26 

27 

28@dataclass(eq=False, repr=False) 

29class Checkpoint(betterproto.Message): 

30 """ 

31 The checkpoint MUST contain an origin string as a unique log identifier, 

32 the tree size, and the root hash. It MAY also be followed by optional data, 

33 and clients MUST NOT assume optional data. The checkpoint MUST also contain 

34 a signature over the root hash (tree head). The checkpoint MAY contain 

35 additional signatures, but the first SHOULD be the signature from the log. 

36 Checkpoint contents are concatenated with newlines into a single string. 

37 The checkpoint format is described in https://github.com/transparency- 

38 dev/formats/blob/main/log/README.md and 

39 https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. An example 

40 implementation can be found in 

41 https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go 

42 """ 

43 

44 envelope: str = betterproto.string_field(1) 

45 

46 

47@dataclass(eq=False, repr=False) 

48class InclusionProof(betterproto.Message): 

49 """ 

50 InclusionProof is the proof returned from the transparency log. Can be used 

51 for offline or online verification against the log. 

52 """ 

53 

54 log_index: int = betterproto.int64_field(1) 

55 """The index of the entry in the tree it was written to.""" 

56 

57 root_hash: bytes = betterproto.bytes_field(2) 

58 """ 

59 The hash digest stored at the root of the merkle tree at the time the proof 

60 was generated. 

61 """ 

62 

63 tree_size: int = betterproto.int64_field(3) 

64 """The size of the merkle tree at the time the proof was generated.""" 

65 

66 hashes: List[bytes] = betterproto.bytes_field(4) 

67 """ 

68 A list of hashes required to compute the inclusion proof, sorted in order 

69 from leaf to root. Note that leaf and root hashes are not included. The 

70 root hash is available separately in this message, and the leaf hash should 

71 be calculated by the client. 

72 """ 

73 

74 checkpoint: "Checkpoint" = betterproto.message_field(5) 

75 """ 

76 Signature of the tree head, as of the time of this proof was generated. See 

77 above info on 'Checkpoint' for more details. 

78 """ 

79 

80 

81@dataclass(eq=False, repr=False) 

82class InclusionPromise(betterproto.Message): 

83 """ 

84 The inclusion promise is calculated by Rekor. It's calculated as a 

85 signature over a canonical JSON serialization of the persisted entry, the 

86 log ID, log index and the integration timestamp. See https://github.com/sig 

87 store/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.g 

88 o#L54 The format of the signature depends on the transparency log's public 

89 key. If the signature algorithm requires a hash function and/or a signature 

90 scheme (e.g. RSA) those has to be retrieved out-of-band from the log's 

91 operators, together with the public key. This is used to verify the 

92 integration timestamp's value and that the log has promised to include the 

93 entry. 

94 """ 

95 

96 signed_entry_timestamp: bytes = betterproto.bytes_field(1) 

97 

98 

99@dataclass(eq=False, repr=False) 

100class TransparencyLogEntry(betterproto.Message): 

101 """ 

102 TransparencyLogEntry captures all the details required from Rekor to 

103 reconstruct an entry, given that the payload is provided via other means. 

104 This type can easily be created from the existing response from Rekor. 

105 Future iterations could rely on Rekor returning the minimal set of 

106 attributes (excluding the payload) that are required for verifying the 

107 inclusion promise. The inclusion promise (called SignedEntryTimestamp in 

108 the response from Rekor) is similar to a Signed Certificate Timestamp as 

109 described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2. 

110 """ 

111 

112 log_index: int = betterproto.int64_field(1) 

113 """The global index of the entry, used when querying the log by index.""" 

114 

115 log_id: "__common_v1__.LogId" = betterproto.message_field(2) 

116 """The unique identifier of the log.""" 

117 

118 kind_version: "KindVersion" = betterproto.message_field(3) 

119 """ 

120 The kind (type) and version of the object associated with this entry. These 

121 values are required to construct the entry during verification. 

122 """ 

123 

124 integrated_time: int = betterproto.int64_field(4) 

125 """The UNIX timestamp from the log when the entry was persisted.""" 

126 

127 inclusion_promise: "InclusionPromise" = betterproto.message_field(5) 

128 """ 

129 The inclusion promise/signed entry timestamp from the log. Required for 

130 v0.1 bundles, and MUST be verified. Optional for >= v0.2 bundles, and 

131 SHOULD be verified when present. Also may be used as a signed timestamp. 

132 """ 

133 

134 inclusion_proof: "InclusionProof" = betterproto.message_field(6) 

135 """ 

136 The inclusion proof can be used for offline or online verification that the 

137 entry was appended to the log, and that the log has not been altered. 

138 """ 

139 

140 canonicalized_body: bytes = betterproto.bytes_field(7) 

141 """ 

142 Optional. The canonicalized transparency log entry, used to reconstruct the 

143 Signed Entry Timestamp (SET) during verification. The contents of this 

144 field are the same as the `body` field in a Rekor response, meaning that it 

145 does **not** include the "full" canonicalized form (of log index, ID, etc.) 

146 which are exposed as separate fields. The verifier is responsible for 

147 combining the `canonicalized_body`, `log_index`, `log_id`, and 

148 `integrated_time` into the payload that the SET's signature is generated 

149 over. This field is intended to be used in cases where the SET cannot be 

150 produced determinisitically (e.g. inconsistent JSON field ordering, 

151 differing whitespace, etc). If set, clients MUST verify that the signature 

152 referenced in the `canonicalized_body` matches the signature provided in 

153 the `Bundle.content`. If not set, clients are responsible for constructing 

154 an equivalent payload from other sources to verify the signature. 

155 """