
1# Generated by the protocol buffer compiler. DO NOT EDIT! 

2# sources: sigstore_bundle.proto 

3# plugin: python-betterproto 

4# This file has been @generated 

5 

6from dataclasses import dataclass 

7from typing import List 

8 

9import betterproto 

10 

11from .....io import intoto as ____io_intoto__ 

12from ...common import v1 as __common_v1__ 

13from ...rekor import v1 as __rekor_v1__ 

14 

15 

@dataclass(eq=False, repr=False)
class TimestampVerificationData(betterproto.Message):
    """
    Timestamped counter-signatures over the artifact signature.

    Only RFC 3161 signed timestamps are carried at present (field 1,
    ``rfc3161_timestamps``); further formats may be added to this message
    in later versions of the schema.
    """

    # NOTE(review): this message travels inside the bundle, i.e. it is supplied
    # by the party whose signature is being verified. The timestamps therefore
    # only add trust once the TSA signature on each of them has been checked
    # against a trust root the verifier already holds — confirm the exact
    # requirement against the Sigstore client spec.
    rfc3161_timestamps: List["__common_v1__.Rfc3161SignedTimestamp"] = (
        betterproto.message_field(1)
    )
    """
    A list of RFC 3161 signed timestamps supplied with the bundle. They can be
    used when the entry has not been stored on a transparency log, or together
    with a log entry for a stronger trust model. Clients MUST verify that the
    hashed message in each timestamp's message imprint matches the signature
    carried in this bundle: a timestamp whose imprint covers some other value
    proves nothing about when this signature was produced.
    """

33 

34 

@dataclass(eq=False, repr=False)
class VerificationMaterial(betterproto.Message):
    """
    The materials a verifier needs to check the signature(s) in a bundle.

    The signer identity is carried in exactly one member of the ``content``
    oneof: a public key identifier (``public_key``), a certificate chain
    (``x509_certificate_chain``) or a single leaf certificate
    (``certificate``). Transparency-log entries and RFC 3161 timestamps are
    carried alongside it in ``tlog_entries`` and
    ``timestamp_verification_data``.

    This message may also be embedded in a DSSE envelope as a signature
    extension. In that case the extension's ``ext`` field holds this message
    and its ``kind`` field MUST be
    ``application/vnd.dev.sigstore.verificationmaterial;version=0.1``. When
    used as a DSSE extension and ``public_key`` is the chosen identifier, it
    MUST match the ``keyid`` field of the signature the extension is attached
    to.
    """

    # The next three fields form the `content` oneof: at most one is set.
    # A key identifier only names a key; the verifier must resolve it to a key
    # it already trusts.
    public_key: "__common_v1__.PublicKeyIdentifier" = betterproto.message_field(
        1, group="content"
    )
    # Full chain (leaf first, per the common.v1 definition — confirm) used by
    # older bundle versions.
    x509_certificate_chain: "__common_v1__.X509CertificateChain" = (
        betterproto.message_field(2, group="content")
    )
    # Leaf certificate only; the verifier supplies the issuing chain from its
    # own trust root rather than trusting one shipped in the bundle.
    certificate: "__common_v1__.X509Certificate" = betterproto.message_field(
        5, group="content"
    )
    tlog_entries: List["__rekor_v1__.TransparencyLogEntry"] = betterproto.message_field(
        3
    )
    """
    Transparency-log entries, each with an inclusion proof and an optional
    signed timestamp from the log. Client verification libraries MAY offer an
    option to accept v0.1 bundles for backwards compatibility; those may carry
    an inclusion promise instead of an inclusion proof, and in that case the
    client MUST validate the promise. Verifiers SHOULD NOT accept v0.1
    bundles in an ecosystem that never produced them, since that only widens
    what an attacker-supplied bundle is allowed to look like.
    """

    timestamp_verification_data: "TimestampVerificationData" = (
        betterproto.message_field(4)
    )
    """
    Signer-supplied RFC 3161 timestamps (see ``TimestampVerificationData``).
    A timestamp may alternatively come from
    ``tlog_entries.inclusion_promise.signed_entry_timestamp``.
    """

77 

78 

@dataclass(eq=False, repr=False)
class Bundle(betterproto.Message):
    """
    A Sigstore bundle: one signed artifact plus everything needed to verify it.

    The signed content is exactly one member of the ``content`` oneof — a
    detached ``message_signature`` over an artifact, or a ``dsse_envelope``
    carrying an in-toto/DSSE payload. ``verification_material`` holds the
    signer identity, transparency-log entries and timestamps used to verify
    that content, and ``media_type`` identifies the bundle format version.
    """

    media_type: str = betterproto.string_field(1)
    """
    MUST be ``application/vnd.dev.sigstore.bundle.v0.3+json`` when encoded as
    JSON. Clients must also be able to accept the previously defined media
    types:

    * ``application/vnd.dev.sigstore.bundle+json;version=0.1``
    * ``application/vnd.dev.sigstore.bundle+json;version=0.2``
    * ``application/vnd.dev.sigstore.bundle+json;version=0.3``

    Any other value presumably means the bundle should be rejected rather than
    parsed on a best-effort basis — confirm against the client spec.
    """

    verification_material: "VerificationMaterial" = betterproto.message_field(2)
    """
    When the signer is identified by an X.509 certificate, a verifier MUST
    check that the signature was produced while the certificate was valid, as
    described in the Sigstore client spec, "Verification using a Bundle":
    <https://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln>
    (short-lived certificates are only meaningful if the signing time itself
    is established from a trusted timestamp or log entry, not from the
    bundle's own claims). If the verification material contains a public key
    identifier (key hint) and the ``content`` is a DSSE envelope, the key
    hints MUST be exactly the same in the verification material and in the
    DSSE envelope.
    """

    # The next two fields form the `content` oneof: exactly one is expected.
    message_signature: "__common_v1__.MessageSignature" = betterproto.message_field(
        3, group="content"
    )
    dsse_envelope: "____io_intoto__.Envelope" = betterproto.message_field(
        4, group="content"
    )
    """
    A DSSE envelope can carry an arbitrary payload. Verifiers MUST check that
    the envelope's payload type is one they support and expect before acting
    on the payload; this is part of the DSSE protocol, defined at
    <https://github.com/secure-systems-lab/dsse/blob/master/protocol.md>.

    DSSE envelopes in a bundle MUST contain exactly one signature. This is a
    restriction on top of the DSSE spec, which allows several, and is imposed
    for two reasons: (1) it simplifies the verification logic and policy, and
    (2) the bundle can currently carry only a single instance of the required
    verification materials. During verification a client MUST reject an
    envelope whose number of signatures is not equal to one — including zero.
    """