
1# Generated by the protocol buffer compiler. DO NOT EDIT! 

2# sources: sigstore_bundle.proto 

3# plugin: python-betterproto 

4# This file has been @generated 

5 

6from typing import TYPE_CHECKING 

7 

8 

9if TYPE_CHECKING: 

10 from dataclasses import dataclass 

11else: 

12 from pydantic.dataclasses import dataclass 

13 

14from typing import ( 

15 List, 

16 Optional, 

17) 

18 

19import betterproto 

20from pydantic import model_validator 

21from pydantic.dataclasses import rebuild_dataclass 

22 

23from .....io import intoto as ____io_intoto__ 

24from ...common import v1 as __common_v1__ 

25from ...rekor import v1 as __rekor_v1__ 

26 

27 

@dataclass(eq=False, repr=False)
class TimestampVerificationData(betterproto.Message):
    """Counter-signatures (signed timestamps) over the artifact signature.

    Only RFC 3161 signed timestamps are carried today; the proto leaves room
    for other formats later. Nothing in this dataclass inspects the
    timestamps: a verifying client is the one that MUST confirm that the
    hashed message in each timestamp's message imprint matches the signature
    carried in the bundle.
    """

    # Field 1: RFC 3161 signed timestamps supplied by the signer. They can
    # stand in for a transparency-log entry (e.g. the entry was never logged)
    # or be combined with one for a stronger trust model. This declaration
    # does not require the list to be non-empty; whether an empty list is
    # acceptable is a verification-policy decision made by the caller.
    rfc3161_timestamps: List[
        "__common_v1__.Rfc3161SignedTimestamp"
    ] = betterproto.message_field(1)

46 

47 

@dataclass(eq=False, repr=False)
class VerificationMaterial(betterproto.Message):
    """What a verifier needs to check a signature: the signer and the proofs.

    This message may also be embedded in a DSSE envelope as a signature
    extension: the extension's `ext` field carries this message when the
    extension's `kind` is
    `application/vnd.dev.sigstore.verificationmaterial;version=0.1`. In that
    use, a `public_key` identifier MUST equal the `keyid` of the signature the
    extension is attached to — a check the consumer performs; it is not done
    here.

    The only validation this class performs itself is the ``content`` group
    check in ``check_oneof``; every other MUST/SHOULD below is a verifier
    obligation.
    """

    # ``content`` oneof — the three members below identify the signer.
    # Field 1: a bare public-key identifier (key hint).
    public_key: Optional[
        "__common_v1__.PublicKeyIdentifier"
    ] = betterproto.message_field(1, optional=True, group="content")
    # Field 2: a full X.509 certificate chain.
    x509_certificate_chain: Optional[
        "__common_v1__.X509CertificateChain"
    ] = betterproto.message_field(2, optional=True, group="content")
    # Field 5 (note the number: it does not follow the other two members):
    # a single X.509 leaf certificate.
    certificate: Optional[
        "__common_v1__.X509Certificate"
    ] = betterproto.message_field(5, optional=True, group="content")

    # Field 3: transparency-log entries, each with an inclusion proof and an
    # optional signed timestamp from the log. Client libraries MAY offer an
    # option to accept v0.1 bundles, which may carry an inclusion promise
    # instead of a proof; a client that does so MUST validate the promise,
    # and verifiers SHOULD NOT accept v0.1 bundles at all in an ecosystem
    # that never produced them.
    tlog_entries: List[
        "__rekor_v1__.TransparencyLogEntry"
    ] = betterproto.message_field(3)

    # Field 4: signed timestamps that do not come from the log. A timestamp
    # may alternatively be taken from
    # ``tlog_entries[i].inclusion_promise.signed_entry_timestamp``.
    timestamp_verification_data: (
        "TimestampVerificationData"
    ) = betterproto.message_field(4)

    @model_validator(mode="after")
    def check_oneof(cls, values):
        """Enforce the ``content`` oneof by delegating to betterproto.

        Keep the first parameter named ``cls``: pydantic inspects a
        validator's signature to decide how to bind it, so the name is
        load-bearing rather than cosmetic (NOTE(review): confirm against the
        pinned pydantic version). ``values`` is handed straight to
        ``_validate_field_groups`` and that helper's result is returned.
        """
        return cls._validate_field_groups(values)

95 

96 

@dataclass(eq=False, repr=False)
class Bundle(betterproto.Message):
    """A Sigstore bundle: verification material plus the signed content.

    Nothing here verifies anything. The constraints the proto places on
    verifiers — certificate validity at signing time, matching key hints, a
    supported DSSE payload type, exactly one DSSE signature, an accepted media
    type — must all be enforced by the verifying client; the only check this
    dataclass performs is the ``content`` group check in ``check_oneof``.
    """

    # Field 1: media type. MUST be
    # ``application/vnd.dev.sigstore.bundle.v0.3+json`` when encoded as JSON.
    # Clients must still be able to accept the previously defined forms:
    #   * application/vnd.dev.sigstore.bundle+json;version=0.1
    #   * application/vnd.dev.sigstore.bundle+json;version=0.2
    #   * application/vnd.dev.sigstore.bundle+json;version=0.3
    # This is a plain string field: no allow-list is applied here, so a
    # verifier must reject unknown or unexpected media types itself.
    media_type: str = betterproto.string_field(1)

    # Field 2: signer identity plus transparency-log / timestamp evidence.
    # When the signer is identified by an X.509 certificate, a verifier MUST
    # check that the signature was produced while the certificate was valid,
    # as described in the Sigstore client spec, "Verification using a Bundle":
    # <https://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln>
    # If the material carries a public-key identifier (key hint) and the
    # content is a DSSE envelope, the key hints MUST be exactly the same in
    # the verification material and in the envelope.
    verification_material: (
        "VerificationMaterial"
    ) = betterproto.message_field(2)

    # ``content`` oneof — field 3: a plain message signature.
    message_signature: Optional[
        "__common_v1__.MessageSignature"
    ] = betterproto.message_field(3, optional=True, group="content")
    # ``content`` oneof — field 4: a DSSE envelope. An envelope can carry an
    # arbitrary payload, so verifiers must confirm the payload type is both
    # supported and expected; this is part of the DSSE protocol:
    # <https://github.com/secure-systems-lab/dsse/blob/master/protocol.md>
    # DSSE itself permits several signatures, but an envelope in a bundle
    # MUST have exactly one, for two reasons: it keeps the verification logic
    # and policy simple, and the bundle (currently) holds only a single
    # instance of the required verification material. A client MUST reject
    # an envelope whose signature count is not exactly one. That count is not
    # checked by this class.
    dsse_envelope: Optional[
        "____io_intoto__.Envelope"
    ] = betterproto.message_field(4, optional=True, group="content")

    @model_validator(mode="after")
    def check_oneof(cls, values):
        """Enforce the ``content`` oneof by delegating to betterproto.

        Keep the first parameter named ``cls``: pydantic inspects a
        validator's signature to decide how to bind it, so the name is
        load-bearing rather than cosmetic (NOTE(review): confirm against the
        pinned pydantic version). ``values`` is handed straight to
        ``_validate_field_groups`` and that helper's result is returned.
        """
        return cls._validate_field_groups(values)

148 

149 

# Resolve the string forward references used in the annotations above (e.g.
# "TimestampVerificationData", "VerificationMaterial") now that every class
# in this module exists. The order follows the reference chain seen in the
# annotations: VerificationMaterial refers to TimestampVerificationData and
# Bundle refers to VerificationMaterial, so each is rebuilt after what it uses.
for _message_cls in (TimestampVerificationData, VerificationMaterial, Bundle):
    rebuild_dataclass(_message_cls)  # type: ignore
del _message_cls  # keep the module namespace identical to the generated one