sigstore_rekor: clarify inclusion_promise requirement #380

Merged
merged 3 commits into from
Aug 9, 2024
Changes from 2 commits
2 changes: 1 addition & 1 deletion gen/jsonschema/schemas/Bundle.schema.json
Expand Up @@ -319,7 +319,7 @@
"inclusionPromise": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
"additionalProperties": false,
"description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
"description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
},
"inclusionProof": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
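Review bot: The replacement description drops the old closing sentence "Also may be used as a signed timestamp.", yet the new wording depends on it: "another source of signed time" and "no other source of signed time" only read correctly if the reader already knows that the inclusion promise is itself a source of signed time. Suggest keeping that statement explicitly, for example "The promise is itself a source of signed time. Optional for >= v0.2 bundles if another source of signed time is present." The identical description appears in Input.schema.json, TransparencyLogEntry.schema.json and VerificationMaterial.schema.json, so the wording is best fixed once in the comment in protos/sigstore_rekor.proto, which carries the same text.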
2 changes: 1 addition & 1 deletion gen/jsonschema/schemas/Input.schema.json
Expand Up @@ -512,7 +512,7 @@
"inclusionPromise": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
"additionalProperties": false,
"description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
"description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
},
"inclusionProof": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
2 changes: 1 addition & 1 deletion gen/jsonschema/schemas/TransparencyLogEntry.schema.json
Expand Up @@ -25,7 +25,7 @@
"inclusionPromise": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
"additionalProperties": false,
"description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
"description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
},
"inclusionProof": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
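Review bot: In this standalone TransparencyLogEntry schema, the new description makes the field's optionality depend on two things that are not part of the entry itself: the bundle version ("v0.1", ">= v0.2") and whether "another source of signed time is present". A consumer reading only this schema cannot tell where that other source would be found. Suggest the description either say where a verifier is expected to look for it, or state that the rule applies when the entry is carried inside a bundle.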
2 changes: 1 addition & 1 deletion gen/jsonschema/schemas/VerificationMaterial.schema.json
Expand Up @@ -236,7 +236,7 @@
"inclusionPromise": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
"additionalProperties": false,
"description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
"description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
},
"inclusionProof": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
6 changes: 4 additions & 2 deletions gen/pb-go/rekor/v1/sigstore_rekor.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Expand Up @@ -131,8 +131,10 @@ pub struct TransparencyLogEntry {
pub integrated_time: i64,
/// The inclusion promise/signed entry timestamp from the log.
/// Required for v0.1 bundles, and MUST be verified.
/// Optional for >= v0.2 bundles, and SHOULD be verified when present.
/// Also may be used as a signed timestamp.
/// Optional for >= v0.2 bundles if another source of signed time
/// is present.
/// MUST be verified if no other source of signed time is present,
/// and SHOULD be verified otherwise.
#[prost(message, optional, tag = "5")]
pub inclusion_promise: ::core::option::Option<InclusionPromise>,
/// The inclusion proof can be used for offline or online verification
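Review bot: The new doc comment on inclusion_promise says when the promise "MUST be verified" but never says when it must be present, and the field is an Option, so None is a representable state. As written, "MUST be verified if no other source of signed time is present" leaves the case of a >= v0.2 bundle with neither a promise nor another signed time to inference from the preceding "Optional ... if" sentence. Suggest making the failure case explicit, for example "MUST be present and verified if no other source of signed time is present", so that a verifier treats that combination as an error rather than skipping the check.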
Binary file not shown.
6 changes: 4 additions & 2 deletions gen/pb-typescript/src/__generated__/sigstore_rekor.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 4 additions & 2 deletions protos/sigstore_rekor.proto
Expand Up @@ -104,8 +104,10 @@ message TransparencyLogEntry {
int64 integrated_time = 4 [(google.api.field_behavior) = REQUIRED];
// The inclusion promise/signed entry timestamp from the log.
// Required for v0.1 bundles, and MUST be verified.
// Optional for >= v0.2 bundles, and SHOULD be verified when present.
// Also may be used as a signed timestamp.
// Optional for >= v0.2 bundles if another source of signed time
// is present.
Collaborator

One could interpret "another source of ... time" to be current time, but "current time" wouldn't be signed. We could be very prescriptive and say "When verifying long-lived certificates, the client MAY choose to not require a signed timestamp and instead use the system clock." Thoughts?

Member Author

@woodruffw woodruffw Aug 9, 2024

That sounds good to me! Updating.

Member Author

Updated in d9edb63 -- it now talks about a "suitable" source of time, which can be either another signed time source or the current system time when the certs are long-lived. LMKWYT!

// MUST be verified if no other source of signed time is present,
// and SHOULD be verified otherwise.
InclusionPromise inclusion_promise = 5;
// The inclusion proof can be used for offline or online verification
// that the entry was appended to the log, and that the log has not been
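Review bot: The conditional requirement on inclusion_promise exists only in this comment: the field declaration at the end of the hunk carries no field_behavior annotation, unlike integrated_time just above it, which is marked REQUIRED. That makes the comment the only normative text implementers will code against, so its final wording needs to be exact. The thread on this hunk agrees to move from "another source of signed time" to a "suitable" source of time in d9edb63, while this view (changes from 2 commits) still shows the earlier wording here and in the JSON schema and Rust outputs. Please confirm the generated files were regenerated from the final comment so that all copies of the description agree.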