Clarify key hint (#148)

* Clarified how the use of (reduntant) key hint. Key hint is both specified in the bundle's `verification material` but may also be specified inside the `content` if it'a DSSE envelope. Signed-off-by: Fredrik Skogman <[email protected]> * Generated protos based on the new change Signed-off-by: Fredrik Skogman <[email protected]> --------- Signed-off-by: Fredrik Skogman <[email protected]>
sigstore · Oct 5, 2023 · 6b78019 · 6b78019
1 parent ddfa96f
commit 6b78019
Show file tree

Hide file tree

Showing 8 changed files with 20 additions and 5 deletions.
diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
@@ -11,7 +11,7 @@
                 "verificationMaterial": {
                     "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial",
                     "additionalProperties": false,
-                    "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e"
+                    "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e If the verification material contains a public key identifier (key hint) and the `content` is a DSSE envelope, the key hints MUST be exactly the same in the verification material and in the DSSE envelope."
                 },
                 "messageSignature": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.MessageSignature",

diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
@@ -44,7 +44,7 @@
                 "verificationMaterial": {
                     "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial",
                     "additionalProperties": false,
-                    "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e"
+                    "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e If the verification material contains a public key identifier (key hint) and the `content` is a DSSE envelope, the key hints MUST be exactly the same in the verification material and in the DSSE envelope."
                 },
                 "messageSignature": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.MessageSignature",

diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
diff --git a/gen/pb-rust/schemas/Bundle.schema.json b/gen/pb-rust/schemas/Bundle.schema.json
@@ -11,7 +11,7 @@
                 "verificationMaterial": {
                     "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial",
                     "additionalProperties": false,
-                    "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e"
+                    "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e If the verification material contains a public key identifier (key hint) and the `content` is a DSSE envelope, the key hints MUST be exactly the same in the verification material and in the DSSE envelope."
                 },
                 "messageSignature": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.MessageSignature",

diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json
@@ -44,7 +44,7 @@
                 "verificationMaterial": {
                     "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial",
                     "additionalProperties": false,
-                    "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e"
+                    "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e If the verification material contains a public key identifier (key hint) and the `content` is a DSSE envelope, the key hints MUST be exactly the same in the verification material and in the DSSE envelope."
                 },
                 "messageSignature": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.MessageSignature",

diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
@@ -77,6 +77,10 @@ message Bundle {
         // was valid as described in the Sigstore client spec: "Verification
         // using a Bundle".
         // <https://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln>
+        // If the verification material contains a public key identifier
+        // (key hint) and the `content` is a DSSE envelope, the key hints
+        // MUST be exactly the same in the verification material and in the
+        // DSSE envelope.
         VerificationMaterial verification_material = 2 [(google.api.field_behavior) = REQUIRED];
         oneof content {
                 dev.sigstore.common.v1.MessageSignature message_signature = 3 [(google.api.field_behavior) = REQUIRED];