Require inclusion proofs, make promises optional

The log always generates inclusion proofs, so we will make it a requirement that clients verify the proof. Promises will be deprecated over time, but for now, we'll make them optional. Fixes sigstore#82 Ref sigstore/rekor#1566 Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
haydentherapper · Jun 30, 2023 · c18c1e9 · c18c1e9
1 parent 5ef5406
commit c18c1e9
Show file tree

Hide file tree

Showing 12 changed files with 50 additions and 43 deletions.
diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts
diff --git a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
@@ -53,8 +53,8 @@ message VerificationMaterial {
                 dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED];
                 dev.sigstore.common.v1.X509CertificateChain x509_certificate_chain = 2 [(google.api.field_behavior) = REQUIRED];
         }
-        // This is the inclusion promise and/or proof, where
-        // the timestamp is coming from the transparency log.
+        // This is the inclusion proof, where the timestamp is coming from
+        // the transparency log.
         repeated dev.sigstore.rekor.v1.TransparencyLogEntry tlog_entries = 3;
         // Timestamp verification data, over the artifact's signature.
         TimestampVerificationData timestamp_verification_data = 4;

diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto
@@ -46,7 +46,7 @@ message Checkpoint {
 }
 
 // InclusionProof is the proof returned from the transparency log. Can
-// be used for on line verification against the log.
+// be used for offline or online verification against the log.
 message InclusionProof {
         // The index of the entry in the log.
         int64 log_index = 1 [(google.api.field_behavior) = REQUIRED];
@@ -87,7 +87,7 @@ message InclusionPromise {
 // attributes (excluding the payload) that are required for verifying the
 // inclusion promise. The inclusion promise (called SignedEntryTimestamp in
 // the response from Rekor) is similar to a Signed Certificate Timestamp
-// as described here https://www.rfc-editor.org/rfc/rfc9162#name-signed-certificate-timestam.
+// as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2.
 message TransparencyLogEntry {
         // The index of the entry in the log.
         int64 log_index = 1 [(google.api.field_behavior) = REQUIRED];
@@ -99,12 +99,13 @@ message TransparencyLogEntry {
         KindVersion kind_version = 3 [(google.api.field_behavior) = REQUIRED];
         // The UNIX timestamp from the log when the entry was persisted.
         int64 integrated_time = 4 [(google.api.field_behavior) = REQUIRED];
-        // The inclusion promise/signed entry timestamp from the log.
-        InclusionPromise inclusion_promise = 5 [(google.api.field_behavior) = REQUIRED];
-        // The inclusion proof can be used for online verification that the
-        // entry was appended to the log, and that the log has not been
+        // The inclusion promise/signed entry timestamp from the log. Optional,
+        // but MUST be verified if present.
+        InclusionPromise inclusion_promise = 5;
+        // The inclusion proof can be used for offline or online verification
+        // that the entry was appended to the log, and that the log has not been
         // altered.
-        InclusionProof inclusion_proof = 6;
+        InclusionProof inclusion_proof = 6 [(google.api.field_behavior) = REQUIRED];
         // Optional. The canonicalized transparency log entry, used to
         // reconstruct the Signed Entry Timestamp (SET) during verification.
         // The contents of this field are the same as the `body` field in

diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
@@ -27,7 +27,7 @@ option java_outer_classname = "TrustRootProto";
 // See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters
 // for more details.
 // The included parameters are the minimal set required to identify a log,
-// and verify an inclusion promise.
+// and verify an inclusion proof/promise.
 message TransparencyLogInstance {
         // The base URL at which can be used to URLs for the client.
         string base_url = 1;