Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

trustroot: initial client config messages #277

Merged
merged 9 commits into from
Apr 2, 2024
Merged
40 changes: 40 additions & 0 deletions protos/sigstore_trustroot.proto
Original file line number Diff line number Diff line change
Expand Up @@ -117,3 +117,43 @@ message TrustedRoot {
// A set of trusted timestamping authorities.
repeated CertificateAuthority timestamp_authorities = 5;
}


// SigningConfig represents the trusted entities/state needed by Sigstore
// signing. In particular, it primarily contains service URLs that a Sigstore
// signer may need to connect to for the online aspects of signing.
message SigningConfig {
woodruffw marked this conversation as resolved.
Show resolved Hide resolved
// A URL to a Fulcio-compatible CA, capable of receiving
// Certificate Signing Requests (CSRs) and responding with
// issued certificates.
//
// This URL **MUST** be the "base" URL for the CA, which clients
// should construct an appropriate CSR endpoint on top of.
// For example, if `fulcio_url` is `https://example.com/ca`, then
// the client **MAY** construct the CSR endpoint as
// `https://example.com/ca/api/v2/signingCert`.
string fulcio_url = 1;
woodruffw marked this conversation as resolved.
Show resolved Hide resolved

// A URL to an OpenID Connect identity provider.
//
// This URL **MUST** be the "base" URL for the OIDC IdP, which clients
// should perform well-known OpenID Connect discovery against.
string oidc_url = 2;

// A URL to a Rekor-compatible transparency log.
//
// This URL **MUST** be the "base" URL for the transparency log,
// which clients should construct appropriate API endpoints on top of.
string rekor_url = 3;
woodruffw marked this conversation as resolved.
Show resolved Hide resolved
}

// ClientTrustConfig describes the complete state needed by a client
// to perform both signing and verification operations against a particular
// instance of Sigstore.
message ClientTrustConfig {
woodruffw marked this conversation as resolved.
Show resolved Hide resolved
// The root of trust, which MUST be present.
woodruffw marked this conversation as resolved.
Show resolved Hide resolved
TrustedRoot trusted_root = 1 [(google.api.field_behavior) = REQUIRED];
woodruffw marked this conversation as resolved.
Show resolved Hide resolved

//
SigningConfig signing_config = 2 [(google.api.field_behavior) = REQUIRED];
woodruffw marked this conversation as resolved.
Show resolved Hide resolved
}
Loading