Namespace Dev.Sigstore.Trustroot.V1
Classes
- CertificateAuthority
CertificateAuthority lists the information required to identify which CA to use and to perform signature verification.
- ClientTrustConfig
ClientTrustConfig describes the complete state needed by a client to perform both signing and verification operations against a particular instance of Sigstore.
- Service
Service represents an instance of a service that is a part of Sigstore infrastructure. When selecting one or multiple services from a list of services, clients MUST:
  - Use the API version hint to determine the service with the highest API version that the client is compatible with.
  - Only select services within the specified validity period and that have the newest validity start date.
When selecting multiple services, clients MUST:
  - Use the ServiceConfiguration to determine how many services MUST be selected. Clients MUST return an error if there are not enough services that meet the selection criteria.
  - Group services by 'operator' and select at most one service from an operator. During verification, clients MUST treat valid verification metadata from the operator as valid only once towards a threshold.
  - Select services from only the highest supported API version.
- ServiceConfiguration
ServiceConfiguration specifies how a client should select a set of Services to connect to, along with a count when a specific number of Services is requested.
- SigningConfig
SigningConfig represents the trusted entities/state needed by Sigstore signing. In particular, it primarily contains service URLs that a Sigstore signer may need to connect to for the online aspects of signing.
- SigstoreTrustrootReflection
Holder for reflection information generated from sigstore_trustroot.proto
- TransparencyLogInstance
TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion proof/promise.
- TrustedRoot
TrustedRoot describes the client's complete set of trusted entities. How the TrustedRoot is populated is not specified, but can be a combination of many sources such as TUF repositories, files on disk etc.
The TrustedRoot is not meant to be used for any artifact verification, only to capture the complete/global set of trusted verification materials. When verifying an artifact, a selection of keys/authorities is expected to be extracted, based on the artifact and policies, and provided to the verification function. This way the policy can keep the set of keys/authorities minimal, which gives better control over which signatures are allowed.
The embedded transparency logs, CT logs, CAs and TSAs MUST include any previously used instance -- otherwise signatures made in the past cannot be verified.
All the listed instances SHOULD be sorted by the 'valid_for.start' in ascending order, that is, the oldest instance first. Clients MUST accept instances that overlap in time; otherwise clients may experience problems during rotations of verification materials.
To be able to manage planned rotations of either transparency logs or certificate authorities, clients MUST accept lists of instances where the last instance has a 'valid_for' that belongs to the future. This should not be a problem as clients SHOULD first search the trust root for a suitable instance before creating a per-artifact trust root (that is, a subset of the complete trust root) that is used for verification.
Enums
- ServiceSelector
ServiceSelector specifies how a client SHOULD select a set of Services to connect to. A client SHOULD throw an error if the value is SERVICE_SELECTOR_UNDEFINED.
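The selection rules listed under Service above, as an added example; it is not code from the Sigstore project or from the generated Dev.Sigstore.Trustroot.V1 classes. The Service dataclass, its field names, select_services and the sample data are assumptions made for illustration, and the count is passed in directly instead of being derived from a ServiceConfiguration. It follows one reading of the rules, in which too few services at the highest API version is an error rather than a reason to fall back to a lower version.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Service:  # hypothetical stand-in, not the generated Service class
    url: str
    major_api_version: int
    start: datetime
    end: Optional[datetime]  # None means the validity period is open-ended
    operator: str

def select_services(services, supported_versions, count, now):
    """Pick `count` services following the rules above; raise if too few."""
    # Keep services inside their validity period that this client can speak to.
    # Assumption: the end of the validity period is exclusive.
    usable = [s for s in services
              if s.start <= now and (s.end is None or now < s.end)
              and s.major_api_version in supported_versions]
    if not usable:
        raise ValueError("no valid service with a supported API version")
    # Select from the highest supported API version only.
    top = max(s.major_api_version for s in usable)
    # At most one service per operator: keep the newest validity start.
    per_operator = {}
    for s in (u for u in usable if u.major_api_version == top):
        best = per_operator.get(s.operator)
        if best is None or s.start > best.start:
            per_operator[s.operator] = s
    chosen = sorted(per_operator.values(), key=lambda s: s.start, reverse=True)
    if len(chosen) < count:
        raise ValueError(f"need {count} services, only {len(chosen)} qualify")
    return chosen[:count]

def day(d):  # helper for the constructed sample data below
    return datetime(2025, 1, d, tzinfo=timezone.utc)

# Constructed sample list: URLs and operator names are placeholders.
SAMPLE = [
    Service("https://log-a1.example", 1, day(1), day(10), "op-a"),  # expired
    Service("https://log-a2.example", 1, day(5), None, "op-a"),
    Service("https://log-a3.example", 1, day(8), None, "op-a"),  # newest op-a
    Service("https://log-b1.example", 1, day(6), None, "op-b"),
    Service("https://log-b2.example", 2, day(7), None, "op-b"),  # API v2
    Service("https://log-c1.example", 1, day(20), None, "op-c"),  # future
]

if __name__ == "__main__":
    for s in select_services(SAMPLE, {1}, 2, day(15)):
        print(s.operator, s.url)
```

Because each operator contributes at most one entry, the returned list can also be used to count verification results once per operator towards a threshold.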