Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gen, protos: 0.3, single cert #191

Merged
merged 6 commits into from
Jan 15, 2024
Merged

Conversation

woodruffw
Copy link
Member

This adds a new oneof variant to VerificationMaterials.contents that specifically encodes a single X.509 leaf certificate. This ratchets down (soft) invariants that were previously documented on the x509_certificate_chain member.

In the process, it also bumps the bundle version (0.3) and moves some documentation around.

Closes #190.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw self-assigned this Jan 10, 2024
protos/sigstore_bundle.proto Show resolved Hide resolved
@@ -32,8 +32,8 @@ option ruby_package = "Sigstore::Bundle::V1";
// The primary message ('Bundle') MUST be versioned, by populating the
// 'media_type' field. Semver-ish (only major/minor versions) scheme MUST
// be used. The current version as specified by this file is:
// application/vnd.dev.sigstore.bundle+json;version=0.2
// The semantic version is thus '0.2'.
// application/vnd.dev.sigstore.bundle+json;version=0.3
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just pressure testing - Do we want a new version at this point? I think yes. We could add the field without a new version to avoid this being a breaking change, but then the field would have to be optional.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, I think so as well -- IMO making the field non-optional would be confusing in context, since the other two content variants are marked as required.

(But maybe there are other good reasons to not bump the version here? Other client maintainers should probably chime in 🙂)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would think that a breaking change is desired if we want clients to actually adopt the usage of the new certificate. If not, clients would need to write the certificate into both x509_certificate_chain and certificate, and I'm not sure that's desirable?

I think we can roll this out quite easy by describing the change more of a clarification, and as part of that moving the certificate to a new field and making it explicit. This would of course still require clients to discriminate on the version, and this is less optimal for verifiers that would need to be compliant with multiple versions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would think that a breaking change is desired if we want clients to actually adopt the usage of the new certificate. If not, clients would need to write the certificate into both x509_certificate_chain and certificate, and I'm not sure that's desirable?

My 0.02c would be for encouraging clients to adopt the certificate form -- the language in VerificationMaterial currently says that adopting the 0.3 bundle for keyless signing + PGI means that clients MUST use the certificate field instead of x509_certificate_chain.

But yeah, this does make things a bit of a mess for verifying clients...

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For clients that wish to only support PGI, we could say just take the first cert of cert-chain or certificate.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the current wording is good 👍 . My comment was a general about clients that would need to deal with multiple versions, not how the fields are used to day. I.e that regardless what we do, clients have to pay the price :) This is of course not specific to this spec, it's a general statement of concurrently supporting multiple versions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, further version proliferation isn't ideal.

In the interest of keeping the number of version iterations to a minimum, maybe we should roll this up with a few other changes that we expect to occur in a new version? In particular, I'm thinking of #189, #183, #66, and maybe some others.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, maybe it's time we plan for a next release, i.e bulk more things together as you mentioned. Don't think there is any urgency around getting v0.3 out?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No extreme urgency, although I would definitely like to get #189 merged sooner rather than later 🙂 -- there's a lot of work that isn't strictly blocked on it, but will probably become a client interop challenge unless we eventually enumerate the various sigs/hashes that can occur on the PGI.

protos/sigstore_bundle.proto Outdated Show resolved Hide resolved
protos/sigstore_bundle.proto Outdated Show resolved Hide resolved
protos/sigstore_common.proto Outdated Show resolved Hide resolved
protos/sigstore_common.proto Show resolved Hide resolved
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Fredrik Skogman <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Copy link
Member

@kommendorkapten kommendorkapten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for doing this 🚀

Signed-off-by: William Woodruff <[email protected]>
Copy link
Collaborator

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work!

@woodruffw
Copy link
Member Author

In terms of procedure, should we merge here and let 0.3 live on main? I figure that's fine since it won't be tagged or released anywhere yet, but just confirming 🙂

Copy link
Member

@kommendorkapten kommendorkapten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, merge this and let 0.3 live at main until we cut a release.

@woodruffw woodruffw merged commit 66063f0 into sigstore:main Jan 15, 2024
25 checks passed
@woodruffw woodruffw deleted the ww/single-cert branch January 15, 2024 23:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Proposal: Specify only leaf cert in bundle
4 participants