Skip to content

Commit

Permalink
Update SigningConfig to specify API version and validity periods
Browse files Browse the repository at this point in the history 
In order to faciliate clients gracefully handling breaking API
changes, the SigningConfig will now include API versions for each
of the service URLs so that clients can determine what services
they are compatible with. Additionally, we've included validity periods
which will be used to faciliate Rekor log sharding, when we spin up new
log shards and distribute new key material.

Fixes sigstore#474

Signed-off-by: Hayden Blauzvern <[email protected]>
  • Loading branch information
@haydentherapper
haydentherapper committed Feb 14, 2025
1 parent e943ce1 commit d7dfccc
Show file tree
Hide file tree
Showing 10 changed files with 833 additions and 81 deletions.
63 changes: 58 additions & 5 deletions gen/jsonschema/schemas/ClientTrustConfig.schema.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -186,33 +186,86 @@
"title": "Certificate Authority",
"description": "CertificateAuthority enlists the information required to identify which CA to use and perform signature verification."
},
"dev.sigstore.trustroot.v1.Service": {
"properties": {
"url": {
"type": "string",
"description": "URL of the service. Must include scheme and authority. May include path."
},
"majorApiVersion": {
"type": "integer",
"description": "Specifies the major API version. A value of 0 represents a service that has not yet been released."
},
"validFor": {
"$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",
"additionalProperties": false,
"description": "Validity period of a service. A service that has only a start date should be considered the most recent instance of that service, but the client must not assume there is only one valid instance. The TimeRange should be considered valid *inclusive* of the endpoints."
}
},
"additionalProperties": false,
"type": "object",
"title": "Service",
"description": "Service represents an instance of a service that is a part of Sigstore infrastructure. Clients must use the API version hint to determine the service with the highest API version that the client is compatible with. Clients must also only connect to services within the specified validity period and that has the newest validity start date."
},
"dev.sigstore.trustroot.v1.SigningConfig": {
"properties": {
"mediaType": {
"type": "string",
"description": "MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json"
"description": "MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json or application/vnd.dev.sigstore.signingconfig.v0.2+json"
},
"caUrl": {
"type": "string",
"description": "A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
"description": "Deprecated: Use certificate_authority_urls A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
},
"oidcUrl": {
"type": "string",
"description": "A URL to an OpenID Connect identity provider. This URL **MUST** be the \"base\" URL for the OIDC IdP, which clients should perform well-known OpenID Connect discovery against."
"description": "Deprecated: Use openid_connect_provider_urls A URL to an OpenID Connect identity provider. This URL **MUST** be the \"base\" URL for the OIDC IdP, which clients should perform well-known OpenID Connect discovery against."
},
"tlogUrls": {
"items": {
"type": "string"
},
"type": "array",
"description": "One or more URLs to Rekor-compatible transparency log. Each URL **MUST** be the \"base\" URL for the transparency log, which clients should construct appropriate API endpoints on top of."
"description": "Deprecated: Use rekor_log_urls One or more URLs to Rekor-compatible transparency logs. Each URL **MUST** be the \"base\" URL for the transparency log, which clients should construct appropriate API endpoints on top of."
},
"tsaUrls": {
"items": {
"type": "string"
},
"type": "array",
"description": "One ore more URLs to RFC 3161 Time Stamping Authority (TSA). Each URL **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161."
"description": "Deprecated: Use timestamp_authority_urls One or more URLs to RFC 3161 Time Stamping Authorities (TSA). Each URL **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161."
},
"certificateAuthorityUrls": {
"items": {
"$ref": "#/definitions/dev.sigstore.trustroot.v1.Service"
},
"additionalProperties": false,
"type": "array",
"description": "URLs to Fulcio-compatible CAs, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. These URLs **MUST** be the \"base\" URL for the CAs, which clients should construct an appropriate CSR endpoint on top of. For example, if a CA URL is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`. Clients must select only Service with the highest API version that the client is compatible with and that is within its validity period. Clients should select the first Service that meets this requirement."
},
"openidConnectProviderUrls": {
"items": {
"$ref": "#/definitions/dev.sigstore.trustroot.v1.Service"
},
"additionalProperties": false,
"type": "array",
"description": "URLs to OpenID Connect identity providers. These URLs **MUST** be the \"base\" URLs for the OIDC IdPs, which clients should perform well-known OpenID Connect discovery against. Clients must select only Service with the highest API version that the client is compatible with and that is within its validity period. Clients should select the first Service that meets this requirement."
},
"rekorLogUrls": {
"items": {
"$ref": "#/definitions/dev.sigstore.trustroot.v1.Service"
},
"additionalProperties": false,
"type": "array",
"description": "URLs to Rekor-compatible transparency logs. These URL **MUST** be the \"base\" URLs for the transparency logs, which clients should construct appropriate API endpoints on top of. Clients must select ALL Services with the highest API version that the client is compatible with and that are within its validity period."
},
"timestampAuthorityUrls": {
"items": {
"$ref": "#/definitions/dev.sigstore.trustroot.v1.Service"
},
"additionalProperties": false,
"type": "array",
"description": "URLs to RFC 3161 Time Stamping Authorities (TSA). These URLs **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161. Clients must select ALL Services with the highest API version that the client is compatible with and that are within its validity period."
}
},
"additionalProperties": false,
Expand Down
50 changes: 50 additions & 0 deletions gen/jsonschema/schemas/Service.schema.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/Service",
"definitions": {
"Service": {
"properties": {
"url": {
"type": "string",
"description": "URL of the service. Must include scheme and authority. May include path."
},
"majorApiVersion": {
"type": "integer",
"description": "Specifies the major API version. A value of 0 represents a service that has not yet been released."
},
"validFor": {
"$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",
"additionalProperties": false,
"description": "Validity period of a service. A service that has only a start date should be considered the most recent instance of that service, but the client must not assume there is only one valid instance. The TimeRange should be considered valid *inclusive* of the endpoints."
}
},
"additionalProperties": false,
"type": "object",
"title": "Service",
"description": "Service represents an instance of a service that is a part of Sigstore infrastructure. Clients must use the API version hint to determine the service with the highest API version that the client is compatible with. Clients must also only connect to services within the specified validity period and that has the newest validity start date."
},
"dev.sigstore.common.v1.TimeRange": {
"properties": {
"start": {
"type": "string",
"format": "date-time"
},
"end": {
"type": "string",
"format": "date-time"
}
},
"additionalProperties": false,
"type": "object",
"oneOf": [
{
"required": [
"end"
]
}
],
"title": "Time Range",
"description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end."
}
}
}
86 changes: 81 additions & 5 deletions gen/jsonschema/schemas/SigningConfig.schema.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,35 +6,111 @@
"properties": {
"mediaType": {
"type": "string",
"description": "MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json"
"description": "MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json or application/vnd.dev.sigstore.signingconfig.v0.2+json"
},
"caUrl": {
"type": "string",
"description": "A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
"description": "Deprecated: Use certificate_authority_urls A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
},
"oidcUrl": {
"type": "string",
"description": "A URL to an OpenID Connect identity provider. This URL **MUST** be the \"base\" URL for the OIDC IdP, which clients should perform well-known OpenID Connect discovery against."
"description": "Deprecated: Use openid_connect_provider_urls A URL to an OpenID Connect identity provider. This URL **MUST** be the \"base\" URL for the OIDC IdP, which clients should perform well-known OpenID Connect discovery against."
},
"tlogUrls": {
"items": {
"type": "string"
},
"type": "array",
"description": "One or more URLs to Rekor-compatible transparency log. Each URL **MUST** be the \"base\" URL for the transparency log, which clients should construct appropriate API endpoints on top of."
"description": "Deprecated: Use rekor_log_urls One or more URLs to Rekor-compatible transparency logs. Each URL **MUST** be the \"base\" URL for the transparency log, which clients should construct appropriate API endpoints on top of."
},
"tsaUrls": {
"items": {
"type": "string"
},
"type": "array",
"description": "One ore more URLs to RFC 3161 Time Stamping Authority (TSA). Each URL **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161."
"description": "Deprecated: Use timestamp_authority_urls One or more URLs to RFC 3161 Time Stamping Authorities (TSA). Each URL **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161."
},
"certificateAuthorityUrls": {
"items": {
"$ref": "#/definitions/dev.sigstore.trustroot.v1.Service"
},
"additionalProperties": false,
"type": "array",
"description": "URLs to Fulcio-compatible CAs, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. These URLs **MUST** be the \"base\" URL for the CAs, which clients should construct an appropriate CSR endpoint on top of. For example, if a CA URL is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`. Clients must select only Service with the highest API version that the client is compatible with and that is within its validity period. Clients should select the first Service that meets this requirement."
},
"openidConnectProviderUrls": {
"items": {
"$ref": "#/definitions/dev.sigstore.trustroot.v1.Service"
},
"additionalProperties": false,
"type": "array",
"description": "URLs to OpenID Connect identity providers. These URLs **MUST** be the \"base\" URLs for the OIDC IdPs, which clients should perform well-known OpenID Connect discovery against. Clients must select only Service with the highest API version that the client is compatible with and that is within its validity period. Clients should select the first Service that meets this requirement."
},
"rekorLogUrls": {
"items": {
"$ref": "#/definitions/dev.sigstore.trustroot.v1.Service"
},
"additionalProperties": false,
"type": "array",
"description": "URLs to Rekor-compatible transparency logs. These URL **MUST** be the \"base\" URLs for the transparency logs, which clients should construct appropriate API endpoints on top of. Clients must select ALL Services with the highest API version that the client is compatible with and that are within its validity period."
},
"timestampAuthorityUrls": {
"items": {
"$ref": "#/definitions/dev.sigstore.trustroot.v1.Service"
},
"additionalProperties": false,
"type": "array",
"description": "URLs to RFC 3161 Time Stamping Authorities (TSA). These URLs **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161. Clients must select ALL Services with the highest API version that the client is compatible with and that are within its validity period."
}
},
"additionalProperties": false,
"type": "object",
"title": "Signing Config",
"description": "SigningConfig represents the trusted entities/state needed by Sigstore signing. In particular, it primarily contains service URLs that a Sigstore signer may need to connect to for the online aspects of signing."
},
"dev.sigstore.common.v1.TimeRange": {
"properties": {
"start": {
"type": "string",
"format": "date-time"
},
"end": {
"type": "string",
"format": "date-time"
}
},
"additionalProperties": false,
"type": "object",
"oneOf": [
{
"required": [
"end"
]
}
],
"title": "Time Range",
"description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end."
},
"dev.sigstore.trustroot.v1.Service": {
"properties": {
"url": {
"type": "string",
"description": "URL of the service. Must include scheme and authority. May include path."
},
"majorApiVersion": {
"type": "integer",
"description": "Specifies the major API version. A value of 0 represents a service that has not yet been released."
},
"validFor": {
"$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",
"additionalProperties": false,
"description": "Validity period of a service. A service that has only a start date should be considered the most recent instance of that service, but the client must not assume there is only one valid instance. The TimeRange should be considered valid *inclusive* of the endpoints."
}
},
"additionalProperties": false,
"type": "object",
"title": "Service",
"description": "Service represents an instance of a service that is a part of Sigstore infrastructure. Clients must use the API version hint to determine the service with the highest API version that the client is compatible with. Clients must also only connect to services within the specified validity period and that has the newest validity start date."
}
}
}
Loading

0 comments on commit d7dfccc

Please sign in to comment.