keyid documented, but not annotated, as optional in io.intoto.Signature

[jku]

message Signature {
  // Signature itself. (In JSON, this is encoded as base64.)
  // REQUIRED.
  bytes sig = 1;

  // *Unauthenticated* hint identifying which public key was used.
  // OPTIONAL.
  string keyid = 2;
}

should maybe be optional string keyid = 2; -- alternatively should not be documented as optional and should instead suggest a placeholder value?

[jku]

ah, I've just been told in this version of protobuf optional is the default 🤷

So maybe this is not a bug at all... It feels wrong that the generated code annotations now don't expose optionality at all but this seems to be as designed.

[haydentherapper]

Yea, optional is now the default in proto3. We should be annotating sig as required though based on the comment.

[woodruffw]

Summarizing from a discussion in the Sigstore Slack:

This is caused by the mess that is optional/required semantics in proto3 -- in proto3 everything is implicitly optional, even if not marked with the optional qualifier. This is made even more complicated by the fact that the optional qualifier was actually removed from proto3, but then re-added in 3.15.

Ideally we'd use optional to mark optionality (which would result in correct type hints in the Python bindings), but this may change the wire format (although I'm not sure this actually would matter, since everybody uses the JSON format). But even with that change, everything that isn't marked as optional is still optional (thanks to "implicit field presence").