Update signature spec with timestamp annotation (sigstore#1274)
The timestamp will be used to find a versioned TUF target metadata.
This allows targets to be rotated while still being able to validate
old entries that were signed by previous targets.

Ref sigstore#1273

Signed-off-by: Hayden Blauzvern <[email protected]>
haydentherapper authored and mlieberman85 committed May 6, 2022

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent ed77f64 commit d1baed2
Showing 1 changed file with 46 additions and 0 deletions.
46 changes: 46 additions & 0 deletions specs/SIGNATURE_SPEC.md
@@ -100,6 +100,7 @@ Gyp4apdU7AXEwysEQIb034aPrTlpmxh90SnTZFs2DHOvCjCPPAmoWfuQUwPhSPRb
```

* `bundle` string

This OPTIONAL property contains a JSON formatted `bundle` type, which can be used for offline verification.
Example `bundle`:

@@ -124,6 +125,38 @@ Gyp4apdU7AXEwysEQIb034aPrTlpmxh90SnTZFs2DHOvCjCPPAmoWfuQUwPhSPRb

For instructions on using the `bundle` for verification, see [USAGE.md](../USAGE.md#verify-a-signature-was-added-to-the-transparency-log).

* `timestamp` string

This OPTIONAL property contains JSON formatted [TUF timestamp metadata](https://theupdateframework.io/metadata/#timestamp-metadata-timestampjson), which is used to find which versioned TUF target should be used to verify a signature.
Example `timestamp`:

```json
{
"signatures": [
{
"keyid": "b6710623a30c010738e64c5209d367df1c0a18cf90e6ab5292fb01680f83453d",
"sig": "3046022100926cd1a5a90539f3efa97390293180132413c7d30d94399c220a8a9aa9907e6e0221009e07b0e207f76dd45caeab87258553ddcf83fc7db6dfbbd4678d18f8c3517023"
}
],
"signed": {
"_type": "timestamp",
"expires": "2022-01-15T00:39:22Z",
"meta": {
"snapshot.json": {
"hashes": {
"sha256": "95e5b6822e0c3a9924f2f906c0b75e09246ad6d37078806085a273fddd079679",
"sha512": "4b1df9f2cc2d052bee185554ded7c526e283d4fab8388557a7b684c4ce0efb28c196e33a5140e7de9de99b2f5f37a7b2503617c2ff220168c5b7a79340675acf"
},
"length": 1658,
"version": 8
}
},
"spec_version": "1.0",
"version": 8
}
}
```

## Storage

`cosign` image signatures are stored in an OCI registry and are designed to make use of the existing specifications.
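Review bot: the new `timestamp` property is described as enough to "find which versioned TUF target should be used to verify a signature", but TUF timestamp metadata only records the version and hashes of `snapshot.json` (see `"meta": {"snapshot.json": {...}}` in the example); resolving the targets version still needs the snapshot and targets metadata, and checking the timestamp's own `signatures` needs the trusted root keys. Suggest stating what the verifier must already hold or fetch alongside this property. Two further gaps in the same hunk: the example carries `"expires": "2022-01-15T00:39:22Z"`, already in the past when this was committed (May 6, 2022), and since the stated goal is validating old entries signed by previous targets, the text should say how expiry is treated for historical verification rather than leaving the normal TUF freshness check implied; and the `bundle` entry just above links to USAGE.md for verification instructions while the `timestamp` entry gives none.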
@@ -239,6 +272,19 @@ Example `chain`:
}
```

##### Timestamp

The `timestamp` is stored as an `annotation` on the layer, in the same descriptor.
The `annotation` key is `dev.cosignproject.cosign/timestamp`.

Example `timestamp`:

```json
"annotations": {
"dev.sigstore.cosign/timestamp": "{\"signatures\": [{\"keyid\": \"b6710623a30c010738e64c5209d367df1c0a18cf90e6ab5292fb01680f83453d\", \"sig\": \"3046022100926cd1a5a90539f3efa97390293180132413c7d30d94399c220a8a9aa9907e6e0221009e07b0e207f76dd45caeab87258553ddcf83fc7db6dfbbd4678d18f8c3517023\"}], \"signed\": {\"_type\": \"timestamp\", \"expires\": \"2022-01-15T00:39:22Z\", \"meta\": {\"snapshot.json\": {\"hashes\": {\"sha256\": \"95e5b6822e0c3a9924f2f906c0b75e09246ad6d37078806085a273fddd079679\", \"sha512\": \"4b1df9f2cc2d052bee185554ded7c526e283d4fab8388557a7b684c4ce0efb28c196e33a5140e7de9de99b2f5f37a7b2503617c2ff220168c5b7a79340675acf\"}, \"length\": 1658, \"version\": 8}}, \"spec_version\": \"1.0\", \"version\": 8}}"
}
```

## Payloads

Implementations MUST support at least the following payload types:
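Review bot: the annotation key in the prose, `dev.cosignproject.cosign/timestamp`, does not match the key used in the example, `dev.sigstore.cosign/timestamp`; a verifier written from the prose would look up a key the example never writes, so pick one and use it in both places. The escaped JSON string in the example otherwise matches the `timestamp` example added earlier in this diff, so the two sections stay consistent once the key is fixed.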
