Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Explain "valid time" and add publickeyID Signed-off-by: Appu <appu@google.com>
- Loading branch information
1 parent
9c16d65
commit a2735b7
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,10 +18,12 @@ is satisfied by the **Verification Material** and signature **Content**. | |
|
|
||
| ### Verification Material | ||
|
|
||
| This is key material used to verify signatures along with supporting metadata like transparency log entries and timestamps. When using short lived Fulcio certificates where verification may occur after the certificate has expired, bundles must include at least one transparency log's signed entry timestamp or an [RFC3161](https://www.ietf.org/rfc/rfc3161.txt) timestamp to provide proof that signing occured during the ceritificates validity window. | ||
|
|
||
| #### Key Material | ||
|
|
||
| ##### X.509 certificate | ||
|
|
||
| A single X.509 leaf certificate conveying the signing key and containing [extensions](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md) | ||
|
Check failure on line 27 in content/en/about/bundle.md
|
||
| for identities consumed at verification time. This is the recommended `"verificationMaterial"` type | ||
| for use with the public Sigstore infrastructure. | ||
|
|
@@ -34,10 +36,23 @@ for use with the public Sigstore infrastructure. | |
| } | ||
| ``` | ||
|
|
||
| ##### Public Key Identifier | ||
|
|
||
| A hint to identify an (out of band) delivered key, to verify a signature. Like traditional PKI key distribution | ||
| the format of the hint must be agreed upon out of band by the signer and the verifiers. The key itself is not embedded in the Sigstore bundle. | ||
|
|
||
| ```json | ||
| "verificationMaterial": { | ||
| "publicKeyIdentifier": { | ||
| "hint": "<HINT>" | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| #### Transparency Log Entries | ||
|
|
||
| One or more transparency logs entries to provide proof of inclusion in a public log and optionally a timestamp to | ||
| validate signing occurred during ceritificate validity. | ||
|
|
||
| ```json | ||
| "verificationMaterial": { | ||
|
|
@@ -76,7 +91,7 @@ validate signing occurred at a valid point in time. | |
|
|
||
| #### Timestamp | ||
|
|
||
| Zero or more [RFC3161](https://www.ietf.org/rfc/rfc3161.txt) timestamps to validate signing occurred during ceritificate validity. | ||
|
|
||
| ```json | ||
| "verificationMaterial": { | ||
|
|
||
