This repository holds protobuf specifications for Sigstore messages.
If you change protobuf definitions, you will need to regenerate the code by running the protocol buffer compiler on the changed .proto files.
You will need Docker installed and configured to run as a non-root user to generate the protobuf stubs. Then run

    $ make all

to generate the Go and Python files under gen/.
With the standardization of post-quantum cryptography signing algorithms by NIST, ML-DSA (FIPS 204, Dilithium) and SLH-DSA (FIPS 205, SPHINCS+), and with ongoing work to standardize another set of algorithms, Sigstore will be accepting additional algorithms to sign artifacts and verification material.
To add a new algorithm, you must first get consensus with the community through an update to the algorithm registry specification. Tag client maintainers to make sure that the new algorithm can be supported by their ecosystem. Algorithms do not have to be supported by all clients, but you should not propose an algorithm that is not widely standardized. Algorithms must be supported in Go since Fulcio and Rekor will need to be updated to support signature verification, and the Go libraries should be well-known and vetted and not based on C implementations with Go bindings.
After updating the specification, update the PublicKeyDetails enum to include the new signing algorithm identifier. If the algorithm also uses a new hashing algorithm, update HashAlgorithm as well.
- Effective January 17th, 2025: the jsonschema generated files in gen/jsonschema/schemas/ are formally deprecated. They will be removed from this repository in 6 months and will no longer be built going forward. If you are using them, please open an issue on this repository and let us know.