Allow signature-less envelopes.

This supports cases where the consumer is not expected to verify anything, so the producer doesn't need to use a dummy signature.
secure-systems-lab · Jun 15, 2021 · a1aef95 · a1aef95
1 parent 882f8d0
commit a1aef95
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/envelope.md b/envelope.md
@@ -52,12 +52,26 @@ envelopes with individual signatures.
 }
 ```
 
+### No signatures
+
+An envelope MAY have zero signatures to indicate unsigned data. For example,
+[SLSA 1](https://github.com/slsa-framework/slsa) does not require authenticated
+[in-toto provenance](https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md),
+in which case an envelope with zero signatures may be useful.
+
+```json
+{
+  "payload": "<Base64(SERIALIZED_BODY)>",
+  "payloadType": "<PAYLOAD_TYPE>"
+}
+```
+
 ### Parsing rules
 
 *   The following fields are REQUIRED and MUST be set, even if empty: `payload`,
-    `payloadType`, `signature`, `signature.sig`.
-*   The following fields are OPTIONAL and MAY be unset: `signature.keyid`.
-    An unset field MUST be treated the same as set-but-empty.
+    `payloadType`, `signature.sig`.
+*   The following fields are OPTIONAL and MAY be unset: `signature`,
+    `signature.keyid`. An unset field MUST be treated the same as set-but-empty.
 *   Consumers MUST ignore unrecognized fields.
 
 ## Other data structures

diff --git a/envelope.proto b/envelope.proto
@@ -19,7 +19,7 @@ message Envelope {
   //     le64(n) := 64-bit little-endian encoding of integer `n`, 0 <= n < 2^63
   //     len(s) := number of octets in byte sequence `s`
   //     utf8(s) := UTF-8 encoding of unicode string `s`
-  // REQUIRED (length >= 1).
+  // OPTIONAL.
   repeated Signature signatures = 3;
 }