From 0606c22cb98424a7c6ebcee3ffe0a55dda9c35c5 Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Fri, 9 Aug 2024 14:12:29 -0400
Subject: [PATCH] sigstore_rekor: clarify inclusion_promise requirement (#380)

---
 gen/jsonschema/schemas/Bundle.schema.json     |   2 +-
 gen/jsonschema/schemas/Input.schema.json      |   2 +-
 .../schemas/TransparencyLogEntry.schema.json  |   2 +-
 .../schemas/VerificationMaterial.schema.json  |   2 +-
 gen/pb-go/rekor/v1/sigstore_rekor.pb.go       |   7 +++++--
 .../dev/sigstore/rekor/v1/__init__.py         |   7 +++++--
 .../src/generated/dev.sigstore.rekor.v1.rs    |   7 +++++--
 .../src/generated/file_descriptor_set.bin     | Bin 118386 -> 118553 bytes
 .../src/__generated__/sigstore_rekor.ts       |   7 +++++--
 protos/sigstore_rekor.proto                   |   7 +++++--
 10 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
index 5d2c83a1..768f9dba 100644
--- a/gen/jsonschema/schemas/Bundle.schema.json
+++ b/gen/jsonschema/schemas/Bundle.schema.json
@@ -319,7 +319,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
index 3e65bf5d..1e9e8421 100644
--- a/gen/jsonschema/schemas/Input.schema.json
+++ b/gen/jsonschema/schemas/Input.schema.json
@@ -512,7 +512,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
index cc3d6a2e..c548f868 100644
--- a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
+++ b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
@@ -25,7 +25,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json
index 5bb1ac50..14faa461 100644
--- a/gen/jsonschema/schemas/VerificationMaterial.schema.json
+++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json
@@ -236,7 +236,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
index 0ab50bf7..ef5efe48 100644
--- a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
+++ b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
@@ -326,8 +326,11 @@ type TransparencyLogEntry struct {
 	IntegratedTime int64 `protobuf:"varint,4,opt,name=integrated_time,json=integratedTime,proto3" json:"integrated_time,omitempty"`
 	// The inclusion promise/signed entry timestamp from the log.
 	// Required for v0.1 bundles, and MUST be verified.
-	// Optional for >= v0.2 bundles, and SHOULD be verified when present.
-	// Also may be used as a signed timestamp.
+	// Optional for >= v0.2 bundles if another suitable source of
+	// time is present (such as another source of signed time,
+	// or the current system time for long-lived certificates).
+	// MUST be verified if no other suitable source of time is present,
+	// and SHOULD be verified otherwise.
 	InclusionPromise *InclusionPromise `protobuf:"bytes,5,opt,name=inclusion_promise,json=inclusionPromise,proto3" json:"inclusion_promise,omitempty"`
 	// The inclusion proof can be used for offline or online verification
 	// that the entry was appended to the log, and that the log has not been
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
index d45068f6..927ed6f2 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
@@ -127,8 +127,11 @@ class TransparencyLogEntry(betterproto.Message):
     inclusion_promise: "InclusionPromise" = betterproto.message_field(5)
     """
     The inclusion promise/signed entry timestamp from the log. Required for
-    v0.1 bundles, and MUST be verified. Optional for >= v0.2 bundles, and
-    SHOULD be verified when present. Also may be used as a signed timestamp.
+    v0.1 bundles, and MUST be verified. Optional for >= v0.2 bundles if another
+    suitable source of time is present (such as another source of signed time,
+    or the current system time for long-lived certificates). MUST be verified
+    if no other suitable source of time is present, and SHOULD be verified
+    otherwise.
     """
 
     inclusion_proof: "InclusionProof" = betterproto.message_field(6)
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
index 9fed5246..80556e38 100644
--- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
+++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
@@ -131,8 +131,11 @@ pub struct TransparencyLogEntry {
     pub integrated_time: i64,
     /// The inclusion promise/signed entry timestamp from the log.
     /// Required for v0.1 bundles, and MUST be verified.
-    /// Optional for >= v0.2 bundles, and SHOULD be verified when present.
-    /// Also may be used as a signed timestamp.
+    /// Optional for >= v0.2 bundles if another suitable source of
+    /// time is present (such as another source of signed time,
+    /// or the current system time for long-lived certificates).
+    /// MUST be verified if no other suitable source of time is present,
+    /// and SHOULD be verified otherwise.
     #[prost(message, optional, tag = "5")]
     pub inclusion_promise: ::core::option::Option<InclusionPromise>,
     /// The inclusion proof can be used for offline or online verification
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin
index 71a7c58b33af146dd4824fc3346ec27214dc9215..66e9233bca24e1218e9c397aeef337c2fc860372 100644
GIT binary patch
delta 505
zcmZ{gKTpC?6vcV;mDU$Q(gFVs-pPpaXLEI7FhrseNL<vE@(M3PtM9cKCyWEECJw}e
zxEQ~INf+IXpT$W(fIcdX(ZuoGdw%Dh-1o6|d#7DKqI4;KvlSR6RKYV(n?y6zRBRZW
z0jkG?=Q7$$qG6CaKyNsGtq_cH92<(O7niP-(Ps^1MsSGyJ}?_h$MxEjgYcPWHaZl9
z>vM~OYZLHTmjV-T%Bi4^2W!H&+F*(wDDr|}Er&KkB1gdGAVb0OIiGOiLU^?M9cRm3
z$8}oy4(s<MVNvcen^~quMYceoQm@vaL7_*v97}`j=(zA-$-f=tanor+b$hqIQ~H$?
zCY&=t3xv!PRlcN%6O*SbOeIEAEv`pOkt$yx_b7ayYA9l~e1sm#LeESssszORYNR9}
zvJtN8Qf*Yp9MR<^RUhjyImqpk7cI<77<dqnWAv)543M5A$*@rZ$uUYnB$bKlqk;M-
EU)0rs*Z=?k

delta 343
zcmbO^kNwje_J%Et0xryNY`LZ@q%ewZ*KlDpXW^V`%Ed0k%E!>My-<NMlxh23FU9~~
z#+L1T5sYtG1YR<7v9Pc(u?R8eaOg|jW}N;%gi&m|LM&rxy^ca+UW!7nhkvM#i$YSW
zLRo52W?E)yib8otYMw$tQEG8&UWp!;f@4l`zCvzdB}h$aF;G6SSRqlNI5RyD$S%pu
zO)V}-%q`I4;^N_A1zE)gvP%NSV+8UfwO~AEAWv71YcbGO>_D}wLd*rz55+Mq^(x>H
zgQ{T#>L?IbgYkem3N&H*Svi0_?O-l`E)I}xjyW6*KmnZ~t`qEFZ?XxoG;iM+&v=Si
ezL}AOmx~wdA~r^#Fe9G=jLQsCH7l91J{tg_NJp;#

diff --git a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
index d33b5933..1e9ab6fa 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
@@ -103,8 +103,11 @@ export interface TransparencyLogEntry {
   /**
    * The inclusion promise/signed entry timestamp from the log.
    * Required for v0.1 bundles, and MUST be verified.
-   * Optional for >= v0.2 bundles, and SHOULD be verified when present.
-   * Also may be used as a signed timestamp.
+   * Optional for >= v0.2 bundles if another suitable source of
+   * time is present (such as another source of signed time,
+   * or the current system time for long-lived certificates).
+   * MUST be verified if no other suitable source of time is present,
+   * and SHOULD be verified otherwise.
    */
   inclusionPromise:
     | InclusionPromise
diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto
index 424ff40c..89159601 100644
--- a/protos/sigstore_rekor.proto
+++ b/protos/sigstore_rekor.proto
@@ -104,8 +104,11 @@ message TransparencyLogEntry {
         int64 integrated_time = 4 [(google.api.field_behavior) = REQUIRED];
         // The inclusion promise/signed entry timestamp from the log.
         // Required for v0.1 bundles, and MUST be verified.
-        // Optional for >= v0.2 bundles, and SHOULD be verified when present.
-        // Also may be used as a signed timestamp.
+        // Optional for >= v0.2 bundles if another suitable source of
+        // time is present (such as another source of signed time,
+        // or the current system time for long-lived certificates).
+        // MUST be verified if no other suitable source of time is present,
+        // and SHOULD be verified otherwise.
         InclusionPromise inclusion_promise = 5;
         // The inclusion proof can be used for offline or online verification
         // that the entry was appended to the log, and that the log has not been