common: message_digest is not required

In most verification flows, this field will never be used. Signed-off-by: William Woodruff <william@trailofbits.com>
trail-of-forks · Jul 28, 2023 · c273b46 · c273b46
1 parent 629b7aa
commit c273b46
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
@@ -71,6 +71,8 @@ message HashOutput {
 // MessageSignature stores the computed signature over a message.
 message MessageSignature {
         // Message digest can be used to identify the artifact.
+        // Clients MUST NOT attempt to use this digest to verify the associated
+        // signature; it is intended solely for identification.
         HashOutput message_digest = 1 [(google.api.field_behavior) = REQUIRED];
         // The raw bytes as returned from the signature algorithm.
         // The signature algorithm (and so the format of the signature bytes)