sigstore 0.14.0

An experimental crate to interact with sigstore
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

//
// Copyright 2026 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

use serde::Serialize;

use crate::cosign::bundle::Bundle;

/// Evidence that a signature was recorded in a transparency log.
///
/// Cosign supports two provenance formats:
///
/// - [`BundleContent::RekorBundle`]: the legacy cosign-specific format,
///   consisting of a Signed Entry Timestamp (SET) and a payload with body,
///   integrated time, log index, and log ID.  Stored as OCI annotations on
///   tag-based cosign signature layers.
///
/// - [`BundleContent::SigstoreBundle`]: the protobuf-based Sigstore bundle
///   format (v0.1–v0.3), carrying a full [`TransparencyLogEntry`](sigstore_protobuf_specs::dev::sigstore::rekor::v1::TransparencyLogEntry).
///   The entry is verified (SET / inclusion promise, Merkle inclusion proof, and body
///   consistency) during [`SignatureLayer`](super::signature_layers::SignatureLayer)
///   construction; the verified entry is retained here for downstream verifiers.
#[derive(Clone, Debug, Serialize)]
pub enum BundleContent {
    /// Legacy cosign-specific Rekor bundle stored as OCI annotations.
    /// Contains a Signed Entry Timestamp (SET) and a payload with body,
    /// integrated time, log index, and log ID.
    RekorBundle(Bundle),
    /// Protobuf-based Sigstore bundle transparency log entry (v0.1–v0.3).
    /// The entry has been fully verified (SET / inclusion promise, Merkle
    /// inclusion proof, and body consistency) prior to being stored here.
    SigstoreBundle(sigstore_protobuf_specs::dev::sigstore::rekor::v1::TransparencyLogEntry),
}

impl BundleContent {
    /// Returns the UNIX timestamp from the transparency log when the entry
    /// was persisted.
    pub fn integrated_time(&self) -> i64 {
        match self {
            BundleContent::RekorBundle(b) => b.payload.integrated_time,
            BundleContent::SigstoreBundle(entry) => entry.integrated_time,
        }
    }
}