sigstore
diff --git a/‎sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java
Lines changed: 103 additions & 35 deletions b/‎sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java
Lines changed: 103 additions & 35 deletions
diff --git a/‎sigstore-java/src/test/java/dev/sigstore/KeylessVerifierTest.java
Lines changed: 54 additions & 3 deletions b/‎sigstore-java/src/test/java/dev/sigstore/KeylessVerifierTest.java
Lines changed: 54 additions & 3 deletions
diff --git a/‎sigstore-java/src/test/resources/dev/sigstore/samples/bundles/bundle.dsse.rekor-v2.bad-signature.sigstore
Lines changed: 1 addition & 0 deletions b/‎sigstore-java/src/test/resources/dev/sigstore/samples/bundles/bundle.dsse.rekor-v2.bad-signature.sigstore
Lines changed: 1 addition & 0 deletions
@@ -33,7 +33,9 @@
 import dev.sigstore.fulcio.client.FulcioVerifier;
 import dev.sigstore.json.ProtoJson;
 import dev.sigstore.proto.common.v1.HashAlgorithm;
+import dev.sigstore.proto.rekor.v2.DSSELogEntryV002;
 import dev.sigstore.proto.rekor.v2.HashedRekordLogEntryV002;
+import dev.sigstore.proto.rekor.v2.Signature;
 import dev.sigstore.rekor.client.HashedRekordRequest;
 import dev.sigstore.rekor.client.RekorEntry;
 import dev.sigstore.rekor.client.RekorTypeException;
@@ -306,18 +308,22 @@ private void checkMessageSignature(
         throw new KeylessVerificationException(
             "Could not parse HashedRekordLogEntryV002 from log entry body");
       }
+
       if (!logEntrySpec.getData().getAlgorithm().equals(HashAlgorithm.SHA2_256)) {
         throw new KeylessVerificationException(
             "Unsupported digest algorithm in log entry: " + logEntrySpec.getData().getAlgorithm());
       }
+
       if (!Arrays.equals(logEntrySpec.getData().getDigest().toByteArray(), artifactDigest)) {
         throw new KeylessVerificationException(
             "Artifact digest does not match digest in log entry spec");
       }
+
       if (!Arrays.equals(logEntrySpec.getSignature().getContent().toByteArray(), signature)) {
         throw new KeylessVerificationException(
             "Signature does not match signature in log entry spec");
       }
+
       var verifier = logEntrySpec.getSignature().getVerifier();
       if (!verifier.hasX509Certificate()) {
         throw new KeylessVerificationException("Rekor entry verifier is missing X.509 certificate");
@@ -399,46 +405,108 @@ private void checkDsseEnvelope(
       throw new KeylessVerificationException("Signature could not be processed", se);
     }
 
-    // check if the digest over the dsse payload matches the digest in the transparency log entry
-    Dsse rekorDsse;
-    try {
-      rekorDsse = RekorTypes.getDsse(rekorEntry);
-    } catch (RekorTypeException re) {
-      throw new KeylessVerificationException("Unexpected rekor type", re);
-    }
+    String version = rekorEntry.getBodyDecoded().getApiVersion();
+    if ("0.0.1".equals(version)) {
+      Dsse rekorDsse;
+      try {
+        rekorDsse = RekorTypes.getDsse(rekorEntry);
+      } catch (RekorTypeException re) {
+        throw new KeylessVerificationException("Unexpected rekor type", re);
+      }
 
-    var algorithm = rekorDsse.getPayloadHash().getAlgorithm();
-    if (algorithm != PayloadHash.Algorithm.SHA_256) {
-      throw new KeylessVerificationException(
-          "Cannot process DSSE entry with hashing algorithm " + algorithm.toString());
-    }
+      var algorithm = rekorDsse.getPayloadHash().getAlgorithm();
+      if (algorithm != PayloadHash.Algorithm.SHA_256) {
+        throw new KeylessVerificationException(
+            "Cannot process DSSE entry with hashing algorithm " + algorithm.toString());
+      }
 
-    byte[] payloadDigest;
-    try {
-      payloadDigest = Hex.decode(rekorDsse.getPayloadHash().getValue());
-    } catch (DecoderException de) {
-      throw new KeylessVerificationException(
-          "Could not decode hex sha256 artifact hash in hashrekord", de);
-    }
+      // check if the digest over the dsse payload matches the digest in the transparency log entry
+      byte[] payloadDigest;
+      try {
+        payloadDigest = Hex.decode(rekorDsse.getPayloadHash().getValue());
+      } catch (DecoderException de) {
+        throw new KeylessVerificationException(
+            "Could not decode hex sha256 artifact hash in hashrekord", de);
+      }
 
-    byte[] calculatedDigest = Hashing.sha256().hashBytes(dsseEnvelope.getPayload()).asBytes();
-    if (!Arrays.equals(calculatedDigest, payloadDigest)) {
-      throw new KeylessVerificationException(
-          "Digest of DSSE payload in bundle does not match DSSE payload digest in log entry");
-    }
+      byte[] calculatedDigest = Hashing.sha256().hashBytes(dsseEnvelope.getPayload()).asBytes();
+      if (!Arrays.equals(calculatedDigest, payloadDigest)) {
+        throw new KeylessVerificationException(
+            "Digest of DSSE payload in bundle does not match DSSE payload digest in log entry");
+      }
 
-    // check if the signature over the dsse payload matches the signature in the rekorEntry
-    if (rekorDsse.getSignatures().size() != 1) {
-      throw new KeylessVerificationException(
-          "DSSE log entry must have exactly 1 signature, but found: "
-              + rekorDsse.getSignatures().size());
-    }
+      // check if the signature over the dsse payload matches the signature in the rekorEntry
+      if (rekorDsse.getSignatures().size() != 1) {
+        throw new KeylessVerificationException(
+            "DSSE log entry must have exactly 1 signature, but found: "
+                + rekorDsse.getSignatures().size());
+      }
 
-    if (!Base64.getEncoder()
-        .encodeToString(dsseEnvelope.getSignature())
-        .equals(rekorDsse.getSignatures().get(0).getSignature())) {
-      throw new KeylessVerificationException(
-          "Provided DSSE signature materials are inconsistent with DSSE log entry");
+      if (!Base64.getEncoder()
+          .encodeToString(dsseEnvelope.getSignature())
+          .equals(rekorDsse.getSignatures().get(0).getSignature())) {
+        throw new KeylessVerificationException(
+            "Provided DSSE signature materials are inconsistent with DSSE log entry");
+      }
+    } else if ("0.0.2".equals(version)) {
+      DSSELogEntryV002 logEntrySpec;
+      try {
+        DSSELogEntryV002.Builder builder = DSSELogEntryV002.newBuilder();
+        ProtoJson.parser()
+            .merge(
+                new Gson()
+                    .toJson(
+                        rekorEntry.getBodyDecoded().getSpec().getAsJsonObject().get("dsseV002")),
+                builder);
+        logEntrySpec = builder.build();
+      } catch (InvalidProtocolBufferException ipbe) {
+        throw new KeylessVerificationException(
+            "Could not parse DSSELogEntryV002 from log entry body", ipbe);
+      }
+
+      if (!logEntrySpec.getPayloadHash().getAlgorithm().equals(HashAlgorithm.SHA2_256)) {
+        throw new KeylessVerificationException(
+            "Unsupported digest algorithm in log entry: "
+                + logEntrySpec.getPayloadHash().getAlgorithm());
+      }
+
+      // check if the digest over the dsse payload matches the digest in the transparency log entry
+      byte[] calculatedDigest = Hashing.sha256().hashBytes(dsseEnvelope.getPayload()).asBytes();
+      if (!Arrays.equals(
+          logEntrySpec.getPayloadHash().getDigest().toByteArray(), calculatedDigest)) {
+        throw new KeylessVerificationException(
+            "Digest of DSSE payload in bundle does not match DSSE payload digest in log entry");
+      }
+
+      // check if the signature over the dsse payload matches the signature in the rekorEntry
+      if (logEntrySpec.getSignaturesCount() != 1) {
+        throw new KeylessVerificationException(
+            "Log entry spec must have exactly 1 signature, but found: "
+                + logEntrySpec.getSignaturesCount());
+      }
+
+      Signature logSignature = logEntrySpec.getSignatures(0);
+      if (!Arrays.equals(dsseEnvelope.getSignature(), logSignature.getContent().toByteArray())) {
+        throw new KeylessVerificationException(
+            "Signature in DSSE envelope does not match signature in log entry spec");
+      }
+
+      var verifier = logSignature.getVerifier();
+      if (!verifier.hasX509Certificate()) {
+        throw new KeylessVerificationException(
+            "Rekor entry DSSE verifier is missing X.509 certificate");
+      }
+      try {
+        byte[] certFromRekor = verifier.getX509Certificate().getRawBytes().toByteArray();
+        byte[] certFromBundle = leafCert.getEncoded();
+        if (!Arrays.equals(certFromRekor, certFromBundle)) {
+          throw new KeylessVerificationException(
+              "Certificate in rekor entry does not match certificate in bundle");
+        }
+      } catch (CertificateEncodingException e) {
+        throw new KeylessVerificationException(
+            "Could not encode leaf certificate for comparison", e);
+      }
     }
   }
 }
@@ -436,19 +436,33 @@ static Stream<Arguments> badDsseProvider() {
             "Digest of DSSE payload in bundle does not match DSSE payload digest in log entry"),
         Arguments.arguments(
             "bundle.dsse.mismatched-signature.sigstore",
-            "Provided DSSE signature materials are inconsistent with DSSE log entry"));
+            "Provided DSSE signature materials are inconsistent with DSSE log entry"),
+        Arguments.arguments(
+            "bundle.dsse.rekor-v2.bad-signature.sigstore", "DSSE signature was not valid"),
+        Arguments.arguments(
+            "bundle.dsse.rekor-v2.mismatched-payload.sigstore",
+            "Digest of DSSE payload in bundle does not match DSSE payload digest in log entry"),
+        Arguments.arguments(
+            "bundle.dsse.rekor-v2.mismatched-signature.sigstore",
+            "Signature in DSSE envelope does not match signature in log entry spec"));
   }
 
   @ParameterizedTest
   @MethodSource("badDsseProvider")
-  public void testVerify_dsseBundleBadSignature_rekorV1(String bundleName, String expectedError)
+  public void testVerify_dsseBundleInvalid(String bundleName, String expectedError)
       throws Exception {
     var bundleFile =
         Resources.toString(
             Resources.getResource("dev/sigstore/samples/bundles/" + bundleName),
             StandardCharsets.UTF_8);
     var artifact = Resources.getResource("dev/sigstore/samples/bundles/artifact.txt").getPath();
-    var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
+    var builder = KeylessVerifier.builder();
+    if (bundleName.contains("rekor-v2")) {
+      builder.sigstoreStagingDefaults();
+    } else {
+      builder.sigstorePublicDefaults();
+    }
+    var verifier = builder.build();
 
     var ex =
         Assertions.assertThrows(
@@ -682,6 +696,43 @@ public void testVerify_canVerifyV03Bundle_rekorV2() throws Exception {
         Path.of(artifact), Bundle.from(new StringReader(bundleFile)), VerificationOptions.empty());
   }
 
+  @Test
+  public void testVerify_dsseBundle_rekorV2() throws Exception {
+    var artifact = Resources.getResource("dev/sigstore/samples/bundles/artifact.txt").getPath();
+    var bundleFile =
+        Resources.toString(
+            Resources.getResource("dev/sigstore/samples/bundles/bundle.dsse.rekor-v2.sigstore"),
+            StandardCharsets.UTF_8);
+
+    var verifier = KeylessVerifier.builder().sigstoreStagingDefaults().build();
+    verifier.verify(
+        Path.of(artifact), Bundle.from(new StringReader(bundleFile)), VerificationOptions.empty());
+  }
+
+  @Test
+  public void testVerify_dsseBundleArtifactNotInSubjects_rekorV2() throws Exception {
+    var bundleFile =
+        Resources.toString(
+            Resources.getResource("dev/sigstore/samples/bundles/bundle.dsse.rekor-v2.sigstore"),
+            StandardCharsets.UTF_8);
+    var badArtifactDigest =
+        Hashing.sha256().hashString("nonsense", StandardCharsets.UTF_8).asBytes();
+    var verifier = KeylessVerifier.builder().sigstoreStagingDefaults().build();
+
+    var ex =
+        Assertions.assertThrows(
+            KeylessVerificationException.class,
+            () ->
+                verifier.verify(
+                    badArtifactDigest,
+                    Bundle.from(new StringReader(bundleFile)),
+                    VerificationOptions.empty()));
+    MatcherAssert.assertThat(
+        ex.getMessage(),
+        CoreMatchers.startsWith(
+            "Provided artifact digest does not match any subject sha256 digests in DSSE payload"));
+  }
+
   @Test
   public void testVerify_noRfc3161Timestamps_rekorV2() throws Exception {
     var artifact = Resources.getResource("dev/sigstore/samples/bundles/artifact.txt").getPath();
 
@@ -0,0 +1 @@
+{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICyzCCAlKgAwIBAgIUKV93VRE8+giR4U3JmE46FfjWQPEwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwNzIyMTg0NjI4WhcNMjUwNzIyMTg1NjI4WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEibOnv7mMVdCDKGzvkqnOG6Edv2c3/iGzYezZsyS75ZUtYWh1rnzT7rmrrMdqtetsZ1+lFAYKm8RKY8FmOm9cIqOCAXEwggFtMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUxwW/jGsI9VVYFl8GGAHjP0BeVeMwHwYDVR0jBBgwFoAUcYYwphR8Ym/599b0BRp/X//rb6wwIQYDVR0RAQH/BBcwFYETYWFyb25sZXdAZ29vZ2xlLmNvbTApBgorBgEEAYO/MAEBBBtodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20wKwYKKwYBBAGDvzABCAQdDBtodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20wgYoGCisGAQQB1nkCBAIEfAR6AHgAdgArMLzcaIjJ4uHYJiledB9IOTGWAvKcM8teQ0D+sqyGegAAAZgzdWZsAAAEAwBHMEUCIEKunFqu8GdmhXDsFwg/xbT67q99jPfAxsckPMFVwVgUAiEAvHnFz6h5BCXlyTCj225FD0bWKyDTmz/3fG0SiN51C2IwCgYIKoZIzj0EAwMDZwAwZAIwZeLswpKDDMuxCywKKM+phTSbvHN+024YeOGEoGOevo4GrBMGcm2QXapyN4U+MKY2AjAY8oryNBlotXqECqeYVUHCsBOu2I/G43KjTagDNhTmxPJc4oKsZeEmY8azL6H6QfQ="}, "tlogEntries": [{"logIndex": "6599", "logId": {"keyId": "8w1amZ2S5mJIQkQmPxdMuOrL/oJkvFg9MnQXmeOCXck="}, "kindVersion": {"kind": "dsse", "version": "0.0.2"}, "inclusionProof": {"logIndex": "6599", "rootHash": "dkGnJ+1zBeCDPO3w+CMSyZBL30cTl8vfPPO5OJjgpFk=", "treeSize": "6600", "hashes": ["1o6HtTnpjCIPmqgZaNcQVZO+XD95kYFUyFpIiuQt08c=", "7fw4fFrLFNo4v9ao7ecWVaihhyP1AONn8XqKVlbdMB0=", "63rDNjdnW14mVVe5PB9vf249qu9JU0qCbWtREGFp0Q0=", "A+VlB+XR92aS2txcqdoEfCb3QqZ89UHRDE87bcK7JiU=", "HhgSw1jzUj25LbExsCl8FbDRO6eJnxb9iGu259pM3ms=", "gpAC2IEHOQH0Mluo3QTOJzs2KTswWJ+2JiODSInqpyg=", "Ag03a73jphtOkMBVhp+MkrJwDkx2NE69NESHMFcwcfI=", "xbDsGnxf1siByWHEuiK85p0reQCaKKWUjf8YNl9s/Vo="], "checkpoint": {"envelope": "log2025-alpha1.rekor.sigstage.dev\n6600\ndkGnJ+1zBeCDPO3w+CMSyZBL30cTl8vfPPO5OJjgpFk=\n\n\u2014 log2025-alpha1.rekor.sigstage.dev 8w1amcTOF4cFBuJnrIMtTVD+a7oPZBzShJDajugc2wuxq/cfw+ImFdwU2mnKf+F334vPvOTWzqiK19Frf4q3F45yegI=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZHNzZVYwMDIiOnsicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoiU0hBMl8yNTYiLCJkaWdlc3QiOiIxcklKdXAzZU94N2w3ZXU0alJzYmtYdHk3cllVTW81N3BtZjF0NnR3NlljPSJ9LCJzaWduYXR1cmVzIjpbeyJjb250ZW50IjoiTUVZQ0lRRGRXeVBqTUJ4R1YxS1drVURVWm1TR05yVlMzYUN3K3M3S2oxM0tIT1lyaWdJaEFPR2Z4clkyeVhhREpKMUVLQWd0aVdjSEhYY2ZDS09aTHkveDZnYllGYW5KIiwidmVyaWZpZXIiOnsia2V5RGV0YWlscyI6IlBLSVhfRUNEU0FfUDI1Nl9TSEFfMjU2IiwieDUwOUNlcnRpZmljYXRlIjp7InJhd0J5dGVzIjoiTUlJQ3l6Q0NBbEtnQXdJQkFnSVVLVjkzVlJFOCtnaVI0VTNKbUU0NkZmaldRUEV3Q2dZSUtvWkl6ajBFQXdNd056RVZNQk1HQTFVRUNoTU1jMmxuYzNSdmNtVXVaR1YyTVI0d0hBWURWUVFERXhWemFXZHpkRzl5WlMxcGJuUmxjbTFsWkdsaGRHVXdIaGNOTWpVd056SXlNVGcwTmpJNFdoY05NalV3TnpJeU1UZzFOakk0V2pBQU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRWliT252N21NVmRDREtHenZrcW5PRzZFZHYyYzMvaUd6WWV6WnN5Uzc1WlV0WVdoMXJuelQ3cm1yck1kcXRldHNaMStsRkFZS204UktZOEZtT205Y0lxT0NBWEV3Z2dGdE1BNEdBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVV4d1cvakdzSTlWVllGbDhHR0FIalAwQmVWZU13SHdZRFZSMGpCQmd3Rm9BVWNZWXdwaFI4WW0vNTk5YjBCUnAvWC8vcmI2d3dJUVlEVlIwUkFRSC9CQmN3RllFVFlXRnliMjVzWlhkQVoyOXZaMnhsTG1OdmJUQXBCZ29yQmdFRUFZTy9NQUVCQkJ0b2RIUndjem92TDJGalkyOTFiblJ6TG1kdmIyZHNaUzVqYjIwd0t3WUtLd1lCQkFHRHZ6QUJDQVFkREJ0b2RIUndjem92TDJGalkyOTFiblJ6TG1kdmIyZHNaUzVqYjIwd2dZb0dDaXNHQVFRQjFua0NCQUlFZkFSNkFIZ0FkZ0FyTUx6Y2FJako0dUhZSmlsZWRCOUlPVEdXQXZLY004dGVRMEQrc3F5R2VnQUFBWmd6ZFdac0FBQUVBd0JITUVVQ0lFS3VuRnF1OEdkbWhYRHNGd2cveGJUNjdxOTlqUGZBeHNja1BNRlZ3VmdVQWlFQXZIbkZ6Nmg1QkNYbHlUQ2oyMjVGRDBiV0t5RFRtei8zZkcwU2lONTFDMkl3Q2dZSUtvWkl6ajBFQXdNRFp3QXdaQUl3WmVMc3dwS0RETXV4Q3l3S0tNK3BoVFNidkhOKzAyNFllT0dFb0dPZXZvNEdyQk1HY20yUVhhcHlONFUrTUtZMkFqQVk4b3J5TkJsb3RYcUVDcWVZVlVIQ3NCT3UySS9HNDNLalRhZ0ROaFRteFBKYzRvS3NaZUVtWThhekw2SDZRZlE9In19fV19fX0="}], "timestampVerificationData": {"rfc3161Timestamps": [{"signedTimestamp": "MIIE6DADAgEAMIIE3wYJKoZIhvcNAQcCoIIE0DCCBMwCAQMxDTALBglghkgBZQMEAgEwgcIGCyqGSIb3DQEJEAEEoIGyBIGvMIGsAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgLe3+Y0/EGJLgaObiPUd56aqMZHDIPVmcwL4g52XYMmsCFCnmDigcquRsTW0ceewSf7Nu4jatGA8yMDI1MDcyMjE4NDYyOFowAwIBAQIJAO/M+RPO/W6HoDKkMDAuMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxFTATBgNVBAMTDHNpZ3N0b3JlLXRzYaCCAhMwggIPMIIBlqADAgECAhQKNaEGYdXiQXPGiZan8n3yfgN8pzAKBggqhkjOPQQDAzA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkMB4XDTI1MDMyODA5MTQwNloXDTM1MDMyNjA4MTQwNlowLjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MRUwEwYDVQQDEwxzaWdzdG9yZS10c2EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATHW/kXcekP16Ae6SekEWVHPtAFEMm7hp5XO33MktFjSW+bHWUXtYEzZz0A3xkY9CyYOoeUk3ZH/v5HEuS+UvORzX0g7Hfy3uYYYRwHtqBQN0IX8rLdFMtIrRej/QCAdB2jajBoMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUqPxk9ijeLuY7c09UjFLE4ZzdU6UwHwYDVR0jBBgwFoAUOyBGWV61Mk1HMM5uY+5zdEfyBH0wFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwCgYIKoZIzj0EAwMDZwAwZAIwRK9VLoYa0Xff4nX1N/AQ1YleNG/iLT8dAXAtRKRfpN9XuDScbxWeo0cku8SkC06NAjBQPe7LBNeitA/UOBtXT2sX1h6f4ISqz+ISmJ4lY+y3bzRJI5nk1r53I9WT3/xIWToxggHaMIIB1gIBATBRMDkxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEgMB4GA1UEAxMXc2lnc3RvcmUtdHNhLXNlbGZzaWduZWQCFAo1oQZh1eJBc8aJlqfyffJ+A3ynMAsGCWCGSAFlAwQCAaCB/DAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkFMQ8XDTI1MDcyMjE4NDYyOFowLwYJKoZIhvcNAQkEMSIEIFoIhOeb/JcbKTcAdjaFtJFAJY1EG8InbA7xmYcN4z+mMIGOBgsqhkiG9w0BCRACLzF/MH0wezB5BCAG9P/gR/6zWZm3M7DXoyNQHPwY5MAzZqhF13U250snRDBVMD2kOzA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkAhQKNaEGYdXiQXPGiZan8n3yfgN8pzAKBggqhkjOPQQDAgRmMGQCMDWotxN6KqroQvcfh9K2D+BAUQu3WhowMAFQYtPpX878/y6s+ingRwDO8773sLoOOAIwWnO0DWUtymNLHKikkq/pr+cKnFry1UMj3udsXHEEkUDpdInnIzlaQi2/re2yPo6o"}]}}, "dsseEnvelope": {"payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiYS50eHQiLCJkaWdlc3QiOnsic2hhMjU2IjoiYTBjZmM3MTI3MWQ2ZTI3OGU1N2NkMzMyZmY5NTdjM2Y3MDQzZmRkYTM1NGM0Y2JiMTkwYTMwZDU2ZWZhMDFiZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vYWN0aW9ucy5naXRodWIuaW8vYnVpbGR0eXBlcy93b3JrZmxvdy92MSIsImV4dGVybmFsUGFyYW1ldGVycyI6eyJ3b3JrZmxvdyI6eyJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5IjoiaHR0cHM6Ly9naXRodWIuY29tL2xvb3NlYmF6b29rYS9hYS10ZXN0IiwicGF0aCI6Ii5naXRodWIvd29ya2Zsb3dzL3Byb3ZlbmFuY2UueWFtbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJyZXBvc2l0b3J5X2lkIjoiODkxNzE1NDQ0IiwicmVwb3NpdG9yeV9vd25lcl9pZCI6IjEzMDQ4MjYiLCJydW5uZXJfZW52aXJvbm1lbnQiOiJnaXRodWItaG9zdGVkIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9sb29zZWJhem9va2EvYWEtdGVzdEByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsiZ2l0Q29tbWl0IjoiZWJmZjhkZmJkNjA5YjdiMjIyMzdjNzcxOWNlMDdmMmRjNzkzNGY1ZiJ9fV19LCJydW5EZXRhaWxzIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbG9vc2ViYXpvb2thL2FhLXRlc3QvLmdpdGh1Yi93b3JrZmxvd3MvcHJvdmVuYW5jZS55YW1sQHJlZnMvaGVhZHMvbWFpbiJ9LCJtZXRhZGF0YSI6eyJpbnZvY2F0aW9uSWQiOiJodHRwczovL2dpdGh1Yi5jb20vbG9vc2ViYXpvb2thL2FhLXRlc3QvYWN0aW9ucy9ydW5zLzExOTQxNDI1NDg3L2F0dGVtcHRzLzEifX19fQ==", "payloadType": "application/vnd.in-toto+json", "signatures": [{"sig": "MEYCIQDdWyPjMBxGV1KWkUDUZmSGNrVS3aCw+s7Kj13KHOYrigIhAOGfxrY2yXaDJJ1EKAgtiWcHHXcfCKOZLy/x6gbYFanK"}]}}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICyzCCAlKgAwIBAgIUKV93VRE8+giR4U3JmE46FfjWQPEwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwNzIyMTg0NjI4WhcNMjUwNzIyMTg1NjI4WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEibOnv7mMVdCDKGzvkqnOG6Edv2c3/iGzYezZsyS75ZUtYWh1rnzT7rmrrMdqtetsZ1+lFAYKm8RKY8FmOm9cIqOCAXEwggFtMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUxwW/jGsI9VVYFl8GGAHjP0BeVeMwHwYDVR0jBBgwFoAUcYYwphR8Ym/599b0BRp/X//rb6wwIQYDVR0RAQH/BBcwFYETYWFyb25sZXdAZ29vZ2xlLmNvbTApBgorBgEEAYO/MAEBBBtodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20wKwYKKwYBBAGDvzABCAQdDBtodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20wgYoGCisGAQQB1nkCBAIEfAR6AHgAdgArMLzcaIjJ4uHYJiledB9IOTGWAvKcM8teQ0D+sqyGegAAAZgzdWZsAAAEAwBHMEUCIEKunFqu8GdmhXDsFwg/xbT67q99jPfAxsckPMFVwVgUAiEAvHnFz6h5BCXlyTCj225FD0bWKyDTmz/3fG0SiN51C2IwCgYIKoZIzj0EAwMDZwAwZAIwZeLswpKDDMuxCywKKM+phTSbvHN+024YeOGEoGOevo4GrBMGcm2QXapyN4U+MKY2AjAY8oryNBlotXqECqeYVUHCsBOu2I/G43KjTagDNhTmxPJc4oKsZeEmY8azL6H6QfQ="}, "tlogEntries": [{"logIndex": "6599", "logId": {"keyId": "8w1amZ2S5mJIQkQmPxdMuOrL/oJkvFg9MnQXmeOCXck="}, "kindVersion": {"kind": "dsse", "version": "0.0.2"}, "inclusionProof": {"logIndex": "6599", "rootHash": "dkGnJ+1zBeCDPO3w+CMSyZBL30cTl8vfPPO5OJjgpFk=", "treeSize": "6600", "hashes": ["1o6HtTnpjCIPmqgZaNcQVZO+XD95kYFUyFpIiuQt08c=", "7fw4fFrLFNo4v9ao7ecWVaihhyP1AONn8XqKVlbdMB0=", "63rDNjdnW14mVVe5PB9vf249qu9JU0qCbWtREGFp0Q0=", "A+VlB+XR92aS2txcqdoEfCb3QqZ89UHRDE87bcK7JiU=", "HhgSw1jzUj25LbExsCl8FbDRO6eJnxb9iGu259pM3ms=", "gpAC2IEHOQH0Mluo3QTOJzs2KTswWJ+2JiODSInqpyg=", "Ag03a73jphtOkMBVhp+MkrJwDkx2NE69NESHMFcwcfI=", "xbDsGnxf1siByWHEuiK85p0reQCaKKWUjf8YNl9s/Vo="], "checkpoint": {"envelope": "log2025-alpha1.rekor.sigstage.dev\n6600\ndkGnJ+1zBeCDPO3w+CMSyZBL30cTl8vfPPO5OJjgpFk=\n\n\u2014 log2025-alpha1.rekor.sigstage.dev 8w1amcTOF4cFBuJnrIMtTVD+a7oPZBzShJDajugc2wuxq/cfw+ImFdwU2mnKf+F334vPvOTWzqiK19Frf4q3F45yegI=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZHNzZVYwMDIiOnsicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoiU0hBMl8yNTYiLCJkaWdlc3QiOiIxcklKdXAzZU94N2w3ZXU0alJzYmtYdHk3cllVTW81N3BtZjF0NnR3NlljPSJ9LCJzaWduYXR1cmVzIjpbeyJjb250ZW50IjoiTUVZQ0lRRGRXeVBqTUJ4R1YxS1drVURVWm1TR05yVlMzYUN3K3M3S2oxM0tIT1lyaWdJaEFPR2Z4clkyeVhhREpKMUVLQWd0aVdjSEhYY2ZDS09aTHkveDZnYllGYW5KIiwidmVyaWZpZXIiOnsia2V5RGV0YWlscyI6IlBLSVhfRUNEU0FfUDI1Nl9TSEFfMjU2IiwieDUwOUNlcnRpZmljYXRlIjp7InJhd0J5dGVzIjoiTUlJQ3l6Q0NBbEtnQXdJQkFnSVVLVjkzVlJFOCtnaVI0VTNKbUU0NkZmaldRUEV3Q2dZSUtvWkl6ajBFQXdNd056RVZNQk1HQTFVRUNoTU1jMmxuYzNSdmNtVXVaR1YyTVI0d0hBWURWUVFERXhWemFXZHpkRzl5WlMxcGJuUmxjbTFsWkdsaGRHVXdIaGNOTWpVd056SXlNVGcwTmpJNFdoY05NalV3TnpJeU1UZzFOakk0V2pBQU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRWliT252N21NVmRDREtHenZrcW5PRzZFZHYyYzMvaUd6WWV6WnN5Uzc1WlV0WVdoMXJuelQ3cm1yck1kcXRldHNaMStsRkFZS204UktZOEZtT205Y0lxT0NBWEV3Z2dGdE1BNEdBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVV4d1cvakdzSTlWVllGbDhHR0FIalAwQmVWZU13SHdZRFZSMGpCQmd3Rm9BVWNZWXdwaFI4WW0vNTk5YjBCUnAvWC8vcmI2d3dJUVlEVlIwUkFRSC9CQmN3RllFVFlXRnliMjVzWlhkQVoyOXZaMnhsTG1OdmJUQXBCZ29yQmdFRUFZTy9NQUVCQkJ0b2RIUndjem92TDJGalkyOTFiblJ6TG1kdmIyZHNaUzVqYjIwd0t3WUtLd1lCQkFHRHZ6QUJDQVFkREJ0b2RIUndjem92TDJGalkyOTFiblJ6TG1kdmIyZHNaUzVqYjIwd2dZb0dDaXNHQVFRQjFua0NCQUlFZkFSNkFIZ0FkZ0FyTUx6Y2FJako0dUhZSmlsZWRCOUlPVEdXQXZLY004dGVRMEQrc3F5R2VnQUFBWmd6ZFdac0FBQUVBd0JITUVVQ0lFS3VuRnF1OEdkbWhYRHNGd2cveGJUNjdxOTlqUGZBeHNja1BNRlZ3VmdVQWlFQXZIbkZ6Nmg1QkNYbHlUQ2oyMjVGRDBiV0t5RFRtei8zZkcwU2lONTFDMkl3Q2dZSUtvWkl6ajBFQXdNRFp3QXdaQUl3WmVMc3dwS0RETXV4Q3l3S0tNK3BoVFNidkhOKzAyNFllT0dFb0dPZXZvNEdyQk1HY20yUVhhcHlONFUrTUtZMkFqQVk4b3J5TkJsb3RYcUVDcWVZVlVIQ3NCT3UySS9HNDNLalRhZ0ROaFRteFBKYzRvS3NaZUVtWThhekw2SDZRZlE9In19fV19fX0="}], "timestampVerificationData": {"rfc3161Timestamps": [{"signedTimestamp": "MIIE6DADAgEAMIIE3wYJKoZIhvcNAQcCoIIE0DCCBMwCAQMxDTALBglghkgBZQMEAgEwgcIGCyqGSIb3DQEJEAEEoIGyBIGvMIGsAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgLe3+Y0/EGJLgaObiPUd56aqMZHDIPVmcwL4g52XYMmsCFCnmDigcquRsTW0ceewSf7Nu4jatGA8yMDI1MDcyMjE4NDYyOFowAwIBAQIJAO/M+RPO/W6HoDKkMDAuMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxFTATBgNVBAMTDHNpZ3N0b3JlLXRzYaCCAhMwggIPMIIBlqADAgECAhQKNaEGYdXiQXPGiZan8n3yfgN8pzAKBggqhkjOPQQDAzA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkMB4XDTI1MDMyODA5MTQwNloXDTM1MDMyNjA4MTQwNlowLjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MRUwEwYDVQQDEwxzaWdzdG9yZS10c2EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATHW/kXcekP16Ae6SekEWVHPtAFEMm7hp5XO33MktFjSW+bHWUXtYEzZz0A3xkY9CyYOoeUk3ZH/v5HEuS+UvORzX0g7Hfy3uYYYRwHtqBQN0IX8rLdFMtIrRej/QCAdB2jajBoMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUqPxk9ijeLuY7c09UjFLE4ZzdU6UwHwYDVR0jBBgwFoAUOyBGWV61Mk1HMM5uY+5zdEfyBH0wFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwCgYIKoZIzj0EAwMDZwAwZAIwRK9VLoYa0Xff4nX1N/AQ1YleNG/iLT8dAXAtRKRfpN9XuDScbxWeo0cku8SkC06NAjBQPe7LBNeitA/UOBtXT2sX1h6f4ISqz+ISmJ4lY+y3bzRJI5nk1r53I9WT3/xIWToxggHaMIIB1gIBATBRMDkxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEgMB4GA1UEAxMXc2lnc3RvcmUtdHNhLXNlbGZzaWduZWQCFAo1oQZh1eJBc8aJlqfyffJ+A3ynMAsGCWCGSAFlAwQCAaCB/DAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkFMQ8XDTI1MDcyMjE4NDYyOFowLwYJKoZIhvcNAQkEMSIEIFoIhOeb/JcbKTcAdjaFtJFAJY1EG8InbA7xmYcN4z+mMIGOBgsqhkiG9w0BCRACLzF/MH0wezB5BCAG9P/gR/6zWZm3M7DXoyNQHPwY5MAzZqhF13U250snRDBVMD2kOzA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkAhQKNaEGYdXiQXPGiZan8n3yfgN8pzAKBggqhkjOPQQDAgRmMGQCMDWotxN6KqroQvcfh9K2D+BAUQu3WhowMAFQYtPpX878/y6s+ingRwDO8773sLoOOAIwWnO0DWUtymNLHKikkq/pr+cKnFry1UMj3udsXHEEkUDpdInnIzlaQi2/re2yPo6o"}]}}, "dsseEnvelope": {"payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiYS50eHQiLCJkaWdlc3QiOnsic2hhMjU2IjoiYTBjZmM3MTI3MWQ2ZTI3OGU1N2NkMzMyZmY5NTdjM2Y3MDQzZmRkYTM1NGM0Y2JiMTkwYTMwZDU2ZWZhMDFiZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vYWN0aW9ucy5naXRodWIuaW8vYnVpbGR0eXBlcy93b3JrZmxvdy92MSIsImV4dGVybmFsUGFyYW1ldGVycyI6eyJ3b3JrZmxvdyI6eyJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5IjoiaHR0cHM6Ly9naXRodWIuY29tL2xvb3NlYmF6b29rYS9hYS10ZXN0IiwicGF0aCI6Ii5naXRodWIvd29ya2Zsb3dzL3Byb3ZlbmFuY2UueWFtbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJyZXBvc2l0b3J5X2lkIjoiODkxNzE1NDQ0IiwicmVwb3NpdG9yeV9vd25lcl9pZCI6IjEzMDQ4MjYiLCJydW5uZXJfZW52aXJvbm1lbnQiOiJnaXRodWItaG9zdGVkIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9sb29zZWJhem9va2EvYWEtdGVzdEByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsiZ2l0Q29tbWl0IjoiZWJmZjhkZmJkNjA5YjdiMjIyMzdjNzcxOWNlMDdmMmRjNzkzNGY1ZiJ9fV19LCJydW5EZXRhaWxzIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbG9vc2ViYXpvb2thL2FhLXRlc3QvLmdpdGh1Yi93b3JrZmxvd3MvcHJvdmVuYW5jZS55YW1sQHJlZnMvaGVhZHMvbWFpbiJ9LCJtZXRhZGF0YSI6eyJpbnZvY2F0aW9uSWQiOiJodHRwczovL2dpdGh1Yi5jb20vbG9vc2ViYXpvb2thL2FhLXRlc3QvYWN0aW9ucy9ydW5zLzExOTQxNDI1NDg3L2F0dGVtcHRzLzEifX19fQ==", "payloadType": "application/vnd.in-toto+json", "signatures": [{"sig": "MEYCIQDdWyPjMBxGV1KWkUDUZmSGNrVS3aCw+s7Kj13KHOYrigIhAOGfxrY2yXaDJJ1EKAgtiWcHHXcfCKOZLy/x6gbYFanK"}]}}