--- /dev/null
+// Copyright 2018 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1beta1.build;
+
+import "google/devtools/containeranalysis/v1beta1/provenance/provenance.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1beta1/build;build";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1beta1.build";
+option objc_class_prefix = "GRA";
+
+// Note holding the version of the provider's builder and the signature of the
+// provenance message in linked BuildDetails.
+message Build {
+ // Version of the builder which produced this Note.
+ string builder_version = 1;
+
+ // Signature of the build in Occurrences pointing to the Note containing this
+ // `BuilderDetails`.
+ BuildSignature signature = 2;
+}
+
+// Message encapsulating the signature of the verified build.
+message BuildSignature {
+ // Public key of the builder which can be used to verify that the related
+ // findings are valid and unchanged. If `key_type` is empty, this defaults
+ // to PEM encoded public keys.
+ //
+ // This field may be empty if `key_id` references an external key.
+ //
+ // For Cloud Container Builder based signatures, this is a PEM encoded public
+ // key. To verify the Cloud Container Builder signature, place the contents of
+ // this field into a file (public.pem). The signature field is base64-decoded
+ // into its binary representation in signature.bin, and the provenance bytes
+ // from `BuildDetails` are base64-decoded into a binary representation in
+ // signed.bin. OpenSSL can then verify the signature:
+ // `openssl sha256 -verify public.pem -signature signature.bin signed.bin`
+ string public_key = 1;
+
+ // Signature of the related `BuildProvenance`. In JSON, this is base-64
+ // encoded.
+ bytes signature = 2;
+
+ // An ID for the key used to sign. This could be either an Id for the key
+ // stored in `public_key` (such as the Id or fingerprint for a PGP key, or the
+ // CN for a cert), or a reference to an external key (such as a reference to a
+ // key in Cloud Key Management Service).
+ string key_id = 3;
+
+ // Public key formats
+ enum KeyType {
+ // `KeyType` is not set.
+ KEY_TYPE_UNSPECIFIED = 0;
+ // `PGP ASCII Armored` public key.
+ PGP_ASCII_ARMORED = 1;
+ // `PKIX PEM` public key.
+ PKIX_PEM = 2;
+ }
+
+ // The type of the key, either stored in `public_key` or referenced in
+ // `key_id`
+ KeyType key_type = 4;
+}
+
+// Details of a build occurrence.
+message Details {
+ // The actual provenance for the build.
+ grafeas.v1beta1.provenance.BuildProvenance provenance = 1;
+
+ // Serialized JSON representation of the provenance, used in generating the
+ // `BuildSignature` in the corresponding Result. After verifying the
+ // signature, `provenance_bytes` can be unmarshalled and compared to the
+ // provenance to confirm that it is unchanged. A base64-encoded string
+ // representation of the provenance bytes is used for the signature in order
+ // to interoperate with openssl which expects this format for signature
+ // verification.
+ //
+ // The serialized form is captured both to avoid ambiguity in how the
+ // provenance is marshalled to json as well to prevent incompatibilities with
+ // future changes.
+ string provenance_bytes = 2;
+}