Sign API Reference
sign/v1/sign_service.proto
SignRequest
SignRequestProvider
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| oidc | SignWithOIDC | | Sign with OIDC provider |
| key | SignWithKey | | Sign with PEM-encoded private key |
SignResponse
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| signature | Signature | | Cryptographic signature of the record |
SignWithKey
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| private_key | bytes | | Private key used for signing |
| password | bytes | optional | Password to unlock the private key |
SignWithOIDC
SignWithOIDC.SignOpts
List of sign options for OIDC
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| fulcio_url | string | optional | Fulcio authority access URL (default value: https://fulcio.sigstage.dev) |
| rekor_url | string | optional | Rekor validator access URL (default value: https://rekor.sigstage.dev) |
| timestamp_url | string | optional | Timestamp authority access URL (default value: https://timestamp.sigstage.dev/api/v1/timestamp) |
| oidc_provider_url | string | optional | OIDC provider access URL (default value: https://oauth2.sigstage.dev/auth) |
Signature
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| annotations | Signature.AnnotationsEntry | repeated | Metadata associated with the signature. |
| signed_at | string | | Signing timestamp of the record in the RFC3339 format. Specs: https://www.rfc-editor.org/rfc/rfc3339.html |
| algorithm | string | | The signature algorithm used (e.g., "ECDSA_P256_SHA256"). |
| signature | string | | Base64-encoded signature. |
| certificate | string | | Base64-encoded signing certificate. |
| content_type | string | | Type of the signature content bundle. |
| content_bundle | string | | Base64-encoded signature bundle produced by the signer. It is up to the client to interpret the content of the bundle. |
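
Since the Signature fields arrive as plain strings, a client can reject malformed values before attempting cryptographic verification. The following is an added example, not code from this project: the Signature struct, CheckSignature, the algorithm allowlist and the sample values are hypothetical, and standard padded base64 is assumed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Signature mirrors the documented string fields (hypothetical local type,
// not the generated protobuf stub). Sig holds the "signature" field.
type Signature struct {
	SignedAt, Algorithm, Sig, Certificate, ContentBundle string
}

// Assumed client-side allowlist; the reference names only this value.
var allowedAlgorithms = map[string]bool{"ECDSA_P256_SHA256": true}

// CheckSignature runs structural checks only; it does not verify the
// cryptographic signature. Standard padded base64 is an assumption.
func CheckSignature(s Signature, now time.Time, skew time.Duration) error {
	ts, err := time.Parse(time.RFC3339, s.SignedAt)
	if err != nil {
		return fmt.Errorf("signed_at is not RFC3339: %w", err)
	}
	if ts.After(now.Add(skew)) {
		return errors.New("signed_at is in the future")
	}
	if !allowedAlgorithms[s.Algorithm] {
		return fmt.Errorf("algorithm %q is not allowlisted", s.Algorithm)
	}
	if s.Sig == "" {
		return errors.New("signature is empty")
	}
	fields := []struct{ name, val string }{
		{"signature", s.Sig}, {"certificate", s.Certificate}, {"content_bundle", s.ContentBundle},
	}
	for _, f := range fields { // empty optional fields decode to zero bytes
		if _, err := base64.StdEncoding.DecodeString(f.val); err != nil {
			return fmt.Errorf("%s is not valid base64: %w", f.name, err)
		}
	}
	return nil
}

func main() {
	now := time.Date(2025, 1, 2, 0, 0, 0, 0, time.UTC) // constructed sample values
	s := Signature{SignedAt: "2025-01-01T10:00:00Z", Algorithm: "ECDSA_P256_SHA256", Sig: "c2ln"}
	fmt.Println(CheckSignature(s, now, time.Minute)) // <nil>
}
```

These checks are a pre-filter only; the trust decision still comes from the Verify call and its VerifyResponse.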
Signature.AnnotationsEntry
VerifyRequest
VerifyRequestProvider
VerifyResponse
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| success | bool | | The verify process result |
| error_message | string | optional | Optional error message if verification failed |
VerifyWithKey
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| public_key | bytes | | Public key to validate the signed record |
VerifyWithOIDC
| Field | Type | Label | Description |
| --- | --- | --- | --- |
| expected_issuer | string | | Expected issuer in the signed record |
| expected_signer | string | | Expected signer in the signed record |
SignService
| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| Sign | SignRequest | SignResponse | Sign a record using a keyless OIDC-based provider or a PEM-encoded private key with an optional passphrase |
| Verify | VerifyRequest | VerifyResponse | Verify a signed record using a keyless OIDC-based provider or a PEM-encoded public key |
Scalar Value Types
| .proto Type | Notes | C++ | Java | Python | Go | C# | PHP | Ruby |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| double | | double | double | float | float64 | double | float | Float |
| float | | float | float | float | float32 | float | float | Float |
| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| uint32 | Uses variable-length encoding. | uint32 | int | int/long | uint32 | uint | integer | Bignum or Fixnum (as required) |
| uint64 | Uses variable-length encoding. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum or Fixnum (as required) |
| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int | uint32 | uint | integer | Bignum or Fixnum (as required) |
| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum |
| sfixed32 | Always four bytes. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sfixed64 | Always eight bytes. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| bool | | bool | boolean | boolean | bool | bool | boolean | TrueClass/FalseClass |
| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode | string | string | string | String (UTF-8) |
| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str | []byte | ByteString | string | String (ASCII-8BIT) |