Package dev.sigstore.proto.trustroot.v1

Interface SigningConfigOrBuilder

All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
All Known Implementing Classes:
SigningConfig, SigningConfig.Builder
public interface SigningConfigOrBuilder extends com.google.protobuf.MessageOrBuilder

  • Method Details

    • getMediaType

      String getMediaType()
       MUST be application/vnd.dev.sigstore.signingconfig.v0.2+json
 Clients MAY choose to also support
 application/vnd.dev.sigstore.signingconfig.v0.1+json
      string media_type = 5;
      Returns:
      The mediaType.

    • getMediaTypeBytes

      com.google.protobuf.ByteString getMediaTypeBytes()
       MUST be application/vnd.dev.sigstore.signingconfig.v0.2+json
 Clients MAY choose to also support
 application/vnd.dev.sigstore.signingconfig.v0.1+json
      string media_type = 5;
      Returns:
      The bytes for mediaType.

    • getCaUrlsList

      List<Service> getCaUrlsList()
       URLs to Fulcio-compatible CAs, capable of receiving
 Certificate Signing Requests (CSRs) and responding with
 issued certificates.

 These URLs MUST be the "base" URL for the CAs, which clients
 should construct an appropriate CSR endpoint on top of.
 For example, if a CA URL is `https://example.com/ca`, then
 the client MAY construct the CSR endpoint as
 `https://example.com/ca/api/v2/signingCert`.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service ca_urls = 6;

    • getCaUrls

      Service getCaUrls(int index)
       URLs to Fulcio-compatible CAs, capable of receiving
 Certificate Signing Requests (CSRs) and responding with
 issued certificates.

 These URLs MUST be the "base" URL for the CAs, which clients
 should construct an appropriate CSR endpoint on top of.
 For example, if a CA URL is `https://example.com/ca`, then
 the client MAY construct the CSR endpoint as
 `https://example.com/ca/api/v2/signingCert`.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service ca_urls = 6;

    • getCaUrlsCount

      int getCaUrlsCount()
       URLs to Fulcio-compatible CAs, capable of receiving
 Certificate Signing Requests (CSRs) and responding with
 issued certificates.

 These URLs MUST be the "base" URL for the CAs, which clients
 should construct an appropriate CSR endpoint on top of.
 For example, if a CA URL is `https://example.com/ca`, then
 the client MAY construct the CSR endpoint as
 `https://example.com/ca/api/v2/signingCert`.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service ca_urls = 6;

    • getCaUrlsOrBuilderList

      List<? extends ServiceOrBuilder> getCaUrlsOrBuilderList()
       URLs to Fulcio-compatible CAs, capable of receiving
 Certificate Signing Requests (CSRs) and responding with
 issued certificates.

 These URLs MUST be the "base" URL for the CAs, which clients
 should construct an appropriate CSR endpoint on top of.
 For example, if a CA URL is `https://example.com/ca`, then
 the client MAY construct the CSR endpoint as
 `https://example.com/ca/api/v2/signingCert`.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service ca_urls = 6;

    • getCaUrlsOrBuilder

      ServiceOrBuilder getCaUrlsOrBuilder(int index)
       URLs to Fulcio-compatible CAs, capable of receiving
 Certificate Signing Requests (CSRs) and responding with
 issued certificates.

 These URLs MUST be the "base" URL for the CAs, which clients
 should construct an appropriate CSR endpoint on top of.
 For example, if a CA URL is `https://example.com/ca`, then
 the client MAY construct the CSR endpoint as
 `https://example.com/ca/api/v2/signingCert`.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service ca_urls = 6;

    • getOidcUrlsList

      List<Service> getOidcUrlsList()
       URLs to OpenID Connect identity providers.

 These URLs MUST be the "base" URLs for the OIDC IdPs, which clients
 should perform well-known OpenID Connect discovery against.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service oidc_urls = 7;

    • getOidcUrls

      Service getOidcUrls(int index)
       URLs to OpenID Connect identity providers.

 These URLs MUST be the "base" URLs for the OIDC IdPs, which clients
 should perform well-known OpenID Connect discovery against.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service oidc_urls = 7;

    • getOidcUrlsCount

      int getOidcUrlsCount()
       URLs to OpenID Connect identity providers.

 These URLs MUST be the "base" URLs for the OIDC IdPs, which clients
 should perform well-known OpenID Connect discovery against.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service oidc_urls = 7;

    • getOidcUrlsOrBuilderList

      List<? extends ServiceOrBuilder> getOidcUrlsOrBuilderList()
       URLs to OpenID Connect identity providers.

 These URLs MUST be the "base" URLs for the OIDC IdPs, which clients
 should perform well-known OpenID Connect discovery against.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service oidc_urls = 7;

    • getOidcUrlsOrBuilder

      ServiceOrBuilder getOidcUrlsOrBuilder(int index)
       URLs to OpenID Connect identity providers.

 These URLs MUST be the "base" URLs for the OIDC IdPs, which clients
 should perform well-known OpenID Connect discovery against.

 Clients MUST select only one Service with the highest API version
 that the client is compatible with, that is within its
 validity period, and has the newest validity start date.
 Client SHOULD select the first Service that meets this requirement.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.
      repeated .dev.sigstore.trustroot.v1.Service oidc_urls = 7;

    • getRekorTlogUrlsList

      List<Service> getRekorTlogUrlsList()
       URLs to Rekor transparency logs.

 These URL MUST be the "base" URLs for the transparency logs,
 which clients should construct appropriate API endpoints on top of.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `rekor_tlog_config`.
      repeated .dev.sigstore.trustroot.v1.Service rekor_tlog_urls = 8;

    • getRekorTlogUrls

      Service getRekorTlogUrls(int index)
       URLs to Rekor transparency logs.

 These URL MUST be the "base" URLs for the transparency logs,
 which clients should construct appropriate API endpoints on top of.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `rekor_tlog_config`.
      repeated .dev.sigstore.trustroot.v1.Service rekor_tlog_urls = 8;

    • getRekorTlogUrlsCount

      int getRekorTlogUrlsCount()
       URLs to Rekor transparency logs.

 These URL MUST be the "base" URLs for the transparency logs,
 which clients should construct appropriate API endpoints on top of.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `rekor_tlog_config`.
      repeated .dev.sigstore.trustroot.v1.Service rekor_tlog_urls = 8;

    • getRekorTlogUrlsOrBuilderList

      List<? extends ServiceOrBuilder> getRekorTlogUrlsOrBuilderList()
       URLs to Rekor transparency logs.

 These URL MUST be the "base" URLs for the transparency logs,
 which clients should construct appropriate API endpoints on top of.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `rekor_tlog_config`.
      repeated .dev.sigstore.trustroot.v1.Service rekor_tlog_urls = 8;

    • getRekorTlogUrlsOrBuilder

      ServiceOrBuilder getRekorTlogUrlsOrBuilder(int index)
       URLs to Rekor transparency logs.

 These URL MUST be the "base" URLs for the transparency logs,
 which clients should construct appropriate API endpoints on top of.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `rekor_tlog_config`.
      repeated .dev.sigstore.trustroot.v1.Service rekor_tlog_urls = 8;

    • hasRekorTlogConfig

      boolean hasRekorTlogConfig()
       Specifies how a client should select the set of Rekor transparency
 logs to write to.
      .dev.sigstore.trustroot.v1.ServiceConfiguration rekor_tlog_config = 9;
      Returns:
      Whether the rekorTlogConfig field is set.

    • getRekorTlogConfig

      ServiceConfiguration getRekorTlogConfig()
       Specifies how a client should select the set of Rekor transparency
 logs to write to.
      .dev.sigstore.trustroot.v1.ServiceConfiguration rekor_tlog_config = 9;
      Returns:
      The rekorTlogConfig.

    • getRekorTlogConfigOrBuilder

      ServiceConfigurationOrBuilder getRekorTlogConfigOrBuilder()
       Specifies how a client should select the set of Rekor transparency
 logs to write to.
      .dev.sigstore.trustroot.v1.ServiceConfiguration rekor_tlog_config = 9;

    • getTsaUrlsList

      List<Service> getTsaUrlsList()
       URLs to RFC 3161 Time Stamping Authorities (TSA).

 These URLs MUST be the *full* URL for the TSA, meaning that it
 should be suitable for submitting Time Stamp Requests (TSRs) to
 via HTTP, per RFC 3161.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `tsa_config`.
      repeated .dev.sigstore.trustroot.v1.Service tsa_urls = 10;

    • getTsaUrls

      Service getTsaUrls(int index)
       URLs to RFC 3161 Time Stamping Authorities (TSA).

 These URLs MUST be the *full* URL for the TSA, meaning that it
 should be suitable for submitting Time Stamp Requests (TSRs) to
 via HTTP, per RFC 3161.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `tsa_config`.
      repeated .dev.sigstore.trustroot.v1.Service tsa_urls = 10;

    • getTsaUrlsCount

      int getTsaUrlsCount()
       URLs to RFC 3161 Time Stamping Authorities (TSA).

 These URLs MUST be the *full* URL for the TSA, meaning that it
 should be suitable for submitting Time Stamp Requests (TSRs) to
 via HTTP, per RFC 3161.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `tsa_config`.
      repeated .dev.sigstore.trustroot.v1.Service tsa_urls = 10;

    • getTsaUrlsOrBuilderList

      List<? extends ServiceOrBuilder> getTsaUrlsOrBuilderList()
       URLs to RFC 3161 Time Stamping Authorities (TSA).

 These URLs MUST be the *full* URL for the TSA, meaning that it
 should be suitable for submitting Time Stamp Requests (TSRs) to
 via HTTP, per RFC 3161.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `tsa_config`.
      repeated .dev.sigstore.trustroot.v1.Service tsa_urls = 10;

    • getTsaUrlsOrBuilder

      ServiceOrBuilder getTsaUrlsOrBuilder(int index)
       URLs to RFC 3161 Time Stamping Authorities (TSA).

 These URLs MUST be the *full* URL for the TSA, meaning that it
 should be suitable for submitting Time Stamp Requests (TSRs) to
 via HTTP, per RFC 3161.

 Clients MUST group Services by `operator` and select at most one
 Service from each operator. Clients MUST select Services with the
 highest API version that the client is compatible with, that are
 within its validity period, and have the newest validity start dates.
 All listed Services SHOULD be sorted by the `valid_for` window in
 descending order, with the newest instance first.

 Clients MUST select Services based on the selector value of
 `tsa_config`.
      repeated .dev.sigstore.trustroot.v1.Service tsa_urls = 10;

    • hasTsaConfig

      boolean hasTsaConfig()
       Specifies how a client should select the set of TSAs to request
 signed timestamps from.
      .dev.sigstore.trustroot.v1.ServiceConfiguration tsa_config = 11;
      Returns:
      Whether the tsaConfig field is set.

    • getTsaConfig

      ServiceConfiguration getTsaConfig()
       Specifies how a client should select the set of TSAs to request
 signed timestamps from.
      .dev.sigstore.trustroot.v1.ServiceConfiguration tsa_config = 11;
      Returns:
      The tsaConfig.

    • getTsaConfigOrBuilder

      ServiceConfigurationOrBuilder getTsaConfigOrBuilder()
       Specifies how a client should select the set of TSAs to request
 signed timestamps from.
      .dev.sigstore.trustroot.v1.ServiceConfiguration tsa_config = 11;