Skip to content

fix(signing): use protojson.Marshal for standard Sigstore Bundle format #275

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 14, 2025
Merged

fix(signing): use protojson.Marshal for standard Sigstore Bundle format #275

merged 1 commit into from
Nov 14, 2025

Conversation

@leodido
Copy link
Contributor

@leodido leodido commented Nov 14, 2025
edited
Loading

Problem

Leeway's remote cache has 0% hit rate, causing every build to rebuild all packages locally, wasting 15-20 minutes per build (250-333 hours/month).

Fixes https://linear.app/ona-team/issue/CLC-2083/improve-att-generation

Root Cause

The attestation generation code was using Go's standard json.Marshal instead of protobuf's protojson.Marshal, which caused:

  • Field names in snake_case instead of camelCase (media_type vs mediaType)
  • Extra "Content" wrappers with capital C (protobuf oneof field names leaking into JSON)
  • Certificate in wrong location (verification_material.Content.Certificate vs verificationMaterial.certificate)
  • Incompatible with sigstore-go library
  • Incompatible with slsa-verifier
  • Result: 0% cache hit rate

Official Sigstore Bundle v0.3 format: https://docs.sigstore.dev/about/bundle/

Solution

Use protojson.MarshalOptions with explicit configuration:

// Use protojson with explicit options to generate standard Sigstore Bundle format
marshaler := protojson.MarshalOptions{
    UseProtoNames:   false,  // Use JSON names (camelCase) instead of proto names
    EmitUnpopulated: false,  // Omit empty/default fields for cleaner output
}
bundleBytes, err := marshaler.Marshal(signedBundle)

This generates a standard Sigstore Bundle v0.3 format with:

  • ✅ Field names in camelCase (mediaType, verificationMaterial)
  • ✅ No extra wrappers (direct fields: certificate, dsseEnvelope)
  • ✅ Certificate in correct location (verificationMaterial.certificate)
  • ✅ Compatible with sigstore-go library
  • ✅ Standard format matching official specification

Changes

  1. attestation.go: Use protojson.MarshalOptions with explicit configuration instead of json.Marshal
  2. attestation_test.go: Add comprehensive format verification tests:
    • TestBundleFormatCompliance: Verifies expected output format (6 subtests)
    • TestProtojsonMarshalOptions: Tests actual protobuf marshaling behavior (4 subtests)

Testing

All existing tests pass, plus new format verification tests:

cd pkg/leeway/signing && go test -v
# PASS: All 42 tests pass, including new format tests

New Tests

TestBundleFormatCompliance - Verifies expected format structure:

  • ✅ Top-level fields use camelCase (not snake_case)
  • ✅ No protobuf oneof wrappers (Content, Certificate)
  • ✅ Certificate in the correct location
  • ✅ Tlog entries use camelCase
  • ✅ DSSE envelope is direct field (not wrapped)
  • ✅ Media type value is correct

TestProtojsonMarshalOptions - Tests actual protobuf marshaling:

  • ✅ Uses camelCase field names with UseProtoNames=false
  • ✅ No protobuf oneof wrappers leak through
  • ✅ Certificate structure is correct
  • ✅ Media type value matches specification

These tests ensure our MarshalOptions configuration produces the correct format without requiring Sigstore credentials.

Expected Impact

Metric Before After Improvement
Cache hit rate 0% 80-90% +80-90%
Build time 20-25 min 5-10 min -15-20 min
Packages downloaded 0 40-45 +40-45
Time saved per build - 15-20 min -
Monthly time saved - 250-333 hours -

Verification

After deploying this fix, new attestations will have the correct format:

# Check format
jq 'keys' attestation.att
# Expected: ["dsseEnvelope", "mediaType", "verificationMaterial"]
# NOT: ["Content", "media_type", "verification_material"]

# Verify certificate location
jq '.verificationMaterial.certificate.rawBytes' attestation.att
# Expected: Base64 certificate string
# NOT: null

Risk Assessment

Low Risk:

  • ✅ Explicit MarshalOptions configuration (well-documented protobuf JSON marshaling)
  • ✅ All tests pass (42 tests including new format verification)
  • ✅ Backward compatible (old attestations → rebuild, new attestations → cache hit)
  • ✅ No changes needed in verification code
  • ✅ Tests validate actual protobuf marshaling behavior

References

Co-authored-by: Ona no-reply@ona.com

@leodido leodido self-assigned this Nov 14, 2025
@leodido leodido force-pushed the fix/sigstore-bundle-format branch from 0399053 to a544f9f Compare November 14, 2025 11:50
@leodido @ona-agent
fix(signing): use protojson.Marshal for standard Sigstore Bundle format
3b4d31e 
Use protojson.MarshalOptions instead of json.Marshal to generate
attestations in standard Sigstore Bundle v0.3 format.

Problem:
- json.Marshal on protobuf types causes oneof fields to leak (Content, Certificate)
- Field names in snake_case instead of camelCase
- Certificate in wrong location
- Incompatible with sigstore-go and slsa-verifier
- Result: 0% cache hit rate

Solution:
- Use protojson.MarshalOptions with explicit configuration
- UseProtoNames: false (use JSON names/camelCase)
- EmitUnpopulated: false (omit empty fields)

Changes:
- pkg/leeway/signing/attestation.go: Use protojson.MarshalOptions
- pkg/leeway/signing/attestation_test.go: Add format verification tests
  - TestBundleFormatCompliance: Verify expected format (6 subtests)
  - TestProtojsonMarshalOptions: Test actual marshaling (4 subtests)
- go.mod: Add direct dependencies for protobuf-specs and protobuf

Testing:
- All 42 tests pass including new format verification tests
- Tests validate actual protobuf marshaling behavior
- No Sigstore credentials required

Expected Impact:
- Cache hit rate: 0% → 80-90%
- Build time: 20-25 min → 5-10 min
- Time saved: 15-20 min per build

Refs: https://docs.sigstore.dev/about/bundle/

Co-authored-by: Ona <no-reply@ona.com>
@leodido leodido force-pushed the fix/sigstore-bundle-format branch from a544f9f to d18e524 Compare November 14, 2025 13:08
@leodido leodido changed the title Fix Sigstore Bundle format generation to use protojson.Marshal fix(signing): use protojson.Marshal for standard Sigstore Bundle format Nov 14, 2025
@leodido leodido changed the title fix(signing): use protojson.Marshal for standard Sigstore Bundle format fix(signing): use protojson.Marshal for standard Sigstore Bundle format Nov 14, 2025
geropl
geropl approved these changes Nov 14, 2025
View reviewed changes
Copy link
Member

@geropl geropl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@leodido leodido mentioned this pull request Nov 14, 2025
Merged
@leodido leodido force-pushed the fix/sigstore-bundle-format branch from d18e524 to 3b4d31e Compare November 14, 2025 15:36
@leodido leodido merged commit 8bb85d1 into main Nov 14, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geropl geropl geropl approved these changes

@kylos101 kylos101 Awaiting requested review from kylos101

@csweichel csweichel Awaiting requested review from csweichel

@corneliusludmann corneliusludmann Awaiting requested review from corneliusludmann

Assignees

@leodido leodido

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@leodido @geropl