var (
	ServiceSelector_name = map[int32]string{
		0: "SERVICE_SELECTOR_UNDEFINED",
		1: "ALL",
		2: "ANY",
		3: "EXACT",
	}
	ServiceSelector_value = map[string]int32{
		"SERVICE_SELECTOR_UNDEFINED": 0,
		"ALL":                        1,
		"ANY":                        2,
		"EXACT":                      3,
	}
)

var File_sigstore_trustroot_proto protoreflect.FileDescriptor

type CertificateAuthority struct {

	// The root certificate MUST be self-signed, and so the subject and
	// issuer are the same.
	Subject *v1.DistinguishedName `protobuf:"bytes,1,opt,name=subject,proto3" json:"subject,omitempty"`
	// The URI identifies the certificate authority.
	//
	// It is RECOMMENDED that the URI is the base URL for the certificate
	// authority, that can be provided to any SDK/client provided
	// by the certificate authority to interact with the certificate
	// authority.
	Uri string `protobuf:"bytes,2,opt,name=uri,proto3" json:"uri,omitempty"`
	// The certificate chain for this CA. The last certificate in the chain
	// MUST be the trust anchor. The trust anchor MAY be a self-signed root
	// CA certificate or MAY be an intermediate CA certificate.
	CertChain *v1.X509CertificateChain `protobuf:"bytes,3,opt,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
	// The time the *entire* chain was valid. This is at max the
	// longest interval when *all* certificates in the chain were valid,
	// but it MAY be shorter. Clients MUST check timestamps against *both*
	// the `valid_for` time range *and* the entire certificate chain.
	//
	// The TimeRange should be considered valid *inclusive* of the
	// endpoints.
	ValidFor *v1.TimeRange `protobuf:"bytes,4,opt,name=valid_for,json=validFor,proto3" json:"valid_for,omitempty"`
	// The name of the operator of this certificate or timestamp authority.
	// Operator MUST be formatted as a scheme-less URI, e.g. sigstore.dev
	// This MUST be used when there are multiple timestamp authorities to
	// determine if the signed timestamp verification meets a specified
	// threshold, e.g. two signed timestamps from timestamp authorities
	// operated by the same operator should count as only one valid
	// timestamp.
	Operator string `protobuf:"bytes,5,opt,name=operator,proto3" json:"operator,omitempty"`
	// contains filtered or unexported fields
}

type ClientTrustConfig struct {

	// MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
	MediaType string `protobuf:"bytes,1,opt,name=media_type,json=mediaType,proto3" json:"media_type,omitempty"`
	// The root of trust, which MUST be present.
	TrustedRoot *TrustedRoot `protobuf:"bytes,2,opt,name=trusted_root,json=trustedRoot,proto3" json:"trusted_root,omitempty"`
	// Configuration for signing clients, which MUST be present.
	SigningConfig *SigningConfig `protobuf:"bytes,3,opt,name=signing_config,json=signingConfig,proto3" json:"signing_config,omitempty"`
	// contains filtered or unexported fields
}

type Service struct {

	// URL of the service. MUST include scheme and authority. MAY include path.
	Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
	// Specifies the major API version. A value of 0 represents a service that
	// has not yet been released.
	MajorApiVersion uint32 `protobuf:"varint,2,opt,name=major_api_version,json=majorApiVersion,proto3" json:"major_api_version,omitempty"`
	// Validity period of a service. A service that has only a start date
	// SHOULD be considered the most recent instance of that service, but
	// the client MUST NOT assume there is only one valid instance.
	// The TimeRange MUST be considered valid *inclusive* of the
	// endpoints.
	ValidFor *v1.TimeRange `protobuf:"bytes,3,opt,name=valid_for,json=validFor,proto3" json:"valid_for,omitempty"`
	// Specifies the name of the service operator. When selecting multiple
	// services, clients MUST use the operator to select services from
	// distinct operators. Operator MUST be formatted as a scheme-less
	// URI, e.g. sigstore.dev
	Operator string `protobuf:"bytes,4,opt,name=operator,proto3" json:"operator,omitempty"`
	// contains filtered or unexported fields
}

type ServiceConfiguration struct {

	// How a client should select a set of Services to connect to.
	// Clients SHOULD NOT select services from multiple API versions.
	Selector ServiceSelector `protobuf:"varint,1,opt,name=selector,proto3,enum=dev.sigstore.trustroot.v1.ServiceSelector" json:"selector,omitempty"`
	// count specifies the number of Services the client should use.
	// Only used when selector is set to EXACT, and count MUST be greater
	// than 0. count MUST be less than or equal to the number of Services.
	// Clients MUST return an error is there are not enough services
	// that meet selection criteria.
	Count uint32 `protobuf:"varint,2,opt,name=count,proto3" json:"count,omitempty"`
	// contains filtered or unexported fields
}

type ServiceSelector int32

const (
	ServiceSelector_SERVICE_SELECTOR_UNDEFINED ServiceSelector = 0
	// Clients SHOULD select all Services based on supported API version
	// and validity window.
	ServiceSelector_ALL ServiceSelector = 1
	// Clients SHOULD select one Service based on supported API version
	// and validity window. It is up to the client implementation to
	// decide how to select the Service, e.g. random or round-robin.
	ServiceSelector_ANY ServiceSelector = 2
	// Clients SHOULD select a specific number of Services based on
	// supported API version and validity window, using the provided
	// `count`. It is up to the client implementation to decide how to
	// select the Service, e.g. random or round-robin.
	ServiceSelector_EXACT ServiceSelector = 3
)

type SigningConfig struct {

	// MUST be application/vnd.dev.sigstore.signingconfig.v0.2+json
	// Clients MAY choose to also support
	// application/vnd.dev.sigstore.signingconfig.v0.1+json
	MediaType string `protobuf:"bytes,5,opt,name=media_type,json=mediaType,proto3" json:"media_type,omitempty"`
	// URLs to Fulcio-compatible CAs, capable of receiving
	// Certificate Signing Requests (CSRs) and responding with
	// issued certificates.
	//
	// These URLs MUST be the "base" URL for the CAs, which clients
	// should construct an appropriate CSR endpoint on top of.
	// For example, if a CA URL is `https://example.com/ca`, then
	// the client MAY construct the CSR endpoint as
	// `https://example.com/ca/api/v2/signingCert`.
	//
	// Clients MUST select only one Service with the highest API version
	// that the client is compatible with, that is within its
	// validity period, and has the newest validity start date.
	// Client SHOULD select the first Service that meets this requirement.
	// All listed Services SHOULD be sorted by the `valid_for` window in
	// descending order, with the newest instance first.
	CaUrls []*Service `protobuf:"bytes,6,rep,name=ca_urls,json=caUrls,proto3" json:"ca_urls,omitempty"`
	// URLs to OpenID Connect identity providers.
	//
	// These URLs MUST be the "base" URLs for the OIDC IdPs, which clients
	// should perform well-known OpenID Connect discovery against.
	//
	// Clients MUST select only one Service with the highest API version
	// that the client is compatible with, that is within its
	// validity period, and has the newest validity start date.
	// Client SHOULD select the first Service that meets this requirement.
	// All listed Services SHOULD be sorted by the `valid_for` window in
	// descending order, with the newest instance first.
	OidcUrls []*Service `protobuf:"bytes,7,rep,name=oidc_urls,json=oidcUrls,proto3" json:"oidc_urls,omitempty"`
	// URLs to Rekor transparency logs.
	//
	// These URL MUST be the "base" URLs for the transparency logs,
	// which clients should construct appropriate API endpoints on top of.
	//
	// Clients MUST group Services by `operator` and select at most one
	// Service from each operator. Clients MUST select Services with the
	// highest API version that the client is compatible with, that are
	// within its validity period, and have the newest validity start dates.
	// All listed Services SHOULD be sorted by the `valid_for` window in
	// descending order, with the newest instance first.
	//
	// Clients MUST select Services based on the selector value of
	// `rekor_tlog_config`.
	RekorTlogUrls []*Service `protobuf:"bytes,8,rep,name=rekor_tlog_urls,json=rekorTlogUrls,proto3" json:"rekor_tlog_urls,omitempty"`
	// Specifies how a client should select the set of Rekor transparency
	// logs to write to.
	RekorTlogConfig *ServiceConfiguration `protobuf:"bytes,9,opt,name=rekor_tlog_config,json=rekorTlogConfig,proto3" json:"rekor_tlog_config,omitempty"`
	// URLs to RFC 3161 Time Stamping Authorities (TSA).
	//
	// These URLs MUST be the *full* URL for the TSA, meaning that it
	// should be suitable for submitting Time Stamp Requests (TSRs) to
	// via HTTP, per RFC 3161.
	//
	// Clients MUST group Services by `operator` and select at most one
	// Service from each operator. Clients MUST select Services with the
	// highest API version that the client is compatible with, that are
	// within its validity period, and have the newest validity start dates.
	// All listed Services SHOULD be sorted by the `valid_for` window in
	// descending order, with the newest instance first.
	//
	// Clients MUST select Services based on the selector value of
	// `tsa_config`.
	TsaUrls []*Service `protobuf:"bytes,10,rep,name=tsa_urls,json=tsaUrls,proto3" json:"tsa_urls,omitempty"`
	// Specifies how a client should select the set of TSAs to request
	// signed timestamps from.
	TsaConfig *ServiceConfiguration `protobuf:"bytes,11,opt,name=tsa_config,json=tsaConfig,proto3" json:"tsa_config,omitempty"`
	// contains filtered or unexported fields
}

type TransparencyLogInstance struct {

	// The base URL at which can be used to URLs for the client.
	// SHOULD match the origin on the log checkpoint:
	// https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md#note-text.
	BaseUrl string `protobuf:"bytes,1,opt,name=base_url,json=baseUrl,proto3" json:"base_url,omitempty"`
	// The hash algorithm used for the Merkle Tree.
	HashAlgorithm v1.HashAlgorithm `protobuf:"varint,2,opt,name=hash_algorithm,json=hashAlgorithm,proto3,enum=dev.sigstore.common.v1.HashAlgorithm" json:"hash_algorithm,omitempty"`
	// The public key used to verify signatures generated by the log.
	// This attribute contains the signature algorithm used by the log.
	PublicKey *v1.PublicKey `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	// The unique identifier for this transparency log.
	// Represented as the SHA-256 hash of the log's public key,
	// calculated over the DER encoding of the key represented as
	// SubjectPublicKeyInfo.
	// See https://www.rfc-editor.org/rfc/rfc6962#section-3.2
	// MUST set checkpoint_key_id if multiple logs use the same
	// signing key.
	// Deprecated: Use checkpoint_key_id instead, since log_id is not
	// guaranteed to be unique across multiple deployments. Clients
	// must use the key name and key ID from a checkpoint to determine
	// the correct TransparencyLogInstance to verify a proof.
	//
	// Deprecated: Marked as deprecated in sigstore_trustroot.proto.
	LogId *v1.LogId `protobuf:"bytes,4,opt,name=log_id,json=logId,proto3" json:"log_id,omitempty"`
	// The unique identifier for the log, used in the checkpoint.
	// Its calculation is described in
	// https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures
	// SHOULD be set for all logs. When not set, clients MUST use log_id.
	//
	// For Ed25519 signatures, the key ID is computed per the C2SP spec:
	// key ID = SHA-256(key name || 0x0A || 0x01 || 32-byte Ed25519 public key)[:4]
	// For ECDSA signatures, the key ID is computed per the C2SP spec:
	// key ID = SHA-256(PKIX ASN.1 DER-encoded public key, in SubjectPublicKeyInfo format)[:4]
	// For RSA signatures, the signature type will be 0xff with an appended identifier for the format,
	// "PKIX-RSA-PKCS#1v1.5":
	// key ID = SHA-256(key name || 0x0A || 0xff || PKIX-RSA-PKCS#1v1.5 || PKIX ASN.1 DER-encoded public key)[:4]
	//
	// This is provided for convenience. Clients can also calculate the
	// checkpoint key ID given the log's public key.
	// SHOULD be 4 bytes long, as a truncated hash.
	//
	// To find a matching TransparencyLogInstance in the TrustedRoot,
	// clients will parse the checkpoint, and for each signature line,
	// use the key name (i.e. log origin, base_url from TrustedRoot)
	// and checkpoint key ID (i.e. checkpoint_key_id from TrustedRoot)
	// which can then be compared against the TrustedRoot log instances.
	CheckpointKeyId *v1.LogId `protobuf:"bytes,5,opt,name=checkpoint_key_id,json=checkpointKeyId,proto3" json:"checkpoint_key_id,omitempty"`
	// The name of the operator of this log deployment. Operator MUST be
	// formatted as a scheme-less URI, e.g. sigstore.dev
	// This MUST be used when there are multiple transparency log instances
	// to determine if log proof verification meets a specified threshold,
	// e.g. two proofs from log deployments operated by the same operator
	// should count as only one valid proof.
	Operator string `protobuf:"bytes,6,opt,name=operator,proto3" json:"operator,omitempty"`
	// contains filtered or unexported fields
}

type TrustedRoot struct {

	// MUST be application/vnd.dev.sigstore.trustedroot.v0.1+json
	// when encoded as JSON.
	// Clients MUST be able to process and parse content with the media
	// type defined in the old format:
	// application/vnd.dev.sigstore.trustedroot+json;version=0.1
	MediaType string `protobuf:"bytes,1,opt,name=media_type,json=mediaType,proto3" json:"media_type,omitempty"`
	// A set of trusted Rekor servers.
	Tlogs []*TransparencyLogInstance `protobuf:"bytes,2,rep,name=tlogs,proto3" json:"tlogs,omitempty"`
	// A set of trusted certificate authorities (e.g Fulcio), and any
	// intermediate certificates they provide.
	// If a CA is issuing multiple intermediate certificate, each
	// combination shall be represented as separate chain. I.e, a single
	// root cert may appear in multiple chains but with different
	// intermediate and/or leaf certificates.
	// The certificates are intended to be used for verifying artifact
	// signatures.
	CertificateAuthorities []*CertificateAuthority `protobuf:"bytes,3,rep,name=certificate_authorities,json=certificateAuthorities,proto3" json:"certificate_authorities,omitempty"`
	// A set of trusted certificate transparency logs.
	Ctlogs []*TransparencyLogInstance `protobuf:"bytes,4,rep,name=ctlogs,proto3" json:"ctlogs,omitempty"`
	// A set of trusted timestamping authorities.
	TimestampAuthorities []*CertificateAuthority `protobuf:"bytes,5,rep,name=timestamp_authorities,json=timestampAuthorities,proto3" json:"timestamp_authorities,omitempty"`
	// contains filtered or unexported fields
}