Converter for newer bundle versions

[haydentherapper]

We've got a lot of bundle versions floating out there. Well, really just two. But soon, there will be three!

What do y'all thinking about a CLI to "upgrade" a bundle to the latest version? The converter would need to understand the breaking changes between each version to resolve them (and prompt users when the change could not be automatically resolved, but I don't think we have this need currently). Roughly, this would include:

• For v1->v2, automatically fetching an inclusion proof if one is not present.
• Also for v1->v2, checking all newly required Rekor messages and fields are populated
• For v2->v3, removing the certificate chain and placing the leaf certificate in the new certificate field, which could be done automatically if the cert was issued by the public Fulcio

This converter could also be used by package repositories that are persisting Sigstore bundles to keep bundles "fresh". We'll need a converter per-language then. Initially I was planning to throw one together just as a CLI.

Thoughts @woodruffw @bdehamer @loosebazooka @steiza?

[kommendorkapten]

At least providing clear documentation on how to upgrade would be a good start.

If this where built in a cli, where would such a cli live?

[loosebazooka]

Pretty sure we would not be able to edit maven central bundles.

I think the java client would just have to contain parsing logic for all supported bundle types. v2 -> vX

[woodruffw]

I like the idea of a CLI to start! Fully agreed with the rationale 🙂

[steiza]

Generally makes sense to me.

We'll need a converter per-language then.

Maybe - I think it depends on if we're upgrading bundles on-the-fly or at rest. If we're doing one-off bundle format migration for data at rest, I don't know that we'd need a per-language tool to do so.

[haydentherapper]

If this where built in a cli, where would such a cli live?

Either in this repo, or in the repo that matches the language this was built in (so probably sigstore-go?)

Pretty sure we would not be able to edit maven central bundles.

Yea, this isn't a requirement for package registries, just an option if they want to keep up with the latest bundle format. Just curious, is there a specific reason why in this case? Just lacking support?

Maybe - I think it depends on if we're upgrading bundles on-the-fly or at rest

Agreed, up to the registries if they want on the fly upgrades.

Thanks all!

[codysoyland]

I wrote this: https://github.com/codysoyland/sigstore-bundle-upgrade

I can make this a PR to sigstore-go if that makes sense.