Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 58. SignatureIntegrationService

58.1. ListSignatureIntegrations
Copy link

GET /v1/signatureintegrations

58.1.1. Description
Copy link

58.1.2. Parameters
Copy link

58.1.3. Return Type
Copy link

V1ListSignatureIntegrationsResponse

58.1.4. Content Type
Copy link

  • application/json

58.1.5. Responses
Copy link

Expand
Table 58.1. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

V1ListSignatureIntegrationsResponse

0

An unexpected error response.

RuntimeError

58.1.6. Samples
Copy link

58.1.7. Common object reference
Copy link

58.1.7.1. CosignPublicKeyVerificationPublicKey
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

name

  

String

  

publicKeyPemEnc

  

String

  

58.1.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

58.1.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

58.1.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

58.1.7.4. StorageCosignCertificateVerification
Copy link

Holds all verification data for verifying certificates attached to cosign signatures. If only the certificate is given, the Fulcio trusted root chain will be assumed and verified against. If only the chain is given, this will be used over the Fulcio trusted root chain for verification. If no certificate or chain is given, the Fulcio trusted root chain will be assumed and verified against.

Expand
Field NameRequiredNullableTypeDescriptionFormat

certificatePemEnc

  

String

PEM encoded certificate to use for verification.

 

certificateChainPemEnc

  

String

PEM encoded certificate chain to use for verification.

 

certificateOidcIssuer

  

String

Certificate OIDC issuer to verify against. This supports regular expressions following the RE2 syntax: https://github.com/google/re2/wiki/Syntax. In case the certificate does not specify an OIDC issuer, you may use '.*' as the OIDC issuer. However, it is recommended to use Fulcio compatible certificates according to the specification: https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md.

 

certificateIdentity

  

String

Certificate identity to verify against. This supports regular expressions following the RE2 syntax: https://github.com/google/re2/wiki/Syntax. In case the certificate does not specify an identity, you may use '.*' as the identity. However, it is recommended to use Fulcio compatible certificates according to the specification: https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md.

 

58.1.7.5. StorageCosignPublicKeyVerification
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

publicKeys

  

List of CosignPublicKeyVerificationPublicKey

  

58.1.7.6. StorageSignatureIntegration
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

cosign

  

StorageCosignPublicKeyVerification

  

cosignCertificates

  

List of StorageCosignCertificateVerification

  

58.1.7.7. V1ListSignatureIntegrationsResponse
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

integrations

  

List of StorageSignatureIntegration

  

58.2. DeleteSignatureIntegration
Copy link

DELETE /v1/signatureintegrations/{id}

58.2.1. Description
Copy link

58.2.2. Parameters
Copy link

58.2.2.1. Path Parameters
Copy link

Expand
NameDescriptionRequiredDefaultPattern

id

 

X

null

 

58.2.3. Return Type
Copy link

Object

58.2.4. Content Type
Copy link

  • application/json

58.2.5. Responses
Copy link

Expand
Table 58.2. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

Object

0

An unexpected error response.

RuntimeError

58.2.6. Samples
Copy link

58.2.7. Common object reference
Copy link

58.2.7.1. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

58.2.7.1.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

58.2.7.2. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

58.3. GetSignatureIntegration
Copy link

GET /v1/signatureintegrations/{id}

58.3.1. Description
Copy link

58.3.2. Parameters
Copy link

58.3.2.1. Path Parameters
Copy link

Expand
NameDescriptionRequiredDefaultPattern

id

 

X

null

 

58.3.3. Return Type
Copy link

StorageSignatureIntegration

58.3.4. Content Type
Copy link

  • application/json

58.3.5. Responses
Copy link

Expand
Table 58.3. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

StorageSignatureIntegration

0

An unexpected error response.

RuntimeError

58.3.6. Samples
Copy link

58.3.7. Common object reference
Copy link

58.3.7.1. CosignPublicKeyVerificationPublicKey
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

name

  

String

  

publicKeyPemEnc

  

String

  

58.3.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

58.3.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

58.3.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

58.3.7.4. StorageCosignCertificateVerification
Copy link

Holds all verification data for verifying certificates attached to cosign signatures. If only the certificate is given, the Fulcio trusted root chain will be assumed and verified against. If only the chain is given, this will be used over the Fulcio trusted root chain for verification. If no certificate or chain is given, the Fulcio trusted root chain will be assumed and verified against.

Expand
Field NameRequiredNullableTypeDescriptionFormat

certificatePemEnc

  

String

PEM encoded certificate to use for verification.

 

certificateChainPemEnc

  

String

PEM encoded certificate chain to use for verification.

 

certificateOidcIssuer

  

String

Certificate OIDC issuer to verify against. This supports regular expressions following the RE2 syntax: https://github.com/google/re2/wiki/Syntax. In case the certificate does not specify an OIDC issuer, you may use '.*' as the OIDC issuer. However, it is recommended to use Fulcio compatible certificates according to the specification: https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md.

 

certificateIdentity

  

String

Certificate identity to verify against. This supports regular expressions following the RE2 syntax: https://github.com/google/re2/wiki/Syntax. In case the certificate does not specify an identity, you may use '.*' as the identity. However, it is recommended to use Fulcio compatible certificates according to the specification: https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md.

 

58.3.7.5. StorageCosignPublicKeyVerification
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

publicKeys

  

List of CosignPublicKeyVerificationPublicKey

  

58.3.7.6. StorageSignatureIntegration
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

cosign

  

StorageCosignPublicKeyVerification

  

cosignCertificates

  

List of StorageCosignCertificateVerification

  

58.4. PutSignatureIntegration
Copy link

PUT /v1/signatureintegrations/{id}

58.4.1. Description
Copy link

58.4.2. Parameters
Copy link

58.4.2.1. Path Parameters
Copy link

Expand
NameDescriptionRequiredDefaultPattern

id

 

X

null

 

58.4.2.2. Body Parameter
Copy link

Expand
NameDescriptionRequiredDefaultPattern

body

StorageSignatureIntegration

X

  

58.4.3. Return Type
Copy link

Object

58.4.4. Content Type
Copy link

  • application/json

58.4.5. Responses
Copy link

Expand
Table 58.4. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

Object

0

An unexpected error response.

RuntimeError

58.4.6. Samples
Copy link

58.4.7. Common object reference
Copy link

58.4.7.1. CosignPublicKeyVerificationPublicKey
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

name

  

String

  

publicKeyPemEnc

  

String

  

58.4.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

58.4.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

58.4.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

58.4.7.4. StorageCosignCertificateVerification
Copy link

Holds all verification data for verifying certificates attached to cosign signatures. If only the certificate is given, the Fulcio trusted root chain will be assumed and verified against. If only the chain is given, this will be used over the Fulcio trusted root chain for verification. If no certificate or chain is given, the Fulcio trusted root chain will be assumed and verified against.

Expand
Field NameRequiredNullableTypeDescriptionFormat

certificatePemEnc

  

String

PEM encoded certificate to use for verification.

 

certificateChainPemEnc

  

String

PEM encoded certificate chain to use for verification.

 

certificateOidcIssuer

  

String

Certificate OIDC issuer to verify against. This supports regular expressions following the RE2 syntax: https://github.com/google/re2/wiki/Syntax. In case the certificate does not specify an OIDC issuer, you may use '.*' as the OIDC issuer. However, it is recommended to use Fulcio compatible certificates according to the specification: https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md.

 

certificateIdentity

  

String

Certificate identity to verify against. This supports regular expressions following the RE2 syntax: https://github.com/google/re2/wiki/Syntax. In case the certificate does not specify an identity, you may use '.*' as the identity. However, it is recommended to use Fulcio compatible certificates according to the specification: https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md.

 

58.4.7.5. StorageCosignPublicKeyVerification
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

publicKeys

  

List of CosignPublicKeyVerificationPublicKey

  

58.4.7.6. StorageSignatureIntegration
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

cosign

  

StorageCosignPublicKeyVerification

  

cosignCertificates

  

List of StorageCosignCertificateVerification

  

58.5. PostSignatureIntegration
Copy link

POST /v1/signatureintegrations

Integration id should not be set. Returns signature integration with id filled.

58.5.1. Description
Copy link

58.5.2. Parameters
Copy link

58.5.2.1. Body Parameter
Copy link

Expand
NameDescriptionRequiredDefaultPattern

body

StorageSignatureIntegration

X

  

58.5.3. Return Type
Copy link

StorageSignatureIntegration

58.5.4. Content Type
Copy link

  • application/json

58.5.5. Responses
Copy link

Expand
Table 58.5. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

StorageSignatureIntegration

0

An unexpected error response.

RuntimeError

58.5.6. Samples
Copy link

58.5.7. Common object reference
Copy link

58.5.7.1. CosignPublicKeyVerificationPublicKey
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

name

  

String

  

publicKeyPemEnc

  

String

  

58.5.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

58.5.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

58.5.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

58.5.7.4. StorageCosignCertificateVerification
Copy link

Holds all verification data for verifying certificates attached to cosign signatures. If only the certificate is given, the Fulcio trusted root chain will be assumed and verified against. If only the chain is given, this will be used over the Fulcio trusted root chain for verification. If no certificate or chain is given, the Fulcio trusted root chain will be assumed and verified against.

Expand
Field NameRequiredNullableTypeDescriptionFormat

certificatePemEnc

  

String

PEM encoded certificate to use for verification.

 

certificateChainPemEnc

  

String

PEM encoded certificate chain to use for verification.

 

certificateOidcIssuer

  

String

Certificate OIDC issuer to verify against. This supports regular expressions following the RE2 syntax: https://github.com/google/re2/wiki/Syntax. In case the certificate does not specify an OIDC issuer, you may use '.*' as the OIDC issuer. However, it is recommended to use Fulcio compatible certificates according to the specification: https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md.

 

certificateIdentity

  

String

Certificate identity to verify against. This supports regular expressions following the RE2 syntax: https://github.com/google/re2/wiki/Syntax. In case the certificate does not specify an identity, you may use '.*' as the identity. However, it is recommended to use Fulcio compatible certificates according to the specification: https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md.

 

58.5.7.5. StorageCosignPublicKeyVerification
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

publicKeys

  

List of CosignPublicKeyVerificationPublicKey

  

58.5.7.6. StorageSignatureIntegration
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

cosign

  

StorageCosignPublicKeyVerification

  

cosignCertificates

  

List of StorageCosignCertificateVerification

  
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Legal Notice

Theme

© 2026 Red HatBack to top