git.stella-ops.org/src/__Libraries/StellaOps.Provcache/Export/BundleSignature.cs

using System;
using System.Collections.Generic;
using System.Text.Json.Serialization;

namespace StellaOps.Provcache;

/// <summary>
/// DSSE signature envelope for bundle integrity.
/// </summary>
public sealed record BundleSignature
{
    /// <summary>
    /// Signature algorithm (e.g., "ES256", "RS256", "Ed25519").
    /// </summary>
    [JsonPropertyName("algorithm")]
    public required string Algorithm { get; init; }

    /// <summary>
    /// Key identifier used for signing.
    /// </summary>
    [JsonPropertyName("keyId")]
    public required string KeyId { get; init; }

    /// <summary>
    /// Base64-encoded signature bytes.
    /// </summary>
    [JsonPropertyName("signature")]
    public required string SignatureBytes { get; init; }

    /// <summary>
    /// UTC timestamp when bundle was signed.
    /// </summary>
    [JsonPropertyName("signedAt")]
    public required DateTimeOffset SignedAt { get; init; }

    /// <summary>
    /// Optional certificate chain for verification.
    /// </summary>
    [JsonPropertyName("certificateChain")]
    public IReadOnlyList<string>? CertificateChain { get; init; }
}