Fix scaffolding trust root (#1486)

jku · web-flow · commit 702db8b4fd9a · 2025-03-02T13:56:55.000-07:00
* workflows: Add a test that uses trusted_root.json

Scaffolding TUF setup includes a generated trusted_root.json
but it is never tested: Add a cosign invocation that does so.

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;

* repo: Use correct-er LogID calculation

logid used in trusted_root.json (which is an artifact in the TUF repository
that scaffolding generates) is a hash of **DER** key.

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;

---------

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;
diff --git a/.github/workflows/fulcio-rekor-kind.yaml b/.github/workflows/fulcio-rekor-kind.yaml
@@ -176,6 +176,22 @@ jobs:
         --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
         --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
 
+    - name: Sign a blob with signature bundle format
+      run: |
+        cosign sign-blob --yes --new-bundle-format=true --bundle=bundle.json --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL --identity-token $OIDC_TOKEN README.md
+
+    - name: Verify blob with signature bundle format using trusted_root.json
+      run: |
+        # the trusted_root.json is in the TUF target cache: Use --trusted-root while cosign does not
+        # use it by default
+        cosign verify-blob \
+            --certificate-identity-regexp="https://kubernetes.io/namespaces/default/serviceaccounts/default" \
+            --certificate-oidc-issuer-regexp="https://kubernetes.default.svc.cluster.local" \
+            --bundle=bundle.json  --new-bundle-format \
+            --rekor-url $REKOR_URL \
+            --trusted-root=$HOME/.sigstore/root/targets/trusted_root.json \
+            README.md
+
     # Test with cosign in 'airgapped mode'
     # Uncomment these once modified cosign goes in.
     #- name: Checkout modified cosign for testing.
diff --git a/pkg/repo/repo.go b/pkg/repo/repo.go
@@ -287,8 +287,8 @@ func constructTrustedRoot(targets []TargetWithMetadata) (*TargetWithMetadata, er
 }
 
 func pubkeyToTransparencyLogInstance(keyBytes []byte, tm time.Time) (*root.TransparencyLog, string, error) {
-	logID := sha256.Sum256(keyBytes)
 	der, _ := pem.Decode(keyBytes)
+	logID := sha256.Sum256(der.Bytes)
 	key, keyDetails, err := getKeyWithDetails(der.Bytes)
 	if err != nil {
 		return nil, "", err

Original file line number	Diff line number	Diff line change
`@@ -287,8 +287,8 @@ func constructTrustedRoot(targets []TargetWithMetadata) (*TargetWithMetadata, er`
`287`	`287`	`}`
`288`	`288`
`289`	`289`	`func pubkeyToTransparencyLogInstance(keyBytes []byte, tm time.Time) (*root.TransparencyLog, string, error) {`
`290`		`- logID := sha256.Sum256(keyBytes)`
`291`	`290`	`der, _ := pem.Decode(keyBytes)`
	`291`	`+ logID := sha256.Sum256(der.Bytes)`
`292`	`292`	`key, keyDetails, err := getKeyWithDetails(der.Bytes)`
`293`	`293`	`if err != nil {`
`294`	`294`	`return nil, "", err`