Use signingconfig from "--trust-config"

[jku]

Currently I believe we don't use all of the information in the signingconfig part of --trust-config (or the signingconfig from TUF). It would be useful for #1340 if we did as we can then try to provide a "sigstore-in-a-box" test setup that comes with a trustedroot and signingconfig.

Basically, if we have signingconfig we should select the used services from there when signing

• interactive oidc url: this needs work
• fulcio url (EDIT: this is already covered when using --trust-config)
• rekor urls (EDIT: this is already covered when using --trust-config)

In addition:

• --production and --staging should actually use the signing config from TUF

To fix these issues:

• _internal.trust has to contain a SigningConfig implementation and should use a method provided by _internal.tuf to fetch it (special casing is currently needed for production since there is no signingconfig yet). I have an almost ready branch for this.
• deps: bump protobuf-specs #1276 is sort of a blocker: signingconfig has had changes and it would probably make sense to only support the current version

[woodruffw]

Currently I believe we don't use much of the information in the signingconfig part of --trust-config (or the signingconfig from TUF).

Hmm, I might be wrong, but I think we do use the signing config if the user explicitly passes it. For example, the signing flow:

sigstore-python/sigstore/_cli.py

Line 651 in 69b3740

signing_ctx = SigningContext._from_trust_config(trust_config)

and then in _from_trust_config, we load the Fulcio and Rekor states from the signing config's URLs:

sigstore-python/sigstore/sign.py

Lines 349 to 363 in 69b3740

	def _from_trust_config(cls, trust_config: ClientTrustConfig) -> SigningContext:
	"""
	Create a `SigningContext` from the given `ClientTrustConfig`.
	@api private
	"""
	return cls(
	fulcio=FulcioClient(trust_config._inner.signing_config.ca_url),
	rekor=RekorClient(trust_config._inner.signing_config.tlog_urls[0]),
	trusted_root=trust_config.trusted_root,
	tsa_clients=[
	TimestampAuthorityClient(tsa_url)
	for tsa_url in trust_config._inner.signing_config.tsa_urls
	],
	)

(and a similar thing happens in the verify flow.)

OTOH, you're right that we don't use the signing config from staging/prod TUF by default; we should probably do that rather than hard-baking those URLs/states 🙂

[jku]

Yeah you are right, the missing bits seem to be:

• OIDC URL from signingconfig
• using signingconfig with TUF (production doesn't have a signingconfig yet though)

I think the first point I will need to fix...

[jku]

OIDC URL from signingconfig

maybe this is not as critical as I thought: every client including sigstore-python supports something like --identity-token so we could use that when running with a "testing sigstore instance"... I'd like to be able to test clients with the full sigstore process including oidc but --identity-token seems usable for now