Merge pull request #491 from sigstore/add-tuf-root-for-staging

Use tuf cdn, add staging

Author: loosebazooka

sigstore-java/src/main/java/dev/sigstore/tuf/SigstoreTufClient.java

@@ -72,7 +72,7 @@ public Builder usePublicGoodInstance() {
       }
       try {
         tufMirror(
-            new URL("https://storage.googleapis.com/sigstore-tuf-root/"),
+            new URL("https://tuf-repo-cdn.sigstore.dev"),
             Path.of(
                 Resources.getResource("dev/sigstore/tuf/sigstore-tuf-root/root.json").getPath()));
       } catch (MalformedURLException e) {
@@ -81,6 +81,27 @@ public Builder usePublicGoodInstance() {
       return this;
     }
 
+    public Builder useStagingInstance() {
+      if (remoteMirror != null || trustedRoot != null) {
+        throw new IllegalStateException(
+            "Using staging after configuring remoteMirror and trustedRoot");
+      }
+      try {
+        tufMirror(
+            new URL("https://tuf-repo-cdn.sigstage.dev"),
+            Path.of(
+                Resources.getResource("dev/sigstore/tuf/tuf-root-staging/root.json").getPath()));
+      } catch (MalformedURLException e) {
+        throw new AssertionError(e);
+      }
+      tufCacheLocation =
+          Path.of(System.getProperty("user.home"))
+              .resolve(".sigstore-java")
+              .resolve("staging")
+              .resolve("root");
+      return this;
+    }
+
     public Builder tufMirror(URL mirror, Path trustedRoot) {
       this.remoteMirror = mirror;
       this.trustedRoot = trustedRoot;

sigstore-java/src/main/resources/dev/sigstore/tuf/tuf-root-staging/1.root.json

@@ -1,87 +1,65 @@
 {
-  "signatures": [
-    {
-      "keyid": "baf73fa38311c699f6b2583a6493afb3e3974b333ed61c4a370d0787e2012093",
-      "sig": "2f8194ea672740abe0bd38464f35af43ec6de5c8ef8fa43c49525e2bf9ae4dcd243c8f95d1975ea2137e58b7c0e305280ac940fe617b8ac2e37290f4059e6f04"
-    }
-  ],
-  "signed": {
-    "_type": "root",
-    "consistent_snapshot": false,
-    "expires": "2032-04-28T20:21:11Z",
-    "keys": {
-      "26599e08a9fe425a8863c9a4bc2b87ba0d55a9540695eb49b8d267f5578f6bc0": {
-        "keyid_hash_algorithms": [
-          "sha256",
-          "sha512"
-        ],
-        "keytype": "ed25519",
-        "keyval": {
-          "public": "6625fa57e94e34a2f27a3c486eb88dc69da0162e425a5f16d1b5c9d4dad79aca"
-        },
-        "scheme": "ed25519"
-      },
-      "baf73fa38311c699f6b2583a6493afb3e3974b333ed61c4a370d0787e2012093": {
-        "keyid_hash_algorithms": [
-          "sha256",
-          "sha512"
-        ],
-        "keytype": "ed25519",
-        "keyval": {
-          "public": "f10da95f3c08b4906e366e1a9a1222659793bce03ce80a3c448fbedeb8974ef6"
-        },
-        "scheme": "ed25519"
-      },
-      "da02af6aec8ca4c93d4558b83b81ce7deb0ea4566879d017ccfb087a3a031321": {
-        "keyid_hash_algorithms": [
-          "sha256",
-          "sha512"
-        ],
-        "keytype": "ed25519",
-        "keyval": {
-          "public": "e66efde4c3db6bfdac5fc4e3f54260f2655afa2aa9167da5b135e4986aeadf5a"
-        },
-        "scheme": "ed25519"
-      },
-      "dbb3cc3a3752fd0a51066f840075262b1fd28d93c3098975e4773f669943507e": {
-        "keyid_hash_algorithms": [
-          "sha256",
-          "sha512"
-        ],
-        "keytype": "ed25519",
-        "keyval": {
-          "public": "2af53c16edb6db039cc209b56f8fdbbff9e77a23516823b0f560134803f3a072"
-        },
-        "scheme": "ed25519"
-      }
-    },
-    "roles": {
-      "root": {
-        "keyids": [
-          "baf73fa38311c699f6b2583a6493afb3e3974b333ed61c4a370d0787e2012093"
-        ],
-        "threshold": 1
-      },
-      "snapshot": {
-        "keyids": [
-          "da02af6aec8ca4c93d4558b83b81ce7deb0ea4566879d017ccfb087a3a031321"
-        ],
-        "threshold": 1
-      },
-      "targets": {
-        "keyids": [
-          "dbb3cc3a3752fd0a51066f840075262b1fd28d93c3098975e4773f669943507e"
-        ],
-        "threshold": 1
-      },
-      "timestamp": {
-        "keyids": [
-          "26599e08a9fe425a8863c9a4bc2b87ba0d55a9540695eb49b8d267f5578f6bc0"
-        ],
-        "threshold": 1
-      }
-    },
-    "spec_version": "1.0",
-    "version": 1
-  }
+	"signed": {
+		"_type": "root",
+		"spec_version": "1.0",
+		"version": 3,
+		"expires": "2029-02-17T23:05:14Z",
+		"keys": {
+			"314ae73abd3012fc73bfcc3783e31d03852716597642b891d6a33155c4baf600": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXMZ7rD8tWDE4lK/+naJN7INMxNC7\nbMMANDqTQE7WpzyzffWOg59hc/MwbvJtvuxhO9mEu3GD3Cn0HffFlmVRiA==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"c8e09a68b5821b75462ae0df52151c81deb7f1838246dc1da8c34cc91ec12bda": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEL3vL/VeaH6nBbo4rekyO4cc/QthS\n+nlyJXCXSnyIMAtLmVTa8Pf0qG6YIVaR0TmLkyk9YoSVsZakxuMTuaEwrg==\n-----END PUBLIC KEY-----\n"
+				}
+			}
+		},
+		"roles": {
+			"root": {
+				"keyids": [
+					"c8e09a68b5821b75462ae0df52151c81deb7f1838246dc1da8c34cc91ec12bda"
+				],
+				"threshold": 1
+			},
+			"snapshot": {
+				"keyids": [
+					"314ae73abd3012fc73bfcc3783e31d03852716597642b891d6a33155c4baf600"
+				],
+				"threshold": 1
+			},
+			"targets": {
+				"keyids": [
+					"c8e09a68b5821b75462ae0df52151c81deb7f1838246dc1da8c34cc91ec12bda"
+				],
+				"threshold": 1
+			},
+			"timestamp": {
+				"keyids": [
+					"314ae73abd3012fc73bfcc3783e31d03852716597642b891d6a33155c4baf600"
+				],
+				"threshold": 1
+			}
+		},
+		"consistent_snapshot": true
+	},
+	"signatures": [
+		{
+			"keyid": "c8e09a68b5821b75462ae0df52151c81deb7f1838246dc1da8c34cc91ec12bda",
+			"sig": "3045022061a67fc07a5dd88f0087f394d4d3ef15237115d2ee24261f2d35db07715da097022100a0efc621c0b0ba697ae75827e579dd90eef30f7bc5fdbef2c44338f791a67eeb"
+		}
+	]
 }