Merge pull request #1165 from sigstore/rekor_v2_prod_test

loosebazooka · web-flow · commit cdc01b9f1754 · 2026-01-23T09:51:00.000-05:00
Add test for rekor v2 in prod
diff --git a/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java b/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java
@@ -22,8 +22,12 @@
 import dev.sigstore.testkit.annotations.DisabledIfSkipStaging;
 import dev.sigstore.testkit.annotations.EnabledIfOidcExists;
 import dev.sigstore.testkit.annotations.OidcProviderType;
+import dev.sigstore.trustroot.ImmutableSigstoreSigningConfig;
+import dev.sigstore.trustroot.Service;
+import dev.sigstore.tuf.SigstoreTufClient;
 import java.io.IOException;
 import java.io.StringReader;
+import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -84,6 +88,38 @@ public void sign_production() throws Exception {
     }
   }
 
+  /**
+   * This test injects rekor v2 into the signing config since it's not quite pushed out to prod yet.
+   * Should be merged into "sign_production" above when ready.
+   */
+  @Test
+  @EnabledIfOidcExists(provider = OidcProviderType.ANY)
+  public void sign_production_rekorV2() throws Exception {
+    var prodTufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
+    prodTufClient.update();
+    var prodSigningConfig = prodTufClient.getSigstoreSigningConfig();
+    var signingConfig =
+        ImmutableSigstoreSigningConfig.builder()
+            .from(prodSigningConfig)
+            .addTLogs(Service.of(URI.create("https://log2025-1.rekor.sigstore.dev"), 2))
+            .build();
+    var signer =
+        KeylessSigner.builder()
+            .sigstorePublicDefaults()
+            .signingConfigProvider(() -> signingConfig)
+            .enableRekorV2(true)
+            .build();
+    var results = signer.sign(artifactDigests);
+
+    verifySigningResult(results, true);
+
+    var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
+    for (int i = 0; i < results.size(); i++) {
+      verifier.verify(artifactDigests.get(i), results.get(i), VerificationOptions.empty());
+      checkBundleSerialization(results.get(i));
+    }
+  }
+
   @ParameterizedTest
   @ValueSource(booleans = {true, false})
   @EnabledIfOidcExists(provider = OidcProviderType.ANY)
