trust: Start returning RekorV2Client from signingconfig

If signingconfig contains rekor v2, let's start preferring it

Make sure we test the status quo (no rekor v2 in signing config)
and the case where there is a rekor v2 in signing config.

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: jku

sigstore/_internal/trust.py

@@ -60,7 +60,9 @@
 )
 
 from sigstore._internal.fulcio.client import FulcioClient
+from sigstore._internal.rekor import RekorLogSubmitter
 from sigstore._internal.rekor.client import RekorClient
+from sigstore._internal.rekor.client_v2 import RekorV2Client
 from sigstore._internal.timestamp import TimestampAuthorityClient
 from sigstore._internal.tuf import DEFAULT_TUF_URL, STAGING_TUF_URL, TrustUpdater
 from sigstore._utils import (
@@ -73,7 +75,7 @@
 from sigstore.errors import Error, MetadataError, TUFError, VerificationError
 
 # Versions supported by this client
-REKOR_VERSIONS = [1]
+REKOR_VERSIONS = [1, 2]
 TSA_VERSIONS = [1]
 FULCIO_VERSIONS = [1]
 OIDC_VERSIONS = [1]
@@ -420,11 +422,19 @@ def _get_valid_services(
 
         return result[:count]
 
-    def get_tlogs(self) -> list[RekorClient]:
+    def get_tlogs(self) -> list[RekorLogSubmitter]:
         """
         Returns the rekor transparency log clients to sign with.
         """
-        return [RekorClient(tlog.url) for tlog in self._tlogs]
+        result: list[RekorLogSubmitter] = []
+        for tlog in self._tlogs:
+            if tlog.major_api_version == 1:
+                result.append(RekorClient(tlog.url))
+            elif tlog.major_api_version == 2:
+                result.append(RekorV2Client(tlog.url))
+            else:
+                raise AssertionError(f"Unexpected Rekor v{tlog.major_api_version}")
+        return result
 
     def get_fulcio(self) -> FulcioClient:
         """

test/assets/signing_config/signingconfig-only-v1-rekor.v2.json

@@ -0,0 +1,53 @@
+{
+  "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
+  "caUrls": [
+    {
+      "url": "https://fulcio.example.com",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2023-04-14T21:38:40Z"
+      }
+    },
+    {
+      "url": "https://fulcio-old.example.com",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2022-04-14T21:38:40Z",
+        "end": "2023-04-14T21:38:40Z"
+      }
+    }
+  ],
+  "oidcUrls": [
+    {
+      "url": "https://oauth2.example.com/auth",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2025-04-16T00:00:00Z"
+      }
+    }
+  ],
+  "rekorTlogUrls": [
+    {
+      "url": "https://rekor.example.com",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2021-01-12T11:53:27Z"
+      }
+    }
+  ],
+  "tsaUrls": [
+    {
+      "url": "https://timestamp.example.com/api/v1/timestamp",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2025-04-09T00:00:00Z"
+      }
+    }
+  ],
+  "rekorTlogConfig": {
+    "selector": "ANY"
+  },
+  "tsaConfig": {
+    "selector": "ANY"
+  }
+}

test/unit/internal/test_trust.py

@@ -28,6 +28,7 @@
 
 from sigstore._internal.fulcio.client import FulcioClient
 from sigstore._internal.rekor.client import RekorClient
+from sigstore._internal.rekor.client_v2 import RekorV2Client
 from sigstore._internal.timestamp import TimestampAuthorityClient
 from sigstore._internal.trust import (
     CertificateAuthority,
@@ -83,16 +84,27 @@ def test_good(self, asset):
         assert fulcio.url == "https://fulcio.example.com"
         assert signing_config.get_oidc_url() == "https://oauth2.example.com/auth"
 
+        # signing config contains v1 and v2, we pick v2
         tlogs = signing_config.get_tlogs()
         assert len(tlogs) == 1
-        assert isinstance(tlogs[0], RekorClient)
-        assert tlogs[0].url == "https://rekor.example.com/api/v1"
+        assert isinstance(tlogs[0], RekorV2Client)
+        assert tlogs[0].url == "https://rekor-v2.example.com/api/v2"
 
         tsas = signing_config.get_tsas()
         assert len(tsas) == 1
         assert isinstance(tsas[0], TimestampAuthorityClient)
         assert tsas[0].url == "https://timestamp.example.com/api/v1/timestamp"
 
+    def test_good_only_v1_rekor(self, asset):
+        """Test case where a rekor 2 instance is not available"""
+        path = asset("signing_config/signingconfig-only-v1-rekor.v2.json")
+        signing_config = SigningConfig.from_file(path)
+
+        tlogs = signing_config.get_tlogs()
+        assert len(tlogs) == 1
+        assert isinstance(tlogs[0], RekorClient)
+        assert tlogs[0].url == "https://rekor.example.com/api/v1"
+
     @pytest.mark.parametrize(
         "services, versions, config, expected_result",
         [