bump embedded signing configs

Author: woodruffw

sigstore/_internal/trust.py

@@ -616,13 +616,7 @@ def from_tuf(
             sc_path = updater.get_signing_config_path()
             inner_sc = trustroot_v1.SigningConfig.from_json(Path(sc_path).read_bytes())
         except TUFError as e:
-            # TUF repo may not have signing config yet: hard code values for prod:
-            # https://github.com/sigstore/sigstore-python/issues/1388
-            if url == DEFAULT_TUF_URL:
-                embedded = read_embedded("signing_config.v0.2.json", url)
-                inner_sc = trustroot_v1.SigningConfig.from_json(embedded)
-            else:
-                raise e
+            raise e
 
         return cls(
             trustroot_v1.ClientTrustConfig(

sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/signing_config.v0.2.json

@@ -6,7 +6,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2022-04-14T21:38:40Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "oidcUrls": [
@@ -15,7 +16,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2025-04-16T00:00:00Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "rekorTlogUrls": [
@@ -24,7 +26,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2021-01-12T11:53:27Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "tsaUrls": [
@@ -33,7 +36,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2025-04-09T00:00:00Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "rekorTlogConfig": {
@@ -42,4 +46,4 @@
   "tsaConfig": {
     "selector": "ANY"
   }
-}
+}

sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/signing_config.v0.2.json

@@ -1,22 +1,23 @@
 {
-  "comment": "Place holder for use until prod actually has a signing config: see ClientTrustConfig.from_tuf()",
   "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
   "caUrls": [
     {
       "url": "https://fulcio.sigstore.dev",
       "majorApiVersion": 1,
       "validFor": {
         "start": "2022-04-13T20:06:15.000Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "oidcUrls": [
     {
       "url": "https://oauth2.sigstore.dev/auth",
       "majorApiVersion": 1,
       "validFor": {
-        "start": "2025-04-30T00:00:00Z"
-      }
+        "start": "2022-04-13T20:06:15.000Z"
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "rekorTlogUrls": [
@@ -25,15 +26,24 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2021-01-12T11:53:27.000Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "tsaUrls": [
+    {
+      "url": "https://timestamp.sigstore.dev/api/v1/timestamp",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2025-07-04T00:00:00Z"
+      },
+      "operator": "sigstore.dev"
+    }
   ],
   "rekorTlogConfig": {
     "selector": "ANY"
   },
   "tsaConfig": {
-    "selector": "ALL"
+    "selector": "ANY"
   }
-}
+}

test/unit/conftest.py

@@ -252,7 +252,7 @@ def signer():
         trust_config = ClientTrustConfig.staging()
         trust_config.signing_config._tlogs.append(
             Service(
-                url="https://log2025-alpha1.rekor.sigstage.dev", major_api_version=2
+                url="https://log2025-alpha1.rekor.sigstage.dev", major_api_version=2, operator="sigstage.dev"
             )
         )
         return SigningContext.from_trust_config(trust_config)