
Add helper script to generate Sigstore trust configuration#33

Merged
SequeI merged 1 commit intomainfrom
trustConf
Jan 14, 2026

Conversation


@SequeI SequeI commented Jan 14, 2026

User description

This script creates a client trust configuration JSON file from a trusted root, which can be used with the --trust_config flag for private Sigstore instances (e.g., Red Hat Trusted Artifact Signer).

Usage: ./generate-trust-config.sh <trusted_root.json> <output.json> [urls...]

The script supports both CLI arguments and environment variables for configuring CA, OIDC, Rekor, and TSA URLs.

Summary

Checklist
  • All commits are signed-off, using DCO
  • All new code has docstrings and type annotations
  • All new code is covered by tests. Aim for at least 90% coverage. CI is configured to highlight lines not covered by tests.
  • Public facing changes are paired with documentation changes
  • Release note has been added to CHANGELOG.md if needed

PR Type

Enhancement


Description

  • Add bash script to generate Sigstore trust configuration JSON

  • Wraps trusted root with signing configuration for private instances

  • Supports CLI arguments and environment variables for URL configuration

  • Includes checkpoint key ID transformation for compatibility


Diagram Walkthrough

flowchart LR
  A["Trusted Root JSON"] -->|transform_checkpoint| B["Transform checkpointKeyId to logId"]
  B -->|jq merge| C["Signing Configuration"]
  C -->|combine| D["Client Trust Config JSON"]
  E["CLI/Env URLs"] -->|CA, OIDC, Rekor, TSA| C

File Walkthrough

Relevant files
Enhancement
generate-trust-config.sh
Bash script for Sigstore trust config generation                 

generate-trust-config.sh

  • New bash script that generates Sigstore client trust configuration
    JSON files
  • Accepts trusted root JSON input and outputs wrapped configuration with
    signing details
  • Supports URL configuration via CLI arguments or environment variables
    (CA_URL, OIDC_URL, TLOG_URL, TSA_URL)
  • Includes checkpoint key ID to log ID transformation for trusted root
    compatibility
  • Validates jq dependency and input file existence with error handling
+108/-0 


qodo-code-review bot commented Jan 14, 2026

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


🔴
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Missing validation handling: The script does not explicitly validate that the input trusted root is valid JSON, nor provide actionable, contextual errors for jq failures or output write failures beyond the raw command error.

Referred Code
# Transform checkpointKeyId to logId in the trusted root
# If 'checkpointKeyId' exists, rename it to 'logId'; otherwise leave as-is (1.3 trust root issue)
transform_checkpoint() {
    jq 'walk(if type == "object" and has("checkpointKeyId") then 
        .logId = .checkpointKeyId | del(.checkpointKeyId) 
    else . end)'
}

jq -n \
  --argjson trustedRoot "$(cat "$INPUT_FILE" | transform_checkpoint)" \
  --arg caUrl "$CA_URL" \
  --arg oidcUrl "$OIDC_URL" \
  --arg tlogUrl "$TLOG_URL" \
  --arg tsaUrl "$TSA_URL" \
  '{
    mediaType: "application/vnd.dev.sigstore.clienttrustconfig.v0.1+json",
    trustedRoot: $trustedRoot,
    signingConfig: {
      mediaType: "application/vnd.dev.sigstore.signingconfig.v0.2+json",
      caUrls: [{
        url: $caUrl,


 ... (clipped 26 lines)


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Unvalidated external inputs: The script accepts external inputs (URLs via CLI/env and JSON via file) without validating URL format/scheme or JSON structure before embedding them into the generated trust configuration.

Referred Code
INPUT_FILE="$1"
OUTPUT_FILE="$2"
CA_URL="${3:-${CA_URL:-fulcio}}"
OIDC_URL="${4:-${OIDC_URL:-oauth}}"
TLOG_URL="${5:-${TLOG_URL:-rekor}}"
TSA_URL_BASE="${6:-${TSA_URL:-https://timestamp.example.com}}"
TSA_URL="${TSA_URL_BASE%/}/api/v1/timestamp"

if [ ! -f "$INPUT_FILE" ]; then
    echo "Error: Input file '$INPUT_FILE' not found."
    exit 1
fi

# Transform checkpointKeyId to logId in the trusted root
# If 'checkpointKeyId' exists, rename it to 'logId'; otherwise leave as-is (1.3 trust root issue)
transform_checkpoint() {
    jq 'walk(if type == "object" and has("checkpointKeyId") then 
        .logId = .checkpointKeyId | del(.checkpointKeyId) 
    else . end)'
}



 ... (clipped 39 lines)


Compliance status legend:
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
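Added here for illustration (not code from the PR or the qodo bot): a Python equivalent of the script's wrapping step that also performs the JSON and URL-scheme validation the compliance findings above call out. The sample trusted root is constructed, `require_https` and `build_trust_config` are names chosen here, the list names `oidcUrls`/`rekorTlogUrls`/`tsaUrls` and `majorApiVersion` are taken from the Sigstore signing config schema rather than from this page, and unlike the script it rejects bare defaults such as `fulcio` because they are not https URLs.

```python
import json
from urllib.parse import urlparse

CLIENT_TRUST_CONFIG_MT = "application/vnd.dev.sigstore.clienttrustconfig.v0.1+json"
SIGNING_CONFIG_MT = "application/vnd.dev.sigstore.signingconfig.v0.2+json"

# Constructed sample input: a minimal trusted root whose tlog entry still carries
# the older 'checkpointKeyId' field that the script renames to 'logId'.
SAMPLE_TRUSTED_ROOT = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
    "tlogs": [{"baseUrl": "https://rekor.example.test",
               "checkpointKeyId": {"keyId": "c2FtcGxlLWtleS1pZA=="}}],
})

def rename_checkpoint_key_id(node):
    """Same effect as the script's jq walk(): rename checkpointKeyId -> logId at any depth."""
    if isinstance(node, dict):
        return {("logId" if k == "checkpointKeyId" else k): rename_checkpoint_key_id(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [rename_checkpoint_key_id(x) for x in node]
    return node

def require_https(name, url):
    """Reject anything that is not an absolute https:// URL with a host."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{name}: expected an https:// URL, got {url!r}")
    return url

def service(url, operator, start):
    # Layout follows the caUrls entry quoted in the suggestions; majorApiVersion is an assumption.
    return {"url": url, "majorApiVersion": 1, "validFor": {"start": start}, "operator": operator}

def build_trust_config(trusted_root_text, ca_url, oidc_url, tlog_url, tsa_base,
                       operator="example.com", start="2025-04-16T00:00:00Z"):
    """Validate the inputs, then wrap the trusted root with a signing configuration."""
    try:
        root = json.loads(trusted_root_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"trusted root is not valid JSON: {exc}") from None
    if not isinstance(root, dict) or "mediaType" not in root:
        raise ValueError("trusted root must be a JSON object carrying a mediaType")
    # As in the script: strip trailing slashes from the TSA base, then append the API path.
    tsa_url = tsa_base.rstrip("/") + "/api/v1/timestamp"
    sc = {"mediaType": SIGNING_CONFIG_MT}
    for key, name, url in (("caUrls", "ca", ca_url), ("oidcUrls", "oidc", oidc_url),
                           ("rekorTlogUrls", "tlog", tlog_url), ("tsaUrls", "tsa", tsa_url)):
        sc[key] = [service(require_https(name, url), operator, start)]
    return {"mediaType": CLIENT_TRUST_CONFIG_MT,
            "trustedRoot": rename_checkpoint_key_id(root), "signingConfig": sc}
```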


qodo-code-review bot commented Jan 14, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
High-level
Make the script configurable and language-consistent

The script should allow configuration of hardcoded values like operator and
validFor dates via arguments or environment variables. Consider rewriting the
script in Python to improve portability and remove the jq dependency.

Examples:

generate-trust-config.sh [82-83]
        validFor: { start: "2023-04-14T21:38:40Z" },
        operator: "example.com"
generate-trust-config.sh [88-89]
        validFor: { start: "2025-04-16T00:00:00Z" },
        operator: "example.com"

Solution Walkthrough:

Before:

#!/bin/bash
# ... (argument parsing for URLs)

jq -n \
  --arg caUrl "$CA_URL" \
  ...
  '{
    ...
    caUrls: [{
      url: $caUrl,
      ...
      validFor: { start: "2023-04-14T21:38:40Z" },
      operator: "example.com"
    }],
    ...
  }' > "$OUTPUT_FILE"

After:

#!/bin/bash
# ... (argument parsing for URLs, operator, and validFor dates)
OPERATOR="${7:-${OPERATOR:-example.com}}"
CA_VALID_FOR="${8:-${CA_VALID_FOR:-...}}"
# ...

jq -n \
  --arg caUrl "$CA_URL" \
  --arg operator "$OPERATOR" \
  --arg caValidFor "$CA_VALID_FOR" \
  ...
  '{
    ...
    caUrls: [{
      url: $caUrl,
      ...
      validFor: { start: $caValidFor },
      operator: $operator
    }],
    ...
  }' > "$OUTPUT_FILE"
Suggestion importance [1-10]: 9

Why: The suggestion correctly identifies that hardcoded operator and validFor values severely limit the script's utility for its stated purpose of configuring private Sigstore instances, making this a critical design flaw.

Impact: High
General
Add jq version check

Add a check to ensure the installed jq version is 1.5 or greater, as the script
relies on the walk filter introduced in that version.

generate-trust-config.sh [42-45]

 if ! command -v jq &> /dev/null; then
     echo "Error: 'jq' is required but not installed."
     exit 1
 fi
+# Verify jq version supports 'walk'
+jq_version=$(jq --version | sed 's/jq-//')
+if awk 'BEGIN {exit !(ENVIRON["jq_version"] < "1.5")}' jq_version="$jq_version"; then
+    echo "Error: jq ≥ 1.5 is required to use 'walk' filter." >&2
+    exit 1
+fi
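Review bot: the version check as written fails unconditionally, because the awk program never receives the version string: `ENVIRON["jq_version"]` only sees exported variables and `jq_version` is a plain shell variable, while the trailing `jq_version="$jq_version"` operand is an awk file-list assignment that is applied after `BEGIN` has run (and with a BEGIN-only program it is never applied at all). The comparison therefore reduces to `"" < "1.5"`, which is true, so every run prints the error and exits 1 even with a current jq. Pass the value in with `-v`, e.g. `awk -v v="$jq_version" 'BEGIN { exit !(v < "1.5") }'`, and since a string compare would misorder a future 1.10, a version-aware test such as `[ "$(printf '%s\n' 1.5 "$jq_version" | sort -V | head -n1)" = 1.5 ]` is more robust; the `≥` in the message should also be plain ASCII for portability.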

[Suggestion processed]

Suggestion importance [1-10]: 6

Why: This suggestion improves the script's reliability by adding a version check for jq, ensuring a critical dependency (walk filter) is available and preventing runtime errors.

Impact: Low
Validate the number of script arguments
Suggestion Impact: The script's argument count check was updated to also fail when more than six arguments are passed, and it now prints an explicit "Error: Too many arguments." message in that case.

code diff:

-if [ "$#" -lt 2 ]; then
+if [ "$#" -lt 2 ] || [ "$#" -gt 6 ]; then
     show_usage
+    if [ "$#" -gt 6 ]; then
+        echo ""
+        echo "Error: Too many arguments."
+    fi
     exit 1
 fi
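Review bot: the new error message goes to stdout and is printed after the usage text, so it is easy to miss and ends up in any captured output. Emit it to stderr before the usage block, e.g. `echo "Error: Too many arguments." >&2` ahead of `show_usage`, and consider a separate `elif` branch so `$# -gt 6` is not tested twice.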

Add a check to validate that the number of script arguments does not exceed the
maximum of six, and show an error if it does.

generate-trust-config.sh [36-39]

-if [ "$#" -lt 2 ]; then
+if [ "$#" -lt 2 ] || [ "$#" -gt 6 ]; then
     show_usage
+    if [ "$#" -gt 6 ]; then
+        echo ""
+        echo "Error: Too many arguments."
+    fi
     exit 1
 fi

[Suggestion processed]

Suggestion importance [1-10]: 5

Why: This suggestion improves the script's robustness by adding validation for the maximum number of command-line arguments, preventing silent failures.

Impact: Low
Remove unnecessary cat usage
Suggestion Impact: The pipeline using `cat` was replaced with input redirection when invoking `transform_checkpoint`, eliminating the unnecessary `cat` process.

code diff:

 jq -n \
-  --argjson trustedRoot "$(cat "$INPUT_FILE" | transform_checkpoint)" \
+  --argjson trustedRoot "$(transform_checkpoint < "$INPUT_FILE")" \
   --arg caUrl "$CA_URL" \
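Review bot: swapping `cat` for a redirection is fine, but the `$(...)` substitution feeding `--argjson` remains the fragile part of this line. If `transform_checkpoint` fails on a malformed trusted root, the substitution expands to an empty string, jq rejects it with its own --argjson parse error, and the inner command's exit status is not visible to the script (a failing command substitution inside an argument does not trigger `set -e`); this is the raw-error behaviour the compliance check above flagged. Validate the file first, e.g. `jq -e . "$INPUT_FILE" >/dev/null 2>&1 || { echo "Error: '$INPUT_FILE' is not valid JSON." >&2; exit 1; }`, or write the transformed document to a temporary file and load it with `--slurpfile`, which also avoids argument-length limits on large trusted roots.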

Replace cat "$INPUT_FILE" | transform_checkpoint with transform_checkpoint <
"$INPUT_FILE" to avoid an unnecessary use of cat.

generate-trust-config.sh [69]

---argjson trustedRoot "$(cat "$INPUT_FILE" | transform_checkpoint)" \
+--argjson trustedRoot "$(transform_checkpoint < "$INPUT_FILE")" \

[Suggestion processed]

Suggestion importance [1-10]: 4

Why: This is a good shell scripting practice that removes an unnecessary cat process by using input redirection, making the command more efficient.

Impact: Low
Fix script name in usage comment
Suggestion Impact: The usage comment at the top of the script was updated to reference ./generate-trust-config.sh instead of ./python_config.sh.

code diff:

-# Usage: ./python_config.sh <trusted_root_input.json> <output.json> [caUrl] [oidcUrl] [tlogUrl] [tsaUrl]
+# Usage: ./generate-trust-config.sh <trusted_root_input.json> <output.json> [caUrl] [oidcUrl] [tlogUrl] [tsaUrl]

Correct the script name in the usage comment from ./python_config.sh to
./generate-trust-config.sh.

generate-trust-config.sh [3]

-# Usage: ./python_config.sh <trusted_root_input.json> <output.json> [caUrl] [oidcUrl] [tlogUrl] [tsaUrl]
+# Usage: ./generate-trust-config.sh <trusted_root_input.json> <output.json> [caUrl] [oidcUrl] [tlogUrl] [tsaUrl]

[Suggestion processed]

Suggestion importance [1-10]: 3

Why: This is a valid but minor correction to a comment, improving the script's documentation and preventing user confusion.

Impact: Low

This script creates a client trust configuration JSON file from a trusted
root, which can be used with the --trust_config flag for private Sigstore
instances (e.g., Red Hat Trusted Artifact Signer).

Usage: ./generate-trust-config.sh <trusted_root.json> <output.json> [urls...]

The script supports both CLI arguments and environment variables for
configuring CA, OIDC, Rekor, and TSA URLs.

fix: remove trailing whitespace

Signed-off-by: SequeI <asiek@redhat.com>
@SequeI SequeI merged commit d69b28f into main Jan 14, 2026
51 checks passed
@SequeI SequeI deleted the trustConf branch January 16, 2026 13:40