lazy init fulcio root (#519)

Signed-off-by: Asra Ali <asraa@google.com>

cmd/cosign/cli/fulcio/fulcio.go

@@ -27,6 +27,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"sync"
 
 	"github.com/go-openapi/runtime"
 	httptransport "github.com/go-openapi/runtime/client"
@@ -179,9 +180,19 @@ func (f *Signer) PublicKey(opts ...signature.PublicKeyOption) (crypto.PublicKey,
 
 var _ signature.Signer = &Signer{}
 
-var Roots *x509.CertPool
+var (
+	rootsOnce sync.Once
+	roots     *x509.CertPool
+)
+
+func GetRoots() *x509.CertPool {
+	rootsOnce.Do(func() {
+		roots = initRoots()
+	})
+	return roots
+}
 
-func init() {
+func initRoots() *x509.CertPool {
 	cp := x509.NewCertPool()
 	rootEnv := os.Getenv(altRoot)
 	if rootEnv != "" {
@@ -195,5 +206,5 @@ func init() {
 	} else if !cp.AppendCertsFromPEM([]byte(rootPem)) {
 		panic("error creating root cert pool")
 	}
-	Roots = cp
+	return cp
 }

cmd/cosign/cli/verify.go

@@ -113,7 +113,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {
 
 	co := &cosign.CheckOpts{
 		Annotations:        *c.Annotations,
-		RootCerts:          fulcio.Roots,
+		RootCerts:          fulcio.GetRoots(),
 		RegistryClientOpts: DefaultRegistryClientOpts(ctx),
 	}
 	if c.CheckClaims {

cmd/cosign/cli/verify_attestation.go

@@ -105,7 +105,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
 	}
 
 	co := &cosign.CheckOpts{
-		RootCerts:            fulcio.Roots,
+		RootCerts:            fulcio.GetRoots(),
 		RegistryClientOpts:   DefaultRegistryClientOpts(ctx),
 		SigTagSuffixOverride: cosign.AttestationTagSuffix,
 	}

cmd/cosign/cli/verify_blob.go

@@ -195,7 +195,7 @@ func VerifyBlobCmd(ctx context.Context, ko KeyOpts, certRef, sigRef, blobRef str
 	}
 
 	if cert != nil { // cert
-		if err := cosign.TrustedCert(cert, fulcio.Roots); err != nil {
+		if err := cosign.TrustedCert(cert, fulcio.GetRoots()); err != nil {
 			return err
 		}
 		fmt.Fprintln(os.Stderr, "Certificate is trusted by Fulcio Root CA")

cmd/sget/cli/sget.go

@@ -43,7 +43,7 @@ func SgetCmd(ctx context.Context, imageRef, keyRef string) (io.ReadCloser, error
 	co := &cosign.CheckOpts{
 		ClaimVerifier: cosign.SimpleClaimVerifier,
 		VerifyBundle:  true,
-		RootCerts:     fulcio.Roots,
+		RootCerts:     fulcio.GetRoots(),
 		RegistryClientOpts: []remote.Option{
 			remote.WithAuthFromKeychain(authn.DefaultKeychain),
 			remote.WithContext(ctx),

copasetic/main.go

@@ -197,7 +197,7 @@ func main() {
 				VerifyOpts:    []signature.VerifyOption{ctxOpt},
 				PKOpts:        []signature.PublicKeyOption{ctxOpt},
 				ClaimVerifier: cosign.SimpleClaimVerifier,
-				RootCerts:     fulcio.Roots,
+				RootCerts:     fulcio.GetRoots(),
 				RegistryClientOpts: []remote.Option{
 					remote.WithAuthFromKeychain(authn.DefaultKeychain),
 					remote.WithContext(bctx.Context),