Client library returns unhelpful error for non-201 responses

[tstromberg]

TL;DR, if Fulcio returns anything other than a 201, the resulting error message in cosign is:

getting signer: getting key from Fulcio: retrieving cert:

This appears to be generated from pkg/api/client.go, hence the issue being opened here.

---

I had an issue today where cosign was behaving strangely in my local test environment:

Invocation:

SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=$HOME/sigstore-local/ct_public.pem                                                                                    
       COSIGN_EXPERIMENTAL=1 $HOME/go/bin/cosign sign \                                                                                                 
           --oidc-issuer=http://localhost:5556 \                                                                                                        
           --fulcio-url=http://localhost:5000 \                                                                                                         
           --rekor-url=http://localhost:3000 \                                                                                                          
           localhost:1338/demo/rekor-cli-e3df3bc7cfcbe584a2639931193267e9                                                                               

Error:

Generating ephemeral keys...                                                                                                                            
Retrieving signed certificate...                                                                                                                        
Your browser will now be opened to:                                                                                                                     
http://localhost:5556/auth?access_type=online&client_id=sigstore&code_challenge=wlIW5x8YQYa5Ga_lpZ49NntC_t7yC2a_TRXdheQOKA8&code_challenge_method=S256&n
once=24ej2kT98j0u4SmMg0gTNWGnnIe&redirect_uri=http%3A%2F%2Flocalhost%3A61457%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=24ej2qjH6nhz0
s94bJ7ukGs9kpt                                                                                                                                          
Error: signing [localhost:1338/demo/rekor-cli-e3df3bc7cfcbe584a2639931193267e9]: getting signer: getting key from Fulcio: retrieving cert:              
main.go:46: error during command execution: signing [localhost:1338/demo/rekor-cli-e3df3bc7cfcbe584a2639931193267e9]: getting signer: getting key from Fulcio: retrieving cert:  

After adding some debug messages, it turns out that an unrelated service, AirPlay, was listening on localhost:5000 (::1), which evidently took precedence over fulcio listening at 127.0.0.1:5000. AirPlay was returning a 403, but you couldn't tell from that error message.