
Implement standardized CI extensions for GitHub #1073

Merged: 3 commits into sigstore:main, Mar 27, 2023

Conversation

haydentherapper (Contributor):

This adds the set of standardized extensions and creates the mapping for GitHub Actions. All extension values are DER-encoded strings.

This also creates a duplicated issuer extension to match the encoding that was used for the new extensions. OIDs 1.1 through 1.6 will be deprecated but still present in the certificates until a future major version of Fulcio. Updated the OID numbers so that the issuer is the first of the new OIDs.

A future refactor will be ideal when implementing the extensions for other CI platforms. For now, this PR is optimized for just this one platform.

Fixes #754

Fixes #900

Summary

Release Note

Added a set of extensions for additional values for GitHub Actions. Added a second issuer extension with the proper DER encoding.

Documentation

This adds the set of standardized extensions and creates the mapping for
GitHub Actions. All extension values are DER-encoded strings.

This also creates a duplicated issuer extension to match the encoding
that was used for the new extensions. OIDs 1.1 through 1.6 will be
deprecated but still present in the certificates until a future major
version of Fulcio. Updated the OID numbers so that the issuer is the
first of the new OIDs.

A future refactor will be ideal when implementing the extensions for
other CI platforms.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper (Contributor Author):

Tested locally with a token from GHA:

$ openssl x509 -in test.cert -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:a9:f0:46:ec:18:dd:f7:d1:7f:9a:51:7c:8f:09:47:0e:08:ff:2a
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = USA, ST = WA, L = Kirkland, street = 767 6th St S, postalCode = 98033, O = sigstore
        Validity
            Not Before: Mar 21 03:48:04 2023 GMT
            Not After : Mar 21 03:58:04 2023 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:19:59:ad:8f:10:1e:1f:18:17:04:6d:19:96:47:
                    aa:82:4c:8a:56:36:17:ad:1a:65:ea:93:fe:8e:d8:
                    8e:65:54:1c:41:4c:d0:ef:14:63:8b:51:3c:60:08:
                    4d:e1:39:e9:79:e9:ae:3c:4b:21:be:c2:ba:5e:7d:
                    c5:e7:fc:22:f5:6e:49:51:46:4a:f4:fa:9b:27:09:
                    36:73:97:55:e5:02:08:02:f3:00:59:04:ec:b7:24:
                    50:12:fa:98:c6:bb:f8
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Subject Key Identifier:
                1F:75:6F:8E:37:A6:C8:5B:97:89:B8:19:93:D5:62:8A:82:AF:CB:43
            X509v3 Authority Key Identifier:
                03:73:BB:02:E1:D3:75:0B:3B:70:92:45:B9:A6:9D:4E:B5:1E:96:29
            X509v3 Subject Alternative Name: critical
                URI:https://github.com/haydentherapper/test-repository/.github/workflows/test.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.1:
                https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.2:
                workflow_dispatch
            1.3.6.1.4.1.57264.1.3:
                618f07451338511a79a44612ae6bc87622e2f6ec
            1.3.6.1.4.1.57264.1.4:
                Test
            1.3.6.1.4.1.57264.1.5:
                haydentherapper/test-repository
            1.3.6.1.4.1.57264.1.6:
                refs/heads/main
            1.3.6.1.4.1.57264.1.8:
                .+https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.9:
                .^https://github.com/haydentherapper/test-repository/.github/workflows/test.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.10:
                .(618f07451338511a79a44612ae6bc87622e2f6ec
            1.3.6.1.4.1.57264.1.11:
github-hosted   .
            1.3.6.1.4.1.57264.1.12:
                .2https://github.com/haydentherapper/test-repository
            1.3.6.1.4.1.57264.1.13:
                .(618f07451338511a79a44612ae6bc87622e2f6ec
            1.3.6.1.4.1.57264.1.14:
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15:
                ..606210217
            1.3.6.1.4.1.57264.1.16:
                ."https://github.com/haydentherapper
            1.3.6.1.4.1.57264.1.17:
                ..8418760
            1.3.6.1.4.1.57264.1.18:
                .^https://github.com/haydentherapper/test-repository/.github/workflows/test.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.19:
                .(618f07451338511a79a44612ae6bc87622e2f6ec
            1.3.6.1.4.1.57264.1.20:
                ..workflow_dispatch
            1.3.6.1.4.1.57264.1.21:
                .Uhttps://github.com/haydentherapper/test-repository/actions/runs/4475344120/attempts/1
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:20:70:de:2e:0a:fc:14:b5:a1:d2:f3:52:6d:ea:82:
        30:02:c9:1b:c1:74:40:89:1a:f6:a8:c9:1f:7a:48:a0:19:73:
        02:21:00:f2:b5:8d:00:77:ca:f2:9c:e2:7f:af:e7:5a:9e:3b:
        d3:3c:25:f8:07:c5:19:ec:6c:f5:40:7e:5f:60:d1:7b:94
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
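The dump above shows the encoding difference the PR description talks about: the deprecated OIDs 1.1 through 1.6 carry the bare string bytes, while 1.8 and above carry a DER UTF8String, which openssl prints as a leading "." (the 0x0C UTF8String tag) followed by the length byte (0x2B, i.e. "+", for the 43-byte issuer URL). The following Go program is an added example, not Fulcio's own issuance or verification code; it mints a local, self-signed fixture carrying the issuer under both OIDs, then reads each one back with the decoding its OID requires and rejects a raw value handed to the DER decoder. IssueTestCert, ReadIssuers and DecodeDERString are names chosen here; the two OIDs are the ones that appear in the dump.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sigstore arc 1.3.6.1.4.1.57264.1.*, as shown in the PR's openssl dump:
// 1.1 is the deprecated issuer extension (raw string bytes, no DER wrapper),
// 1.8 is the new issuer extension (DER-encoded UTF8String).
var (
	oidIssuerV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
	oidIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
)

// IssueTestCert mints a self-signed, short-lived, subject-less code-signing
// certificate carrying the issuer in both encodings. Local fixture only
// (assumed helper); Fulcio's real issuance path is not reproduced here.
func IssueTestCert(issuer string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// "utf8" forces tag 0x0C + length + bytes, the form openssl renders as ".+https://...".
	derIssuer, err := asn1.MarshalWithParams(issuer, "utf8")
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now,
		NotAfter:     now.Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		ExtraExtensions: []pkix.Extension{
			{Id: oidIssuerV1, Value: []byte(issuer)}, // deprecated: raw string bytes
			{Id: oidIssuerV2, Value: derIssuer},      // new: DER UTF8String
		},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// findExtension returns the extnValue bytes of the extension with the given OID.
func findExtension(cert *x509.Certificate, oid asn1.ObjectIdentifier) ([]byte, bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid) {
			return ext.Value, true
		}
	}
	return nil, false
}

// DecodeDERString strictly decodes a DER UTF8String extension value.
// Trailing bytes are rejected so a verifier is not fed a value with data appended.
func DecodeDERString(raw []byte) (string, error) {
	var s string
	rest, err := asn1.Unmarshal(raw, &s)
	if err != nil {
		return "", err
	}
	if len(rest) != 0 {
		return "", errors.New("trailing bytes after UTF8String")
	}
	return s, nil
}

// ReadIssuers returns the issuer from the deprecated (1.1) and the new (1.8)
// extension, each decoded the way its OID requires.
func ReadIssuers(certDER []byte) (deprecated, current string, err error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", "", err
	}
	v1, ok := findExtension(cert, oidIssuerV1)
	if !ok {
		return "", "", errors.New("missing extension 1.3.6.1.4.1.57264.1.1")
	}
	v2, ok := findExtension(cert, oidIssuerV2)
	if !ok {
		return "", "", errors.New("missing extension 1.3.6.1.4.1.57264.1.8")
	}
	current, err = DecodeDERString(v2)
	if err != nil {
		return "", "", fmt.Errorf("1.8 is not a DER UTF8String: %w", err)
	}
	return string(v1), current, nil
}

func main() {
	der, err := IssueTestCert("https://token.actions.githubusercontent.com")
	if err != nil {
		panic(err)
	}
	v1, v2, err := ReadIssuers(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("1.1 (raw): %q\n1.8 (DER): %q\n", v1, v2)
	// The raw 1.1 bytes are not valid DER: 'h' (0x68) is not a UTF8String tag.
	_, err = DecodeDERString([]byte(v1))
	fmt.Println("raw value fed to the DER decoder:", err)
}
```

DecodeDERString applies unchanged to every value from 1.8 through 1.21 in the dump, since they share the UTF8String encoding; only the deprecated 1.1 through 1.6 need the raw-bytes path. The same tag-plus-length prefix explains the garbled "github-hosted" line under 1.11: that string is 13 bytes long, so its length byte is 0x0D, a carriage return, which the terminal executed before printing the value.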

@haydentherapper (Contributor Author) commented Mar 21, 2023:

cc @laurentsimon @steiza

codecov bot commented Mar 21, 2023:

Codecov Report

Merging #1073 (00f2715) into main (3621219) will increase coverage by 0.82%.
The diff coverage is 66.66%.

@@            Coverage Diff             @@
##             main    #1073      +/-   ##
==========================================
+ Coverage   55.08%   55.91%   +0.82%     
==========================================
  Files          48       48              
  Lines        2525     2783     +258     
==========================================
+ Hits         1391     1556     +165     
- Misses       1034     1097      +63     
- Partials      100      130      +30     
Impacted Files                      Coverage Δ
pkg/certificate/extensions.go       63.81% <53.03%> (-36.19%) ⬇️
pkg/identity/github/principal.go    95.16% <100.00%> (+4.68%) ⬆️

@feelepxyz (Member) previously approved these changes Mar 21, 2023, with a comment:
Nice work on this! 🙇 Changes look good to me, left a couple very minor comments :shipit:

@cpanato (Member) previously approved these changes Mar 21, 2023, with a comment:
looks nice

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper haydentherapper dismissed stale reviews from cpanato and feelepxyz via efc080b March 21, 2023 18:36
@haydentherapper (Contributor Author):

Thanks for the reviews, updated!

@feelepxyz (Member) previously approved these changes Mar 22, 2023, with a comment:
🎉

@priyawadhwa priyawadhwa requested a review from wlynch March 22, 2023 17:27
@wlynch (Member) left a comment:
LGTM! Few minor comments.

@haydentherapper (Contributor Author) left a comment:

With the changes, confirmed the extensions are still the same:

       X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Subject Key Identifier:
                1F:75:6F:8E:37:A6:C8:5B:97:89:B8:19:93:D5:62:8A:82:AF:CB:43
            X509v3 Authority Key Identifier:
                5C:31:C1:66:6A:A3:F4:D1:72:70:26:BA:15:3F:C7:89:44:B5:E3:76
            X509v3 Subject Alternative Name: critical
                URI:https://github.com/haydentherapper/test-repository/.github/workflows/test.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.1:
                https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.2:
                workflow_dispatch
            1.3.6.1.4.1.57264.1.3:
                618f07451338511a79a44612ae6bc87622e2f6ec
            1.3.6.1.4.1.57264.1.4:
                Test
            1.3.6.1.4.1.57264.1.5:
                haydentherapper/test-repository
            1.3.6.1.4.1.57264.1.6:
                refs/heads/main
            1.3.6.1.4.1.57264.1.8:
                .+https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.9:
                .^https://github.com/haydentherapper/test-repository/.github/workflows/test.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.10:
                .(618f07451338511a79a44612ae6bc87622e2f6ec
            1.3.6.1.4.1.57264.1.11:
github-hosted   .
            1.3.6.1.4.1.57264.1.12:
                .2https://github.com/haydentherapper/test-repository
            1.3.6.1.4.1.57264.1.13:
                .(618f07451338511a79a44612ae6bc87622e2f6ec
            1.3.6.1.4.1.57264.1.14:
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15:
                ..606210217
            1.3.6.1.4.1.57264.1.16:
                ."https://github.com/haydentherapper
            1.3.6.1.4.1.57264.1.17:
                ..8418760
            1.3.6.1.4.1.57264.1.18:
                .^https://github.com/haydentherapper/test-repository/.github/workflows/test.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.19:
                .(618f07451338511a79a44612ae6bc87622e2f6ec
            1.3.6.1.4.1.57264.1.20:
                ..workflow_dispatch
            1.3.6.1.4.1.57264.1.21:
                .Uhttps://github.com/haydentherapper/test-repository/actions/runs/4515368585/attempts/1

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper haydentherapper merged commit 841a58b into sigstore:main Mar 27, 2023
13 checks passed
@haydentherapper haydentherapper deleted the standardizingexts branch March 27, 2023 17:31
@feelepxyz (Member):

@haydentherapper amazing 🎉 is this deployed to staging? Happy to test this out.

@haydentherapper (Contributor Author):

Will be in a few hours, I’ll update the pr once it’s live.

@haydentherapper (Contributor Author):

@feelepxyz It's now in staging

@feelepxyz (Member):

@haydentherapper Nice! 🎉 I successfully generated a sigstore bundle against staging fulcio but am struggling to verify it using sigstore-js; it seems to be picking the wrong TUF mirror, so I will dig in a bit further.

I can see the cert extensions:

echo "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" | base64 -d | openssl x509 -inform der -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            12:01:56:e0:e9:e0:f7:5c:bd:44:4d:bb:f1:a8:b9:9d:cc:16:1e:32
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: O = sigstore.dev, CN = sigstore-intermediate
        Validity
            Not Before: Mar 29 10:36:27 2023 GMT
            Not After : Mar 29 10:46:27 2023 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:2b:dd:a4:11:70:91:9e:19:0e:a6:32:03:af:60:
                    27:9e:74:ae:48:e7:d6:f1:57:cb:0e:ec:a8:d7:93:
                    8c:36:e0:40:43:6a:1d:09:7f:be:46:fd:4a:a2:a6:
                    09:ec:ab:55:92:cd:21:24:64:7f:f0:25:6b:f3:0e:
                    5a:ed:d9:12:43
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Subject Key Identifier:
                2A:27:83:D8:84:80:DD:0F:63:4B:94:9E:61:F6:0E:F1:B3:25:A0:F9
            X509v3 Authority Key Identifier:
                71:86:30:A6:14:7C:62:6F:F9:F7:D6:F4:05:1A:7F:5F:FF:EB:6F:AC
            X509v3 Subject Alternative Name: critical
                URI:https://github.com/github/package-security-learning-labs/.github/workflows/sigstore-staging-bundle.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.1:
                https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.2:
                workflow_dispatch
            1.3.6.1.4.1.57264.1.3:
                0b7922ea0936945890dac28b1e3137236323d7e9
            1.3.6.1.4.1.57264.1.4:
                sigstore-staging-bundle
            1.3.6.1.4.1.57264.1.5:
                github/package-security-learning-labs
            1.3.6.1.4.1.57264.1.6:
                refs/heads/main
            1.3.6.1.4.1.57264.1.8:
                .+https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.9:
                .vhttps://github.com/github/package-security-learning-labs/.github/workflows/sigstore-staging-bundle.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.10:
                .(0b7922ea0936945890dac28b1e3137236323d7e9
            1.3.6.1.4.1.57264.1.11:
github-hosted   .
            1.3.6.1.4.1.57264.1.12:
                .8https://github.com/github/package-security-learning-labs
            1.3.6.1.4.1.57264.1.13:
                .(0b7922ea0936945890dac28b1e3137236323d7e9
            1.3.6.1.4.1.57264.1.14:
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15:
                ..491624882
            1.3.6.1.4.1.57264.1.16:
                ..https://github.com/github
            1.3.6.1.4.1.57264.1.17:
                ..9919
            1.3.6.1.4.1.57264.1.18:
                .vhttps://github.com/github/package-security-learning-labs/.github/workflows/sigstore-staging-bundle.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.19:
                .(0b7922ea0936945890dac28b1e3137236323d7e9
            1.3.6.1.4.1.57264.1.20:
                ..workflow_dispatch
            1.3.6.1.4.1.57264.1.21:
                .[https://github.com/github/package-security-learning-labs/actions/runs/4553018318/attempts/1
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 2B:30:BC:DC:68:88:C9:E2:E1:D8:26:29:5E:74:1F:48:
                                39:31:96:02:F2:9C:33:CB:5E:43:40:FE:B2:AC:86:7A
                    Timestamp : Mar 29 10:36:27.113 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:AF:DD:C7:62:6A:FE:BD:D7:B1:19:5F:
                                9F:52:64:60:B1:78:28:79:49:93:59:8C:39:BF:5D:E9:
                                6C:DF:8F:9A:D8:02:20:41:10:B4:0D:29:58:A0:AE:38:
                                E9:CA:49:50:53:12:FB:15:9C:07:EC:F7:A4:D2:D2:56:
                                C1:35:F7:55:92:0D:B4
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:31:00:a0:45:58:43:b4:50:1a:cc:2e:b1:a8:3c:7c:
        e2:fd:f3:f9:24:2f:4e:83:1b:dd:11:8a:b1:d7:50:47:27:23:
        c8:8e:a6:77:ee:c0:31:7e:e6:0f:3c:d0:70:7d:8e:06:b2:02:
        30:20:49:8a:69:a3:a6:2f:fc:14:d0:86:79:59:4f:b1:56:33:
        59:50:d5:41:d0:47:2a:91:4e:bd:67:7b:df:12:dd:2f:9b:07:
        45:9b:98:a4:79:f7:65:92:b9:f9:a8:4d:85

@haydentherapper (Contributor Author):

Is sigstore-js expecting trusted_root.json? We don't have that in the staging TUF repo. It was manually set up once as a hacky solution. We can regenerate it with that file if needed, and long term make staging more like the prod repo.

@feelepxyz (Member):

Is sigstore-js expecting trusted_root.json? We don't have that in the staging TUF repo.

Yep, I think so. I was initially seeing weird results where it was using the prod TUF cache, but after clearing this it seems like the issue is that the staging repo doesn't have the new trusted root target.

Regenerating with this file would be ace!

cc @bdehamer

@haydentherapper (Contributor Author):

This came up yesterday for sigstore-python too. sigstore/root-signing#755 to track.

@haydentherapper (Contributor Author):

@feelepxyz this should now be in prod

@haydentherapper (Contributor Author):

@feelepxyz Actually not yet, ran into some rollout issues

@feelepxyz (Member):

@haydentherapper I'm out for the next week so won't be able to test this further. Are you still wanting to get the trusted root changes up on staging before we push this to prod? @bdehamer would you be up for doing a round of staging cert verification with sigstore-js when the staging root is up?

@haydentherapper (Contributor Author):

Oh sorry, this is out in prod now! It was released last week while I was out.

@haydentherapper (Contributor Author):

The trusted root file has also been rolled out to staging.

@feelepxyz (Member):

Oh sorry, this is out in prod now! It was released last week while I was out.

Oh even better! 🎉
