[SECURESIGN-1397] embed sigstore-rs into tough

deny.toml

@@ -94,4 +94,3 @@ skip-tree = [
 # Deny crates from unknown registries or git repositories.
 unknown-registry = "deny"
 unknown-git = "deny"
-allow-git = ["https://github.com/securesign/sigstore-rs.git"]

tuftool/Cargo.toml

@@ -10,11 +10,18 @@ edition = "2018"
 
 [features]
 integ = []
-default = ["aws-sdk-rust","sigstore_protobuf_specs"]
+default = ["aws-sdk-rust","sigstore_protobuf_specs","sigstore-trust-root"]
 aws-sdk-rust = ["aws-sdk-rust-rustls"]
 aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-ssm/rustls", "aws-sdk-kms/rustls", ]
 sigstore = ["sigstore_protobuf_specs"]
 
+sigstore-trust-root = [
+  "sigstore_protobuf_specs",
+  "futures-util",
+  "regex",
+  "tokio/sync",
+]
+
 [dependencies]
 aws-config = "1"
 aws-sdk-kms = "1"
@@ -33,7 +40,7 @@ serde = "1"
 serde_json = "1"
 serial_test = "3.1.1"
 simplelog = "0.12"
-sigstore = { git = "https://github.com/securesign/sigstore-rs.git", branch = "main" }
+
 sigstore_protobuf_specs = { version = "0.3.2", optional = true }
 snafu = { version = "0.8", features = ["backtraces-impl-backtrace-crate"] }
 sha2 = "0.9"
@@ -47,6 +54,15 @@ url = "2"
 walkdir = "2"
 indexmap = { version = "2.5.0", features = ["serde"] }
 
+rustls-webpki = { version = "0.102.1", features = ["alloc"] }
+thiserror = "1.0.30"
+base64 = "0.22.0"
+futures-util = { version = "0.3.30", optional = true }
+tokio-util = { version = "0.7.10", features = ["io-util"] }
+tracing = "0.1.31"
+rstest = "0.22.0"
+regex = { version = "1.5.5", optional = true }
+
 [dev-dependencies]
 assert_cmd = "2"
 futures = "0.3"

tuftool/src/main.rs

@@ -26,6 +26,7 @@ mod remove_key_role;
 mod remove_role;
 mod rhtas;
 mod root;
+mod sigstore_trust;
 mod source;
 mod transfer_metadata;
 mod update;

tuftool/src/rhtas.rs

@@ -5,6 +5,8 @@ use crate::build_targets;
 use crate::common::UNUSED_URL;
 use crate::datetime::parse_datetime;
 use crate::error::{self, Result};
+#[cfg(feature = "sigstore-trust-root")]
+use crate::sigstore_trust::trust::sigstore::{SigstoreTrustRoot, Target, TargetType};
 use crate::source::parse_key_source;
 use crate::TargetName;
 use chrono::{DateTime, Utc};
@@ -13,7 +15,6 @@ use prost_types::Timestamp;
 use serde_json::from_reader;
 use serde_json::json;
 use sha2::{Digest, Sha256};
-use sigstore::trust::sigstore::{SigstoreTrustRoot, Target, TargetType};
 use sigstore_protobuf_specs::dev::sigstore::{
     common::v1::{
         DistinguishedName, LogId, PublicKey, TimeRange, X509Certificate, X509CertificateChain,

tuftool/src/sigstore_trust/Cargo.toml

@@ -0,0 +1,240 @@
+[package]
+name = "sigstore"
+description = "An experimental crate to interact with sigstore"
+version = "0.9.0"
+edition = "2021"
+authors = ["sigstore-rs developers"]
+license = "Apache-2.0"
+readme = "README.md"
+repository = "https://github.com/sigstore/sigstore-rs"
+
+[package.metadata.docs.rs]
+all-features = true
+
+[features]
+default = ["full-native-tls", "cached-client", "sigstore-trust-root", "bundle"]
+wasm = ["getrandom/js", "ring/wasm32_unknown_unknown_js", "chrono/wasmbind"]
+
+full-native-tls = [
+  "fulcio-native-tls",
+  "rekor-native-tls",
+  "cosign-native-tls",
+  "mock-client-native-tls",
+]
+full-rustls-tls = [
+  "fulcio-rustls-tls",
+  "rekor-rustls-tls",
+  "cosign-rustls-tls",
+  "mock-client-rustls-tls",
+]
+
+# This features is used by tests that use docker to create a registry
+test-registry = []
+
+oauth-native-tls = ["openidconnect/native-tls", "oauth"]
+oauth-rustls-tls = ["openidconnect/rustls-tls", "oauth"]
+oauth = ["openidconnect"]
+
+fulcio-native-tls = ["oauth-native-tls", "reqwest/native-tls", "fulcio"]
+fulcio-rustls-tls = ["oauth-rustls-tls", "reqwest/rustls-tls", "fulcio"]
+fulcio = ["oauth", "serde_with"]
+
+rekor-native-tls = ["reqwest/native-tls", "rekor"]
+rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"]
+rekor = ["reqwest"]
+
+sign = ["sigstore_protobuf_specs", "fulcio", "rekor", "cert"]
+verify = ["sigstore_protobuf_specs", "fulcio", "rekor", "cert"]
+bundle = ["sign", "verify"]
+
+sigstore-trust-root = [
+  "sigstore_protobuf_specs",
+  "futures-util",
+  "tough",
+  "regex",
+  "tokio/sync",
+]
+
+cosign-native-tls = [
+  "oci-distribution/native-tls",
+  "cert",
+  "cosign",
+  "registry-native-tls",
+]
+cosign-rustls-tls = [
+  "oci-distribution/rustls-tls",
+  "cert",
+  "cosign",
+  "registry-rustls-tls",
+]
+cosign = ["olpc-cjson"]
+cert = []
+
+registry-native-tls = ["oci-distribution/native-tls", "registry"]
+registry-rustls-tls = ["oci-distribution/rustls-tls", "registry"]
+registry = ["olpc-cjson"]
+
+mock-client-native-tls = ["oci-distribution/native-tls", "mock-client"]
+mock-client-rustls-tls = ["oci-distribution/rustls-tls", "mock-client"]
+mock-client = []
+
+cached-client = ["cached"]
+
+[dependencies]
+async-trait = "0.1.52"
+base64 = "0.22.0"
+cached = { version = "0.53.1", optional = true, features = ["async"] }
+cfg-if = "1.0.0"
+chrono = { version = "0.4.27", default-features = false, features = [
+  "now",
+  "serde",
+] }
+const-oid = { version = "0.9.6", features = ["db"] }
+digest = { version = "0.10.3", default-features = false }
+ecdsa = { version = "0.16.7", features = ["pkcs8", "digest", "der", "signing"] }
+ed25519 = { version = "2.2.1", features = ["alloc"] }
+ed25519-dalek = { version = "2.0.0-rc.2", features = ["pkcs8", "rand_core"] }
+elliptic-curve = { version = "0.13.5", features = ["arithmetic", "pem"] }
+futures = "0.3"
+futures-util = { version = "0.3.30", optional = true }
+lazy_static = "1.4.0"
+oci-distribution = { version = "0.11", default-features = false, optional = true }
+olpc-cjson = { version = "0.1", optional = true }
+openidconnect = { version = "3.0", default-features = false, features = [
+  "reqwest",
+], optional = true }
+p256 = "0.13"
+p384 = "0.13"
+webbrowser = "1.0.1"
+pem = { version = "3.0", features = ["serde"] }
+pkcs1 = { version = "0.7.5", features = ["std"] }
+pkcs8 = { version = "0.10.2", features = [
+  "pem",
+  "alloc",
+  "pkcs5",
+  "encryption",
+] }
+rand = { version = "0.8.5", features = ["getrandom", "std"] }
+getrandom = "0.2.8"
+regex = { version = "1.5.5", optional = true }
+reqwest = { version = "0.12", default-features = false, features = [
+  "json",
+  "multipart",
+], optional = true }
+rsa = "0.9.2"
+scrypt = "0.11.0"
+serde = { version = "1.0.136", features = ["derive"] }
+serde_json = "1.0.79"
+serde_with = { version = "3.4.0", features = [
+  "base64",
+  "json",
+], optional = true }
+sha2 = { version = "0.10.6", features = ["oid"] }
+signature = { version = "2.0" }
+sigstore_protobuf_specs = { version = "0.3.2", optional = true }
+thiserror = "1.0.30"
+tokio = { version = "1.17.0", features = ["rt"] }
+tokio-util = { version = "0.7.10", features = ["io-util"] }
+tough = { version = "0.18.0", features = ["http"], optional = true }
+tracing = "0.1.31"
+url = "2.2.2"
+x509-cert = { version = "0.2.5", features = ["builder", "pem", "std", "sct"] }
+crypto_secretbox = "0.1.1"
+zeroize = "1.5.7"
+rustls-webpki = { version = "0.102.1", features = ["alloc"] }
+serde_repr = "0.1.16"
+hex = "0.4.3"
+json-syntax = { version = "0.12.2", features = ["canonicalize", "serde"] }
+tls_codec = { version = "0.4.1", features = ["derive"] }
+ring = "0.17.6"
+prost-types = "0.12.6"
+
+[dev-dependencies]
+anyhow = { version = "1.0", features = ["backtrace"] }
+assert-json-diff = "2.0.2"
+chrono = "0.4.31"
+clap = { version = "4.0.8", features = ["derive"] }
+docker_credential = "1.1.0"
+openssl = "0.10.38"
+rstest = "0.22.0"
+serial_test = "3.0.0"
+tempfile = "3.3.0"
+testcontainers = "0.21"
+tokio = { version = "1.17.0", features = ["rt", "rt-multi-thread"] }
+tracing-subscriber = { version = "0.3.9", features = ["env-filter"] }
+
+# cosign example mappings
+
+[[example]]
+name = "verify"
+path = "examples/cosign/verify/main.rs"
+
+[[example]]
+name = "verify-blob"
+path = "examples/cosign/verify-blob/main.rs"
+
+[[example]]
+name = "verify-bundle"
+path = "examples/cosign/verify-bundle/main.rs"
+
+[[example]]
+name = "sign"
+path = "examples/cosign/sign/main.rs"
+
+# openidconnect example mappings
+
+[[example]]
+name = "openidconnect"
+path = "examples/openidflow/openidconnect/main.rs"
+
+# key interface mappings
+
+[[example]]
+name = "key_pair_gen_sign_verify"
+path = "examples/key_interface/key_pair_gen_sign_verify/main.rs"
+
+[[example]]
+name = "key_pair_gen_and_export"
+path = "examples/key_interface/key_pair_gen_and_export/main.rs"
+
+[[example]]
+name = "key_pair_import"
+path = "examples/key_interface/key_pair_import/main.rs"
+
+# rekor example mappings
+
+[[example]]
+name = "create_log_entry"
+path = "examples/rekor/create_log_entry/main.rs"
+
+[[example]]
+name = "get_log_entry_by_index"
+path = "examples/rekor/get_log_entry_by_index/main.rs"
+
+[[example]]
+name = "get_log_entry_by_uuid"
+path = "examples/rekor/get_log_entry_by_uuid/main.rs"
+
+[[example]]
+name = "get_log_info"
+path = "examples/rekor/get_log_info/main.rs"
+
+[[example]]
+name = "get_log_proof"
+path = "examples/rekor/get_log_proof/main.rs"
+
+[[example]]
+name = "get_public_key"
+path = "examples/rekor/get_public_key/main.rs"
+
+[[example]]
+name = "search_index"
+path = "examples/rekor/search_index/main.rs"
+
+[[example]]
+name = "search_log_query"
+path = "examples/rekor/search_log_query/main.rs"
+
+[[example]]
+name = "fulcio_cert"
+path = "examples/fulcio/cert/main.rs"

tuftool/src/sigstore_trust/errors.rs

@@ -0,0 +1,59 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! The errors that can be raised by sigstore-rs
+
+use thiserror::Error;
+
+pub type Result<T> = std::result::Result<T, SigstoreError>;
+
+#[derive(Error, Debug)]
+#[allow(clippy::enum_variant_names)]
+pub enum SigstoreError {
+    #[error("failed to parse URL: {0}")]
+    UrlParseError(#[from] url::ParseError),
+
+    #[error(transparent)]
+    JoinError(#[from] tokio::task::JoinError),
+
+    #[cfg(feature = "sigstore-trust-root")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "sigstore-trust-root")))]
+    #[error(transparent)]
+    TufError(#[from] Box<tough::error::Error>),
+
+    #[error("TUF target {0} not found inside of repository")]
+    TufTargetNotFoundError(String),
+
+    #[error("{0}")]
+    TufMetadataError(String),
+
+    #[error(transparent)]
+    IOError(#[from] std::io::Error),
+
+    #[error("{0}")]
+    UnexpectedError(String),
+
+    #[error(transparent)]
+    SerdeJsonError(#[from] serde_json::error::Error),
+
+    #[error(transparent)]
+    Utf8Error(#[from] std::str::Utf8Error),
+
+    #[error(transparent)]
+    WebPKIError(#[from] webpki::Error),
+
+    #[error("serialization error: {0}")]
+    SerializationError(String),
+}

tuftool/src/sigstore_trust/mod.rs

@@ -0,0 +1,2 @@
+pub mod errors;
+pub mod trust;

tuftool/src/sigstore_trust/trust/mod.rs

@@ -0,0 +1,52 @@
+//
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use webpki::types::CertificateDer;
+
+#[cfg_attr(docsrs, doc(cfg(feature = "sigstore-trust-root")))]
+#[cfg(feature = "sigstore-trust-root")]
+pub mod sigstore;
+
+/// A `TrustRoot` owns all key material necessary for establishing a root of trust.
+#[allow(dead_code)]
+#[allow(clippy::module_name_repetitions)]
+pub trait TrustRoot {
+    fn fulcio_certs(&self) -> crate::sigstore_trust::errors::Result<Vec<CertificateDer<'_>>>;
+    fn rekor_keys(&self) -> crate::sigstore_trust::errors::Result<Vec<&[u8]>>;
+    fn ctfe_keys(&self) -> crate::sigstore_trust::errors::Result<Vec<&[u8]>>;
+}
+
+/// A `ManualTrustRoot` is a [`TrustRoot`] with out-of-band trust materials.
+/// As it does not establish a trust root with TUF, users must initialize its materials themselves.
+#[derive(Debug, Default)]
+pub struct ManualTrustRoot<'a> {
+    pub fulcio_certs: Vec<CertificateDer<'a>>,
+    pub rekor_keys: Vec<Vec<u8>>,
+    pub ctfe_keys: Vec<Vec<u8>>,
+}
+
+impl TrustRoot for ManualTrustRoot<'_> {
+    fn fulcio_certs(&self) -> crate::sigstore_trust::errors::Result<Vec<CertificateDer<'_>>> {
+        Ok(self.fulcio_certs.clone())
+    }
+
+    fn rekor_keys(&self) -> crate::sigstore_trust::errors::Result<Vec<&[u8]>> {
+        Ok(self.rekor_keys.iter().map(|key| &key[..]).collect())
+    }
+
+    fn ctfe_keys(&self) -> crate::sigstore_trust::errors::Result<Vec<&[u8]>> {
+        Ok(self.ctfe_keys.iter().map(|v| &v[..]).collect())
+    }
+}

tuftool/src/sigstore_trust/trust/sigstore/constants.rs

@@ -0,0 +1,36 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+pub(crate) const SIGSTORE_METADATA_BASE: &str = "https://tuf-repo-cdn.sigstore.dev";
+pub(crate) const SIGSTORE_TARGET_BASE: &str = "https://tuf-repo-cdn.sigstore.dev/targets";
+
+macro_rules! impl_static_resource {
+    {$($name:literal,)+} => {
+        #[inline]
+        pub(crate) fn static_resource<N>(name: N) -> Option<&'static [u8]> where N: AsRef<str> {
+            match name.as_ref() {
+            $(
+                $name => Some(include_bytes!(concat!(env!("CARGO_MANIFEST_DIR"), "/trust_root/prod/", $name)))
+            ),+,
+                    _ => None,
+            }
+        }
+    };
+}
+
+impl_static_resource! {
+    "root.json",
+    "trusted_root.json",
+}

tuftool/trust_root/prod/root.json

@@ -0,0 +1,156 @@
+{
+	"signed": {
+		"_type": "root",
+		"spec_version": "1.0",
+		"version": 5,
+		"expires": "2023-04-18T18:13:43Z",
+		"keys": {
+			"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n"
+				}
+			},
+			"ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c": {
+				"keytype": "ecdsa-sha2-nistp256",
+				"scheme": "ecdsa-sha2-nistp256",
+				"keyid_hash_algorithms": [
+					"sha256",
+					"sha512"
+				],
+				"keyval": {
+					"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n"
+				}
+			}
+		},
+		"roles": {
+			"root": {
+				"keyids": [
+					"ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c",
+					"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99",
+					"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f",
+					"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b",
+					"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"
+				],
+				"threshold": 3
+			},
+			"snapshot": {
+				"keyids": [
+					"45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b"
+				],
+				"threshold": 1
+			},
+			"targets": {
+				"keyids": [
+					"ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c",
+					"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99",
+					"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f",
+					"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b",
+					"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"
+				],
+				"threshold": 3
+			},
+			"timestamp": {
+				"keyids": [
+					"e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a"
+				],
+				"threshold": 1
+			}
+		},
+		"consistent_snapshot": true
+	},
+	"signatures": [
+		{
+			"keyid": "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c",
+			"sig": "3045022100fc1c2be509ce50ea917bbad1d9efe9d96c8c2ebea04af2717aa3d9c6fe617a75022012eef282a19f2d8bd4818aa333ef48a06489f49d4d34a20b8fe8fc867bb25a7a"
+		},
+		{
+			"keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99",
+			"sig": "30450221008a4392ae5057fc00778b651e61fea244766a4ae58db84d9f1d3810720ab0f3b702207c49e59e8031318caf02252ecea1281cecc1e5986c309a9cef61f455ecf7165d"
+		},
+		{
+			"keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b",
+			"sig": "3046022100da1b8dc5d53aaffbbfac98de3e23ee2d2ad3446a7bed09fac0f88bae19be2587022100b681c046afc3919097dfe794e0d819be891e2e850aade315bec06b0c4dea221b"
+		},
+		{
+			"keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de",
+			"sig": "3046022100b534e0030e1b271133ecfbdf3ba9fbf3becb3689abea079a2150afbb63cdb7c70221008c39a718fd9495f249b4ab8788d5b9dc269f0868dbe38b272f48207359d3ded9"
+		},
+		{
+			"keyid": "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97",
+			"sig": "3045022100fc1c2be509ce50ea917bbad1d9efe9d96c8c2ebea04af2717aa3d9c6fe617a75022012eef282a19f2d8bd4818aa333ef48a06489f49d4d34a20b8fe8fc867bb25a7a"
+		},
+		{
+			"keyid": "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b",
+			"sig": "30450221008a4392ae5057fc00778b651e61fea244766a4ae58db84d9f1d3810720ab0f3b702207c49e59e8031318caf02252ecea1281cecc1e5986c309a9cef61f455ecf7165d"
+		},
+		{
+			"keyid": "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209",
+			"sig": "3046022100da1b8dc5d53aaffbbfac98de3e23ee2d2ad3446a7bed09fac0f88bae19be2587022100b681c046afc3919097dfe794e0d819be891e2e850aade315bec06b0c4dea221b"
+		},
+		{
+			"keyid": "75e867ab10e121fdef32094af634707f43ddd79c6bab8ad6c5ab9f03f4ea8c90",
+			"sig": "3046022100b534e0030e1b271133ecfbdf3ba9fbf3becb3689abea079a2150afbb63cdb7c70221008c39a718fd9495f249b4ab8788d5b9dc269f0868dbe38b272f48207359d3ded9"
+		}
+	]
+}

tuftool/trust_root/prod/trusted_root.json

@@ -0,0 +1,91 @@
+{
+  "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
+  "tlogs": [
+    {
+      "baseUrl": "https://rekor.sigstore.dev",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwrkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "2021-01-12T11:53:27.000Z"
+        }
+      },
+      "logId": {
+        "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
+      }
+    }
+  ],
+  "certificateAuthorities": [
+    {
+      "subject": {
+        "organization": "sigstore.dev",
+        "commonName": "sigstore"
+      },
+      "uri": "https://fulcio.sigstore.dev",
+      "certChain": {
+        "certificates": [
+          {
+            "rawBytes": "MIIB+DCCAX6gAwIBAgITNVkDZoCiofPDsy7dfm6geLbuhzAKBggqhkjOPQQDAzAqMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIxMDMwNzAzMjAyOVoXDTMxMDIyMzAzMjAyOVowKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLSyA7Ii5k+pNO8ZEWY0ylemWDowOkNa3kL+GZE5Z5GWehL9/A9bRNA3RbrsZ5i0JcastaRL7Sp5fp/jD5dxqc/UdTVnlvS16an+2Yfswe/QuLolRUCrcOE2+2iA5+tzd6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFMjFHQBBmiQpMlEk6w2uSu1KBtPsMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2uSu1KBtPsMAoGCCqGSM49BAMDA2gAMGUCMH8liWJfMui6vXXBhjDgY4MwslmN/TJxVe/83WrFomwmNf056y1X48F9c4m3a3ozXAIxAKjRay5/aj/jsKKGIkmQatjI8uupHr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ=="
+          }
+        ]
+      },
+      "validFor": {
+        "start": "2021-03-07T03:20:29.000Z",
+        "end": "2022-12-31T23:59:59.999Z"
+      }
+    },
+    {
+      "subject": {
+        "organization": "sigstore.dev",
+        "commonName": "sigstore"
+      },
+      "uri": "https://fulcio.sigstore.dev",
+      "certChain": {
+        "certificates": [
+          {
+            "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"
+          },
+          {
+            "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="
+          }
+        ]
+      },
+      "validFor": {
+        "start": "2022-04-13T20:06:15.000Z"
+      }
+    }
+  ],
+  "ctlogs": [
+    {
+      "baseUrl": "https://ctfe.sigstore.dev/test",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3PyudDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "2021-03-14T00:00:00.000Z",
+          "end": "2022-10-31T23:59:59.999Z"
+        }
+      },
+      "logId": {
+        "keyId": "CGCS8ChS/2hF0dFrJ4ScRWcYrBY9wzjSbea8IgY2b3I="
+      }
+    },
+    {
+      "baseUrl": "https://ctfe.sigstore.dev/2022",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNKAaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "2022-10-20T00:00:00.000Z"
+        }
+      },
+      "logId": {
+        "keyId": "3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4="
+      }
+    }
+  ],
+  "timestampAuthorities": []
+}