Closed
Labels: bug (Something isn't working)
Description
The trusted_root.json generated for the TUF mirror for the scaffolding action seems to be incorrect.
Running cosign from main (8f58513a1554869f0a9f4e184e84d5b7d9a117ad), verifying a blob using the protobuf bundle format and the trusted root flag fails:
$ go run cmd/cosign/main.go verify-blob --certificate-identity-regexp='.*' --certificate-oidc-issuer-regexp='.*' --rekor-url ${REKOR_URL} --bundle /tmp/bundle --new-bundle-format --trusted-root=$HOME/.sigstore/root/targets/trusted_root.json /tmp/blob
Error: failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1
error during command execution: failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1
exit status 1
If I use cosign and the other key material in the cache to generate my own trusted_root.json, it works:
$ go run cmd/cosign/main.go trusted-root create --certificate-chain=$HOME/.sigstore/root/targets/fulcio_v1.crt.pem --ctfe-key=$HOME/.sigstore/root/targets/ctfe.pub --rekor-key=$HOME/.sigstore/root/targets/rekor.pub -out /tmp/trusted_root.json
WARNING: the -out flag is deprecated and will be removed in a future release. Please use the --out flag instead.
$ go run cmd/cosign/main.go verify-blob --certificate-identity-regexp='.*' --certificate-oidc-issuer-regexp='.*' --rekor-url ${REKOR_URL} --bundle /tmp/bundle --new-bundle-format --trusted-root=/tmp/trusted_root.json /tmp/blob
Verified OK
This should be the exact same verification material, but it's not.
The log IDs in the different trusted roots seem to be different:
$ jq .tlogs[0].logId.keyId ~/.sigstore/root/targets/trusted_root.json
"9/L1l66PVj4cTFv+hfMRR6wh8n7fuhVaAE2kuzGayWY="
$ jq .tlogs[0].logId.keyId /tmp/trusted_root.json
"kIgKUd9jBEFHoNu2LU0BHvQ1TpGs0ymaB9dqJno1kP4="
Relates to #1001
Version
cosign: 8f58513a1554869f0a9f4e184e84d5b7d9a117ad
scaffolding: a8649cd
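The mismatch reported above can be checked without a full verify run: a Rekor tlog's keyId in trusted_root.json is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)) of the log's public key, so the value derived from rekor.pub must appear in tlogs[].logId.keyId or every inclusion proof from that log is discarded (the "0 < 1" error). The Go program below is an added example, not cosign's or scaffolding's own code: it derives the log ID from a PEM public key and checks whether a trusted root lists it. The key pair and the trusted-root JSON are constructed in memory as test input; the function names and the minimal trustedRoot struct are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// tlog and trustedRoot model only the slice of trusted_root.json this
// check needs: tlogs[].logId.keyId (base64 of the 32-byte log ID).
type tlog struct {
	LogID struct {
		KeyID string `json:"keyId"`
	} `json:"logId"`
}

type trustedRoot struct {
	Tlogs []tlog `json:"tlogs"`
}

// LogIDFromPEM derives the Sigstore log ID for a PEM-encoded public key:
// base64(SHA-256(DER SubjectPublicKeyInfo)). That is the value matched
// against tlogs[].logId.keyId when an inclusion proof is verified.
func LogIDFromPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	// Refuse to hash bytes that are not actually a PKIX public key.
	if _, err := x509.ParsePKIXPublicKey(block.Bytes); err != nil {
		return "", fmt.Errorf("not a PKIX public key: %w", err)
	}
	sum := sha256.Sum256(block.Bytes)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// RekorKeyInTrustedRoot reports whether the trusted root lists a tlog whose
// keyId equals the log ID derived from rekorPEM. false is the failure mode
// in this report: no tlog matches, so zero log entries can be verified.
func RekorKeyInTrustedRoot(rootJSON, rekorPEM []byte) (bool, error) {
	want, err := LogIDFromPEM(rekorPEM)
	if err != nil {
		return false, err
	}
	var root trustedRoot
	if err := json.Unmarshal(rootJSON, &root); err != nil {
		return false, fmt.Errorf("parse trusted root: %w", err)
	}
	for _, t := range root.Tlogs {
		if t.LogID.KeyID == want {
			return true, nil
		}
	}
	return false, nil
}

// NewTestKeyPEM generates a throwaway P-256 key (constructed test input,
// standing in for rekor.pub) and returns its public half as PEM.
func NewTestKeyPEM() ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// BuildTrustedRoot constructs a minimal trusted_root.json carrying the
// given tlog keyIds (constructed test input, not a real root).
func BuildTrustedRoot(keyIDs ...string) []byte {
	var root trustedRoot
	for _, id := range keyIDs {
		var t tlog
		t.LogID.KeyID = id
		root.Tlogs = append(root.Tlogs, t)
	}
	b, _ := json.Marshal(root)
	return b
}

func main() {
	rekorPEM, err := NewTestKeyPEM()
	if err != nil {
		panic(err)
	}
	id, _ := LogIDFromPEM(rekorPEM)
	// A root generated from the same key lists the derived ID; one that
	// lists a different ID (here the value quoted in the report) does not.
	okSame, _ := RekorKeyInTrustedRoot(BuildTrustedRoot(id), rekorPEM)
	okOther, _ := RekorKeyInTrustedRoot(BuildTrustedRoot("9/L1l66PVj4cTFv+hfMRR6wh8n7fuhVaAE2kuzGayWY="), rekorPEM)
	fmt.Printf("log ID %s  own root: %v  mismatched root: %v\n", id, okSame, okOther)
}
```

Against a real cache, feed LogIDFromPEM the bytes of ~/.sigstore/root/targets/rekor.pub and compare with `jq .tlogs[0].logId.keyId` on each trusted_root.json: the root that verifies is the one whose keyId equals the derived value.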