Use TrustConfig to initialize components

This change makes almost all code paths now use TrustConfig to choose
the sigstore instance (urls, keys, validity periods, etc).

* OIDC url now comes from signingconfig too
* Some production()/staging() methods remain because they're used by
  tests or special cases like "fix-bundle"
* Likewise some hard coded urls are left in the code since they are used
  by some special case

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Author: jku

sigstore/_cli.py

@@ -39,7 +39,7 @@
 from sigstore._internal.fulcio.client import ExpiredCertificate
 from sigstore._internal.rekor import _hashedrekord_from_parts
 from sigstore._internal.rekor.client import RekorClient
-from sigstore._internal.trust import ClientTrustConfig, TrustedRoot
+from sigstore._internal.trust import ClientTrustConfig
 from sigstore._utils import sha256_digest
 from sigstore.dsse import StatementBuilder, Subject
 from sigstore.dsse._predicate import (
@@ -51,7 +51,6 @@
 from sigstore.hashes import Hashed
 from sigstore.models import Bundle, InvalidBundle
 from sigstore.oidc import (
-    DEFAULT_OAUTH_ISSUER_URL,
     ExpiredIdentity,
     IdentityToken,
     Issuer,
@@ -229,8 +228,8 @@ def _add_shared_oidc_options(
         "--oidc-issuer",
         metavar="URL",
         type=str,
-        default=os.getenv("SIGSTORE_OIDC_ISSUER", DEFAULT_OAUTH_ISSUER_URL),
-        help="The OpenID Connect issuer to use (conflicts with --staging)",
+        default=os.getenv("SIGSTORE_OIDC_ISSUER", None),
+        help="The OpenID Connect issuer to use",
     )
     group.add_argument(
         "--oauth-force-oob",
@@ -630,11 +629,7 @@ def _get_identity_token(args: argparse.Namespace) -> None:
     """
     Output the OIDC authentication token
     """
-
-    trust_config: ClientTrustConfig | None = None
-    if args.trust_config:
-        trust_config = ClientTrustConfig.from_json(args.trust_config.read_text())
-    identity = _get_identity(args, trust_config)
+    identity = _get_identity(args, _get_trust_config(args))
     if identity:
         print(identity)
     else:
@@ -654,19 +649,8 @@ def _sign_common(
     not, it will use a hashedrekord.
     """
     # Select the signing context to use.
-    if args.trust_config:
-        trust_config = ClientTrustConfig.from_json(args.trust_config.read_text())
-        signing_ctx = SigningContext._from_trust_config(trust_config)
-    elif args.staging:
-        _logger.debug("sign: staging instances requested")
-        trust_config = None  # signingconfig 0.2 is not in staging TUF yet
-        signing_ctx = SigningContext.staging()
-    else:
-        # If the user didn't request the staging instance or pass in an
-        # explicit client trust config, we're using the public good (i.e.
-        # production) instance.
-        trust_config = None  # signingconfig 0.2 is not in staging TUF yet
-        signing_ctx = SigningContext.production()
+    trust_config = _get_trust_config(args)
+    signing_ctx = SigningContext.from_trust_config(trust_config)
 
     # The order of precedence for identities is as follows:
     #
@@ -1022,14 +1006,8 @@ def _collect_verification_state(
                 f"Missing verification materials for {(hashed)}: {', '.join(missing)}",
             )
 
-    if args.staging:
-        _logger.debug("verify: staging instances requested")
-        verifier = Verifier.staging(offline=args.offline)
-    elif args.trust_config:
-        trust_config = ClientTrustConfig.from_json(args.trust_config.read_text())
-        verifier = Verifier._from_trust_config(trust_config)
-    else:
-        verifier = Verifier.production(offline=args.offline)
+    trust_config = _get_trust_config(args)
+    verifier = Verifier(trusted_root=trust_config.trusted_root)
 
     all_materials = []
     for file_or_hashed, materials in input_map.items():
@@ -1180,8 +1158,23 @@ def _verify_common(
         return None
 
 
+def _get_trust_config(args: argparse.Namespace) -> ClientTrustConfig:
+    """
+    Return the client trust configuration (Sigstore service URLs, key material and lifetimes)
+
+    The configuration may come from explicit argument (--trust-config) or from the TUF
+    repository of the used Sigstore instance.
+    """
+    if args.trust_config:
+        return ClientTrustConfig.from_json(args.trust_config.read_text())
+    elif args.staging:
+        return ClientTrustConfig.staging(offline=args.offline)
+    else:
+        return ClientTrustConfig.production(offline=args.offline)
+
+
 def _get_identity(
-    args: argparse.Namespace, trust_config: ClientTrustConfig | None
+    args: argparse.Namespace, trust_config: ClientTrustConfig
 ) -> Optional[IdentityToken]:
     token = None
     if not args.oidc_disable_ambient_providers:
@@ -1191,14 +1184,10 @@ def _get_identity(
     if token:
         return IdentityToken(token)
 
-    if trust_config is not None:
-        issuer = Issuer.from_trust_config(trust_config)
-    if args.staging:
-        issuer = Issuer.staging()
-    elif args.oidc_issuer == DEFAULT_OAUTH_ISSUER_URL:
-        issuer = Issuer.production()
-    else:
+    if args.oidc_issuer is not None:
         issuer = Issuer(args.oidc_issuer)
+    else:
+        issuer = Issuer.from_trust_config(trust_config)
 
     if args.oidc_client_secret is None:
         args.oidc_client_secret = ""  # nosec: B105
@@ -1215,6 +1204,7 @@ def _get_identity(
 def _fix_bundle(args: argparse.Namespace) -> None:
     # NOTE: We could support `--trusted-root` here in the future,
     # for custom Rekor instances.
+
     rekor = RekorClient.staging() if args.staging else RekorClient.production()
 
     raw_bundle = RawBundle.from_dict(json.loads(args.bundle.read_bytes()))
@@ -1251,13 +1241,10 @@ def _fix_bundle(args: argparse.Namespace) -> None:
 
 
 def _update_trust_root(args: argparse.Namespace) -> None:
-    # Simply creating the TrustedRoot in online mode is enough to perform
+    # Simply creating the TrustConfig in online mode is enough to perform
     # a metadata update.
-    if args.staging:
-        trusted_root = TrustedRoot.staging(offline=False)
-    else:
-        trusted_root = TrustedRoot.production(offline=False)
 
+    config = _get_trust_config(args)
     _console.print(
-        f"Trust root updated: {len(trusted_root.get_fulcio_certs())} Fulcio certificates"
+        f"Trust root & signing config updated: {len(config.trusted_root.get_fulcio_certs())} Fulcio certificates"
     )

sigstore/_internal/fulcio/client.py

@@ -39,8 +39,6 @@
 
 _logger = logging.getLogger(__name__)
 
-DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev"
-STAGING_FULCIO_URL = "https://fulcio.sigstage.dev"
 SIGNING_CERT_ENDPOINT = "/api/v2/signingCert"
 TRUST_BUNDLE_ENDPOINT = "/api/v2/trustBundle"
 
@@ -163,7 +161,7 @@ def get(self) -> FulcioTrustBundleResponse:
 class FulcioClient:
     """The internal Fulcio client"""
 
-    def __init__(self, url: str = DEFAULT_FULCIO_URL) -> None:
+    def __init__(self, url: str) -> None:
         """Initialize the client"""
         _logger.debug(f"Fulcio client using URL: {url}")
         self.url = url
@@ -180,20 +178,6 @@ def __del__(self) -> None:
         """
         self.session.close()
 
-    @classmethod
-    def production(cls) -> FulcioClient:
-        """
-        Returns a `FulcioClient` for the Sigstore production instance of Fulcio.
-        """
-        return cls(DEFAULT_FULCIO_URL)
-
-    @classmethod
-    def staging(cls) -> FulcioClient:
-        """
-        Returns a `FulcioClient` for the Sigstore staging instance of Fulcio.
-        """
-        return cls(STAGING_FULCIO_URL)
-
     @property
     def signing_cert(self) -> FulcioSigningCert:
         """

sigstore/_internal/trust.py

@@ -611,10 +611,12 @@ def from_tuf(
             else:
                 raise e
 
-        return _ClientTrustConfig(
-            ClientTrustConfig.ClientTrustConfigType.CONFIG_0_1,
-            inner_tr,
-            inner_sc,
+        return cls(
+            _ClientTrustConfig(
+                ClientTrustConfig.ClientTrustConfigType.CONFIG_0_1,
+                inner_tr,
+                inner_sc,
+            )
         )
 
     def __init__(self, inner: _ClientTrustConfig) -> None:

sigstore/oidc.py

@@ -35,9 +35,6 @@
 from sigstore._internal.trust import ClientTrustConfig
 from sigstore.errors import Error, NetworkError
 
-DEFAULT_OAUTH_ISSUER_URL = "https://oauth2.sigstore.dev/auth"
-STAGING_OAUTH_ISSUER_URL = "https://oauth2.sigstage.dev/auth"
-
 # See: https://github.com/sigstore/fulcio/blob/b2186c0/pkg/config/config.go#L182-L201
 _KNOWN_OIDC_ISSUERS = {
     "https://accounts.google.com": "email",
@@ -272,20 +269,6 @@ def __init__(self, base_url: str) -> None:
         except ValueError as exc:
             raise IssuerError(f"OIDC issuer returned invalid configuration: {exc}")
 
-    @classmethod
-    def production(cls) -> Issuer:
-        """
-        Returns an `Issuer` configured against Sigstore's production-level services.
-        """
-        return cls(DEFAULT_OAUTH_ISSUER_URL)
-
-    @classmethod
-    def staging(cls) -> Issuer:
-        """
-        Returns an `Issuer` configured against Sigstore's staging-level services.
-        """
-        return cls(STAGING_OAUTH_ISSUER_URL)
-
     @classmethod
     def from_trust_config(cls, trust_config: ClientTrustConfig) -> Issuer:
         """

sigstore/sign.py

@@ -324,29 +324,7 @@ def __init__(
         self._tsa_clients = tsa_clients or []
 
     @classmethod
-    def production(cls) -> SigningContext:
-        """
-        Return a `SigningContext` instance configured against Sigstore's production-level services.
-        """
-        return cls(
-            fulcio=FulcioClient.production(),
-            rekor=RekorClient.production(),
-            trusted_root=TrustedRoot.production(),
-        )
-
-    @classmethod
-    def staging(cls) -> SigningContext:
-        """
-        Return a `SignerContext` instance configured against Sigstore's staging-level services.
-        """
-        return cls(
-            fulcio=FulcioClient.staging(),
-            rekor=RekorClient.staging(),
-            trusted_root=TrustedRoot.staging(),
-        )
-
-    @classmethod
-    def _from_trust_config(cls, trust_config: ClientTrustConfig) -> SigningContext:
+    def from_trust_config(cls, trust_config: ClientTrustConfig) -> SigningContext:
         """
         Create a `SigningContext` from the given `ClientTrustConfig`.
 

sigstore/verify/verifier.py

@@ -46,7 +46,7 @@
     verify_sct,
 )
 from sigstore._internal.timestamp import TimestampSource, TimestampVerificationResult
-from sigstore._internal.trust import ClientTrustConfig, KeyringPurpose, TrustedRoot
+from sigstore._internal.trust import KeyringPurpose, TrustedRoot
 from sigstore._utils import base64_encode_pem_cert, sha256_digest
 from sigstore.errors import VerificationError
 from sigstore.hashes import Hashed
@@ -113,17 +113,6 @@ def staging(cls, *, offline: bool = False) -> Verifier:
             trusted_root=TrustedRoot.staging(offline=offline),
         )
 
-    @classmethod
-    def _from_trust_config(cls, trust_config: ClientTrustConfig) -> Verifier:
-        """
-        Create a `Verifier` from the given `ClientTrustConfig`.
-
-        @api private
-        """
-        return cls(
-            trusted_root=trust_config.trusted_root,
-        )
-
     def _verify_signed_timestamp(
         self, timestamp_response: TimeStampResponse, signature: bytes
     ) -> TimestampVerificationResult | None:

test/unit/internal/oidc/test_issuer.py

@@ -33,4 +33,4 @@ def test_get_identity_token_bad_code(monkeypatch):
     monkeypatch.setattr("builtins.input", lambda _: "hunter2")
 
     with pytest.raises(IdentityError, match=r"^Token request failed with .+$"):
-        Issuer.staging().identity_token(force_oob=True)
+        Issuer("https://oauth2.sigstage.dev/auth").identity_token(force_oob=True)

test/unit/test_sign.py

@@ -29,15 +29,6 @@
 from sigstore.verify.policy import UnsafeNoOp
 
 
-class TestSigningContext:
-    @pytest.mark.production
-    def test_production(self):
-        assert SigningContext.production() is not None
-
-    def test_staging(self, mock_staging_tuf):
-        assert SigningContext.staging() is not None
-
-
 @pytest.mark.parametrize("env", ["staging", "production"])
 @pytest.mark.ambient_oidc
 def test_sign_rekor_entry_consistent(sign_ctx_and_ident_for_env):
@@ -185,7 +176,7 @@ def sig_ctx(self, asset, tsa_url) -> SigningContext:
 
         trust_config._inner.signing_config.tsa_urls[0] = tsa_url
 
-        return SigningContext._from_trust_config(trust_config)
+        return SigningContext.from_trust_config(trust_config)
 
     @pytest.fixture
     def identity(self, staging):