Remove tuf methods from TrustedRoot

Probably makes sense to handle this in ClientTrustConfig only: less code
that way.

The tests will start passing once staging TUF contains signingconfig
(and we have updated our test copies of staging TUF)

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Author: jku

sigstore/_internal/trust.py

@@ -438,44 +438,6 @@ def from_file(
         inner = _TrustedRoot().from_json(Path(path).read_bytes())
         return cls(inner)
 
-    @classmethod
-    def from_tuf(
-        cls,
-        url: str,
-        offline: bool = False,
-    ) -> TrustedRoot:
-        """Create a new trust root from a TUF repository.
-
-        If `offline`, will use trust root in local TUF cache. Otherwise will
-        update the trust root from remote TUF repository.
-        """
-        path = TrustUpdater(url, offline).get_trusted_root_path()
-        return cls.from_file(path)
-
-    @classmethod
-    def production(
-        cls,
-        offline: bool = False,
-    ) -> TrustedRoot:
-        """Create new trust root from Sigstore production TUF repository.
-
-        If `offline`, will use trust root in local TUF cache. Otherwise will
-        update the trust root from remote TUF repository.
-        """
-        return cls.from_tuf(DEFAULT_TUF_URL, offline)
-
-    @classmethod
-    def staging(
-        cls,
-        offline: bool = False,
-    ) -> TrustedRoot:
-        """Create new trust root from Sigstore staging TUF repository.
-
-        If `offline`, will use trust root in local TUF cache. Otherwise will
-        update the trust root from remote TUF repository.
-        """
-        return cls.from_tuf(STAGING_TUF_URL, offline)
-
     def _get_tlog_keys(
         self, tlogs: list[TransparencyLogInstance], purpose: KeyringPurpose
     ) -> Iterable[_PublicKey]:

sigstore/verify/verifier.py

@@ -46,7 +46,7 @@
     verify_sct,
 )
 from sigstore._internal.timestamp import TimestampSource, TimestampVerificationResult
-from sigstore._internal.trust import KeyringPurpose, TrustedRoot
+from sigstore._internal.trust import ClientTrustConfig, KeyringPurpose, TrustedRoot
 from sigstore._utils import base64_encode_pem_cert, sha256_digest
 from sigstore.errors import VerificationError
 from sigstore.hashes import Hashed
@@ -96,8 +96,9 @@ def production(cls, *, offline: bool = False) -> Verifier:
         the verifier uses the Trusted Root in the local TUF cache. If `False`,
         a TUF repository refresh is attempted.
         """
+        config = ClientTrustConfig.production(offline=offline)
         return cls(
-            trusted_root=TrustedRoot.production(offline=offline),
+            trusted_root=config.trusted_root,
         )
 
     @classmethod
@@ -109,8 +110,9 @@ def staging(cls, *, offline: bool = False) -> Verifier:
         the verifier uses the Trusted Root in the local TUF cache. If `False`,
         a TUF repository refresh is attempted.
         """
+        config = ClientTrustConfig.staging(offline=offline)
         return cls(
-            trusted_root=TrustedRoot.staging(offline=offline),
+            trusted_root=config.trusted_root,
         )
 
     def _verify_signed_timestamp(

test/unit/internal/test_trust.py

@@ -96,7 +96,7 @@ def test_trust_root_tuf_caches_and_requests(mock_staging_tuf, tuf_dirs):
     # keep track of requests the TrustUpdater invoked by TrustedRoot makes
     reqs, fail_reqs = mock_staging_tuf
 
-    trust_root = TrustedRoot.staging()
+    trust_root = ClientTrustConfig.staging()
     # metadata was "downloaded" from staging
     expected = [
         "root.json",
@@ -126,7 +126,7 @@ def test_trust_root_tuf_caches_and_requests(mock_staging_tuf, tuf_dirs):
     assert fail_reqs == expected_fail_reqs
 
     # New trust root (and TrustUpdater instance), same cache dirs
-    trust_root = TrustedRoot.staging()
+    trust_root = ClientTrustConfig.staging()
 
     # Expect new timestamp and root requests
     expected_requests["timestamp.json"] += 1
@@ -148,7 +148,7 @@ def test_trust_root_tuf_offline(mock_staging_tuf, tuf_dirs):
     # keep track of requests the TrustUpdater invoked by TrustedRoot makes
     reqs, fail_reqs = mock_staging_tuf
 
-    trust_root = TrustedRoot.staging(offline=True)
+    trust_root = ClientTrustConfig.staging(offline=True)
 
     # local TUF metadata is not initialized, nothing is downloaded
     assert not os.path.exists(data_dir)
@@ -217,7 +217,7 @@ def _pem_keys(keys):
     ]
 
     # Assert that trust root from TUF contains the expected keys/certs
-    trust_root = TrustedRoot.staging()
+    trust_root = ClientTrustConfig.staging().trusted_root
     assert ctfe_keys[0] in get_public_bytes(
         [
             k.key
@@ -240,7 +240,7 @@ def _pem_keys(keys):
     assert trust_root.get_fulcio_certs() == fulcio_certs
 
     # Assert that trust root from offline TUF contains the expected keys/certs
-    trust_root = TrustedRoot.staging(offline=True)
+    trust_root = ClientTrustConfig.staging(offline=True).trust_root
     assert ctfe_keys[0] in get_public_bytes(
         [
             k.key
@@ -289,18 +289,18 @@ def _pem_keys(keys):
 
 def test_trust_root_tuf_instance_error():
     with pytest.raises(RootError):
-        TrustedRoot.from_tuf("foo.bar")
+        ClientTrustConfig.from_tuf("foo.bar")
 
 
 def test_trust_root_tuf_ctfe_keys_error(monkeypatch):
-    trust_root = TrustedRoot.staging(offline=True)
+    trust_root = ClientTrustConfig.staging(offline=True).trusted_root
     monkeypatch.setattr(trust_root._inner, "ctlogs", [])
     with pytest.raises(Exception, match="CTFE keys not found in trusted root"):
         trust_root.ct_keyring(purpose=KeyringPurpose.VERIFY)
 
 
 def test_trust_root_fulcio_certs_error(tuf_asset, monkeypatch):
-    trust_root = TrustedRoot.staging(offline=True)
+    trust_root = ClientTrustConfig.staging(offline=True).trusted_root
     monkeypatch.setattr(trust_root._inner, "certificate_authorities", [])
     with pytest.raises(
         Exception, match="Fulcio certificates not found in trusted root"