Merge pull request #118 from jku/fix-online-sigstore-keys

repo: Fix broken online sigstore signing
theupdateframework · Nov 3, 2023 · 091f483 · 091f483
2 parents e8e2495 + 7f927ec
commit 091f483
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/repo/tuf_on_ci/_repository.py b/repo/tuf_on_ci/_repository.py
@@ -10,12 +10,12 @@
 from securesystemslib.exceptions import UnverifiedSignatureError
 from securesystemslib.signer import (
     KEY_FOR_TYPE_AND_SCHEME,
+    SIGNER_FOR_URI_SCHEME,
     Signature,
     Signer,
     SigstoreKey,
     SigstoreSigner,
 )
-from sigstore.oidc import detect_credential
 from tuf.api.exceptions import UnsignedMetadataError
 from tuf.api.metadata import (
     Key,
@@ -32,6 +32,7 @@
 
 # sigstore is not a supported key by default
 KEY_FOR_TYPE_AND_SCHEME[("sigstore-oidc", "Fulcio")] = SigstoreKey
+SIGNER_FOR_URI_SCHEME[SigstoreSigner.SCHEME] = SigstoreSigner
 
 # TODO Add a metadata cache so we don't constantly open files
 # TODO; Signing status probably should include an error message when valid=False
@@ -205,11 +206,7 @@ def close(self, rolename: str, md: Metadata) -> None:
         for key in self._get_keys(rolename):
             if rolename in ["timestamp", "snapshot"]:
                 uri = key.unrecognized_fields["x-tuf-on-ci-online-uri"]
-                # WORKAROUND while sigstoresigner is not finished
-                if uri == "sigstore:":
-                    signer = SigstoreSigner(detect_credential(), key)
-                else:
-                    signer = Signer.from_priv_key_uri(uri, key)
+                signer = Signer.from_priv_key_uri(uri, key)
                 md.sign(signer, True)
             else:
                 # offline signer, add empty sig