Do not require multiple Fulcio certs in the TUF root (#1230)

cosign requires both fulcio.crt.pem and fulcio_v1.crt.pem in the TUF root which doesn't make sense when using local TUF. fulcio_v1.crt.pem was added in the embedded TUF in order to support Fulcio v1 but it shouldn't be required when users initialize cosign with their own TUF repo. Closes: #1229 Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
sigstore · Dec 17, 2021 · d318979 · d318979
1 parent 9da74c9
commit d318979
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go
@@ -23,7 +23,6 @@ import (
 	"os"
 	"sync"
 
-	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/pkg/cosign/tuf"
 )
 
@@ -64,15 +63,19 @@ func initRoots() *x509.CertPool {
 		// Retrieve from the embedded or cached TUF root. If expired, a network
 		// call is made to update the root.
 		ctx := context.Background() // TODO: pass in context?
+		rootFound := false
 		for _, fulcioTarget := range []string{fulcioTargetStr, fulcioV1TargetStr} {
 			buf := tuf.ByteDestination{Buffer: &bytes.Buffer{}}
-			if err := tuf.GetTarget(ctx, fulcioTarget, &buf); err != nil {
-				panic(errors.Wrap(err, "creating root cert pool"))
-			}
-			if !cp.AppendCertsFromPEM(buf.Bytes()) {
-				panic("error creating root cert pool")
+			if err := tuf.GetTarget(ctx, fulcioTarget, &buf); err == nil {
+				rootFound = true
+				if !cp.AppendCertsFromPEM(buf.Bytes()) {
+					panic("error creating root cert pool")
+				}
 			}
 		}
+		if !rootFound {
+			panic("none of the Fulcio roots have been found")
+		}
 	}
 	return cp
 }