Skip to content

Update Sigstore testing token source #68

Description

@jku

Problem Statement

The extremely-dangerous-public-oidc-beacon action is being deprecated. A more reliable alternative already exists: https://github.com/sigstore/sigstore-conformance/#identity-token-for-signing-tests

Proposed Solution

The switch is usually trivial as getting the token is easy:

SIGSTORE_ID_TOKEN=$(curl -sSfL https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt)

The new identity is untrusted-sa@sigstore-conformance.iam.gserviceaccount.com with issuer https://accounts.google.com.

I did not provide a patch because of two sigstore-a2a specific issues:

  • the new token is not from GitHub so the GitHub specific claims are not there so these will not work: --repository <REPO> --workflow <WORKFLOW>. If you need the GitHub specific claims, you should implement your own testing token source
  • There are some committed test signatures, I was not sure if you want to replace those at same time or not

Alternatives Considered

No response

Component

CLI

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions