Add test for fetching trusted_root.json from TUF repo

Signed-off-by: Cody Soyland <codysoyland@github.com>

Author: codysoyland

hack/gentestdata/gentestdata.go

@@ -77,7 +77,23 @@ func main() {
 		log.Fatal(err)
 	}
 
-	marshalledEntryFromMirrorFS, tufRepo, rootJSON, err := genTUFRepo(sigstoreKeysMap)
+	tufRepo, rootJSON, err := genTUFRepo(map[string][]byte{
+		"rekor.pem":  []byte(sigstoreKeysMap["rekor"]),
+		"ctfe.pem":   []byte(sigstoreKeysMap["ctfe"]),
+		"fulcio.pem": []byte(sigstoreKeysMap["fulcio"]),
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	tufRepoWithTrustedRootJSON, rootJSONWithTrustedRootJSON, err := genTUFRepo(map[string][]byte{
+		"trusted_root.json": marshalledEntry,
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	marshalledEntryFromMirrorFS, err := genTrustedRoot(sigstoreKeysMap)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -92,6 +108,8 @@ func main() {
 	mustWriteFile("marshalledEntryFromMirrorFS.json", marshalledEntryFromMirrorFS)
 	mustWriteFile("tufRepo.tar", tufRepo)
 	mustWriteFile("root.json", rootJSON)
+	mustWriteFile("tufRepoWithTrustedRootJSON.tar", tufRepoWithTrustedRootJSON)
+	mustWriteFile("rootWithTrustedRootJSON.json", rootJSONWithTrustedRootJSON)
 }
 
 func mustWriteFile(path string, data []byte) {
@@ -204,39 +222,37 @@ func genLogID(pkBytes []byte) (string, error) {
 	return cosign.GetTransparencyLogID(pk)
 }
 
-func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, error) {
-	files := map[string][]byte{}
-	files["rekor.pem"] = []byte(sigstoreKeysMap["rekor"])
-	files["ctfe.pem"] = []byte(sigstoreKeysMap["ctfe"])
-	files["fulcio.pem"] = []byte(sigstoreKeysMap["fulcio"])
-
+func genTUFRepo(files map[string][]byte) ([]byte, []byte, error) {
 	defer os.RemoveAll(path.Join(os.TempDir(), "tuf")) // TODO: Update scaffolding to use os.MkdirTemp and remove this
 	ctx := context.Background()
 	local, dir, err := repo.CreateRepo(ctx, files)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
 	meta, err := local.GetMeta()
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
 	rootJSON, ok := meta["root.json"]
 	if !ok {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
 
 	var compressed bytes.Buffer
 	if err := repo.CompressFS(os.DirFS(dir), &compressed, map[string]bool{"keys": true, "staged": true}); err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
+	return compressed.Bytes(), rootJSON, nil
+}
 
+func genTrustedRoot(sigstoreKeysMap map[string]string) ([]byte, error) {
 	tlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap["rekor"]))
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, err
 	}
 	ctlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap["ctfe"]))
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, err
 	}
 
 	trustRoot := &config.SigstoreKeys{
@@ -257,8 +273,8 @@ func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, erro
 	}
 	err = populateLogIDs(trustRoot)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, err
 	}
 	trustRootBytes := []byte(protojson.Format(trustRoot))
-	return trustRootBytes, compressed.Bytes(), rootJSON, nil
+	return trustRootBytes, nil
 }

pkg/reconciler/trustroot/testdata/ctfeLogID.txt

@@ -1 +1 @@
-f233e0255ba7b06f768210de40a72dad6456c364f864fef10654e9d1f3576cdf
+1710e23da0651aaa8194bc9652cd00a97c1fda9c76fce12f14eb635e42036954

pkg/reconciler/trustroot/testdata/ctfePublicKey.pem

@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfz
-RJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMj
+ld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==
 -----END PUBLIC KEY-----

pkg/reconciler/trustroot/testdata/fulcioCertChain.pem

@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
-MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMG
-ByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7f
-LtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1Ud
-DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggq
-hkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88C
-IQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug==
+MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
+MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/5
+5rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1Ud
+DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggq
+hkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64C
+IHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
-MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcq
-hkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8
-LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8B
-Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX
-2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICr
-DiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk=
+MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
+MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz
+9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8B
+Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3
+eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55
+FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW
 -----END CERTIFICATE-----

pkg/reconciler/trustroot/testdata/marshalledEntry.json

@@ -1,78 +1,78 @@
 {
-  "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
-  "tlogs": [
+  "mediaType":  "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
+  "tlogs":  [
     {
-      "baseUrl": "https://rekor.example.com",
-      "hashAlgorithm": "SHA2_256",
-      "publicKey": {
-        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3oWabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw==",
-        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
-        "validFor": {
-          "start": "1970-01-01T00:00:00Z"
+      "baseUrl":  "https://rekor.example.com",
+      "hashAlgorithm":  "SHA2_256",
+      "publicKey":  {
+        "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==",
+        "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
+        "validFor":  {
+          "start":  "1970-01-01T00:00:00Z"
         }
       },
-      "logId": {
-        "keyId": "ODYzMWJhMjQwZTYxN2M1ZWY2NWU2Y2QxZjcwYjhhOTU1NTQ5ZmNhYjk5NmYyZGI2MGE1ZThjYWE5OWJlMWNmMg=="
+      "logId":  {
+        "keyId":  "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ=="
       }
     }
   ],
-  "certificateAuthorities": [
+  "certificateAuthorities":  [
     {
-      "subject": {
-        "organization": "fulcio-organization",
-        "commonName": "fulcio-common-name"
+      "subject":  {
+        "organization":  "fulcio-organization",
+        "commonName":  "fulcio-common-name"
       },
-      "uri": "https://fulcio.example.com",
-      "certChain": {
-        "certificates": [
+      "uri":  "https://fulcio.example.com",
+      "certChain":  {
+        "certificates":  [
           {
-            "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7fLtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggqhkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88CIQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug=="
+            "rawBytes":  "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT"
           },
           {
-            "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICrDiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk="
+            "rawBytes":  "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW"
           }
         ]
       },
-      "validFor": {
-        "start": "1970-01-01T00:00:00Z"
+      "validFor":  {
+        "start":  "1970-01-01T00:00:00Z"
       }
     }
   ],
-  "ctlogs": [
+  "ctlogs":  [
     {
-      "baseUrl": "https://ctfe.example.com",
-      "hashAlgorithm": "SHA2_256",
-      "publicKey": {
-        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfzRJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==",
-        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
-        "validFor": {
-          "start": "1970-01-01T00:00:00Z"
+      "baseUrl":  "https://ctfe.example.com",
+      "hashAlgorithm":  "SHA2_256",
+      "publicKey":  {
+        "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==",
+        "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
+        "validFor":  {
+          "start":  "1970-01-01T00:00:00Z"
         }
       },
-      "logId": {
-        "keyId": "ZjIzM2UwMjU1YmE3YjA2Zjc2ODIxMGRlNDBhNzJkYWQ2NDU2YzM2NGY4NjRmZWYxMDY1NGU5ZDFmMzU3NmNkZg=="
+      "logId":  {
+        "keyId":  "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA=="
       }
     }
   ],
-  "timestampAuthorities": [
+  "timestampAuthorities":  [
     {
-      "subject": {
-        "organization": "tsa-organization",
-        "commonName": "tsa-common-name"
+      "subject":  {
+        "organization":  "tsa-organization",
+        "commonName":  "tsa-common-name"
       },
-      "uri": "https://tsa.example.com",
-      "certChain": {
-        "certificates": [
+      "uri":  "https://tsa.example.com",
+      "certChain":  {
+        "certificates":  [
           {
-            "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCOUCx97+DsDdyvKgf/FhyiMIzd40bAquTXCeZlDeKsHUhsLHrLCa8fOV8njfl8dE2ABX/lwPA+czYfDW1myooGjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRNdydaOxYhTIQG3d3Zp22F1Rj+XDAKBggqhkjOPQQDAgNJADBGAiEA7BJb9k0usb77EKqvbCfOF1fGeBFiU3i32+4HnUXC9GcCIQCZ+/gZ+G47t2OlCVNnE+9YasE9100MR/Sm9SBCzn6UTQ=="
+            "rawBytes":  "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDgjsTzgbEsFFuBFCp1LIRv4SwYLCLL1fxtq95tbtGj/wHQUmrKLxMLMxaxIzdJs54lIDP+LoKeK25+HBPftwtCjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRRiPL3dEhG22Qh+0GTFJ/G1SW1yDAKBggqhkjOPQQDAgNIADBFAiABNvVUla7gqF/135UkA55FQ57M6r84IArwk43Zy2aPPgIhAO8/F8k9VB5+I1FSiQL1qsM8yO6SUpVF9E+hNJ9n/6zU"
           },
           {
-            "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjjBapPc46v5hDtKeyNshq4Xdb+t+WX6R4Jgrwpy31o+0exhZhzlMYl1aelkZi/7u9fnNsuUVfgRjSZIC1aF+7o0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUTXcnWjsWIUyEBt3d2adthdUY/lwwCgYIKoZIzj0EAwIDSQAwRgIhAOYOmibcfPIN/8DYOdEsd6JVa1RJn7dwJJueg4rNwpBzAiEAiFSpjPSVbNRUJDUOYJGPpkmj+TLh5GCoz2Bw2/oed44="
+            "rawBytes":  "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARjUhxtm6QXaB2bkGKHenCToVRPhVf0PTkuS7/hTGjHhELoMrD8r3nbqyceFEl4FUTzEMDfrj/YhefX7ZbeesSho0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUYjy93RIRttkIftBkxSfxtUltcgwCgYIKoZIzj0EAwIDSQAwRgIhAJgRO/ig4ZBrlYjuNYpC/kqUIVsfSKLpS9c4/lkcTGBPAiEAq+euZ8zkevab16uWx7ZaEcElKYY3xzhTr5yQYeJPOcQ="
           }
         ]
       },
-      "validFor": {
-        "start": "1970-01-01T00:00:00Z"
+      "validFor":  {
+        "start":  "1970-01-01T00:00:00Z"
       }
     }
   ]

pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json

@@ -1,48 +1,48 @@
 {
-  "tlogs": [
+  "tlogs":  [
     {
-      "hashAlgorithm": "SHA2_256",
-      "publicKey": {
-        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3oWabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw==",
-        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
-        "validFor": {
-          "start": "1970-01-01T00:00:00Z"
+      "hashAlgorithm":  "SHA2_256",
+      "publicKey":  {
+        "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==",
+        "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
+        "validFor":  {
+          "start":  "1970-01-01T00:00:00Z"
         }
       },
-      "logId": {
-        "keyId": "ODYzMWJhMjQwZTYxN2M1ZWY2NWU2Y2QxZjcwYjhhOTU1NTQ5ZmNhYjk5NmYyZGI2MGE1ZThjYWE5OWJlMWNmMg=="
+      "logId":  {
+        "keyId":  "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ=="
       }
     }
   ],
-  "certificateAuthorities": [
+  "certificateAuthorities":  [
     {
-      "certChain": {
-        "certificates": [
+      "certChain":  {
+        "certificates":  [
           {
-            "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7fLtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggqhkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88CIQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug=="
+            "rawBytes":  "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT"
           },
           {
-            "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICrDiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk="
+            "rawBytes":  "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW"
           }
         ]
       },
-      "validFor": {
-        "start": "1970-01-01T00:00:00Z"
+      "validFor":  {
+        "start":  "1970-01-01T00:00:00Z"
       }
     }
   ],
-  "ctlogs": [
+  "ctlogs":  [
     {
-      "hashAlgorithm": "SHA2_256",
-      "publicKey": {
-        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfzRJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==",
-        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
-        "validFor": {
-          "start": "1970-01-01T00:00:00Z"
+      "hashAlgorithm":  "SHA2_256",
+      "publicKey":  {
+        "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==",
+        "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
+        "validFor":  {
+          "start":  "1970-01-01T00:00:00Z"
         }
       },
-      "logId": {
-        "keyId": "ZjIzM2UwMjU1YmE3YjA2Zjc2ODIxMGRlNDBhNzJkYWQ2NDU2YzM2NGY4NjRmZWYxMDY1NGU5ZDFmMzU3NmNkZg=="
+      "logId":  {
+        "keyId":  "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA=="
       }
     }
   ]

pkg/reconciler/trustroot/testdata/rekorLogID.txt

@@ -1 +1 @@
-8631ba240e617c5ef65e6cd1f70b8a955549fcab996f2db60a5e8caa99be1cf2
+adc5151f9911ee1f001edc74cd71cd58f8a11a484a8c9709490b4d966471f411

pkg/reconciler/trustroot/testdata/rekorPublicKey.pem

@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3o
-WabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro8
+9r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==
 -----END PUBLIC KEY-----

pkg/reconciler/trustroot/testdata/root.json

@@ -3,75 +3,75 @@
   "_type": "root",
   "spec_version": "1.0",
   "version": 1,
-  "expires": "2024-09-22T15:32:01-04:00",
+  "expires": "2024-09-22T16:47:39-04:00",
   "keys": {
-   "4b22a801cd5addfbcf9646b3a2dd299d076be90a506d7173742df76a916b511f": {
+   "0c5ee15a0b35012b32989697c15e22f199d8534863a80197bea385adb908d0c9": {
     "keytype": "ed25519",
     "scheme": "ed25519",
     "keyid_hash_algorithms": [
      "sha256",
      "sha512"
     ],
     "keyval": {
-     "public": "a4d3caa7307b07ae60f8827d6a63a421caa9436818911ec4a5fec159c2e0a6ea"
+     "public": "06ba72d6fe28cc6d1d85ca8f933f7e855875af2cabb97dd075074f5d1c188249"
     }
    },
-   "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59": {
+   "b2cf295def74b86b6a50211bfcf3ab3839a2bdbed936d95cfacce1f4c31deedd": {
     "keytype": "ed25519",
     "scheme": "ed25519",
     "keyid_hash_algorithms": [
      "sha256",
      "sha512"
     ],
     "keyval": {
-     "public": "2e9da73f5b4a9abbcaf343214f54f897cd2d66b02199ed039fe1d4d3bd002b8b"
+     "public": "97c5f9488951eb67f16ea9328c9537c2ade4485a0b924ec0486a236f50e80f96"
     }
    },
-   "93a9525c20dcad686288e943a3a1c5c26b185d838fa25d7ca07c6bd6a80a9093": {
+   "d4177b1e89bf7eb02c44285e9f7907eb089ff7951199179d6fd68280dbb4d69d": {
     "keytype": "ed25519",
     "scheme": "ed25519",
     "keyid_hash_algorithms": [
      "sha256",
      "sha512"
     ],
     "keyval": {
-     "public": "4c20f29a8b91b19ed8c2446354067fc52d234412ffc9432785f966a0cde6af93"
+     "public": "4b92888524b5cd2de6cad461f83fb86b3f5590792c037b416132811ba71e1e8b"
     }
    },
-   "a182898f8f07aa5a376da7aeaf62dbe13a23f21dc8088e28936b67a08bbefb87": {
+   "fcf4d6c6bfa6fccb41df570cc60e6ef63cfe45baed10c0ead716de97f4a25264": {
     "keytype": "ed25519",
     "scheme": "ed25519",
     "keyid_hash_algorithms": [
      "sha256",
      "sha512"
     ],
     "keyval": {
-     "public": "d5a909f2ecbbe521323e5c84970b2937955e098605d43e6aa9fe14d682eef3b3"
+     "public": "6f98dc24fc1df15ed2888658f711dbe59433aa7b0a62334080100fa52a483716"
     }
    }
   },
   "roles": {
    "root": {
     "keyids": [
-     "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59"
+     "d4177b1e89bf7eb02c44285e9f7907eb089ff7951199179d6fd68280dbb4d69d"
     ],
     "threshold": 1
    },
    "snapshot": {
     "keyids": [
-     "a182898f8f07aa5a376da7aeaf62dbe13a23f21dc8088e28936b67a08bbefb87"
+     "b2cf295def74b86b6a50211bfcf3ab3839a2bdbed936d95cfacce1f4c31deedd"
     ],
     "threshold": 1
    },
    "targets": {
     "keyids": [
-     "4b22a801cd5addfbcf9646b3a2dd299d076be90a506d7173742df76a916b511f"
+     "fcf4d6c6bfa6fccb41df570cc60e6ef63cfe45baed10c0ead716de97f4a25264"
     ],
     "threshold": 1
    },
    "timestamp": {
     "keyids": [
-     "93a9525c20dcad686288e943a3a1c5c26b185d838fa25d7ca07c6bd6a80a9093"
+     "0c5ee15a0b35012b32989697c15e22f199d8534863a80197bea385adb908d0c9"
     ],
     "threshold": 1
    }
@@ -80,8 +80,8 @@
  },
  "signatures": [
   {
-   "keyid": "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59",
-   "sig": "053c49473376571093b419ce3f4a6fcf350d6b7bead1234fe5eae685ee3914b5c28b9cc1ccfdfa84a276374a54eefe06c0545c1ada32dd42194e5fa86f69510a"
+   "keyid": "d4177b1e89bf7eb02c44285e9f7907eb089ff7951199179d6fd68280dbb4d69d",
+   "sig": "0eca8e52cd9d8e18dc02593925bde4c44f2eac3e173199ff30a8a875391636f419914563fafe171d5b4b22917b8a6604ad77af5ea9f88166b3f8ca6c15332201"
   }
  ]
 }

pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json

@@ -0,0 +1,87 @@
+{
+ "signed": {
+  "_type": "root",
+  "spec_version": "1.0",
+  "version": 1,
+  "expires": "2024-09-22T16:47:40-04:00",
+  "keys": {
+   "1742f6a1f846f4042382403b907864f125c2fca7bd70d6c157a40ac8e6f7d505": {
+    "keytype": "ed25519",
+    "scheme": "ed25519",
+    "keyid_hash_algorithms": [
+     "sha256",
+     "sha512"
+    ],
+    "keyval": {
+     "public": "3bfd19c0931a80cd3279322fc22b04b90831b1804f5dbc72c31676ca2ac82f97"
+    }
+   },
+   "5dd6940e523073d10a6252f38a4dc2ebf33e23641c103682e43cb351a5672f43": {
+    "keytype": "ed25519",
+    "scheme": "ed25519",
+    "keyid_hash_algorithms": [
+     "sha256",
+     "sha512"
+    ],
+    "keyval": {
+     "public": "d64a13987f3b0ccfcbfab8c5631acff1b69dda70e40c1aae0cb1f0f9575716cb"
+    }
+   },
+   "8b635809713e0b6ae3370afeb6fa83d7aae2039b355e56d1211049246c3d1a4d": {
+    "keytype": "ed25519",
+    "scheme": "ed25519",
+    "keyid_hash_algorithms": [
+     "sha256",
+     "sha512"
+    ],
+    "keyval": {
+     "public": "ecf8b527a4a4ce34718286dc9a67a5969060053bf1750e2dc74e065c9ab30ec1"
+    }
+   },
+   "d263be84f7043dd0b4636fb797cfd1c9b455b9168f282cad8f48ff0ca47465fc": {
+    "keytype": "ed25519",
+    "scheme": "ed25519",
+    "keyid_hash_algorithms": [
+     "sha256",
+     "sha512"
+    ],
+    "keyval": {
+     "public": "e7f35e9f47b6e2f38e62b184d9f9a54f085843c57bb102cab0fe684dabe1e0bd"
+    }
+   }
+  },
+  "roles": {
+   "root": {
+    "keyids": [
+     "1742f6a1f846f4042382403b907864f125c2fca7bd70d6c157a40ac8e6f7d505"
+    ],
+    "threshold": 1
+   },
+   "snapshot": {
+    "keyids": [
+     "8b635809713e0b6ae3370afeb6fa83d7aae2039b355e56d1211049246c3d1a4d"
+    ],
+    "threshold": 1
+   },
+   "targets": {
+    "keyids": [
+     "5dd6940e523073d10a6252f38a4dc2ebf33e23641c103682e43cb351a5672f43"
+    ],
+    "threshold": 1
+   },
+   "timestamp": {
+    "keyids": [
+     "d263be84f7043dd0b4636fb797cfd1c9b455b9168f282cad8f48ff0ca47465fc"
+    ],
+    "threshold": 1
+   }
+  },
+  "consistent_snapshot": false
+ },
+ "signatures": [
+  {
+   "keyid": "1742f6a1f846f4042382403b907864f125c2fca7bd70d6c157a40ac8e6f7d505",
+   "sig": "1050176114e44eec30b0661a9016b0a1ce607b4168d8e84ab1d4c15d73c3bdb051f0c0b21b67f03c77d4a98ea7dabc5fd1404bbef2eaac605ddfa2a6145d0709"
+  }
+ ]
+}

pkg/reconciler/trustroot/testdata/tsaCertChain.pem

@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
-MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMG
-ByqGSM49AgEGCCqGSM49AwEHA0IABCOUCx97+DsDdyvKgf/FhyiMIzd40bAquTXC
-eZlDeKsHUhsLHrLCa8fOV8njfl8dE2ABX/lwPA+czYfDW1myooGjMzAxMA4GA1Ud
-DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRNdydaOxYhTIQG3d3Zp22F1Rj+XDAKBggq
-hkjOPQQDAgNJADBGAiEA7BJb9k0usb77EKqvbCfOF1fGeBFiU3i32+4HnUXC9GcC
-IQCZ+/gZ+G47t2OlCVNnE+9YasE9100MR/Sm9SBCzn6UTQ==
+MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
+MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABDgjsTzgbEsFFuBFCp1LIRv4SwYLCLL1fxtq
+95tbtGj/wHQUmrKLxMLMxaxIzdJs54lIDP+LoKeK25+HBPftwtCjMzAxMA4GA1Ud
+DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRRiPL3dEhG22Qh+0GTFJ/G1SW1yDAKBggq
+hkjOPQQDAgNIADBFAiABNvVUla7gqF/135UkA55FQ57M6r84IArwk43Zy2aPPgIh
+AO8/F8k9VB5+I1FSiQL1qsM8yO6SUpVF9E+hNJ9n/6zU
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
-MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcq
-hkjOPQIBBggqhkjOPQMBBwNCAAQjjBapPc46v5hDtKeyNshq4Xdb+t+WX6R4Jgrw
-py31o+0exhZhzlMYl1aelkZi/7u9fnNsuUVfgRjSZIC1aF+7o0IwQDAOBgNVHQ8B
-Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUTXcnWjsWIUyEBt3d
-2adthdUY/lwwCgYIKoZIzj0EAwIDSQAwRgIhAOYOmibcfPIN/8DYOdEsd6JVa1RJ
-n7dwJJueg4rNwpBzAiEAiFSpjPSVbNRUJDUOYJGPpkmj+TLh5GCoz2Bw2/oed44=
+MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAARjUhxtm6QXaB2bkGKHenCToVRPhVf0PTkuS7/h
+TGjHhELoMrD8r3nbqyceFEl4FUTzEMDfrj/YhefX7ZbeesSho0IwQDAOBgNVHQ8B
+Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUYjy93RIRttkIftB
+kxSfxtUltcgwCgYIKoZIzj0EAwIDSQAwRgIhAJgRO/ig4ZBrlYjuNYpC/kqUIVsf
+SKLpS9c4/lkcTGBPAiEAq+euZ8zkevab16uWx7ZaEcElKYY3xzhTr5yQYeJPOcQ=
 -----END CERTIFICATE-----

pkg/reconciler/trustroot/testdata/tufRepo.tar

@@ -240,7 +240,6 @@ func getSigstoreKeysFromTuf(ctx context.Context, tufClient *client.Client) (*con
 	ret := &config.SigstoreKeys{}
 
 	// if there is a "trusted_root.json" target, we can use that instead of the custom metadata
-	// TODO: Write tests for this
 	if _, ok := targets["trusted_root.json"]; ok {
 		dl := newDownloader()
 		if err = tufClient.Download("trusted_root.json", &dl); err != nil {

pkg/reconciler/trustroot/testdata/tufRepoWithTrustedRootJSON.tar

@@ -168,6 +168,14 @@ var validRepository = testdata.Get("tufRepo.tar")
 // rootJSON is a valid root.json for above TUF repository.
 var rootJSON = testdata.Get("root.json")
 
+// validRepositoryWithTrustedRootJSON is a valid tarred repository representing
+// an air-gap TUF repository containing trusted_root.json.
+var validRepositoryWithTrustedRootJSON = testdata.Get("tufRepoWithTrustedRootJSON.tar")
+
+// IMPORTANT: The next expiration is on 2024-09-21
+// rootJSON is a valid root.json for above TUF repository.
+var rootWithTrustedRootJSON = testdata.Get("rootWithTrustedRootJSON.json")
+
 func TestReconcile(t *testing.T) {
 	table := TableTest{{
 		Name: "bad workqueue key",
@@ -342,7 +350,7 @@ func TestReconcile(t *testing.T) {
 			),
 		},
 		WantCreates: []runtime.Object{
-			makeConfigMapWithMirrorFS(),
+			makeConfigMapWithMirrorFS(marshalledEntryFromMirrorFS),
 		},
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: NewTrustRoot(trName,
@@ -352,6 +360,30 @@ func TestReconcile(t *testing.T) {
 				WithTrustRootFinalizer,
 				MarkReadyTrustRoot,
 			)}},
+	}, {
+		Name: "With repository containing trusted_root.json",
+		Key:  testKey,
+
+		SkipNamespaceValidation: true, // Cluster scoped
+		Objects: []runtime.Object{
+			NewTrustRoot(trName,
+				WithTrustRootUID(uid),
+				WithTrustRootResourceVersion(resourceVersion),
+				WithRepository("targets", rootWithTrustedRootJSON, validRepositoryWithTrustedRootJSON),
+				WithTrustRootFinalizer,
+			),
+		},
+		WantCreates: []runtime.Object{
+			makeConfigMapWithMirrorFS(marshalledEntry),
+		},
+		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
+			Object: NewTrustRoot(trName,
+				WithTrustRootUID(uid),
+				WithTrustRootResourceVersion(resourceVersion),
+				WithRepository("targets", rootWithTrustedRootJSON, validRepositoryWithTrustedRootJSON),
+				WithTrustRootFinalizer,
+				MarkReadyTrustRoot,
+			)}},
 	}}
 
 	logger := logtesting.TestLogger(t)
@@ -395,13 +427,13 @@ func makeConfigMapWithSigstoreKeys() *corev1.ConfigMap {
 	return ret
 }
 
-func makeConfigMapWithMirrorFS() *corev1.ConfigMap {
+func makeConfigMapWithMirrorFS(entry string) *corev1.ConfigMap {
 	return &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: system.Namespace(),
 			Name:      config.SigstoreKeysConfigName,
 		},
-		Data: map[string]string{"test-trustroot": marshalledEntryFromMirrorFS},
+		Data: map[string]string{"test-trustroot": entry},
 	}
 }