Do not load trusted root when CT env key is set

cmurphy · cmurphy · commit b1261098fbe8 · 2025-06-17T12:16:56.000-07:00
In 32a2d62 the ability to use TUF to read and refresh trusted_root.json was added. Prior, there was already a --trusted-root flag for verify* commands, to read trusted_root.json directly without using a TUF client. This did not exist for the sign* commands, which still need key material to verifyi the CT key. The workaround for the sign commands was to use the SIGSTORE_CT_LOG_PUBLIC_KEY_FILE environment variable, but when the TUF client was updated, this workaround regressed. This change makes it so that this flag will still work and that the machine's cached trusted root is not used if it's not intended to be used. The permanent fix going forward should be to add the --trusted-root flags to the sign* commands. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
@@ -24,6 +24,7 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/spf13/cobra"
 )
 
@@ -99,7 +100,7 @@ func Attest() *cobra.Command {
 				TSAServerURL:             o.TSAServerURL,
 				NewBundleFormat:          o.NewBundleFormat,
 			}
-			if o.Key == "" { // Get the trusted root if using fulcio for signing
+			if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { // Get the trusted root if using fulcio for signing
 				trustedMaterial, err := cosign.TrustedRoot()
 				if err != nil {
 					ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go
@@ -22,6 +22,7 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/spf13/cobra"
 )
 
@@ -84,7 +85,7 @@ func AttestBlob() *cobra.Command {
 				BundlePath:               o.BundlePath,
 				NewBundleFormat:          o.NewBundleFormat,
 			}
-			if o.Key == "" { // Get the trusted root if using fulcio for signing
+			if o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" { // Get the trusted root if using fulcio for signing
 				trustedMaterial, err := cosign.TrustedRoot()
 				if err != nil {
 					ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go
@@ -25,6 +25,7 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/spf13/cobra"
 )
 
@@ -130,7 +131,7 @@ race conditions or (worse) malicious tampering.
 				TSAServerURL:                   o.TSAServerURL,
 				IssueCertificateForExistingKey: o.IssueCertificate,
 			}
-			if o.Key == "" || o.IssueCertificate {
+			if (o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" {
 				trustedMaterial, err := cosign.TrustedRoot()
 				if err != nil {
 					ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
@@ -25,6 +25,7 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -98,7 +99,7 @@ func SignBlob() *cobra.Command {
 				RFC3161TimestampPath:           o.RFC3161TimestampPath,
 				IssueCertificateForExistingKey: o.IssueCertificate,
 			}
-			if o.Key == "" || o.IssueCertificate {
+			if (o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" {
 				trustedMaterial, err := cosign.TrustedRoot()
 				if err != nil {
 					ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
