chore: use verification out of band

Signed-off-by: hectorj2f <hectorf@vmware.com>

actions/setup/README.md

@@ -50,8 +50,8 @@ The following environmental variables are exported.
  * SIGSTORE_ROOT_FILE
    Alternate sigstore root file, since we are using non-standard root for
    sigstore components.
- * SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY
-   Necessary to be set to true so that we can validate against non-standard
+ * SIGSTORE_REKOR_API_PUBLIC_KEY
+   Necessary to be set with the location of the public key file, so that we can validate against non-standard
    Rekor instance that we use above.
  * ISSUER_URL
    This is the URL for fetching OIDC tokens off the cluster that you can then use as inputs to --identity-token to cosign

actions/setup/action.yml

@@ -119,7 +119,12 @@ runs:
         kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem
         echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV
 
-        echo "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1" >> $GITHUB_ENV
+        # And also grab the rekor pub key.
+        REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
+        echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
+        curl -s $REKOR_URL/api/v1/log/publicKey > ./rekor-public.pem
+        echo "SIGSTORE_REKOR_PUBLIC_KEY=./rekor-public.pem" >> $GITHUB_ENV
+
       else
         echo "This version does have support for TUF"
         curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${tag}/setup-scaffolding-from-release.sh