Problem
Private Sigstore signing (#408) lets an org sign against a self-hosted Fulcio/Rekor, but aicr verify can only verify against the public-good trusted root. verifySigstoreBundle calls trust.GetTrustedMaterial() (pkg/bundler/verifier/trust.go), which has no override for a private CA root or a custom TUF trust root. So privately-signed bundles fail verification.
Proposal
Allow aicr verify to load a custom Sigstore trusted root so bundles signed against private Fulcio/Rekor verify against the matching root of trust.
Behavior
- A flag (e.g.
--trust-root <path> / --certificate-chain) or a TUF root URL supplies the private root of trust to the sigstore-go verifier.
- Public-good remains the default when unset.
- Composes with the keyless identity-pinning path (the identity matcher is unchanged; only the root material differs).
Dependencies
Success criteria
- A bundle signed via
aicr bundle --fulcio-url <private> --rekor-url <private> verifies with the corresponding private trust root.
- Public Sigstore verification is unchanged when no custom root is supplied.
make test / make lint pass.
Problem
Private Sigstore signing (#408) lets an org sign against a self-hosted Fulcio/Rekor, but
aicr verifycan only verify against the public-good trusted root.verifySigstoreBundlecallstrust.GetTrustedMaterial()(pkg/bundler/verifier/trust.go), which has no override for a private CA root or a custom TUF trust root. So privately-signed bundles fail verification.Proposal
Allow
aicr verifyto load a custom Sigstore trusted root so bundles signed against private Fulcio/Rekor verify against the matching root of trust.Behavior
--trust-root <path>/--certificate-chain) or a TUF root URL supplies the private root of trust to the sigstore-go verifier.Dependencies
Success criteria
aicr bundle --fulcio-url <private> --rekor-url <private>verifies with the corresponding private trust root.make test/make lintpass.