Switch to cosign initialize

Signed-off-by: Aaron Lew <[email protected]>

Author: aaronlew02

.github/workflows/prober-prod.yml

@@ -33,5 +33,6 @@ jobs:
       PAGERDUTY_INTEGRATION_KEY: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }}
     with:
       triggerPagerDutyTest: ${{ github.event.inputs.triggerPagerDutyTest }}
+      tuf_repo: "https://tuf-repo-cdn.sigstore.dev"
       rekor_v2_url: ${{ github.event.inputs.rekor_v2_url }}
       rekor_v2_public_key: ${{ github.event.inputs.rekor_v2_public_key }}

.github/workflows/prober-staging.yml

@@ -34,7 +34,6 @@ jobs:
     with:
       enable_staging: true
       tuf_repo: "https://tuf-repo-cdn.sigstage.dev"
-      tuf_preprod_repo: "https://sigstore.github.io/root-signing-staging"
       tuf_root_path: ".github/assets/sigstage.root.json"
       triggerPagerDutyTest: ${{ github.event.inputs.triggerPagerDutyTest }}
       rekor_v2_url: ${{ github.event.inputs.rekor_v2_url }}

.github/workflows/reusable-prober.yml

@@ -21,17 +21,11 @@ on:
       tuf_repo:
         required: false
         type: string
-        default: 'https://tuf-repo-cdn.sigstore.dev'
         description: 'TUF Repo'
-      tuf_preprod_repo:
-        required: false
-        type: string
-        default: 'https://sigstore.github.io/root-signing'
-        description: 'Preprod TUF Repo'
       tuf_root_path:
         required: false
         type: string
-        default: ".github/assets/sigstore.root.json"
+        default: '.github/assets/sigstore.root.json'
         description: "path to the tuf root"
       triggerPagerDutyTest:
         description: 'Trigger PagerDuty test message'
@@ -107,18 +101,7 @@ jobs:
           metadata_url: ${{ inputs.tuf_repo }}
           valid_days: 2
           offline_valid_days: 15
-          metadata_dir: tuf/prod/
-          compare_source: false
-
-      - name: Verify preprod TUF repository state (and the upgrade from prod)
-        if: ${{ inputs.enable_staging == false }}
-        uses: theupdateframework/tuf-on-ci/actions/test-repository@0ef66318d40656f421781f28df93de9c69ccb9ba # v0.18.0
-        with:
-          metadata_url: ${{ inputs.tuf_preprod_repo }}
-          update_base_url:  ${{ inputs.tuf_repo }}
-          valid_days: 2
-          offline_valid_days: 15
-          metadata_dir: tuf/preprod/
+          metadata_dir: tuf/
           compare_source: false
 
       - name: Set messages
@@ -186,7 +169,9 @@ jobs:
           docker cp binaries:/usr/local/bin/crane /usr/local/bin/
 
       - name: Install cosign
-        uses: sigstore/[email protected]
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: main
 
       # Setup the registry on port 1338
       - run: |
@@ -199,25 +184,29 @@ jobs:
           docker tag ghcr.io/linuxcontainers/alpine ${IMAGE}
           docker push ${IMAGE}
 
-      - name: Install tufie
+      - name: Initialize TUF root
         run: |
-          bash <(curl -s https://raw.githubusercontent.com/kairoaraujo/tufie/main/install.sh)
-
-      - name: Set initial root.json
-        run: cp "${{ inputs.tuf_root_path }}" ./root.json
+          for i in {1..5}
+          do
+            if cosign initialize --mirror=${{ inputs.tuf_repo }} --root=${{ inputs.tuf_root_path }}; then
+              echo "Successfully initialized" && exit 0
+            else
+              echo "Failed to initialize" && sleep 10
+            fi
+          done
+          exit 1
 
-      - name: Add TUF repository to tufie
+      - name: List cosign TUF root contents
         run: |
-          tufie repository add \
-          --name sigstore \
-          --metadata-url ${{ inputs.tuf_repo }} \
-          --artifact-url ${{ inputs.tuf_repo }}/targets \
-          --root ./root.json
+          TUF_TARGETS_DIR=~/.sigstore/root/$(echo ${{ inputs.tuf_repo }} | sed -e 's#^https://##' -e 's#/$##')/targets
+          echo "These are the contents of the cosign TUF root: "
+          ls $TUF_TARGETS_DIR
 
-      - name: Download TUF signing config and trusted root
+      - name: Prepare signing config and trusted root
         run: |
-          tufie download signing_config.v0.2.json --artifact-hash
-          tufie download trusted_root.json --artifact-hash
+          TUF_TARGETS_DIR=~/.sigstore/root/$(echo ${{ inputs.tuf_repo }} | sed -e 's#^https://##' -e 's#/$##')/targets
+          cp ${TUF_TARGETS_DIR}/signing_config.v0.2.json ./signing_config.v0.2.json
+          cp ${TUF_TARGETS_DIR}/trusted_root.json ./trusted_root.json
 
       - name: Configure signing config for Rekor v1
         if: matrix.version == 'v1'
@@ -263,7 +252,7 @@ jobs:
           cosign attest --predicate ./prober/attestation.json --type slsaprovenance --signing-config signing_config.v0.2.json --trusted-root trusted_root.json ${IMAGE} --new-bundle-format
           cosign verify-attestation --type=slsaprovenance ${IMAGE} --trusted-root trusted_root.json --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX" --new-bundle-format ${{ env.TIMESTAMP_VERIFY_FLAG }}
 
-      - name: Read entries from all Rekor shards
+      - name: Read entries from all Rekor v1 shards
         if: matrix.version == 'v1'
         run: |
           # Assume the signing config contains a single Rekor v1 URL