diff --git a/pkg/cmd/attestation/trustedroot/trustedroot.go b/pkg/cmd/attestation/trustedroot/trustedroot.go
index 4e55e27ab..7ae19616d 100644
--- a/pkg/cmd/attestation/trustedroot/trustedroot.go
+++ b/pkg/cmd/attestation/trustedroot/trustedroot.go
@@ -122,7 +122,7 @@ func getTrustedRoot(makeTUF tufClientInstantiator, opts *Options) error {
 var tufOptions []tufConfig
 var defaultTR = "trusted_root.json"
- tufOpt := verification.DefaultOptionsWithCacheSetting(o.None[string]())
+ tufOpt := verification.DefaultOptionsWithCacheSetting(o.None[string](), nil)
 // Disable local caching, so we get up-to-date response from TUF repository
 tufOpt.CacheValidity = 0
@@ -151,7 +151,7 @@ func getTrustedRoot(makeTUF tufClientInstantiator, opts *Options) error {
 targets: []string{defaultTR},
 })
- tufOpt = verification.GitHubTUFOptions(o.None[string]())
+ tufOpt = verification.GitHubTUFOptions(o.None[string](), nil)
 tufOpt.CacheValidity = 0
 tufOptions = append(tufOptions, tufConfig{
 tufOptions: tufOpt,
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index 34558a4cc..169188a2e 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -73,7 +73,7 @@ func NewLiveSigstoreVerifier(config SigstoreConfig) (*LiveSigstoreVerifier, erro
 return liveVerifier, nil
 }
 if !config.NoPublicGood {
- publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir)
+ publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir, config.HttpClient)
 if err != nil {
 return nil, err
 }
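Review bot: Both new call sites in getTrustedRoot, `DefaultOptionsWithCacheSetting(o.None[string](), nil)` in the @@ -122 hunk and `GitHubTUFOptions(o.None[string](), nil)` in the @@ -151 hunk, pass a bare `nil` HTTP client, whereas NewLiveSigstoreVerifier forwards `config.HttpClient`. The body of DefaultOptionsWithCacheSetting is not part of this diff, so whether a nil client is guarded before it reaches the TUF fetcher cannot be confirmed from here. If it is not guarded, a check at the top of that helper such as `if hc == nil { hc = http.DefaultClient }` would make the contract explicit for the code that fetches the trust root. If nil is intentional for this command, a call-site comment like `// nil: no caller-supplied HTTP client for this command` would show that it is deliberate. getTrustedRoot starts and ends outside both hunks.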
@@ -350,8 +350,8 @@ func newGitHubVerifierWithTrustedRoot(trustedRoot *root.TrustedRoot) (*verify.Si
 return gv, nil
 }
-func newPublicGoodVerifier(tufMetadataDir o.Option[string]) (*verify.SignedEntityVerifier, error) {
- opts := DefaultOptionsWithCacheSetting(tufMetadataDir)
+func newPublicGoodVerifier(tufMetadataDir o.Option[string], hc *http.Client) (*verify.SignedEntityVerifier, error) {
+ opts := DefaultOptionsWithCacheSetting(tufMetadataDir, hc)
 client, err := tuf.New(opts)
 if err != nil {
 return nil, fmt.Errorf("failed to create TUF client: %v", err)
diff --git a/pkg/cmd/attestation/verification/tuf.go b/pkg/cmd/attestation/verification/tuf.go
index 94455d343..2c38f7cdf 100644
--- a/pkg/cmd/attestation/verification/tuf.go
+++ b/pkg/cmd/attestation/verification/tuf.go
@@ -2,9 +2,11 @@ package verification
 import (
 _ "embed"
+ "net/http"
 "os"
 "path/filepath"
+ "github.com/cenkalti/backoff/v5"
 o "github.com/cli/cli/v2/pkg/option"
 "github.com/cli/go-gh/v2/pkg/config"
 "github.com/sigstore/sigstore-go/pkg/tuf"
@@ -43,7 +45,7 @@ func DefaultOptionsWithCacheSetting(tufMetadataDir o.Option[string], hc *http.Cl
 }
 func GitHubTUFOptions(tufMetadataDir o.Option[string], hc *http.Client) *tuf.Options {
- opts := DefaultOptionsWithCacheSetting(tufMetadataDir)
+ opts := DefaultOptionsWithCacheSetting(tufMetadataDir, hc)
 opts.Root = githubRoot
 opts.RepositoryBaseURL = GitHubTUFMirror
diff --git a/pkg/cmd/attestation/verification/tuf_test.go b/pkg/cmd/attestation/verification/tuf_test.go
index e8b6ecf98..41f766ac9 100644
--- a/pkg/cmd/attestation/verification/tuf_test.go
+++ b/pkg/cmd/attestation/verification/tuf_test.go
@@ -12,7 +12,7 @@ import (
 func TestGitHubTUFOptionsNoMetadataDir(t *testing.T) {
 os.Setenv("CODESPACES", "true")
- opts := GitHubTUFOptions(o.None[string]())
+ opts := GitHubTUFOptions(o.None[string](), nil)
 require.Equal(t, GitHubTUFMirror, opts.RepositoryBaseURL)
 require.NotNil(t, opts.Root)
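Review bot: newPublicGoodVerifier gains an `hc *http.Client` parameter in the @@ -350 hunk of sigstore.go but has no doc comment saying what the client is used for or whether nil is accepted. A comment such as `// newPublicGoodVerifier builds a verifier from the TUF options for tufMetadataDir; hc is forwarded to DefaultOptionsWithCacheSetting.` would cover it, with the nil behaviour added once it is confirmed. The function body continues past the end of the hunk.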
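Review bot: The import hunk of tuf.go adds `github.com/cenkalti/backoff/v5`, but nothing in the hunks shown for this file uses it and no go.mod or go.sum change appears in the diff. Go rejects unused imports, so the use is presumably inside DefaultOptionsWithCacheSetting, whose body lies outside these hunks. Since this package fetches TUF metadata that anchors attestation verification, it is worth confirming the module is already required at v5 with a matching go.sum entry, and that the retry policy it configures is bounded.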
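Review bot: Both test updates in tuf_test.go (the @@ -12 hunk and the @@ -21 hunk that follows) only append `nil` to the call, so no test exercises a caller-supplied client. A further case along the lines of `opts := GitHubTUFOptions(o.None[string](), &http.Client{})` that asserts on whatever the helper sets from `hc` would pin the behaviour this change exists to enable. Which field that is cannot be seen from this diff, so the assertion needs to be chosen against DefaultOptionsWithCacheSetting's body.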
@@ -21,6 +21,6 @@ func TestGitHubTUFOptionsNoMetadataDir(t *testing.T) {
 }
 func TestGitHubTUFOptionsWithMetadataDir(t *testing.T) {
- opts := GitHubTUFOptions(o.Some("anything"))
+ opts := GitHubTUFOptions(o.Some("anything"), nil)
 require.Equal(t, "anything", opts.CachePath)
 }