kubewarden / kwctl

Go-to CLI tool for Kubewarden users
https://kubewarden.io
Apache License 2.0

kwctl `>= 1.15` fails to fetch Sigstore trust root from TUF repository #896

Closed viccuad closed 2 months ago

viccuad commented 2 months ago

Since 1.15 (inclusive), kwctl fails for `kwctl run` when obtaining the Sigstore trust root automatically (the default behavior).

This happens regardless of cleaning `~/{.config,cache}/kubewarden`.

This happens to me on 2 separate machines, from the released binaries, and with current kwctl built from main.

```
$ kwctl-1.16 -v run --request-path test_data/namespace_with_no_labels.json --settings-path test_data/setting_all_modes_set.json annotated-policy.wasm
2024-08-30T12:53:35.761425Z DEBUG kwctl: building Sigstore trust root from Sigstore's TUF repository
Error: Failed to fetch https://tuf-repo-cdn.sigstore.dev/6.root.json: Transport 'other' error fetching 'https://tuf-repo-cdn.sigstore.dev/6.root.json': The HTTP client could not be built: builder error

Caused by:
    0: Transport 'other' error fetching 'https://tuf-repo-cdn.sigstore.dev/6.root.json': The HTTP client could not be built: builder error
    1: The HTTP client could not be built: builder error
    2: builder error
    3: Permission denied (os error 13)
```

Looked a bit into policy-fetcher, but didn't find the issue.

flavio commented 2 months ago

I cannot reproduce that.

This is what I've done:

```
rm -rf ~/.config/kubewarden/fulcio_and_rekor_data
rm -rf ~/.sigstore # not used, but just to be extra safe
```

Then, inside of the kwctl repository checkout:

```
kwctl-1.16.1 verify --verification-config-path tests/data/sigstore/verification-config-keyless.yml registry://ghcr.io/kubewarden/tests/capabilities-psp:v0.1.9
```

The command works fine; after that, I can see `~/.config/kubewarden/fulcio_and_rekor_data` has been created and is filled with the contents of the TUF repository. The `~/.sigstore` directory does not exist, which is fine.