tests: more client support

[jku]

I was not originally convinced that root-signing should test all clients as it moves the testing burden on root-signing instead of the clients, but I changed my mind after discussions in kubecon:

• production root-signing currently tests with more clients than root-signing-staging does
• not all clients are testing against staging TUF yet

I think we should add the same clients to our tests that current prod root-signing uses to ensure the migration to tuf-on-ci is smooth: This should not be a large amount of work and after both prod production and staging are running tuf-on-ci successfully and all clients are testing against staging, we can maybe start removing tests from root-signing.

sub-issues:

• 89

• 90

• 91

[jku]

@kommendorkapten is there a good reason to test with tuf clients like root-signing tuf_client_tests.yml does?

My instinct was to use sigstore clients instead so the actual trust root changes get tested

[kommendorkapten]

@jku Testing with Sigstore client is of course better. But the reason it's not done universially is that most of the Sigstore clients are just language packages, and so any integration for testing would be more complicated (need to write more custom code). With that reason the tests has mostly been using the underlying TUF client as the ones currently in the test file have some limited cli.

[jku]

most of the Sigstore clients are just language packages

can you eloborate what makes this an issue? Do you mean that there is no straightforward way to run the sigstore client in general, or that modifying the TUF repository URL is tricky?

These are the (sigstore equivalents to) currently tested TUF clients in tuf_client_tests.yml:

• sigstore-python is doable
• cosign is doable
• sigstore-rs doesn't seem to support staging at all so that's a problem but it does contain demo apps... So for production this seems doable with similar tricks as sigstore-python (replace the URLs in source, recompile, run the demo app)
• so is the problem just that sigstore-js does not provide a CLI app example? This can't be surmountable for someone who knows js, the API looks sensible (and I would assume sigstore-js would like an example app in their sources...)

EDIT: there is a sigstore-js CLI -- then I really don't know what the issue is...

[kommendorkapten]

Oh, I wasn't aware that the sigstore-js cli exposed that option.

For sigstore-go I'm not sure if there is a good OSS client that can initialize the TUF repo. There is simple cli to use it for verification (which will init the TUF root), maybe that can be bent into only init the TUF root.

Cosign is used in the client tests today: https://github.com/sigstore/root-signing/blob/main/.github/workflows/cosign-test.yml#L48

[jku]

another custom-test.yml feature I've thought about but not written down: would be great to test with both

• older signature bundles (to verify nothing important has been dropped from trusted_root.json)
• fresh signature created with current trusted_root.json (this is how the current tests work)

Every client does not have to do this but one of them could...

[jku]

Closing this: -js and -go have been added, -rs was not since there's no client application (just a library)