Add opt-in support for tests that include providing a custom trust root

[steiza]

This will help us address https://github.com/sigstore/sigstore-conformance/issues/30

Summary

Previously the tests assumed the public-good trust root, but supplying a custom trust root lets us exercise additional failure paths, without having to compromise the public-good service.

Release Note

• Added client CLI option --trusted-root FILE to support additional test cases
  • If your client doesn't yet support --trusted-root, in your Action workflow you can specify xfail: "test_verify_with_trust_root" to skip this test for now

Documentation

N/A

[woodruffw]

Thanks @steiza! I've tagged myself and @tnytown to review.

[woodruffw]

Do any clients support this yet?

sigstore-python doesn't yet, not sure about the others.

[steiza]

Do any clients support this yet?

The just-released https://github.com/github/sigstore-go does! As of https://github.com/github/sigstore-go/pull/4.

[woodruffw]

Awesome! That gives us the design impetus to copy --trusted-root for sigstore-python as well; I'll file a tracking issue 🙂

[loosebazooka]

I think we can plumb this into Java relatively painlessly.

[woodruffw]

Thanks @steiza!

[woodruffw]

xref https://github.com/sigstore/sigstore-python/issues/821 for changes needed to sigstore-python's conformance runner.