Stacktrace
```
[INFO] --- sigstore:0.4.0:jarsign (sigstore-jarsign) @ josm ---
[INFO] generating keypair using EC with secp256r1 parameters
Please open the following address in your browser:
https://oauth2.sigstore.dev/auth/auth?client_id=sigstore&code_challenge=&code_challenge_method=S256&redirect_uri=http://localhost:53394/Callback&response_type=code&scope=openid%20email
Attempting to open that address in the default browser now...
Nov 09, 2023 7:03:38 AM com.google.api.client.auth.openidconnect.IdTokenVerifier verify
SEVERE: id token signature verification failed. Please see docs for IdTokenVerifier for default settings and configuration options
com.google.api.client.auth.openidconnect.IdTokenVerifier$VerificationException: Could not find public key for provided keyId:
at com.google.api.client.auth.openidconnect.IdTokenVerifier.verifySignature(IdTokenVerifier.java:306)
at com.google.api.client.auth.openidconnect.IdTokenVerifier.verify(IdTokenVerifier.java:243)
at dev.sigstore.plugin.JarSign.getIDToken(JarSign.java:346)
at dev.sigstore.plugin.JarSign.execute(JarSign.java:207)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:126)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:328)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:316)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:174)
at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:75)
at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:162)
at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:159)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:105)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:53)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:118)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:261)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:173)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:101)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:906)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:283)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:206)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
at java.base/java.lang.reflect.Method.invoke(Method.java:580)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:283)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:226)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:407)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:348)
```
Looking at the code, it looks like it is using the default certificates from https://www.googleapis.com/oauth2/v3/certs for verification. I assume this is wrong, and that the IdTokenVerifier should be initialized using a builder.
Description
The jarsigner task uses https://www.googleapis.com/oauth2/v3/certs to get provider certificate information.
Version
sigstore:0.4.0:jarsign
Additional Information
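An added example, not the plugin's code or its eventual fix: one way to build an `IdTokenVerifier` with the builder so that the signature is checked against the token issuer's own key set rather than the library default. The issuer URL and the `/keys` JWKS path are assumptions (confirm them against the `jwks_uri` in the issuer's OpenID discovery document), the audience is taken from the `client_id=sigstore` parameter in the log above, and the class and method names are hypothetical.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.gson.GsonFactory;
import java.io.IOException;
import java.util.Collections;

/** Hypothetical helper: verify a Sigstore OIDC ID token against the issuer's JWKS. */
public final class SigstoreIdTokenCheck {

    // Assumption: issuer base URL inferred from the authorization URL in the log.
    static final String ISSUER = "https://oauth2.sigstore.dev/auth";
    // Assumption: JWKS endpoint of that issuer; check jwks_uri in
    // ISSUER + "/.well-known/openid-configuration" before relying on it.
    static final String JWKS_URL = ISSUER + "/keys";
    // From the client_id parameter shown in the log.
    static final String CLIENT_ID = "sigstore";

    /** Verifier pinned to the issuer's keys, issuer claim and audience. */
    static IdTokenVerifier sigstoreVerifier() {
        return new IdTokenVerifier.Builder()
                // Without this, key lookup falls back to the library's default
                // certificate location, where the token's key ID is not present.
                .setCertificatesLocation(JWKS_URL)
                .setIssuer(ISSUER)
                .setAudience(Collections.singletonList(CLIENT_ID))
                .build();
    }

    /** Parses the compact JWT and fails closed if any check does not pass. */
    static IdToken parseAndVerify(String rawIdToken) throws IOException {
        IdToken token = IdToken.parse(GsonFactory.getDefaultInstance(), rawIdToken);
        if (!sigstoreVerifier().verify(token)) {
            throw new SecurityException("ID token failed signature, issuer, audience or time checks");
        }
        return token;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: SigstoreIdTokenCheck <raw-id-token>");
            System.exit(2);
        }
        IdToken token = parseAndVerify(args[0]);
        System.out.println("verified token for subject " + token.getPayload().getSubject());
    }
}
```

Setting the issuer and audience alongside the certificate location keeps the check bound to one identity provider and one client, so a validly signed token issued for a different audience is still rejected.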