slsa-framework / slsa-verifier

Verify provenance from SLSA compliant builders
Apache License 2.0

feat: expose SigstoreTUFClient mocks #773

Open ramonpetgrave64 opened 1 month ago

ramonpetgrave64 commented 1 month ago

Following #768

For folks using slsa-verifier as a library, it could be useful to export the mocks we already have for the TUF client, newMockSigstoreTUFClient, and its implementation for GetTarget. We may also include some sample data for the mock.

https://github.com/slsa-framework/slsa-verifier/blob/97ea5f811ca8b91e75d59cb96082721709d59416/verifiers/internal/gha/npm_sigstore_tuf_test.go#L88-L106

haydentherapper commented 1 month ago

Can we upstream or align this with the existing testing in sigstore-go? In https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/client_test.go, we have stubbed out the TUF repo so that you can initialize a real client that doesn't make outbound network calls.