Add providers for signing config and legacy helper

And some other minor associated changes

Signed-off-by: Appu Goundan <appu@google.com>

Author: loosebazooka

sigstore-java/src/main/java/dev/sigstore/SigningConfigProvider.java

@@ -0,0 +1,74 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore;
+
+import com.google.common.base.Preconditions;
+import dev.sigstore.trustroot.SigstoreConfigurationException;
+import dev.sigstore.trustroot.SigstoreSigningConfig;
+import dev.sigstore.tuf.SigstoreTufClient;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+@FunctionalInterface
+public interface SigningConfigProvider {
+
+  SigstoreSigningConfig get() throws SigstoreConfigurationException;
+
+  static SigningConfigProvider from(SigstoreTufClient.Builder tufClientBuilder) {
+    Preconditions.checkNotNull(tufClientBuilder);
+    return () -> {
+      try {
+        SigstoreTufClient tufClient = tufClientBuilder.build();
+        tufClient.update();
+        return tufClient.getSigstoreSigningConfig();
+      } catch (IOException ex) {
+        throw new SigstoreConfigurationException(
+            "Could not initialize signing config from provided tuf client", ex);
+      }
+    };
+  }
+
+  // Temporary while the tuf repos catches up, this will still fail if the remove TUF isn't
+  // available to check for signing config
+  static SigningConfigProvider fromOrDefault(
+      SigstoreTufClient.Builder tufClientBuilder, SigstoreSigningConfig defaultConfig) {
+    Preconditions.checkNotNull(tufClientBuilder);
+    return () -> {
+      try {
+        var tufClient = tufClientBuilder.build();
+        tufClient.update();
+        var fromTuf = tufClient.getSigstoreSigningConfig();
+        return fromTuf == null ? defaultConfig : fromTuf;
+      } catch (IOException ex) {
+        throw new SigstoreConfigurationException(
+            "Could not initialize signing config from provided tuf client", ex);
+      }
+    };
+  }
+
+  static SigningConfigProvider from(Path signingConfig) {
+    Preconditions.checkNotNull(signingConfig);
+    return () -> {
+      try {
+        return SigstoreSigningConfig.from(Files.newInputStream(signingConfig));
+      } catch (IOException ex) {
+        throw new SigstoreConfigurationException(
+            "Could not initialize signing config from " + signingConfig, ex);
+      }
+    };
+  }
+}

sigstore-java/src/main/java/dev/sigstore/TrustedRootProvider.java

@@ -36,7 +36,8 @@ static TrustedRootProvider from(SigstoreTufClient.Builder tufClientBuilder) {
         tufClient.update();
         return tufClient.getSigstoreTrustedRoot();
       } catch (IOException ex) {
-        throw new SigstoreConfigurationException(ex);
+        throw new SigstoreConfigurationException(
+            "Could not initialize trusted root from provided tuf client", ex);
       }
     };
   }
@@ -47,7 +48,8 @@ static TrustedRootProvider from(Path trustedRoot) {
       try (var is = Files.newInputStream(trustedRoot)) {
         return SigstoreTrustedRoot.from(is);
       } catch (IOException ex) {
-        throw new SigstoreConfigurationException(ex);
+        throw new SigstoreConfigurationException(
+            "Could not initialize trusted root from " + trustedRoot, ex);
       }
     };
   }

sigstore-java/src/main/java/dev/sigstore/trustroot/LegacySigningConfig.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.trustroot;
+
+import dev.sigstore.trustroot.Service.Config.Selector;
+import java.net.URI;
+import java.time.Instant;
+
+/**
+ * Internal use only: legacy signing config that contains all the necessary information to keep
+ * signers working without signing config being available on a TUF repo
+ */
+public class LegacySigningConfig {
+
+  static final URI REKOR_PUBLIC_GOOD_URI = URI.create("https://rekor.sigstore.dev");
+  static final URI REKOR_STAGING_URI = URI.create("https://rekor.sigstage.dev");
+
+  static final URI FULCIO_PUBLIC_GOOD_URI = URI.create("https://fulcio.sigstore.dev");
+  static final URI FULCIO_STAGING_URI = URI.create("https://fulcio.sigstage.dev");
+
+  static final URI DEX_PUBLIC_GOOD_URI = URI.create("https://oauth2.sigstore.dev/auth");
+  static final URI DEX_STAGING_GOOD_URI = URI.create("https://oauth2.sigstage.dev/auth");
+
+  static final URI TSA_PUBLIC_GOOD_URI = URI.create("https://tsa.sigstore.dev/api/v1/timestamp");
+  static final URI TSA_STAGING_URI = URI.create("https://tsa.sigstage.dev/api/v1/timestamp");
+
+  static SigstoreSigningConfig from(URI fulcioUrl, URI rekorUrl, URI dexUrl, URI tsaUrl) {
+    var anySelector = ImmutableConfig.builder().selector(Selector.ANY).build();
+    var now = ImmutableValidFor.builder().start(Instant.now()).build();
+    return ImmutableSigstoreSigningConfig.builder()
+        .tLogConfig(anySelector)
+        .tsaConfig(anySelector)
+        .addCas(ImmutableService.builder().apiVersion(1).url(fulcioUrl).validFor(now).build())
+        .addTLogs(ImmutableService.builder().apiVersion(1).url(rekorUrl).validFor(now).build())
+        .addOidcProviders(
+            ImmutableService.builder().apiVersion(1).url(dexUrl).validFor(now).build())
+        .addTsas(ImmutableService.builder().apiVersion(1).url(tsaUrl).validFor(now).build())
+        .build();
+  }
+
+  public static final SigstoreSigningConfig PUBLIC_GOOD =
+      from(FULCIO_PUBLIC_GOOD_URI, REKOR_PUBLIC_GOOD_URI, DEX_PUBLIC_GOOD_URI, TSA_PUBLIC_GOOD_URI);
+  public static SigstoreSigningConfig STAGING =
+      from(FULCIO_STAGING_URI, REKOR_STAGING_URI, DEX_STAGING_GOOD_URI, TSA_STAGING_URI);
+}

sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreTrustedRoot.java

@@ -16,6 +16,7 @@
 package dev.sigstore.trustroot;
 
 import com.google.api.client.util.Lists;
+import com.google.common.base.Strings;
 import dev.sigstore.json.ProtoJson;
 import dev.sigstore.proto.trustroot.v1.TrustedRoot;
 import dev.sigstore.proto.trustroot.v1.TrustedRootOrBuilder;
@@ -43,7 +44,7 @@ public interface SigstoreTrustedRoot {
   /** A list of timestamping authorities associated with this trustroot. */
   List<CertificateAuthority> getTSAs();
 
-  /** Create an instance from an input stream of a json representation of a trustedroot. */
+  /** Parse the trusted root from an input stream and close the stream */
   static SigstoreTrustedRoot from(InputStream json) throws SigstoreConfigurationException {
     var trustedRootBuilder = TrustedRoot.newBuilder();
     try (var reader = new InputStreamReader(json, StandardCharsets.UTF_8)) {
@@ -57,13 +58,19 @@ static SigstoreTrustedRoot from(InputStream json) throws SigstoreConfigurationEx
   /** Create an instance from a parsed proto definition of a trustedroot. */
   static SigstoreTrustedRoot from(TrustedRootOrBuilder proto)
       throws SigstoreConfigurationException {
+    if (!Strings.isNullOrEmpty(proto.getMediaType())
+        && !proto
+            .getMediaType()
+            .equals("application/vnd.dev.sigstore.trustedroot+json;version=0.1")) {
+      throw new SigstoreConfigurationException(
+          "Unsupported trusted root mediaType: " + proto.getMediaType());
+    }
     List<CertificateAuthority> cas = Lists.newArrayList();
     for (var certAuthority : proto.getCertificateAuthoritiesList()) {
       try {
         cas.add(CertificateAuthority.from(certAuthority));
       } catch (CertificateException ce) {
-        throw new SigstoreConfigurationException(
-            "Could not parse certificates in trusted root", ce);
+        throw new SigstoreConfigurationException("Could not parse certificate in trusted root", ce);
       }
     }
 

sigstore-java/src/main/java/dev/sigstore/tuf/Updater.java

@@ -144,8 +144,6 @@ public void downloadTarget(String targetName) throws IOException {
   void updateRoot()
       throws IOException,
           RoleExpiredException,
-          NoSuchAlgorithmException,
-          InvalidKeySpecException,
           FileExceedsMaxLengthException,
           RollbackVersionException,
           SignatureVerificationException {