Add support for custom trusted root target path (#1608)

* Add TrustedRootTarget field Signed-off-by: Cody Soyland <codysoyland@github.com> * Add support for custom trusted root target Signed-off-by: Cody Soyland <codysoyland@github.com> * Regenerate test data and add support for custom trusted root target path Signed-off-by: Cody Soyland <codysoyland@github.com> * Update calls to GetSigstoreKeysFromTuf Signed-off-by: Cody Soyland <codysoyland@github.com> --------- Signed-off-by: Cody Soyland <codysoyland@github.com>
sigstore · Sep 4, 2024 · 231ae3c · 231ae3c
1 parent 430c242
commit 231ae3c
Show file tree

Hide file tree

Showing 22 changed files with 308 additions and 151 deletions.
diff --git a/cmd/tester/trustroot.go b/cmd/tester/trustroot.go
@@ -33,14 +33,14 @@ func GetKeysFromTrustRoot(ctx context.Context, tr *v1alpha1.TrustRoot) (*config.
  if err != nil {
  return nil, fmt.Errorf("failed to initialize TUF client from remote: %w", err)
  }
- return trustroot.GetSigstoreKeysFromTuf(ctx, client)
+ return trustroot.GetSigstoreKeysFromTuf(ctx, client, "")
  case tr.Spec.Repository != nil:
  client, err := tuf.ClientFromSerializedMirror(context.Background(), tr.Spec.Repository.MirrorFS, tr.Spec.Repository.Root, tr.Spec.Repository.Targets, v1alpha1.DefaultTUFRepoPrefix)
  if err != nil {
  return nil, fmt.Errorf("failed to initialize TUF client from remote: %w", err)
  }
 
- return trustroot.GetSigstoreKeysFromTuf(ctx, client)
+ return trustroot.GetSigstoreKeysFromTuf(ctx, client, "")
  case tr.Spec.SigstoreKeys != nil:
  return config.ConvertSigstoreKeys(context.Background(), tr.Spec.SigstoreKeys)
  }

diff --git a/config/300-trustroot.yaml b/config/300-trustroot.yaml
@@ -54,6 +54,9 @@ spec:
  targets:
  description: Targets is where the targets live off of the root of the Remote If not specified 'targets' is defaulted.
  type: string
+ trustedRootTarget:
+ description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.
+ type: string
  repository:
  description: Repository contains the serialized TUF remote repository.
  type: object
@@ -67,6 +70,9 @@ spec:
  targets:
  description: Targets is where the targets live off of the root of the Repository above. If not specified 'targets' is defaulted.
  type: string
+ trustedRootTarget:
+ description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.
+ type: string
  sigstoreKeys:
  description: SigstoreKeys contains the serialized keys.
  type: object

diff --git a/docs/api-types/index-v1alpha1.md b/docs/api-types/index-v1alpha1.md
@@ -64,6 +64,7 @@ Remote specifies the TUF with trusted initial root and remote mirror where to fe
 | root | Root is the base64 encoded, json trusted initial root. | []byte | true |
 | mirror | Mirror is the remote mirror, for example: https://tuf-repo-cdn.sigstore.dev | apis.URL | true |
 | targets | Targets is where the targets live off of the root of the Remote If not specified 'targets' is defaulted. | string | false |
+| trustedRootTarget | TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used. | string | false |
 
 [Back to TOC](#table-of-contents)
 
@@ -76,6 +77,7 @@ Repository specifies an airgapped TUF. Specifies the trusted initial root as wel
 | root | Root is the base64 encoded, json trusted initial root. | []byte | true |
 | mirrorFS | MirrorFS is the base64 tarred, gzipped, and base64 encoded remote repository that can be used for example in air-gap environments. Will not make outbound network connections, and must then be kept up to date in some other manner. The repository must contain metadata as well as targets. | []byte | true |
 | targets | Targets is where the targets live off of the root of the Repository above. If not specified 'targets' is defaulted. | string | false |
+| trustedRootTarget | TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used. | string | false |
 
 [Back to TOC](#table-of-contents)
 

diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go
@@ -93,6 +93,13 @@ func main() {
  log.Fatal(err)
  }
 
+ tufRepoWithCustomTrustedRootJSON, rootJSONWithCustomTrustedRootJSON, err := genTUFRepo(map[string][]byte{
+ "custom_trusted_root.json": marshalledEntry,
+ })
+ if err != nil {
+ log.Fatal(err)
+ }
+
  marshalledEntryFromMirrorFS, err := genTrustedRoot(sigstoreKeysMap)
  if err != nil {
  log.Fatal(err)
@@ -110,6 +117,8 @@ func main() {
  mustWriteFile("root.json", rootJSON)
  mustWriteFile("tufRepoWithTrustedRootJSON.tar", tufRepoWithTrustedRootJSON)
  mustWriteFile("rootWithTrustedRootJSON.json", rootJSONWithTrustedRootJSON)
+ mustWriteFile("tufRepoWithCustomTrustedRootJSON.tar", tufRepoWithCustomTrustedRootJSON)
+ mustWriteFile("rootWithCustomTrustedRootJSON.json", rootJSONWithCustomTrustedRootJSON)
 }
 
 func mustWriteFile(path string, data []byte) {

diff --git a/pkg/apis/policy/v1alpha1/trustroot_types.go b/pkg/apis/policy/v1alpha1/trustroot_types.go
@@ -107,6 +107,11 @@ type Remote struct {
  // If not specified 'targets' is defaulted.
  // +optional
  Targets string `json:"targets,omitempty"`
+
+ // TrustedRootTarget is the name of the target containing the JSON trusted
+ // root. If not specified, `trusted_root.json` is used.
+ // +optional
+ TrustedRootTarget string `json:"trustedRootTarget,omitempty"`
 }
 
 // Repository specifies an airgapped TUF. Specifies the trusted initial root as
@@ -126,6 +131,11 @@ type Repository struct {
  // above. If not specified 'targets' is defaulted.
  // +optional
  Targets string `json:"targets,omitempty"`
+
+ // TrustedRootTarget is the name of the target containing the JSON trusted
+ // root. If not specified, `trusted_root.json` is used.
+ // +optional
+ TrustedRootTarget string `json:"trustedRootTarget,omitempty"`
 }
 
 // TransparencyLogInstance describes the immutable parameters from a

diff --git a/pkg/reconciler/testing/v1alpha1/trustroot.go b/pkg/reconciler/testing/v1alpha1/trustroot.go
@@ -104,12 +104,13 @@ func WithSigstoreKeys(sk map[string]string) TrustRootOption {
 
 // WithRepository constructs a TrustRootOption which is suitable
 // for reconciler table driven testing.
-func WithRepository(targets string, root, repository []byte) TrustRootOption {
+func WithRepository(targets string, root, repository []byte, trustedRootTarget string) TrustRootOption {
  return func(tr *v1alpha1.TrustRoot) {
  tr.Spec.Repository = &v1alpha1.Repository{
- Root: root,
- Targets: targets,
- MirrorFS: repository,
+ Root: root,
+ MirrorFS: repository,
+ Targets: targets,
+ TrustedRootTarget: trustedRootTarget,
  }
  }
 }

diff --git a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt
@@ -1 +1 @@
-1710e23da0651aaa8194bc9652cd00a97c1fda9c76fce12f14eb635e42036954
+df8dc4f435a63e8cd48d2557c3c228e9558e04dca899fab5612a6d60d515e8f0
diff --git a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMj
-ld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEklvaOetNsPoZt+BHsE0bbHybxHsk
+ImD/Swu8QyDZONn2hnJNxEImaz6Xzv7+/bzns9y0/b9NadWbeDht3KGBBg==
 -----END PUBLIC KEY-----
diff --git a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
-MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG
-ByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/5
-5rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1Ud
-DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggq
-hkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64C
-IHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT
+MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
+MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDzENMAsGA1UEAxMEbGVhZjBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABAJCeHCU8sFwES7vmf4dAABk7HC2hclCwgAM
+CwPbdJAXRyA9wWFQhWM8osvic/LMq5m0AfVi4y1hjhFkrLjfbHejMzAxMA4GA1Ud
+DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBRQn62BEmrPPx7tr1ZIcgrTbMrj8DAKBggq
+hkjOPQQDAgNHADBEAiAS77lBrjWbbYKGBJ/i5ag/Rmsml+oECQ/GMmxdEZ/MzAIg
+cjfmUGYXufT/lX2VXsvkFzfVQH1fG0g5i03NWSFYDB4=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
-MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcq
-hkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz
-9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8B
-Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3
-eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55
-FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW
+MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
+MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDTELMAkGA1UEAxMCY2EwWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAAR3h5jys9TUi2KTcvbxjCpkC+qoHcVikiWRdkp1
+WAMg1fJAQvqPX8kB8OSXc2v8pTBKmzMteEvZJW+9kkybobtKo0IwQDAOBgNVHQ8B
+Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUJ+tgRJqzz8e7a9W
+SHIK02zK4/AwCgYIKoZIzj0EAwIDSAAwRQIgUVBM1Lkvf7DVjG6hygMVTK2cWkHD
+djL4MW8wCFaKV9YCIQC2DtPtWvu/VgaI0QGI+v7iGNnPf7USY0qlJwWWGvAaWw==
 -----END CERTIFICATE-----
diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntry.json b/pkg/reconciler/trustroot/testdata/marshalledEntry.json
@@ -1,78 +1,78 @@
 {
- "mediaType":  "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
- "tlogs":  [
+ "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
+ "tlogs": [
  {
- "baseUrl":  "https://rekor.example.com",
- "hashAlgorithm":  "SHA2_256",
- "publicKey":  {
- "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==",
- "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
- "validFor":  {
- "start":  "1970-01-01T00:00:00Z"
+ "baseUrl": "https://rekor.example.com",
+ "hashAlgorithm": "SHA2_256",
+ "publicKey": {
+ "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoM/qB3YtDs6+rXvxfxZNXH0dfXY85qgGuiJJezpzXjCm6jbiUp15VpzNcdJGzExHNZYZj7l+ma1Fjer68+1+tA==",
+ "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+ "validFor": {
+ "start": "1970-01-01T00:00:00Z"
  }
  },
- "logId":  {
- "keyId":  "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ=="
+ "logId": {
+ "keyId": "Yzk5MjkxODU0M2MxNmIwZGY2Y2NkMGQ4ODE2NjVkNDljZGQxZWYzZjM4M2IxNmY5YzRkNjRiODhjZWRmZTAxMA=="
  }
  }
  ],
- "certificateAuthorities":  [
+ "certificateAuthorities": [
  {
- "subject":  {
- "organization":  "fulcio-organization",
- "commonName":  "fulcio-common-name"
+ "subject": {
+ "organization": "fulcio-organization",
+ "commonName": "fulcio-common-name"
  },
- "uri":  "https://fulcio.example.com",
- "certChain":  {
- "certificates":  [
+ "uri": "https://fulcio.example.com",
+ "certChain": {
+ "certificates": [
  {
- "rawBytes":  "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT"
+ "rawBytes": "MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJCeHCU8sFwES7vmf4dAABk7HC2hclCwgAMCwPbdJAXRyA9wWFQhWM8osvic/LMq5m0AfVi4y1hjhFkrLjfbHejMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBRQn62BEmrPPx7tr1ZIcgrTbMrj8DAKBggqhkjOPQQDAgNHADBEAiAS77lBrjWbbYKGBJ/i5ag/Rmsml+oECQ/GMmxdEZ/MzAIgcjfmUGYXufT/lX2VXsvkFzfVQH1fG0g5i03NWSFYDB4="
  },
  {
- "rawBytes":  "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW"
+ "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3h5jys9TUi2KTcvbxjCpkC+qoHcVikiWRdkp1WAMg1fJAQvqPX8kB8OSXc2v8pTBKmzMteEvZJW+9kkybobtKo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUJ+tgRJqzz8e7a9WSHIK02zK4/AwCgYIKoZIzj0EAwIDSAAwRQIgUVBM1Lkvf7DVjG6hygMVTK2cWkHDdjL4MW8wCFaKV9YCIQC2DtPtWvu/VgaI0QGI+v7iGNnPf7USY0qlJwWWGvAaWw=="
  }
  ]
  },
- "validFor":  {
- "start":  "1970-01-01T00:00:00Z"
+ "validFor": {
+ "start": "1970-01-01T00:00:00Z"
  }
  }
  ],
- "ctlogs":  [
+ "ctlogs": [
  {
- "baseUrl":  "https://ctfe.example.com",
- "hashAlgorithm":  "SHA2_256",
- "publicKey":  {
- "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==",
- "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
- "validFor":  {
- "start":  "1970-01-01T00:00:00Z"
+ "baseUrl": "https://ctfe.example.com",
+ "hashAlgorithm": "SHA2_256",
+ "publicKey": {
+ "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEklvaOetNsPoZt+BHsE0bbHybxHskImD/Swu8QyDZONn2hnJNxEImaz6Xzv7+/bzns9y0/b9NadWbeDht3KGBBg==",
+ "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+ "validFor": {
+ "start": "1970-01-01T00:00:00Z"
  }
  },
- "logId":  {
- "keyId":  "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA=="
+ "logId": {
+ "keyId": "ZGY4ZGM0ZjQzNWE2M2U4Y2Q0OGQyNTU3YzNjMjI4ZTk1NThlMDRkY2E4OTlmYWI1NjEyYTZkNjBkNTE1ZThmMA=="
  }
  }
  ],
- "timestampAuthorities":  [
+ "timestampAuthorities": [
  {
- "subject":  {
- "organization":  "tsa-organization",
- "commonName":  "tsa-common-name"
+ "subject": {
+ "organization": "tsa-organization",
+ "commonName": "tsa-common-name"
  },
- "uri":  "https://tsa.example.com",
- "certChain":  {
- "certificates":  [
+ "uri": "https://tsa.example.com",
+ "certChain": {
+ "certificates": [
  {
- "rawBytes":  "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDgjsTzgbEsFFuBFCp1LIRv4SwYLCLL1fxtq95tbtGj/wHQUmrKLxMLMxaxIzdJs54lIDP+LoKeK25+HBPftwtCjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRRiPL3dEhG22Qh+0GTFJ/G1SW1yDAKBggqhkjOPQQDAgNIADBFAiABNvVUla7gqF/135UkA55FQ57M6r84IArwk43Zy2aPPgIhAO8/F8k9VB5+I1FSiQL1qsM8yO6SUpVF9E+hNJ9n/6zU"
+ "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFRMP78f6+Bm7cYAIcANQphYMj0YJHD620uGHPNck0Ei1IKqDCRPCGQDAHprk3y/sBIcLPZU8Hxig5xV0w28qAKjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRB+eA8vn2NROBb/iTfLHyr/c1BmDAKBggqhkjOPQQDAgNIADBFAiEA7r8SEfLto3dQDZIqf/0qQy5+q8hiRNbZ3R4JPxPJtugCIFfiAfFrpzUYp6XuJSuOHfgFP2378zn2jl9kUoQYCjNs"
  },
  {
- "rawBytes":  "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARjUhxtm6QXaB2bkGKHenCToVRPhVf0PTkuS7/hTGjHhELoMrD8r3nbqyceFEl4FUTzEMDfrj/YhefX7ZbeesSho0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUYjy93RIRttkIftBkxSfxtUltcgwCgYIKoZIzj0EAwIDSQAwRgIhAJgRO/ig4ZBrlYjuNYpC/kqUIVsfSKLpS9c4/lkcTGBPAiEAq+euZ8zkevab16uWx7ZaEcElKYY3xzhTr5yQYeJPOcQ="
+ "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrdvjuuS7ZO/piTX2pxT56yBKhwq+SHeXt8MsaNYPBG84m5G/3m3uLB5YxCRq4o6vhKM0HEU4UcQ3LdKL92Axao0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUQfngPL59jUTgW/4k3yx8q/3NQZgwCgYIKoZIzj0EAwIDSAAwRQIgXeSyRZXqJZPSba7S56k9fce1xLppSN4m9MtfTw7MdpoCIQD3L40eRQUu2YV+74MWm1nGbma5IVfp9tgZxaAw80brWg=="
  }
  ]
  },
- "validFor":  {
- "start":  "1970-01-01T00:00:00Z"
+ "validFor": {
+ "start": "1970-01-01T00:00:00Z"
  }
  }
  ]

diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json
@@ -1,48 +1,48 @@
 {
- "tlogs":  [
+ "tlogs": [
  {
- "hashAlgorithm":  "SHA2_256",
- "publicKey":  {
- "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==",
- "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
- "validFor":  {
- "start":  "1970-01-01T00:00:00Z"
+ "hashAlgorithm": "SHA2_256",
+ "publicKey": {
+ "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoM/qB3YtDs6+rXvxfxZNXH0dfXY85qgGuiJJezpzXjCm6jbiUp15VpzNcdJGzExHNZYZj7l+ma1Fjer68+1+tA==",
+ "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+ "validFor": {
+ "start": "1970-01-01T00:00:00Z"
  }
  },
- "logId":  {
- "keyId":  "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ=="
+ "logId": {
+ "keyId": "Yzk5MjkxODU0M2MxNmIwZGY2Y2NkMGQ4ODE2NjVkNDljZGQxZWYzZjM4M2IxNmY5YzRkNjRiODhjZWRmZTAxMA=="
  }
  }
  ],
- "certificateAuthorities":  [
+ "certificateAuthorities": [
  {
- "certChain":  {
- "certificates":  [
+ "certChain": {
+ "certificates": [
  {
- "rawBytes":  "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT"
+ "rawBytes": "MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJCeHCU8sFwES7vmf4dAABk7HC2hclCwgAMCwPbdJAXRyA9wWFQhWM8osvic/LMq5m0AfVi4y1hjhFkrLjfbHejMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBRQn62BEmrPPx7tr1ZIcgrTbMrj8DAKBggqhkjOPQQDAgNHADBEAiAS77lBrjWbbYKGBJ/i5ag/Rmsml+oECQ/GMmxdEZ/MzAIgcjfmUGYXufT/lX2VXsvkFzfVQH1fG0g5i03NWSFYDB4="
  },
  {
- "rawBytes":  "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW"
+ "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3h5jys9TUi2KTcvbxjCpkC+qoHcVikiWRdkp1WAMg1fJAQvqPX8kB8OSXc2v8pTBKmzMteEvZJW+9kkybobtKo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUJ+tgRJqzz8e7a9WSHIK02zK4/AwCgYIKoZIzj0EAwIDSAAwRQIgUVBM1Lkvf7DVjG6hygMVTK2cWkHDdjL4MW8wCFaKV9YCIQC2DtPtWvu/VgaI0QGI+v7iGNnPf7USY0qlJwWWGvAaWw=="
  }
  ]
  },
- "validFor":  {
- "start":  "1970-01-01T00:00:00Z"
+ "validFor": {
+ "start": "1970-01-01T00:00:00Z"
  }
  }
  ],
- "ctlogs":  [
+ "ctlogs": [
  {
- "hashAlgorithm":  "SHA2_256",
- "publicKey":  {
- "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==",
- "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
- "validFor":  {
- "start":  "1970-01-01T00:00:00Z"
+ "hashAlgorithm": "SHA2_256",
+ "publicKey": {
+ "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEklvaOetNsPoZt+BHsE0bbHybxHskImD/Swu8QyDZONn2hnJNxEImaz6Xzv7+/bzns9y0/b9NadWbeDht3KGBBg==",
+ "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+ "validFor": {
+ "start": "1970-01-01T00:00:00Z"
  }
  },
- "logId":  {
- "keyId":  "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA=="
+ "logId": {
+ "keyId": "ZGY4ZGM0ZjQzNWE2M2U4Y2Q0OGQyNTU3YzNjMjI4ZTk1NThlMDRkY2E4OTlmYWI1NjEyYTZkNjBkNTE1ZThmMA=="
  }
  }
  ]

diff --git a/pkg/reconciler/trustroot/testdata/rekorLogID.txt b/pkg/reconciler/trustroot/testdata/rekorLogID.txt
@@ -1 +1 @@
-adc5151f9911ee1f001edc74cd71cd58f8a11a484a8c9709490b4d966471f411
+c992918543c16b0df6ccd0d881665d49cdd1ef3f383b16f9c4d64b88cedfe010