fix: use TrustedRoot from TUF cache for key-based verification

[SequeI]

The key-based verification path (--public-key) bypassed the modern TUF cache and always fetched Rekor public keys via the legacy TUF client, which fails with expired root.json after cosign v3's initialize stopped populating the legacy cache.

Move cosign.TrustedRoot() out of the keyless-only branch so both workflows use the modern cache first, falling back to legacy fetches when unavailable.

https://redhat.atlassian.net/browse/EC-1755?atlOrigin=eyJpIjoiNDA4YmEzNTk0YzZjNGUyNTg1ZGQ3YjNmMzE5Y2IxNDUiLCJwIjoiaiJ9 for more info

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7f83e9c7-4cb5-471e-b58f-a4363e8337db

📥 Commits

Reviewing files that changed from the base of the PR and between b84ac3b and ea10de5.

📒 Files selected for processing (1)

• internal/policy/policy.go

---

📝 Walkthrough

Walkthrough

Restructured control flow in checkOpts function to move trusted-root loading logic outside the keyless-workflow conditional block. Trusted-root now loads based on environment overrides regardless of keyless status, but Fulcio/CT-log material population is conditional on specific policy and options states.

Changes

Cohort / File(s)	Summary
Trusted-Root Loading Refactoring internal/policy/policy.go	Reorganized conditional nesting in checkOpts to execute trusted-root loading independently of keyless workflow status. Fulcio/CT-log material population now occurs only when p.PublicKey == "" and opts.TrustedMaterial == nil, altering when these roots and intermediates are fetched from remote sources.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: moving TrustedRoot usage to support key-based verification with the TUF cache.
Description check	✅ Passed	The description clearly explains the problem (key-based verification bypassing modern TUF cache) and the solution (moving cosign.TrustedRoot() out of keyless-only branch).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Review Summary by Qodo

Fix: Use TrustedRoot from TUF cache for key-based verification

🐞 Bug fix

Walkthroughs

Description

• Move TrustedRoot TUF cache lookup outside keyless-only branch
• Both key-based and keyless workflows now use modern TUF cache first
• Fulcio/CT log fallback restricted to keyless path only (p.PublicKey == "")

Diagram

flowchart LR
  A["checkOpts()"] --> B{"PublicKey set?"}
  B -- "yes" --> C["Set SigVerifier"]
  B -- "no" --> D["Set Identities (keyless)"]
  C --> E{"hasSigstoreEnvOverrides?"}
  D --> E
  E -- "no" --> F["cosign.TrustedRoot()"]
  F -- "success" --> G["opts.TrustedMaterial = trustedRoot"]
  F -- "fail" --> H{"PublicKey == '' AND TrustedMaterial == nil?"}
  E -- "yes" --> H
  G --> I["Return opts"]
  H -- "yes" --> J["Fetch Fulcio roots, intermediates, CT log keys"]
  H -- "no" --> I
  J --> I

Loading

File Changes

1. internal/policy/policy.go 🐞 Bug fix +21/-21

Extend TUF trusted root usage to key-based verification path

• Moved cosign.TrustedRoot() TUF cache lookup outside the keyless-only branch so key-based
 (--public-key) verification also benefits from the modern TUF cache.
• Fulcio root/intermediate certs and CT log public key fetches are now guarded by `p.PublicKey == ""
 && opts.TrustedMaterial == nil`, restricting them to the keyless fallback path only.
• Sigstore env override check now applies to both key-based and keyless workflows.

internal/policy/policy.go

---

[qodo-code-review]

Code Review by Qodo

Looking for bugs?

Check back in a few minutes. An AI review agent is analyzing this pull request.