Add support for custom trusted root target path (#1608)

* Add TrustedRootTarget field Signed-off-by: Cody Soyland <[email protected]> * Add support for custom trusted root target Signed-off-by: Cody Soyland <[email protected]> * Regenerate test data and add support for custom trusted root target path Signed-off-by: Cody Soyland <[email protected]> * Update calls to GetSigstoreKeysFromTuf Signed-off-by: Cody Soyland <[email protected]> --------- Signed-off-by: Cody Soyland <[email protected]>
sigstore · Sep 4, 2024 · 231ae3c · 231ae3c
1 parent 430c242
commit 231ae3c
Show file tree

Hide file tree

Showing 22 changed files with 308 additions and 151 deletions.
diff --git a/cmd/tester/trustroot.go b/cmd/tester/trustroot.go
@@ -33,14 +33,14 @@ func GetKeysFromTrustRoot(ctx context.Context, tr *v1alpha1.TrustRoot) (*config.
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize TUF client from remote: %w", err)
 		}
-		return trustroot.GetSigstoreKeysFromTuf(ctx, client)
+		return trustroot.GetSigstoreKeysFromTuf(ctx, client, "")
 	case tr.Spec.Repository != nil:
 		client, err := tuf.ClientFromSerializedMirror(context.Background(), tr.Spec.Repository.MirrorFS, tr.Spec.Repository.Root, tr.Spec.Repository.Targets, v1alpha1.DefaultTUFRepoPrefix)
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize TUF client from remote: %w", err)
 		}
 
-		return trustroot.GetSigstoreKeysFromTuf(ctx, client)
+		return trustroot.GetSigstoreKeysFromTuf(ctx, client, "")
 	case tr.Spec.SigstoreKeys != nil:
 		return config.ConvertSigstoreKeys(context.Background(), tr.Spec.SigstoreKeys)
 	}

diff --git a/config/300-trustroot.yaml b/config/300-trustroot.yaml
@@ -54,6 +54,9 @@ spec:
                     targets:
                       description: Targets is where the targets live off of the root of the Remote If not specified 'targets' is defaulted.
                       type: string
+                    trustedRootTarget:
+                      description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.
+                      type: string
                 repository:
                   description: Repository contains the serialized TUF remote repository.
                   type: object
@@ -67,6 +70,9 @@ spec:
                     targets:
                       description: Targets is where the targets live off of the root of the Repository above. If not specified 'targets' is defaulted.
                       type: string
+                    trustedRootTarget:
+                      description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.
+                      type: string
                 sigstoreKeys:
                   description: SigstoreKeys contains the serialized keys.
                   type: object

diff --git a/docs/api-types/index-v1alpha1.md b/docs/api-types/index-v1alpha1.md
@@ -64,6 +64,7 @@ Remote specifies the TUF with trusted initial root and remote mirror where to fe
 | root | Root is the base64 encoded, json trusted initial root. | []byte | true |
 | mirror | Mirror is the remote mirror, for example: https://tuf-repo-cdn.sigstore.dev | apis.URL | true |
 | targets | Targets is where the targets live off of the root of the Remote If not specified 'targets' is defaulted. | string | false |
+| trustedRootTarget | TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used. | string | false |
 
 [Back to TOC](#table-of-contents)
 
@@ -76,6 +77,7 @@ Repository specifies an airgapped TUF. Specifies the trusted initial root as wel
 | root | Root is the base64 encoded, json trusted initial root. | []byte | true |
 | mirrorFS | MirrorFS is the base64 tarred, gzipped, and base64 encoded remote repository that can be used for example in air-gap environments. Will not make outbound network connections, and must then be kept up to date in some other manner. The repository must contain metadata as well as targets. | []byte | true |
 | targets | Targets is where the targets live off of the root of the Repository above. If not specified 'targets' is defaulted. | string | false |
+| trustedRootTarget | TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used. | string | false |
 
 [Back to TOC](#table-of-contents)
 

diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go
@@ -93,6 +93,13 @@ func main() {
 		log.Fatal(err)
 	}
 
+	tufRepoWithCustomTrustedRootJSON, rootJSONWithCustomTrustedRootJSON, err := genTUFRepo(map[string][]byte{
+		"custom_trusted_root.json": marshalledEntry,
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	marshalledEntryFromMirrorFS, err := genTrustedRoot(sigstoreKeysMap)
 	if err != nil {
 		log.Fatal(err)
@@ -110,6 +117,8 @@ func main() {
 	mustWriteFile("root.json", rootJSON)
 	mustWriteFile("tufRepoWithTrustedRootJSON.tar", tufRepoWithTrustedRootJSON)
 	mustWriteFile("rootWithTrustedRootJSON.json", rootJSONWithTrustedRootJSON)
+	mustWriteFile("tufRepoWithCustomTrustedRootJSON.tar", tufRepoWithCustomTrustedRootJSON)
+	mustWriteFile("rootWithCustomTrustedRootJSON.json", rootJSONWithCustomTrustedRootJSON)
 }
 
 func mustWriteFile(path string, data []byte) {

diff --git a/pkg/apis/policy/v1alpha1/trustroot_types.go b/pkg/apis/policy/v1alpha1/trustroot_types.go
@@ -107,6 +107,11 @@ type Remote struct {
 	// If not specified 'targets' is defaulted.
 	// +optional
 	Targets string `json:"targets,omitempty"`
+
+	// TrustedRootTarget is the name of the target containing the JSON trusted
+	// root. If not specified, `trusted_root.json` is used.
+	// +optional
+	TrustedRootTarget string `json:"trustedRootTarget,omitempty"`
 }
 
 // Repository specifies an airgapped TUF. Specifies the trusted initial root as
@@ -126,6 +131,11 @@ type Repository struct {
 	// above. If not specified 'targets' is defaulted.
 	// +optional
 	Targets string `json:"targets,omitempty"`
+
+	// TrustedRootTarget is the name of the target containing the JSON trusted
+	// root. If not specified, `trusted_root.json` is used.
+	// +optional
+	TrustedRootTarget string `json:"trustedRootTarget,omitempty"`
 }
 
 // TransparencyLogInstance describes the immutable parameters from a

diff --git a/pkg/reconciler/testing/v1alpha1/trustroot.go b/pkg/reconciler/testing/v1alpha1/trustroot.go
@@ -104,12 +104,13 @@ func WithSigstoreKeys(sk map[string]string) TrustRootOption {
 
 // WithRepository constructs a TrustRootOption which is suitable
 // for reconciler table driven testing.
-func WithRepository(targets string, root, repository []byte) TrustRootOption {
+func WithRepository(targets string, root, repository []byte, trustedRootTarget string) TrustRootOption {
 	return func(tr *v1alpha1.TrustRoot) {
 		tr.Spec.Repository = &v1alpha1.Repository{
-			Root:     root,
-			Targets:  targets,
-			MirrorFS: repository,
+			Root:              root,
+			MirrorFS:          repository,
+			Targets:           targets,
+			TrustedRootTarget: trustedRootTarget,
 		}
 	}
 }

diff --git a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt
@@ -1 +1 @@
-1710e23da0651aaa8194bc9652cd00a97c1fda9c76fce12f14eb635e42036954
+df8dc4f435a63e8cd48d2557c3c228e9558e04dca899fab5612a6d60d515e8f0
diff --git a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMj
-ld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEklvaOetNsPoZt+BHsE0bbHybxHsk
+ImD/Swu8QyDZONn2hnJNxEImaz6Xzv7+/bzns9y0/b9NadWbeDht3KGBBg==
 -----END PUBLIC KEY-----
diff --git a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
-MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG
-ByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/5
-5rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1Ud
-DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggq
-hkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64C
-IHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT
+MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
+MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDzENMAsGA1UEAxMEbGVhZjBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABAJCeHCU8sFwES7vmf4dAABk7HC2hclCwgAM
+CwPbdJAXRyA9wWFQhWM8osvic/LMq5m0AfVi4y1hjhFkrLjfbHejMzAxMA4GA1Ud
+DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBRQn62BEmrPPx7tr1ZIcgrTbMrj8DAKBggq
+hkjOPQQDAgNHADBEAiAS77lBrjWbbYKGBJ/i5ag/Rmsml+oECQ/GMmxdEZ/MzAIg
+cjfmUGYXufT/lX2VXsvkFzfVQH1fG0g5i03NWSFYDB4=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
-MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcq
-hkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz
-9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8B
-Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3
-eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55
-FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW
+MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0
+MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDTELMAkGA1UEAxMCY2EwWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAAR3h5jys9TUi2KTcvbxjCpkC+qoHcVikiWRdkp1
+WAMg1fJAQvqPX8kB8OSXc2v8pTBKmzMteEvZJW+9kkybobtKo0IwQDAOBgNVHQ8B
+Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUJ+tgRJqzz8e7a9W
+SHIK02zK4/AwCgYIKoZIzj0EAwIDSAAwRQIgUVBM1Lkvf7DVjG6hygMVTK2cWkHD
+djL4MW8wCFaKV9YCIQC2DtPtWvu/VgaI0QGI+v7iGNnPf7USY0qlJwWWGvAaWw==
 -----END CERTIFICATE-----
diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntry.json b/pkg/reconciler/trustroot/testdata/marshalledEntry.json
@@ -1,78 +1,78 @@
 {
-  "mediaType":  "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
-  "tlogs":  [
+  "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
+  "tlogs": [
     {
-      "baseUrl":  "https://rekor.example.com",
-      "hashAlgorithm":  "SHA2_256",
-      "publicKey":  {
-        "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==",
-        "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
-        "validFor":  {
-          "start":  "1970-01-01T00:00:00Z"
+      "baseUrl": "https://rekor.example.com",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoM/qB3YtDs6+rXvxfxZNXH0dfXY85qgGuiJJezpzXjCm6jbiUp15VpzNcdJGzExHNZYZj7l+ma1Fjer68+1+tA==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "1970-01-01T00:00:00Z"
         }
       },
-      "logId":  {
-        "keyId":  "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ=="
+      "logId": {
+        "keyId": "Yzk5MjkxODU0M2MxNmIwZGY2Y2NkMGQ4ODE2NjVkNDljZGQxZWYzZjM4M2IxNmY5YzRkNjRiODhjZWRmZTAxMA=="
       }
     }
   ],
-  "certificateAuthorities":  [
+  "certificateAuthorities": [
     {
-      "subject":  {
-        "organization":  "fulcio-organization",
-        "commonName":  "fulcio-common-name"
+      "subject": {
+        "organization": "fulcio-organization",
+        "commonName": "fulcio-common-name"
       },
-      "uri":  "https://fulcio.example.com",
-      "certChain":  {
-        "certificates":  [
+      "uri": "https://fulcio.example.com",
+      "certChain": {
+        "certificates": [
           {
-            "rawBytes":  "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT"
+            "rawBytes": "MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJCeHCU8sFwES7vmf4dAABk7HC2hclCwgAMCwPbdJAXRyA9wWFQhWM8osvic/LMq5m0AfVi4y1hjhFkrLjfbHejMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBRQn62BEmrPPx7tr1ZIcgrTbMrj8DAKBggqhkjOPQQDAgNHADBEAiAS77lBrjWbbYKGBJ/i5ag/Rmsml+oECQ/GMmxdEZ/MzAIgcjfmUGYXufT/lX2VXsvkFzfVQH1fG0g5i03NWSFYDB4="
           },
           {
-            "rawBytes":  "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW"
+            "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3h5jys9TUi2KTcvbxjCpkC+qoHcVikiWRdkp1WAMg1fJAQvqPX8kB8OSXc2v8pTBKmzMteEvZJW+9kkybobtKo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUJ+tgRJqzz8e7a9WSHIK02zK4/AwCgYIKoZIzj0EAwIDSAAwRQIgUVBM1Lkvf7DVjG6hygMVTK2cWkHDdjL4MW8wCFaKV9YCIQC2DtPtWvu/VgaI0QGI+v7iGNnPf7USY0qlJwWWGvAaWw=="
           }
         ]
       },
-      "validFor":  {
-        "start":  "1970-01-01T00:00:00Z"
+      "validFor": {
+        "start": "1970-01-01T00:00:00Z"
       }
     }
   ],
-  "ctlogs":  [
+  "ctlogs": [
     {
-      "baseUrl":  "https://ctfe.example.com",
-      "hashAlgorithm":  "SHA2_256",
-      "publicKey":  {
-        "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==",
-        "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
-        "validFor":  {
-          "start":  "1970-01-01T00:00:00Z"
+      "baseUrl": "https://ctfe.example.com",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEklvaOetNsPoZt+BHsE0bbHybxHskImD/Swu8QyDZONn2hnJNxEImaz6Xzv7+/bzns9y0/b9NadWbeDht3KGBBg==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "1970-01-01T00:00:00Z"
         }
       },
-      "logId":  {
-        "keyId":  "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA=="
+      "logId": {
+        "keyId": "ZGY4ZGM0ZjQzNWE2M2U4Y2Q0OGQyNTU3YzNjMjI4ZTk1NThlMDRkY2E4OTlmYWI1NjEyYTZkNjBkNTE1ZThmMA=="
       }
     }
   ],
-  "timestampAuthorities":  [
+  "timestampAuthorities": [
     {
-      "subject":  {
-        "organization":  "tsa-organization",
-        "commonName":  "tsa-common-name"
+      "subject": {
+        "organization": "tsa-organization",
+        "commonName": "tsa-common-name"
       },
-      "uri":  "https://tsa.example.com",
-      "certChain":  {
-        "certificates":  [
+      "uri": "https://tsa.example.com",
+      "certChain": {
+        "certificates": [
           {
-            "rawBytes":  "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDgjsTzgbEsFFuBFCp1LIRv4SwYLCLL1fxtq95tbtGj/wHQUmrKLxMLMxaxIzdJs54lIDP+LoKeK25+HBPftwtCjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRRiPL3dEhG22Qh+0GTFJ/G1SW1yDAKBggqhkjOPQQDAgNIADBFAiABNvVUla7gqF/135UkA55FQ57M6r84IArwk43Zy2aPPgIhAO8/F8k9VB5+I1FSiQL1qsM8yO6SUpVF9E+hNJ9n/6zU"
+            "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFRMP78f6+Bm7cYAIcANQphYMj0YJHD620uGHPNck0Ei1IKqDCRPCGQDAHprk3y/sBIcLPZU8Hxig5xV0w28qAKjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRB+eA8vn2NROBb/iTfLHyr/c1BmDAKBggqhkjOPQQDAgNIADBFAiEA7r8SEfLto3dQDZIqf/0qQy5+q8hiRNbZ3R4JPxPJtugCIFfiAfFrpzUYp6XuJSuOHfgFP2378zn2jl9kUoQYCjNs"
           },
           {
-            "rawBytes":  "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARjUhxtm6QXaB2bkGKHenCToVRPhVf0PTkuS7/hTGjHhELoMrD8r3nbqyceFEl4FUTzEMDfrj/YhefX7ZbeesSho0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUYjy93RIRttkIftBkxSfxtUltcgwCgYIKoZIzj0EAwIDSQAwRgIhAJgRO/ig4ZBrlYjuNYpC/kqUIVsfSKLpS9c4/lkcTGBPAiEAq+euZ8zkevab16uWx7ZaEcElKYY3xzhTr5yQYeJPOcQ="
+            "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrdvjuuS7ZO/piTX2pxT56yBKhwq+SHeXt8MsaNYPBG84m5G/3m3uLB5YxCRq4o6vhKM0HEU4UcQ3LdKL92Axao0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUQfngPL59jUTgW/4k3yx8q/3NQZgwCgYIKoZIzj0EAwIDSAAwRQIgXeSyRZXqJZPSba7S56k9fce1xLppSN4m9MtfTw7MdpoCIQD3L40eRQUu2YV+74MWm1nGbma5IVfp9tgZxaAw80brWg=="
           }
         ]
       },
-      "validFor":  {
-        "start":  "1970-01-01T00:00:00Z"
+      "validFor": {
+        "start": "1970-01-01T00:00:00Z"
       }
     }
   ]

diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json
@@ -1,48 +1,48 @@
 {
-  "tlogs":  [
+  "tlogs": [
     {
-      "hashAlgorithm":  "SHA2_256",
-      "publicKey":  {
-        "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==",
-        "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
-        "validFor":  {
-          "start":  "1970-01-01T00:00:00Z"
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoM/qB3YtDs6+rXvxfxZNXH0dfXY85qgGuiJJezpzXjCm6jbiUp15VpzNcdJGzExHNZYZj7l+ma1Fjer68+1+tA==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "1970-01-01T00:00:00Z"
         }
       },
-      "logId":  {
-        "keyId":  "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ=="
+      "logId": {
+        "keyId": "Yzk5MjkxODU0M2MxNmIwZGY2Y2NkMGQ4ODE2NjVkNDljZGQxZWYzZjM4M2IxNmY5YzRkNjRiODhjZWRmZTAxMA=="
       }
     }
   ],
-  "certificateAuthorities":  [
+  "certificateAuthorities": [
     {
-      "certChain":  {
-        "certificates":  [
+      "certChain": {
+        "certificates": [
           {
-            "rawBytes":  "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT"
+            "rawBytes": "MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJCeHCU8sFwES7vmf4dAABk7HC2hclCwgAMCwPbdJAXRyA9wWFQhWM8osvic/LMq5m0AfVi4y1hjhFkrLjfbHejMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBRQn62BEmrPPx7tr1ZIcgrTbMrj8DAKBggqhkjOPQQDAgNHADBEAiAS77lBrjWbbYKGBJ/i5ag/Rmsml+oECQ/GMmxdEZ/MzAIgcjfmUGYXufT/lX2VXsvkFzfVQH1fG0g5i03NWSFYDB4="
           },
           {
-            "rawBytes":  "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW"
+            "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDgzMDE4NTczOFoXDTM0MDgzMDE4NTczOFowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3h5jys9TUi2KTcvbxjCpkC+qoHcVikiWRdkp1WAMg1fJAQvqPX8kB8OSXc2v8pTBKmzMteEvZJW+9kkybobtKo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUJ+tgRJqzz8e7a9WSHIK02zK4/AwCgYIKoZIzj0EAwIDSAAwRQIgUVBM1Lkvf7DVjG6hygMVTK2cWkHDdjL4MW8wCFaKV9YCIQC2DtPtWvu/VgaI0QGI+v7iGNnPf7USY0qlJwWWGvAaWw=="
           }
         ]
       },
-      "validFor":  {
-        "start":  "1970-01-01T00:00:00Z"
+      "validFor": {
+        "start": "1970-01-01T00:00:00Z"
       }
     }
   ],
-  "ctlogs":  [
+  "ctlogs": [
     {
-      "hashAlgorithm":  "SHA2_256",
-      "publicKey":  {
-        "rawBytes":  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==",
-        "keyDetails":  "PKIX_ECDSA_P256_SHA_256",
-        "validFor":  {
-          "start":  "1970-01-01T00:00:00Z"
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEklvaOetNsPoZt+BHsE0bbHybxHskImD/Swu8QyDZONn2hnJNxEImaz6Xzv7+/bzns9y0/b9NadWbeDht3KGBBg==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "1970-01-01T00:00:00Z"
         }
       },
-      "logId":  {
-        "keyId":  "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA=="
+      "logId": {
+        "keyId": "ZGY4ZGM0ZjQzNWE2M2U4Y2Q0OGQyNTU3YzNjMjI4ZTk1NThlMDRkY2E4OTlmYWI1NjEyYTZkNjBkNTE1ZThmMA=="
       }
     }
   ]

diff --git a/pkg/reconciler/trustroot/testdata/rekorLogID.txt b/pkg/reconciler/trustroot/testdata/rekorLogID.txt
@@ -1 +1 @@
-adc5151f9911ee1f001edc74cd71cd58f8a11a484a8c9709490b4d966471f411
+c992918543c16b0df6ccd0d881665d49cdd1ef3f383b16f9c4d64b88cedfe010