feat: refactor: use sigstore-go for fetching TrustedRoot

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/gorilla/mux v1.8.1
 	github.com/in-toto/attestation v1.1.0
 	github.com/sigstore/cosign/v2 v2.2.4
-	github.com/sigstore/sigstore-go v0.2.0
+	github.com/sigstore/sigstore-go v0.4.0
 	github.com/slsa-framework/slsa-github-generator v1.9.0
 	github.com/spf13/cobra v1.8.0
 	golang.org/x/mod v0.18.0
@@ -39,7 +39,7 @@ require (
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
@@ -92,7 +92,7 @@ require (
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/sigstore/fulcio v1.4.5
-	github.com/sigstore/protobuf-specs v0.3.0
+	github.com/sigstore/protobuf-specs v0.3.2
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
@@ -108,13 +108,13 @@ require (
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
 	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8
 	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
 	google.golang.org/grpc v1.62.1 // indirect
 	google.golang.org/protobuf v1.34.1
 	gopkg.in/ini.v1 v1.67.0 // indirect

go.sum

@@ -443,20 +443,22 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDFJro=
 github.com/sigstore/cosign/v2 v2.2.4/go.mod h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y=
 github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc=
 github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8=
-github.com/sigstore/protobuf-specs v0.3.0 h1:E49qS++llp4psM+3NNVEb+C4AD422bT9VkOQIPrNLpA=
-github.com/sigstore/protobuf-specs v0.3.0/go.mod h1:ynKzXpqr3dUj2Xk9O/5ZUhjnpi0F53DNi5AdH6pS3jc=
+github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWwQvORuRQo=
+github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA=
 github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
 github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4=
 github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs=
-github.com/sigstore/sigstore-go v0.2.0 h1:pbDfn8voPQZCySzCpiDE+3qljzsczHUX26dQsnjH2Cg=
-github.com/sigstore/sigstore-go v0.2.0/go.mod h1:M6iQfFjmK0wbez+lRTg+O7cJxjYa7s++zfW30rzZBKk=
+github.com/sigstore/sigstore-go v0.4.0 h1:0BxofjPnd+1LzyiCgsFP0NviMg8l20ZMf4aitkvYEU8=
+github.com/sigstore/sigstore-go v0.4.0/go.mod h1:KZQFwvDItf1sr5P8YhVIjjXBe1ZyeFuC4odn7/2Uie0=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g=
@@ -509,8 +511,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 h1:SsiWxSpJ9AD71/vqiZVUjXW1Uusv1wlKn4zPKFNq25w=
-github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141/go.mod h1:D7dcS4bZMmF3pXOgUo8Vs6GLYM9sdrFFd37JqiP3hN4=
+github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 h1:27XWhDZHPD+cufF6qSdYx6PgGQvD2jJ6pq9sDvR6VBk=
+github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=
@@ -559,8 +561,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY=
 golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -604,14 +606,14 @@ golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
-golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

verifiers/internal/gha/builder.go

@@ -22,9 +22,6 @@ var (
 	certOidcIssuer            = "https://token.actions.githubusercontent.com"
 	githubCom                 = "github.com/"
 	httpsGithubCom            = "https://" + githubCom
-	// This is used in cosign's CheckOpts for validating the certificate. We
-	// do specific builder verification after this.
-	certSubjectRegexp = httpsGithubCom + "*"
 )
 
 var defaultArtifactTrustedReusableWorkflows = map[string]bool{

verifiers/internal/gha/bundle.go

@@ -13,6 +13,7 @@ import (
 	bundle_v1 "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 	v1 "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v1"
 	"github.com/sigstore/rekor/pkg/generated/models"
+	sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root"
 	"google.golang.org/protobuf/encoding/protojson"
 )
 
@@ -36,7 +37,7 @@ func IsSigstoreBundle(bytes []byte) bool {
 // verifyRekorEntryFromBundle extracts and verifies the Rekor entry from the Sigstore
 // bundle verification material, validating the SignedEntryTimestamp.
 func verifyRekorEntryFromBundle(ctx context.Context, tlogEntry *v1.TransparencyLogEntry,
-	trustedRoot *TrustedRoot) (
+	trustedRoot *sigstoreRoot.TrustedRoot) (
 	*models.LogEntryAnon, error,
 ) {
 	canonicalBody := tlogEntry.GetCanonicalizedBody()
@@ -53,7 +54,7 @@ func verifyRekorEntryFromBundle(ctx context.Context, tlogEntry *v1.TransparencyL
 
 	// Verify tlog entry.
 	if _, err := verifyTlogEntry(ctx, *rekorEntry, false,
-		trustedRoot.RekorPubKeys); err != nil {
+		trustedRoot); err != nil {
 		return nil, err
 	}
 
@@ -159,7 +160,7 @@ func matchRekorEntryWithEnvelope(tlogEntry *v1.TransparencyLogEntry, env *dsseli
 // returns the verified DSSE envelope containing the provenance
 // and the signing certificate given the provenance.
 func VerifyProvenanceBundle(ctx context.Context, bundleBytes []byte,
-	trustedRoot *TrustedRoot) (
+	trustedRoot *sigstoreRoot.TrustedRoot) (
 	*SignedAttestation, error,
 ) {
 	proposedSignedAtt, err := verifyBundleAndEntryFromBytes(ctx, bundleBytes, trustedRoot, true)
@@ -176,7 +177,7 @@ func VerifyProvenanceBundle(ctx context.Context, bundleBytes []byte,
 // verifyBundleAndEntry validates the rekor entry inn the bundle
 // and that the entry (cert, signatures) matches the data in the bundle.
 func verifyBundleAndEntry(ctx context.Context, bundle *bundle_v1.Bundle,
-	trustedRoot *TrustedRoot, requireCert bool,
+	trustedRoot *sigstoreRoot.TrustedRoot, requireCert bool,
 ) (*SignedAttestation, error) {
 	// We only expect one TLOG entry. If this changes in the future, we must iterate
 	// for a matching one.
@@ -226,7 +227,7 @@ func verifyBundleAndEntry(ctx context.Context, bundle *bundle_v1.Bundle,
 // verifyBundleAndEntryFromBytes validates the rekor entry inn the bundle
 // and that the entry (cert, signatures) matches the data in the bundle.
 func verifyBundleAndEntryFromBytes(ctx context.Context, bundleBytes []byte,
-	trustedRoot *TrustedRoot, requireCert bool,
+	trustedRoot *sigstoreRoot.TrustedRoot, requireCert bool,
 ) (*SignedAttestation, error) {
 	// Extract the SigningCert, Envelope, and RekorEntry from the bundle.
 	var bundle bundle_v1.Bundle

verifiers/internal/gha/bundle_test.go

@@ -8,13 +8,14 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
+	"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
 )
 
 func Test_verifyBundle(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	trustedRoot, err := TrustedRootSingleton(ctx)
+	trustedRoot, err := utils.GetSigstoreTrustedRoot()
 	if err != nil {
 		t.Fatal(err)
 	}

verifiers/internal/gha/cosign.go

@@ -0,0 +1,66 @@
+package gha
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/sigstore/pkg/fulcioroots"
+	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
+)
+
+var (
+	// defaultCosignCheckOpts are the default options for cosign checks.
+	defaultCosignCheckOpts *cosign.CheckOpts
+
+	// defaultCosignCheckOptsOnce is used for initializing the defaultCosignCheckOpts.
+	defaultCosignCheckOptsOnce = new(sync.Once)
+)
+
+// getDefaultCosignCheckOpts returns the default cosign check options.
+// This is cached in memory.
+// CheckOpts.RegistryClientOpts must be added by the receiver.
+func getDefaultCosignCheckOpts(ctx context.Context) (*cosign.CheckOpts, error) {
+	var getErr error
+	// Initialize the defaultCosignCheckOpts.
+	// defaultCosignCheckOptsOnce is reinitialized upon error.
+	defaultCosignCheckOptsOnce.Do(func() {
+		rootCerts, err := fulcioroots.Get()
+		if err != nil {
+			getErr = fmt.Errorf("%w: %s", serrors.ErrorInternal, err)
+			defaultCosignCheckOptsOnce = new(sync.Once)
+			return
+		}
+		intermediateCerts, err := fulcioroots.GetIntermediates()
+		if err != nil {
+			getErr = fmt.Errorf("%w: %s", serrors.ErrorInternal, err)
+			defaultCosignCheckOptsOnce = new(sync.Once)
+			return
+		}
+		rekorPubKeys, err := cosign.GetRekorPubs(ctx)
+		if err != nil {
+			getErr = fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, err)
+			defaultCosignCheckOptsOnce = new(sync.Once)
+			return
+		}
+		ctPubKeys, err := cosign.GetCTLogPubs(ctx)
+		if err != nil {
+			// this is unexpected, hold on to this error.
+			getErr = fmt.Errorf("%w: %s", serrors.ErrorInternal, err)
+			defaultCosignCheckOptsOnce = new(sync.Once)
+			return
+		}
+
+		defaultCosignCheckOpts = &cosign.CheckOpts{
+			RootCerts:         rootCerts,
+			IntermediateCerts: intermediateCerts,
+			RekorPubKeys:      rekorPubKeys,
+			CTLogPubKeys:      ctPubKeys,
+		}
+	})
+	if getErr != nil {
+		return nil, getErr
+	}
+	return defaultCosignCheckOpts, nil
+}

verifiers/internal/gha/npm.go

@@ -13,6 +13,7 @@ import (
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root"
 	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
 	"github.com/slsa-framework/slsa-verifier/v2/options"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance"
@@ -50,7 +51,7 @@ func (b *BundleBytes) UnmarshalJSON(data []byte) error {
 
 type Npm struct {
 	ctx                   context.Context
-	root                  *TrustedRoot
+	root                  *sigstoreRoot.TrustedRoot
 	verifiedBuilderID     *utils.TrustedBuilderID
 	verifiedProvenanceAtt *SignedAttestation
 	verifiedPublishAtt    *SignedAttestation
@@ -66,7 +67,7 @@ func (n *Npm) ProvenanceLeafCertificate() *x509.Certificate {
 	return n.verifiedProvenanceAtt.SigningCert
 }
 
-func NpmNew(ctx context.Context, root *TrustedRoot, attestationBytes []byte) (*Npm, error) {
+func NpmNew(ctx context.Context, root *sigstoreRoot.TrustedRoot, attestationBytes []byte) (*Npm, error) {
 	var aSet attestationSet
 	if err := json.Unmarshal(attestationBytes, &aSet); err != nil {
 		return nil, fmt.Errorf("%w: json.Unmarshal: %v", errrorInvalidAttestations, err)

verifiers/internal/gha/npm_test.go

@@ -719,7 +719,7 @@ func Test_verifyPackageName(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	trustedRoot, err := TrustedRootSingleton(ctx)
+	trustedRoot, err := utils.GetSigstoreTrustedRoot()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -802,7 +802,7 @@ func Test_verifyPublishAttestationSubjectDigest(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	trustedRoot, err := TrustedRootSingleton(ctx)
+	trustedRoot, err := utils.GetSigstoreTrustedRoot()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -880,7 +880,7 @@ func Test_verifyPackageVersion(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	trustedRoot, err := TrustedRootSingleton(ctx)
+	trustedRoot, err := utils.GetSigstoreTrustedRoot()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1061,7 +1061,7 @@ func Test_verifyIntotoHeaders(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	trustedRoot, err := TrustedRootSingleton(ctx)
+	trustedRoot, err := utils.GetSigstoreTrustedRoot()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1150,7 +1150,7 @@ func Test_NpmNew(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	trustedRoot, err := TrustedRootSingleton(ctx)
+	trustedRoot, err := utils.GetSigstoreTrustedRoot()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1198,7 +1198,7 @@ func Test_verifyPublishAttestationSignature(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	trustedRoot, err := TrustedRootSingleton(ctx)
+	trustedRoot, err := utils.GetSigstoreTrustedRoot()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1245,7 +1245,7 @@ func Test_verifyProvenanceAttestationSignature(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	trustedRoot, err := TrustedRootSingleton(ctx)
+	trustedRoot, err := utils.GetSigstoreTrustedRoot()
 	if err != nil {
 		t.Fatal(err)
 	}

verifiers/internal/gha/provenance.go

@@ -11,6 +11,7 @@ import (
 	dsselib "github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/rekor/pkg/generated/client"
 	"github.com/sigstore/rekor/pkg/generated/models"
+	sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root"
 
 	proto_v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 	"github.com/slsa-framework/slsa-github-generator/signing/envelope"
@@ -209,7 +210,7 @@ func verifyDigest(prov iface.Provenance, expectedHash string) error {
 
 // VerifyProvenanceSignature returns the verified DSSE envelope containing the provenance
 // and the signing certificate given the provenance and artifact hash.
-func VerifyProvenanceSignature(ctx context.Context, trustedRoot *TrustedRoot,
+func VerifyProvenanceSignature(ctx context.Context, trustedRoot *sigstoreRoot.TrustedRoot,
 	rClient *client.Rekor,
 	provenance []byte, artifactHash string) (
 	*SignedAttestation, error,