Add dsse tests for rekor v2 entries

selftest-requirements.txt

@@ -1,3 +1,3 @@
 # Requirements for the self test client sigstore-python-conformance
 # Use a commit from main until 4.x release with support for SigningConfigv0.2 and rekorv2 is available
-sigstore @ git+https://github.com/sigstore/sigstore-python.git@b7d2138044786e56719cb66acc6c16e6805102e2
+sigstore @ git+https://github.com/sigstore/sigstore-python.git@3adc3d4a154a872621b0bf38a5e1a55cd1eecab4

test/assets/bundle-verify/dsse-invalid-sig_fail/README

@@ -0,0 +1 @@
+The signature in the dsse envelope is incorrect

test/assets/bundle-verify/dsse-mismatch-sig_fail/README

@@ -1 +1,4 @@
-DSSE signature does not match
+DSSE signature does not match
+
+This was created by repeating a signing operation over the same payload
+with the same ECDSA key resulting in two valid, but different signatures.

test/assets/bundle-verify/rekor2-dsse-happy-path/README

@@ -0,0 +1,5 @@
+Valid bundle with dsse 0.0.2 envelope that comes from a Rekor v2 instance. It is 
+generated using custom code from sigstore-java.
+
+The test uses a custom trusted root (it's just the staging trust root: once prod has a rekor
+v2 instance the test bundle could be replaced and the custom trust root removed)

test/assets/bundle-verify/rekor2-dsse-happy-path/bundle.sigstore.json

@@ -0,0 +1 @@
+{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"tlogEntries":[{"logIndex":"7131","logId":{"keyId":"8w1amZ2S5mJIQkQmPxdMuOrL/oJkvFg9MnQXmeOCXck="},"kindVersion":{"kind":"dsse","version":"0.0.2"},"inclusionProof":{"logIndex":"7131","rootHash":"oxP/ea30nl5qRXK7CWd0YGGajQNclTGmRbyTqZVS0AU=","treeSize":"7132","hashes":["eIPps+HNec1qJD+hj0OaGSnS1mMfjOY2aJq1GCrY1Us=","YiPZsMZGcPP3uS5OKU9hh5Knum7bBAWAln81HCjjKPk=","rqnJYjr4VGLNdwwkEs6RpWOH00oLxHQg08Ce28gEawI=","tNKXP501Rq2LRexOZ0mjuzgGl6gUJZXGR20d53xzuf4=","Ga1x4WtdiuV3gtHEYeIXHuGxrlow41ao63M6byFl61Q=","RukyhhMq/Qm3GIDOeslmldD6pNRreWvVZc4FaAbftC8=","GTPCahGF4mCS94ZUpR5dC9b1j2Mpo9ki7HYJdP27ufc=","tnv06iEfRP1UrMtn7D7v4lA+1VfpdI3ioGcQRJLMoP0=","Ag03a73jphtOkMBVhp+MkrJwDkx2NE69NESHMFcwcfI=","xbDsGnxf1siByWHEuiK85p0reQCaKKWUjf8YNl9s/Vo="],"checkpoint":{"envelope":"log2025-alpha1.rekor.sigstage.dev\n7132\noxP/ea30nl5qRXK7CWd0YGGajQNclTGmRbyTqZVS0AU=\n\n— log2025-alpha1.rekor.sigstage.dev 8w1amVmcxxHofaeiQdnXseduy+i75L3TKSG91maGEGjUkBbuRQ4oDZ08bVTO9M+MQJMfz0+vbuOeBrr8yYsofI36egQ=\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZHNzZVYwMDIiOnsicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoiU0hBMl8yNTYiLCJkaWdlc3QiOiIxcklKdXAzZU94N2w3ZXU0alJzYmtYdHk3cllVTW81N3BtZjF0NnR3NlljPSJ9LCJzaWduYXR1cmVzIjpbeyJjb250ZW50IjoiTUVZQ0lRRDgxSEpFSkY0OVpPS05RRGNnY0c1S2lOYkdVK3NpY2RFU3VYT1JkVWg0MkFJaEFLR2RUbEZNQXo0OTRuaUIwUlA0Y084YkhIeU1tdDI0dSt4UFBZRVdMb0pqIiwidmVyaWZpZXIiOnsia2V5RGV0YWlscyI6IlBLSVhfRUNEU0FfUDI1Nl9TSEFfMjU2IiwieDUwOUNlcnRpZmljYXRlIjp7InJhd0J5dGVzIjoiTUlJSU16Q0NCN2lnQXdJQkFnSVVWKzNKR2c0b0NaTzBJaG1YdlowN0NPY0tmTmN3Q2dZSUtvWkl6ajBFQXdNd056RVZNQk1HQTFVRUNoTU1jMmxuYzNSdmNtVXVaR1YyTVI0d0hBWURWUVFERXhWemFXZHpkRzl5WlMxcGJuUmxjbTFsWkdsaGRHVXdIaGNOTWpVd056STFNVGsxTXpBMFdoY05NalV3TnpJMU1qQXdNekEwV2pBQU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTZYSVQwRkdhUm9VblkyNGNicU9ueHRHTGFZR1hhUWdndVU2Y3pCYy9oUjNxZzBNYklZcGFHWkJqeklMZXEycDdsanpPYmtCbGxlVk8vZkZoR2NGdDVxT0NCdGN3Z2diVE1BNEdBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVVoUzBpNU9IdzY0SkxiektGWEdQeGVTUEc1WW93SHdZRFZSMGpCQmd3Rm9BVWNZWXdwaFI4WW0vNTk5YjBCUnAvWC8vcmI2d3dnYVVHQTFVZEVRRUIvd1NCbWpDQmw0YUJsR2gwZEhCek9pOHZaMmwwYUhWaUxtTnZiUzl6YVdkemRHOXlaUzFqYjI1bWIzSnRZVzVqWlM5bGVIUnlaVzFsYkhrdFpHRnVaMlZ5YjNWekxYQjFZbXhwWXkxdmFXUmpMV0psWVdOdmJpOHVaMmwwYUhWaUwzZHZjbXRtYkc5M2N5OWxlSFJ5WlcxbGJIa3RaR0Z1WjJWeWIzVnpMVzlwWkdNdFltVmhZMjl1TG5sdGJFQnlaV1p6TDJobFlXUnpMMjFoYVc0d09RWUtLd1lCQkFHRHZ6QUJBUVFyYUhSMGNITTZMeTkwYjJ0bGJpNWhZM1JwYjI1ekxtZHBkR2gxWW5WelpYSmpiMjUwWlc1MExtTnZiVEFmQmdvckJnRUVBWU8vTUFFQ0JCRjNiM0pyWm14dmQxOWthWE53WVhSamFEQTJCZ29yQmdFRUFZTy9NQUVEQkNnNU56TTVOems0T1RRMVlqSmhPRFE0WlRreE1XSmpaakZrWkdSaU9UY3lPVGhqWVdSbE1HSXhNQzBHQ2lzR0FRUUJnNzh3QVFRRUgwVjRkSEpsYldWc2VTQmtZVzVuWlhKdmRYTWdUMGxFUXlCaVpXRmpiMjR3U1FZS0t3WUJCQUdEdnpBQkJRUTdjMmxuYzNSdmNtVXRZMjl1Wm05eWJXRnVZMlV2WlhoMGNtVnRaV3g1TFdSaGJtZGxjbTkxY3kxd2RXSnNhV010YjJsa1l5MWlaV0ZqYjI0d0hRWUtLd1lCQkFHRHZ6QUJCZ1FQY21WbWN5OW9aV0ZrY3k5dFlXbHVNRHNHQ2lzR0FRUUJnNzh3QVFnRUxRd3JhSFIwY0hNNkx5OTBiMnRsYmk1aFkzUnBiMjV6TG1kcGRHaDFZblZ6WlhKamIyNTBaVzUwTG1OdmJUQ0JwZ1lLS3dZQkJBR0R2ekFCQ1FTQmx3eUJsR2gwZEhCek9pOHZaMmwwYUhWaUxtTnZiUzl6YVdkemRHOXlaUzFqYjI1bWIzSnRZVzVqWlM5bGVIUnlaVzFsYkhrdFpHRnVaMlZ5YjNWekxYQjFZbXhwWXkxdmFXUmpMV0psWVdOdmJpOHVaMmwwYUhWaUwzZHZjbXRtYkc5M2N5OWxlSFJ5WlcxbGJIa3RaR0Z1WjJWeWIzVnpMVzlwWkdNdFltVmhZMjl1TG5sdGJFQnlaV1p6TDJobFlXUnpMMjFoYVc0d09BWUtLd1lCQkFHRHZ6QUJDZ1FxRENnNU56TTVOems0T1RRMVlqSmhPRFE0WlRreE1XSmpaakZrWkdSaU9UY3lPVGhqWVdSbE1HSXhNQjBHQ2lzR0FRUUJnNzh3QVFzRUR3d05aMmwwYUhWaUxXaHZjM1JsWkRCZUJnb3JCZ0VFQVlPL01BRU1CRkFNVG1oMGRIQnpPaTh2WjJsMGFIVmlMbU52YlM5emFXZHpkRzl5WlMxamIyNW1iM0p0WVc1alpTOWxlSFJ5WlcxbGJIa3RaR0Z1WjJWeWIzVnpMWEIxWW14cFl5MXZhV1JqTFdKbFlXTnZiakE0QmdvckJnRUVBWU8vTUFFTkJDb01LRGszTXprM09UZzVORFZpTW1FNE5EaGxPVEV4WW1ObU1XUmtaR0k1TnpJNU9HTmhaR1V3WWpFd0h3WUtLd1lCQkFHRHZ6QUJEZ1FSREE5eVpXWnpMMmhsWVdSekwyMWhhVzR3R1FZS0t3WUJCQUdEdnpBQkR3UUxEQWsyTXpJMU9UWTRPVGN3TndZS0t3WUJCQUdEdnpBQkVBUXBEQ2RvZEhSd2N6b3ZMMmRwZEdoMVlpNWpiMjB2YzJsbmMzUnZjbVV0WTI5dVptOXliV0Z1WTJVd0dRWUtLd1lCQkFHRHZ6QUJFUVFMREFreE16RTRNRFExTmpNd2dhWUdDaXNHQVFRQmc3OHdBUklFZ1pjTWdaUm9kSFJ3Y3pvdkwyZHBkR2gxWWk1amIyMHZjMmxuYzNSdmNtVXRZMjl1Wm05eWJXRnVZMlV2WlhoMGNtVnRaV3g1TFdSaGJtZGxjbTkxY3kxd2RXSnNhV010YjJsa1l5MWlaV0ZqYjI0dkxtZHBkR2gxWWk5M2IzSnJabXh2ZDNNdlpYaDBjbVZ0Wld4NUxXUmhibWRsY205MWN5MXZhV1JqTFdKbFlXTnZiaTU1Yld4QWNtVm1jeTlvWldGa2N5OXRZV2x1TURnR0Npc0dBUVFCZzc4d0FSTUVLZ3dvT1Rjek9UYzVPRGswTldJeVlUZzBPR1U1TVRGaVkyWXhaR1JrWWprM01qazRZMkZrWlRCaU1UQWhCZ29yQmdFRUFZTy9NQUVVQkJNTUVYZHZjbXRtYkc5M1gyUnBjM0JoZEdOb01JR0NCZ29yQmdFRUFZTy9NQUVWQkhRTWNtaDBkSEJ6T2k4dloybDBhSFZpTG1OdmJTOXphV2R6ZEc5eVpTMWpiMjVtYjNKdFlXNWpaUzlsZUhSeVpXMWxiSGt0WkdGdVoyVnliM1Z6TFhCMVlteHBZeTF2YVdSakxXSmxZV052Ymk5aFkzUnBiMjV6TDNKMWJuTXZNVFkxTXpBME1UUTJNVGt2WVhSMFpXMXdkSE12TVRBV0Jnb3JCZ0VFQVlPL01BRVdCQWdNQm5CMVlteHBZekNCaWdZS0t3WUJCQUhXZVFJRUFnUjhCSG9BZUFCMkFDc3d2TnhvaU1uaTRkZ21LVjUwSDBnNU1aWUM4cHd6eTE1RFFQNnlySVo2QUFBQm1FTWxjVTRBQUFRREFFY3dSUUlnTGpPbC9DY2dReTFlNFN0K3FZSk5NZjYzeU5SU3p0TWd5dmFyZlZQcDZyOENJUUN4Z0JlYlVWQkcxVDBCSGViNHFUaVNmZGYyKzdObUZ0dXZqejc0UklsVitUQUtCZ2dxaGtqT1BRUURBd05wQURCbUFqRUFxSk9nTjA4WE1SS2VzZkd1eEZaNnZLdmQwVzA3U2Z5Z21RSTJRY0lzeTNaZjZEcE0rd2VRaFZFREh5V3BtTW9EQWpFQThaSWRUN0FUZ2NYVGZIcS9zdFZCYTVmTytMR3hjOEkreWdzTWhQRkdCejNwVGZ0TFdMQWpsd01oQWVYOEtITFMifX19XX19fQ=="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIC1DADAgEAMIICywYJKoZIhvcNAQcCoIICvDCCArgCAQMxDTALBglghkgBZQMEAgEwgcIGCyqGSIb3DQEJEAEEoIGyBIGvMIGsAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgNSZgOQLhQyE5YVACG+5yEfX0yQlOrb2N+tkwHLlv7GgCFQCZYtn/MFM8QxQeqH+xjmI7OME5PRgPMjAyNTA3MjUxOTUzMDRaMAMCAQECCHIblM1fq2p9oDKkMDAuMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxFTATBgNVBAMTDHNpZ3N0b3JlLXRzYaAAMYIB2zCCAdcCAQEwUTA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkAhQKNaEGYdXiQXPGiZan8n3yfgN8pzALBglghkgBZQMEAgGggfwwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNTA3MjUxOTUzMDRaMC8GCSqGSIb3DQEJBDEiBCBXsc1vTwDV1QjwNVpngrpCFfiDZDvqh+VhxJZpzIEnJDCBjgYLKoZIhvcNAQkQAi8xfzB9MHsweQQgBvT/4Ef+s1mZtzOw16MjUBz8GOTAM2aoRdd1NudLJ0QwVTA9pDswOTEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MSAwHgYDVQQDExdzaWdzdG9yZS10c2Etc2VsZnNpZ25lZAIUCjWhBmHV4kFzxomWp/J98n4DfKcwCgYIKoZIzj0EAwIEZzBlAjEAqlP2X4CtKNPpaAwr3emNJ80/0NbBJDevWImASmZjnTILAMbI9lMVw8cEU0QvdxrFAjAnHqCSXkesDkNbGG42jE8thTigB3lhWD+zHEanwHB1CdCEa9qyhgXf1968PEZZVEM="}]},"certificate":{"rawBytes":"MIIIMzCCB7igAwIBAgIUV+3JGg4oCZO0IhmXvZ07COcKfNcwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwNzI1MTk1MzA0WhcNMjUwNzI1MjAwMzA0WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6XIT0FGaRoUnY24cbqOnxtGLaYGXaQgguU6czBc/hR3qg0MbIYpaGZBjzILeq2p7ljzObkBlleVO/fFhGcFt5qOCBtcwggbTMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUhS0i5OHw64JLbzKFXGPxeSPG5YowHwYDVR0jBBgwFoAUcYYwphR8Ym/599b0BRp/X//rb6wwgaUGA1UdEQEB/wSBmjCBl4aBlGh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS1jb25mb3JtYW5jZS9leHRyZW1lbHktZGFuZ2Vyb3VzLXB1YmxpYy1vaWRjLWJlYWNvbi8uZ2l0aHViL3dvcmtmbG93cy9leHRyZW1lbHktZGFuZ2Vyb3VzLW9pZGMtYmVhY29uLnltbEByZWZzL2hlYWRzL21haW4wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAfBgorBgEEAYO/MAECBBF3b3JrZmxvd19kaXNwYXRjaDA2BgorBgEEAYO/MAEDBCg5NzM5Nzk4OTQ1YjJhODQ4ZTkxMWJjZjFkZGRiOTcyOThjYWRlMGIxMC0GCisGAQQBg78wAQQEH0V4dHJlbWVseSBkYW5nZXJvdXMgT0lEQyBiZWFjb24wSQYKKwYBBAGDvzABBQQ7c2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24wHQYKKwYBBAGDvzABBgQPcmVmcy9oZWFkcy9tYWluMDsGCisGAQQBg78wAQgELQwraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTCBpgYKKwYBBAGDvzABCQSBlwyBlGh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS1jb25mb3JtYW5jZS9leHRyZW1lbHktZGFuZ2Vyb3VzLXB1YmxpYy1vaWRjLWJlYWNvbi8uZ2l0aHViL3dvcmtmbG93cy9leHRyZW1lbHktZGFuZ2Vyb3VzLW9pZGMtYmVhY29uLnltbEByZWZzL2hlYWRzL21haW4wOAYKKwYBBAGDvzABCgQqDCg5NzM5Nzk4OTQ1YjJhODQ4ZTkxMWJjZjFkZGRiOTcyOThjYWRlMGIxMB0GCisGAQQBg78wAQsEDwwNZ2l0aHViLWhvc3RlZDBeBgorBgEEAYO/MAEMBFAMTmh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS1jb25mb3JtYW5jZS9leHRyZW1lbHktZGFuZ2Vyb3VzLXB1YmxpYy1vaWRjLWJlYWNvbjA4BgorBgEEAYO/MAENBCoMKDk3Mzk3OTg5NDViMmE4NDhlOTExYmNmMWRkZGI5NzI5OGNhZGUwYjEwHwYKKwYBBAGDvzABDgQRDA9yZWZzL2hlYWRzL21haW4wGQYKKwYBBAGDvzABDwQLDAk2MzI1OTY4OTcwNwYKKwYBBAGDvzABEAQpDCdodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UwGQYKKwYBBAGDvzABEQQLDAkxMzE4MDQ1NjMwgaYGCisGAQQBg78wARIEgZcMgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoOTczOTc5ODk0NWIyYTg0OGU5MTFiY2YxZGRkYjk3Mjk4Y2FkZTBiMTAhBgorBgEEAYO/MAEUBBMMEXdvcmtmbG93X2Rpc3BhdGNoMIGCBgorBgEEAYO/MAEVBHQMcmh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS1jb25mb3JtYW5jZS9leHRyZW1lbHktZGFuZ2Vyb3VzLXB1YmxpYy1vaWRjLWJlYWNvbi9hY3Rpb25zL3J1bnMvMTY1MzA0MTQ2MTkvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBigYKKwYBBAHWeQIEAgR8BHoAeAB2ACswvNxoiMni4dgmKV50H0g5MZYC8pwzy15DQP6yrIZ6AAABmEMlcU4AAAQDAEcwRQIgLjOl/CcgQy1e4St+qYJNMf63yNRSztMgyvarfVPp6r8CIQCxgBebUVBG1T0BHeb4qTiSfdf2+7NmFtuvjz74RIlV+TAKBggqhkjOPQQDAwNpADBmAjEAqJOgN08XMRKesfGuxFZ6vKvd0W07SfygmQI2QcIsy3Zf6DpM+weQhVEDHyWpmMoDAjEA8ZIdT7ATgcXTfHq/stVBa5fO+LGxc8I+ygsMhPFGBz3pTftLWLAjlwMhAeX8KHLS"}},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiYS50eHQiLCJkaWdlc3QiOnsic2hhMjU2IjoiYTBjZmM3MTI3MWQ2ZTI3OGU1N2NkMzMyZmY5NTdjM2Y3MDQzZmRkYTM1NGM0Y2JiMTkwYTMwZDU2ZWZhMDFiZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vYWN0aW9ucy5naXRodWIuaW8vYnVpbGR0eXBlcy93b3JrZmxvdy92MSIsImV4dGVybmFsUGFyYW1ldGVycyI6eyJ3b3JrZmxvdyI6eyJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5IjoiaHR0cHM6Ly9naXRodWIuY29tL2xvb3NlYmF6b29rYS9hYS10ZXN0IiwicGF0aCI6Ii5naXRodWIvd29ya2Zsb3dzL3Byb3ZlbmFuY2UueWFtbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJyZXBvc2l0b3J5X2lkIjoiODkxNzE1NDQ0IiwicmVwb3NpdG9yeV9vd25lcl9pZCI6IjEzMDQ4MjYiLCJydW5uZXJfZW52aXJvbm1lbnQiOiJnaXRodWItaG9zdGVkIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9sb29zZWJhem9va2EvYWEtdGVzdEByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsiZ2l0Q29tbWl0IjoiZWJmZjhkZmJkNjA5YjdiMjIyMzdjNzcxOWNlMDdmMmRjNzkzNGY1ZiJ9fV19LCJydW5EZXRhaWxzIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vbG9vc2ViYXpvb2thL2FhLXRlc3QvLmdpdGh1Yi93b3JrZmxvd3MvcHJvdmVuYW5jZS55YW1sQHJlZnMvaGVhZHMvbWFpbiJ9LCJtZXRhZGF0YSI6eyJpbnZvY2F0aW9uSWQiOiJodHRwczovL2dpdGh1Yi5jb20vbG9vc2ViYXpvb2thL2FhLXRlc3QvYWN0aW9ucy9ydW5zLzExOTQxNDI1NDg3L2F0dGVtcHRzLzEifX19fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQD81HJEJF49ZOKNQDcgcG5KiNbGU+sicdESuXORdUh42AIhAKGdTlFMAz494niB0RP4cO8bHHyMmt24u+xPPYEWLoJj"}]}}

test/assets/bundle-verify/rekor2-dsse-happy-path/trusted_root.json

@@ -0,0 +1,123 @@
+{
+  "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
+  "tlogs": [
+    {
+      "baseUrl": "https://rekor.sigstage.dev",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDODRU688UYGuy54mNUlaEBiQdTE9nYLr0lg6RXowI/QV/RE1azBn4Eg5/2uTOMbhB1/gfcHzijzFi9Tk+g1Prg==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "2021-01-12T11:53:27Z"
+        }
+      },
+      "logId": {
+        "keyId": "0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY="
+      }
+    },
+    {
+      "baseUrl": "https://log2025-alpha1.rekor.sigstage.dev",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MCowBQYDK2VwAyEAPn+AREHoBaZ7wgS1zBqpxmLSGnyhxXj4lFxSdWVB8o8=",
+        "keyDetails": "PKIX_ED25519",
+        "validFor": {
+          "start": "2025-04-16T00:00:00Z"
+        }
+      },
+      "logId": {
+        "keyId": "8w1amZ2S5mJIQkQmPxdMuOrL/oJkvFg9MnQXmeOCXck="
+      }
+    }
+  ],
+  "certificateAuthorities": [
+    {
+      "subject": {
+        "organization": "sigstore.dev",
+        "commonName": "sigstore"
+      },
+      "uri": "https://fulcio.sigstage.dev",
+      "certChain": {
+        "certificates": [
+          {
+            "rawBytes": "MIICGTCCAaCgAwIBAgITJta/okfgHvjabGm1BOzuhrwA1TAKBggqhkjOPQQDAzAqMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIyMDQxNDIxMzg0MFoXDTMyMDMyMjE2NTA0NVowNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASosAySWJQ/tK5r8T5aHqavk0oI+BKQbnLLdmOMRXHQF/4Hx9KtNfpcdjH9hNKQSBxSlLFFN3tvFCco0qFBzWYwZtsYsBe1l91qYn/9VHFTaEVwYQWIJEEvrs0fvPuAqjajezB5MA4GA1UdDwEB/wQEAwIBBjATBgNVHSUEDDAKBggrBgEFBQcDAzASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRxhjCmFHxib/n31vQFGn9f/+tvrDAfBgNVHSMEGDAWgBT/QjK6aH2rOnCv3AzUGuI+h49mZTAKBggqhkjOPQQDAwNnADBkAjAM1lbKkcqQlE/UspMTbWNo1y2TaJ44tx3l/FJFceTSdDZ+0W1OHHeU4twie/lq8XgCMHQxgEv26xNNiAGyPXbkYgrDPvbOqp0UeWX4mJnLSrBr3aN/KX1SBrKQu220FmVL0Q=="
+          },
+          {
+            "rawBytes": "MIIB9jCCAXugAwIBAgITDdEJvluliE0AzYaIE4jTMdnFTzAKBggqhkjOPQQDAzAqMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIyMDMyNTE2NTA0NloXDTMyMDMyMjE2NTA0NVowKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMo9BUNk9QIYisYysC24+2OytoV72YiLonYcqR3yeVnYziPt7Xv++CYE8yoCTiwedUECCWKOcvQKRCJZb9ht4Hzy+VvBx36hK+C6sECCSR0x6pPSiz+cTk1f788ZjBlUZaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP9CMrpofas6cK/cDNQa4j6Hj2ZlMB8GA1UdIwQYMBaAFP9CMrpofas6cK/cDNQa4j6Hj2ZlMAoGCCqGSM49BAMDA2kAMGYCMQD+kojuzMwztNay9Ibzjuk//ZL5m6T2OCsm45l1lY004pcb984L926BowodoirFMcMCMQDIJtFHhP/1D3a+M3dAGomOb6O4CmTry3TTPbPsAFnv22YA0Y+P21NVoxKDjdu0tkw="
+          }
+        ]
+      },
+      "validFor": {
+        "start": "2022-04-14T21:38:40Z"
+      }
+    }
+  ],
+  "ctlogs": [
+    {
+      "baseUrl": "https://ctfe.sigstage.dev/test",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MIICCgKCAgEA27A2MPQXm0I0v7/Ly5BIauDjRZF5Jor9vU+QheoE2UIIsZHcyYq3slHzSSHy2lLj1ZD2d91CtJ492ZXqnBmsr4TwZ9jQ05tW2mGIRI8u2DqN8LpuNYZGz/f9SZrjhQQmUttqWmtu3UoLfKz6NbNXUnoo+NhZFcFRLXJ8VporVhuiAmL7zqT53cXR3yQfFPCUDeGnRksnlhVIAJc3AHZZSHQJ8DEXMhh35TVv2nYhTI3rID7GwjXXw4ocz7RGDD37ky6p39Tl5NB71gT1eSqhZhGHEYHIPXraEBd5+3w9qIuLWlp5Ej/K6Mu4ELioXKCUimCbwy+Cs8UhHFlqcyg4AysOHJwIadXIa8LsY51jnVSGrGOEBZevopmQPNPtyfFY3dmXSS+6Z3RD2Gd6oDnNGJzpSyEk410Ag5uvNDfYzJLCWX9tU8lIxNwdFYmIwpd89HijyRyoGnoJ3entd63cvKfuuix5r+GHyKp1Xm1L5j5AWM6P+z0xigwkiXnt+adexAl1J9wdDxv/pUFEESRF4DG8DFGVtbdH6aR1A5/vD4krO4tC1QYUSeyL5Mvsw8WRqIFHcXtgybtxylljvNcGMV1KXQC8UFDmpGZVDSHx6v3e/BHMrZ7gjoCCfVMZ/cFcQi0W2AIHPYEMH/C95J2r4XbHMRdYXpovpOoT5Ca78gsCAwEAAQ==",
+        "keyDetails": "PKCS1_RSA_PKCS1V5",
+        "validFor": {
+          "start": "2021-03-14T00:00:00Z",
+          "end": "2022-07-31T00:00:00Z"
+        }
+      },
+      "logId": {
+        "keyId": "G3wUKk6ZK6ffHh/FdCRUE2wVekyzHEEIpSG4savnv0w="
+      }
+    },
+    {
+      "baseUrl": "https://ctfe.sigstage.dev/2022",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEh99xuRi6slBFd8VUJoK/rLigy4bYeSYWO/fE6Br7r0D8NpMI94+A63LR/WvLxpUUGBpY8IJA3iU2telag5CRpA==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "2022-07-01T00:00:00Z",
+          "end": "2022-07-31T00:00:00Z"
+        }
+      },
+      "logId": {
+        "keyId": "++JKOMQt7SJ3ynUHnCfnDhcKP8/58J4TueMqXuk3HmA="
+      }
+    },
+    {
+      "baseUrl": "https://ctfe.sigstage.dev/2022-2",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8gEDKNme8AnXuPBgHjrtXdS6miHqc24CRblNEOFpiJRngeq8Ko73Y+K18yRYVf1DXD4AVLwvKyzdNdl5n0jUSQ==",
+        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+        "validFor": {
+          "start": "2022-07-01T00:00:00Z"
+        }
+      },
+      "logId": {
+        "keyId": "KzC83GiIyeLh2CYpXnQfSDkxlgLynDPLXkNA/rKshno="
+      }
+    }
+  ],
+  "timestampAuthorities": [
+    {
+      "subject": {
+        "organization": "sigstore.dev",
+        "commonName": "sigstore-tsa-selfsigned"
+      },
+      "uri": "https://timestamp.sigstage.dev/api/v1/timestamp",
+      "certChain": {
+        "certificates": [
+          {
+            "rawBytes": "MIICDzCCAZagAwIBAgIUCjWhBmHV4kFzxomWp/J98n4DfKcwCgYIKoZIzj0EAwMwOTEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MSAwHgYDVQQDExdzaWdzdG9yZS10c2Etc2VsZnNpZ25lZDAeFw0yNTAzMjgwOTE0MDZaFw0zNTAzMjYwODE0MDZaMC4xFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEVMBMGA1UEAxMMc2lnc3RvcmUtdHNhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEx1v5F3HpD9egHuknpBFlRz7QBRDJu4aeVzt9zJLRY0lvmx1lF7WBM2c9AN8ZGPQsmDqHlJN2R/7+RxLkvlLzkc19IOx38t7mGGEcB7agUDdCF/Ky3RTLSK0Xo/0AgHQdo2owaDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFKj8ZPYo3i7mO3NPVIxSxOGc3VOlMB8GA1UdIwQYMBaAFDsgRlletTJNRzDObmPuc3RH8gR9MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMAoGCCqGSM49BAMDA2cAMGQCMESvVS6GGtF33+J19TfwENWJXjRv4i0/HQFwLUSkX6TfV7g0nG8VnqNHJLvEpAtOjQIwUD3uywTXorQP1DgbV09rF9Yen+CEqs/iEpieJWPst280SSOZ5Na+dyPVk9/8SFk6"
+          },
+          {
+            "rawBytes": "MIIB9zCCAXygAwIBAgIUCPExEFKiQh0dP4sp5ltmSYSSkFUwCgYIKoZIzj0EAwMwOTEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MSAwHgYDVQQDExdzaWdzdG9yZS10c2Etc2VsZnNpZ25lZDAeFw0yNTAzMjgwOTE0MDZaFw0zNTAzMjYwODE0MDZaMDkxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEgMB4GA1UEAxMXc2lnc3RvcmUtdHNhLXNlbGZzaWduZWQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATt0tIDWyo4ARfL9BaSo0W5bJQEbKJTU/u7llvdjSI5aTkOAJa8tixn2+LEfPG4dMFdsMPtsIuU1qn2OqFiuMk6vHv/c+az25RQVY1oo50iMb0jIL3N4FgwhPFpZnCbQPOjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBQ7IEZZXrUyTUcwzm5j7nN0R/IEfTAKBggqhkjOPQQDAwNpADBmAjEA2MI1VXgbf3dUOSc95hSRypBKOab18eh2xzQtxUsHvWeY+1iFgyMluUuNR6taoSmFAjEA31m2czguZhKYX+4JSKu5pRYhBTXAd8KKQ3xdPRX/qCaLvT2qJAEQ1YQM3EJRrtI7"
+          }
+        ]
+      },
+      "validFor": {
+        "start": "2025-04-09T00:00:00Z"
+      }
+    }
+  ]
+}

test/assets/bundle-verify/rekor2-dsse-invalid-sig_fail/README

@@ -0,0 +1,10 @@
+An invalid bundle with dsse 0.0.2 envelope that comes from a Rekor v2 instance. It is 
+generated using custom code from sigstore-java. The signature is not valid for the dsse
+envelope, but the timestamp should match the signature (we don't want timestamp failures)
+
+1. Create new dsse bundle (dsse1)
+2. Create another unrelated dsse bundle for the same artifact (dsse2)
+3. Replace the signature and timestamp in dsse1 with data from dsse2
+
+The test uses a custom trusted root (it's just the staging trust root: once prod has a rekor
+v2 instance the test bundle could be replaced and the custom trust root removed)