sigstore · aaronlew02 · Dec 2, 2025
@@ -33,6 +33,21 @@ docker build ./ -f "$SCRIPT_DIR"/Dockerfile.cosign -t cosign
 COSIGN_CMD="docker run --user=$(id -u):$(id -g) --rm -v $WORKDIR/:$WORKDIR/ cosign"
 CMD="$COSIGN_CMD trusted-root create"
 
+FULCIO_SIGNING_CONFIGS=""
+
+add_fulcio_to_signing_config () {
+  if [ -n "$FULCIO_SIGNING_CONFIGS" ]; then
+    FULCIO_SIGNING_CONFIGS="$FULCIO_SIGNING_CONFIGS,
+    "
+  fi
+  FULCIO_SIGNING_CONFIGS="$FULCIO_SIGNING_CONFIGS{
+      \"url\": \"$1\",
+      \"majorApiVersion\": 1,
+      \"validFor\": { \"start\": \"2025-05-25T00:00:00Z\" },
+      \"operator\": \"scaffolding-setup-sigstore-env\"
+    }"
+}
+
 REKOR_SIGNING_CONFIGS=""
 
 add_rekor_to_signing_config () {
@@ -64,73 +79,75 @@ add_tsa_to_signing_config () {
 }
 
 while [[ "$#" -gt 0 ]]; do
-    case $1 in
-        --fulcio)
-            FULCIO_URL="$2"
-            KEYFILE="$3"
-            shift
-            shift
-
-            # copy to our WORKDIR to be mounted in our cosign container.
-            cp "$KEYFILE" "$WORKDIR"/
-            KEYFILE=$WORKDIR/$(basename "$KEYFILE")
-
-            FNAME=$(mktemp --tmpdir="$WORKDIR" fulcio_cert.XXXX.pem)
-            curl --fail -o "$FNAME" "$FULCIO_URL"/api/v1/rootCert
-            CMD="$CMD --certificate-chain $FNAME --fulcio-uri $FULCIO_URL"
-
-            CMD="$CMD --ctfe-key $KEYFILE"
-            ;;
-
-        --rekor-v1-url)
-            URL="$2"
-            shift
-
-            add_rekor_to_signing_config "$URL" 1
-
-            FNAME=$(mktemp --tmpdir="$WORKDIR" rekorv1_pub.XXXX.pem)
-            curl --fail -o "$FNAME" "$URL"/api/v1/log/publicKey
-            CMD="$CMD --rekor-key $FNAME --rekor-url $URL"
-            ;;
-
-        --rekor-v2)
-            URL="$2"
-            KEYFILE="$3"
-            HOST="$4"
-            shift
-            shift
-            shift
-
-            add_rekor_to_signing_config "$URL" 2
-
-            # copy to our WORKDIR to be mounted in our cosign container.
-            cp "$KEYFILE" "$WORKDIR"/
-            KEYFILE=$WORKDIR/$(basename "$KEYFILE")
-
-            CMD="$CMD --rekor-key $KEYFILE,$HOST --rekor-url http://$HOST"
-            ;;
-
-        --timestamp-url)
-            URL="$2"
-            shift
-
-            add_tsa_to_signing_config "$URL"
-
-            FNAME=$(mktemp --tmpdir="$WORKDIR" timestamp_certs.XXXX.pem)
-            curl --fail -o "$FNAME" "$URL"/api/v1/timestamp/certchain
-            CMD="$CMD --timestamp-certificate-chain $FNAME --timestamp-uri $URL"
-            ;;
-
-        --oidc-url)
-            OIDC_URL="$2"
-            shift
-            ;;
-
-        *) echo "Unknown parameter passed: $1"; 
-            exit 1
-            ;;
-    esac
-    shift
+  case $1 in
+    --fulcio)
+      FULCIO_URL="$2"
+      KEYFILE="$3"
+      shift
+      shift
+
+      add_fulcio_to_signing_config "$FULCIO_URL"
+
+      # copy to our WORKDIR to be mounted in our cosign container.
+      cp "$KEYFILE" "$WORKDIR"/
+      KEYFILE=$WORKDIR/$(basename "$KEYFILE")
+
+      FNAME=$(mktemp --tmpdir="$WORKDIR" fulcio_cert.XXXX.pem)
+      curl --fail -o "$FNAME" "$FULCIO_URL"/api/v1/rootCert
+      CMD="$CMD --certificate-chain $FNAME --fulcio-uri $FULCIO_URL"
+
+      CMD="$CMD --ctfe-key $KEYFILE"
+      ;;
+
+    --rekor-v1-url)
+      URL="$2"
+      shift
+
+      add_rekor_to_signing_config "$URL" 1
+
+      FNAME=$(mktemp --tmpdir="$WORKDIR" rekorv1_pub.XXXX.pem)
+      curl --fail -o "$FNAME" "$URL"/api/v1/log/publicKey
+      CMD="$CMD --rekor-key $FNAME --rekor-url $URL"
+      ;;
+
+    --rekor-v2)
+      URL="$2"
+      KEYFILE="$3"
+      HOST="$4"
+      shift
+      shift
+      shift
+
+      add_rekor_to_signing_config "$URL" 2
+
+      # copy to our WORKDIR to be mounted in our cosign container.
+      cp "$KEYFILE" "$WORKDIR"/
+      KEYFILE=$WORKDIR/$(basename "$KEYFILE")
+
+      CMD="$CMD --rekor-key $KEYFILE,$HOST --rekor-url http://$HOST"
+      ;;
+
+    --timestamp-url)
+      URL="$2"
+      shift
+
+      add_tsa_to_signing_config "$URL"
+
+      FNAME=$(mktemp --tmpdir="$WORKDIR" timestamp_certs.XXXX.pem)
+      curl --fail -o "$FNAME" "$URL"/api/v1/timestamp/certchain
+      CMD="$CMD --timestamp-certificate-chain $FNAME --timestamp-uri $URL"
+      ;;
+
+    --oidc-url)
+      OIDC_URL="$2"
+      shift
+      ;;
+
+    *) echo "Unknown parameter passed: $1"; 
+      exit 1
+      ;;
+  esac
+  shift
 done
 
 $CMD > trusted_root.json
@@ -140,12 +157,7 @@ cat << EOF > signing_config.json
 {
   "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
   "caUrls": [
-    {
-      "url": "$FULCIO_URL",
-      "majorApiVersion": 1,
-      "validFor": { "start": "2025-05-25T00:00:00Z" },
-      "operator": "scaffolding-setup-sigstore-env"
-    }
+    $FULCIO_SIGNING_CONFIGS
   ],
   "oidcUrls": [
     {

@@ -16,6 +16,22 @@
 
 # <cmd> || return is so the script can exit early without quitting your shell.
 
+START_FULCIO=true
+START_REKOR=true
+START_TSA=true
+START_REKOR_TILES=true
+
+while [[ "$#" -gt 0 ]]; do
+  case $1 in
+    --no-fulcio) START_FULCIO=false; ;;
+    --no-rekor) START_REKOR=false; ;;
+    --no-tsa) START_TSA=false; ;;
+    --no-rekor-tiles) START_REKOR_TILES=false; ;;
+    *) echo "Unknown parameter passed: $1"; exit 1 ;;
+  esac
+  shift
+done
+
 CLONE_DIR="${CLONE_DIR:-$(mktemp -d)}"
 CWD="$(pwd)"
 
@@ -43,36 +59,41 @@ popd || return
 
 echo "downloading service repos"
 pushd "$CLONE_DIR" || return
-FULCIO_REPO="${FULCIO_REPO:-sigstore/fulcio}"
-REKOR_REPO="${REKOR_REPO:-sigstore/rekor}"
-TIMESTAMP_AUTHORITY_REPO="${TIMESTAMP_AUTHORITY_REPO:-sigstore/timestamp-authority}"
-REKOR_TILES_REPO="${REKOR_TILES_REPO:-sigstore/rekor-tiles}"
-OWNER_REPOS=(
-  "$FULCIO_REPO"
-  "$REKOR_REPO"
-  "$TIMESTAMP_AUTHORITY_REPO"
-  "$REKOR_TILES_REPO"
-)
+OWNER_REPOS=()
+if [ "$START_FULCIO" = true ]; then
+  OWNER_REPOS+=("${FULCIO_REPO:-sigstore/fulcio}")
+fi
+if [ "$START_REKOR" = true ]; then
+  OWNER_REPOS+=("${REKOR_REPO:-sigstore/rekor}")
+fi
+if [ "$START_TSA" = true ]; then
+  OWNER_REPOS+=("${TIMESTAMP_AUTHORITY_REPO:-sigstore/timestamp-authority}")
+fi
+if [ "$START_REKOR_TILES" = true ]; then
+  OWNER_REPOS+=("${REKOR_TILES_REPO:-sigstore/rekor-tiles}")
+fi
 procs=${#OWNER_REPOS[@]}
 for owner_repo in "${OWNER_REPOS[@]}"; do
-    repo=$(basename "$owner_repo")
-    if [[ ! -d $repo ]]; then
-        echo "'git clone https://github.com/${owner_repo}.git'"
-    else
-        echo "'cd $repo && git pull'"
-    fi
+  repo=$(basename "$owner_repo")
+  if [[ ! -d $repo ]]; then
+    echo "'git clone https://github.com/${owner_repo}.git'"
+  else
+    echo "'cd $repo && git pull'"
+  fi
 done | xargs -P "$procs" -L1 bash -c
 export CT_LOG_KEY="$CLONE_DIR/fulcio/config/ctfe/pubkey.pem"
 
 echo "starting services"
 export FULCIO_METRICS_PORT=2113
 for owner_repo in "${OWNER_REPOS[@]}"; do
-    repo=$(basename "$owner_repo")
-    echo "'cd $repo && docker compose up --wait'"
+  repo=$(basename "$owner_repo")
+  echo "'cd $repo && docker compose up --wait'"
 done | xargs -P "$procs" -L1 bash -c
 # The fakeoidc service is in a separate Docker network. Connect the fakeoidc container to the Fulcio
 # network to enable Fulcio to reach it for token verification.
-docker network inspect fulcio_default | grep fakeoidc || docker network connect --alias fakeoidc fulcio_default fakeoidc || return
+if [ "$START_FULCIO" = true ]; then
+  docker network inspect fulcio_default | grep fakeoidc || docker network connect --alias fakeoidc fulcio_default fakeoidc || return
+fi
 export TSA_URL="http://localhost:3004"
 popd || return
 
@@ -98,13 +119,20 @@ stop_services() {
 
 echo "building trusted root"
 pushd "$CLONE_DIR" || return
-"$CWD"/build-trusted-root.sh \
-  --fulcio http://localhost:5555 "$CLONE_DIR/fulcio/config/ctfe/pubkey.pem" \
-  --timestamp-url http://localhost:3004 \
-  --oidc-url http://localhost:8080 \
-  --rekor-v1-url http://localhost:3000 \
-  --rekor-v2 http://localhost:3003 "$CLONE_DIR/rekor-tiles/tests/testdata/pki/ed25519-pub-key.pem" "rekor-local" \
-  || return
+BUILD_CMD=("$CWD/build-trusted-root.sh" --oidc-url http://localhost:8080)
+if [ "$START_FULCIO" = true ]; then
+  BUILD_CMD+=(--fulcio http://localhost:5555 "$CLONE_DIR/fulcio/config/ctfe/pubkey.pem")
+fi
+if [ "$START_TSA" = true ]; then
+  BUILD_CMD+=(--timestamp-url http://localhost:3004)
+fi
+if [ "$START_REKOR" = true ]; then
+  BUILD_CMD+=(--rekor-v1-url http://localhost:3000)
+fi
+if [ "$START_REKOR_TILES" = true ]; then
+  BUILD_CMD+=(--rekor-v2 http://localhost:3003 "$CLONE_DIR/rekor-tiles/tests/testdata/pki/ed25519-pub-key.pem" "rekor-local")
+fi
+"${BUILD_CMD[@]}" || return
 export TRUSTED_ROOT="$CLONE_DIR/trusted_root.json"
 export SIGNING_CONFIG="$CLONE_DIR/signing_config.json"
 export TRUST_CONFIG="$CLONE_DIR/trust_config.json"