jiparis
diff --git a/‎app/cli/internal/action/attestation_init.go
Lines changed: 9 additions & 3 deletions b/‎app/cli/internal/action/attestation_init.go
Lines changed: 9 additions & 3 deletions
diff --git a/‎app/cli/internal/action/workflow_run_describe.go
Lines changed: 10 additions & 1 deletion b/‎app/cli/internal/action/workflow_run_describe.go
Lines changed: 10 additions & 1 deletion
diff --git a/‎app/controlplane/api/controlplane/v1/signing.pb.go
Lines changed: 66 additions & 40 deletions b/‎app/controlplane/api/controlplane/v1/signing.pb.go
Lines changed: 66 additions & 40 deletions
diff --git a/‎app/controlplane/api/controlplane/v1/signing.proto
Lines changed: 2 additions & 0 deletions b/‎app/controlplane/api/controlplane/v1/signing.proto
Lines changed: 2 additions & 0 deletions
@@ -150,9 +150,13 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 		return "", ErrRunnerContextNotFound{err.Error()}
 	}
 
-	// Identifier of this attestation instance
-	var attestationID string
-	var blockOnPolicyViolation bool
+	var (
+		// Identifier of this attestation instance
+		attestationID          string
+		blockOnPolicyViolation bool
+		// Timestamp Authority URL for new attestations
+		timestampAuthorityURL string
+	)
 
 	// Init in the control plane if needed including the runner context
 	if !action.dryRun {
@@ -176,6 +180,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 		workflowMeta.WorkflowRunId = workflowRun.GetId()
 		workflowMeta.Organization = runResp.GetResult().GetOrganization()
 		blockOnPolicyViolation = runResp.GetResult().GetBlockOnPolicyViolation()
+		timestampAuthorityURL = runResp.GetResult().GetSigningOptions().GetTimestampAuthorityUrl()
 		if v := workflowMeta.Version; v != nil {
 			workflowMeta.Version.Prerelease = runResp.GetResult().GetWorkflowRun().Version.GetPrerelease()
 		}
@@ -194,6 +199,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 		AttestationID:          attestationID,
 		Runner:                 discoveredRunner,
 		BlockOnPolicyViolation: blockOnPolicyViolation,
+		SigningOptions:         &crafter.SigningOpts{TimestampAuthorityURL: timestampAuthorityURL},
 	}
 
 	if err := action.c.Init(ctx, initOpts); err != nil {
 
@@ -246,7 +246,7 @@ func (action *WorkflowRunDescribe) Run(ctx context.Context, opts *WorkflowRunDes
 }
 
 func trustedRootPbToVerifier(resp *pb.GetTrustedRootResponse) (*verifier.TrustedRoot, error) {
-	tr := &verifier.TrustedRoot{Keys: make(map[string][]*x509.Certificate)}
+	tr := &verifier.TrustedRoot{Keys: make(map[string][]*x509.Certificate), TimestampAuthorities: make(map[string][]*x509.Certificate)}
 	for k, v := range resp.GetKeys() {
 		for _, c := range v.Certificates {
 			cert, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(c))
@@ -256,6 +256,15 @@ func trustedRootPbToVerifier(resp *pb.GetTrustedRootResponse) (*verifier.Trusted
 			tr.Keys[k] = append(tr.Keys[k], cert[0])
 		}
 	}
+	for k, v := range resp.GetTimestampAuthorities() {
+		for _, c := range v.Certificates {
+			cert, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(c))
+			if err != nil {
+				return nil, fmt.Errorf("loading certificate from PEM: %w", err)
+			}
+			tr.TimestampAuthorities[k] = append(tr.TimestampAuthorities[k], cert[0])
+		}
+	}
 	return tr, nil
 }
 
 
@@ -47,4 +47,6 @@ message GetTrustedRootRequest {}
 message GetTrustedRootResponse {
   // map keyID (cert SubjectKeyIdentifier) to PEM encoded chains
   map<string, CertificateChain> keys = 1;
+  // timestamp authorities
+  map<string, CertificateChain> timestamp_authorities = 2;
 }
Original file line number	Diff line number	Diff line change
`@@ -246,7 +246,7 @@ func (action WorkflowRunDescribe) Run(ctx context.Context, opts WorkflowRunDes`
`246`	`246`	`}`
`247`	`247`
`248`	`248`	`func trustedRootPbToVerifier(resp pb.GetTrustedRootResponse) (verifier.TrustedRoot, error) {`
`249`		`- tr := &verifier.TrustedRoot{Keys: make(map[string][]*x509.Certificate)}`
	`249`	`+ tr := &verifier.TrustedRoot{Keys: make(map[string][]x509.Certificate), TimestampAuthorities: make(map[string][]x509.Certificate)}`
`250`	`250`	`for k, v := range resp.GetKeys() {`
`251`	`251`	`for _, c := range v.Certificates {`
`252`	`252`	`cert, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(c))`
`@@ -256,6 +256,15 @@ func trustedRootPbToVerifier(resp pb.GetTrustedRootResponse) (verifier.Trusted`
`256`	`256`	`tr.Keys[k] = append(tr.Keys[k], cert[0])`
`257`	`257`	`}`
`258`	`258`	`}`
	`259`	`+ for k, v := range resp.GetTimestampAuthorities() {`
	`260`	`+ for _, c := range v.Certificates {`
	`261`	`+ cert, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(c))`
	`262`	`+ if err != nil {`
	`263`	`+ return nil, fmt.Errorf("loading certificate from PEM: %w", err)`
	`264`	`+ }`
	`265`	`+ tr.TimestampAuthorities[k] = append(tr.TimestampAuthorities[k], cert[0])`
	`266`	`+ }`
	`267`	`+ }`
`259`	`268`	`return tr, nil`
`260`	`269`	`}`
`261`	`270`
Original file line number	Diff line number	Diff line change
`@@ -47,4 +47,6 @@ message GetTrustedRootRequest {}`
`47`	`47`	`message GetTrustedRootResponse {`
`48`	`48`	`// map keyID (cert SubjectKeyIdentifier) to PEM encoded chains`
`49`	`49`	`map<string, CertificateChain> keys = 1;`
	`50`	`+ // timestamp authorities`
	`51`	`+ map<string, CertificateChain> timestamp_authorities = 2;`
`50`	`52`	`}`