Use the conformance token everywhere

Use the Untrusted GCP Beacon token provider dynamically in all tests
and workflow examples, mostly avoiding dependency on ambient OIDC configuration
in local development.

Signed-off-by: Appu <appu@google.com>

Author: loosebazooka

.github/workflows/examples.yaml

@@ -17,9 +17,6 @@ jobs:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.os }}-release
       cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
-    permissions:
-      id-token: write
-
     steps:
     - name: Enable long paths in Git
       if: runner.os == 'Windows'

examples/hello-world/README.md

@@ -4,6 +4,8 @@ Simple sigstore signing examples
 
 These examples sign with sigstore (and PGP as required by Maven Central)
 
+In CI: These example use env `SIGSTORE_JAVA_ID_TOKEN` from test.sh to use a throwaway id token
+
 ## gradle
 
 ```

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/test/kotlin/dev/sigstore/gradle/SigstoreSignTest.kt

@@ -17,20 +17,18 @@
 package dev.sigstore.gradle
 
 import dev.sigstore.testkit.BaseGradleTest
-import dev.sigstore.testkit.TestedGradle
 import dev.sigstore.testkit.TestedGradleAndSigstoreJava
-import dev.sigstore.testkit.TestedSigstoreJava
-import dev.sigstore.testkit.annotations.EnabledIfOidcExists
 import org.assertj.core.api.Assertions.assertThat
 import org.gradle.util.GradleVersion
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.MethodSource
 
-@EnabledIfOidcExists
 class SigstoreSignTest: BaseGradleTest() {
     @ParameterizedTest
     @MethodSource("gradleAndSigstoreJavaVersions")
     fun `sign file`(case: TestedGradleAndSigstoreJava) {
+        val oidcToken = java.net.URL("https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt").readText().trim()
+        gradleRunner.withEnvironment(System.getenv() + mapOf("JAVA_HOME" to TEST_JAVA_HOME, "SIGSTORE_JAVA_ID_TOKEN" to oidcToken))
         val destLine =
             if (case.gradle.version < GradleVersion.version("8.0"))
                 """outputFile = file("helloProps.txt")"""

sigstore-gradle/sigstore-gradle-sign-plugin/src/test/kotlin/dev/sigstore/gradle/RemoveSigstoreAscTest.kt

@@ -19,14 +19,12 @@ package dev.sigstore.gradle
 import dev.sigstore.testkit.BaseGradleTest
 import dev.sigstore.testkit.TestedGradle
 import dev.sigstore.testkit.TestedGradleAndSigstoreJava
-import dev.sigstore.testkit.annotations.EnabledIfOidcExists
 import org.assertj.core.api.Assertions.assertThat
 import org.assertj.core.api.SoftAssertions
 import org.gradle.util.GradleVersion
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.MethodSource
 
-@EnabledIfOidcExists
 class RemoveSigstoreAscTest : BaseGradleTest() {
     companion object {
         @JvmStatic
@@ -102,6 +100,8 @@ class RemoveSigstoreAscTest : BaseGradleTest() {
     }
 
     private fun prepareBuildScripts(case: TestedGradleAndSigstoreJava) {
+        val oidcToken = java.net.URL("https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt").readText().trim()
+        gradleRunner.withEnvironment(System.getenv() + mapOf("JAVA_HOME" to TEST_JAVA_HOME, "SIGSTORE_JAVA_ID_TOKEN" to oidcToken))
         writeBuildGradle(
             """
             plugins {

sigstore-gradle/sigstore-gradle-sign-plugin/src/test/kotlin/dev/sigstore/gradle/SigstorePublishSignTest.kt

@@ -18,16 +18,16 @@ package dev.sigstore.gradle
 
 import dev.sigstore.testkit.BaseGradleTest
 import dev.sigstore.testkit.TestedGradleAndSigstoreJava
-import dev.sigstore.testkit.annotations.EnabledIfOidcExists
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.MethodSource
 
-@EnabledIfOidcExists
 class SigstorePublishSignTest : BaseGradleTest() {
     @ParameterizedTest
     @MethodSource("gradleAndSigstoreJavaVersions")
     fun `sign file`(case: TestedGradleAndSigstoreJava) {
+        val oidcToken = java.net.URL("https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt").readText().trim()
+        gradleRunner.withEnvironment(System.getenv() + mapOf("JAVA_HOME" to TEST_JAVA_HOME, "SIGSTORE_JAVA_ID_TOKEN" to oidcToken))
         writeBuildGradle(
             """
             plugins {

sigstore-java/src/test/java/dev/sigstore/KeylessTest.java

@@ -19,9 +19,12 @@
 import dev.sigstore.bundle.Bundle;
 import dev.sigstore.dsse.InTotoPayload;
 import dev.sigstore.json.JsonParseException;
+import dev.sigstore.oidc.client.OidcClients;
+import dev.sigstore.oidc.client.TokenStringOidcClient;
 import dev.sigstore.testkit.annotations.DisabledIfSkipStaging;
 import dev.sigstore.testkit.annotations.EnabledIfOidcExists;
 import dev.sigstore.testkit.annotations.OidcProviderType;
+import dev.sigstore.testkit.oidc.ConformanceTestingTokenProvider;
 import dev.sigstore.trustroot.ImmutableSigstoreSigningConfig;
 import dev.sigstore.trustroot.Service;
 import dev.sigstore.tuf.SigstoreTufClient;
@@ -50,6 +53,10 @@ public class KeylessTest {
   public static List<byte[]> artifactDigests;
   public static String payload;
 
+  private static final OidcClients CONFORMANCE_TOKEN_CLIENT = OidcClients.of(
+      TokenStringOidcClient.from(
+          ConformanceTestingTokenProvider.newProviderFromGcp()));
+
   @BeforeAll
   public static void setupArtifact() throws IOException {
     artifactDigests = new ArrayList<>();
@@ -75,7 +82,7 @@ public static void setupArtifact() throws IOException {
 
   @Test
   @EnabledIfOidcExists(provider = OidcProviderType.ANY)
-  public void sign_production() throws Exception {
+  public void sign_production_and_test_oidc() throws Exception {
     var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
     var results = signer.sign(artifactDigests);
 
@@ -93,7 +100,6 @@ public void sign_production() throws Exception {
    * Should be merged into "sign_production" above when ready.
    */
   @Test
-  @EnabledIfOidcExists(provider = OidcProviderType.ANY)
   public void sign_production_rekorV2() throws Exception {
     // TODO(#1033): Get Rekor v2 service from TUF signing config when in prod
     var prodTufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
@@ -107,6 +113,7 @@ public void sign_production_rekorV2() throws Exception {
     var signer =
         KeylessSigner.builder()
             .sigstorePublicDefaults()
+            .forceCredentialProviders(CONFORMANCE_TOKEN_CLIENT)
             .signingConfigProvider(() -> signingConfig)
             .enableRekorV2(true)
             .build();
@@ -123,11 +130,14 @@ public void sign_production_rekorV2() throws Exception {
 
   @ParameterizedTest
   @ValueSource(booleans = {true, false})
-  @EnabledIfOidcExists(provider = OidcProviderType.ANY)
   @DisabledIfSkipStaging
   public void sign_staging(boolean enableRekorV2) throws Exception {
     var signer =
-        KeylessSigner.builder().sigstoreStagingDefaults().enableRekorV2(enableRekorV2).build();
+        KeylessSigner.builder()
+            .sigstoreStagingDefaults()
+            .forceCredentialProviders(CONFORMANCE_TOKEN_CLIENT)
+            .enableRekorV2(enableRekorV2)
+            .build();
     var results = signer.sign(artifactDigests);
     verifySigningResult(results, enableRekorV2);
 
@@ -139,7 +149,6 @@ public void sign_staging(boolean enableRekorV2) throws Exception {
   }
 
   @Test
-  @EnabledIfOidcExists(provider = OidcProviderType.ANY)
   public void attest_production() throws Exception {
     // TODO(#1033): Get Rekor v2 service from TUF signing config when in prod
     var prodTufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
@@ -153,6 +162,7 @@ public void attest_production() throws Exception {
     var signer =
         KeylessSigner.builder()
             .sigstorePublicDefaults()
+            .forceCredentialProviders(CONFORMANCE_TOKEN_CLIENT)
             .signingConfigProvider(() -> signingConfig)
             .enableRekorV2(true)
             .build();
@@ -172,10 +182,12 @@ public void attest_production() throws Exception {
   }
 
   @Test
-  @EnabledIfOidcExists(provider = OidcProviderType.ANY)
   @DisabledIfSkipStaging
   public void attest_staging() throws Exception {
-    var signer = KeylessSigner.builder().sigstoreStagingDefaults().enableRekorV2(true).build();
+    var signer = KeylessSigner.builder().sigstoreStagingDefaults()
+        .forceCredentialProviders(CONFORMANCE_TOKEN_CLIENT)
+        .enableRekorV2(true)
+        .build();
     var result = signer.attest(payload);
 
     Assertions.assertNotNull(result.getDsseEnvelope().get());

sigstore-maven-plugin/src/test/java/dev/sigstore/plugin/test/MavenTestProject.java

@@ -28,7 +28,7 @@
 
 /**
  * Initialize a test project verifier. You should use this to inject the right local repository into
- * settings.xml and the proejct version into pom.xml. Works with the test Maven projects in the
+ * settings.xml and the project version into pom.xml. Works with the test Maven projects in the
  * {@code resources/maven/projects} directory.
  */
 public class MavenTestProject {