Use the conformance token everywhere

loosebazooka · loosebazooka · commit 3fbb471ab40a · 2026-06-15T11:36:43.000-04:00
Use the Untrusted GCP Beacon token provider dynamically in all tests
and workflow examples, mostly avoiding dependency on ambient OIDC configuration
in local development.

Signed-off-by: Appu &lt;appu@google.com&gt;
diff --git a/.github/workflows/examples.yaml b/.github/workflows/examples.yaml
@@ -17,9 +17,6 @@ jobs:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.os }}-release
       cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
-    permissions:
-      id-token: write
-
     steps:
     - name: Enable long paths in Git
       if: runner.os == 'Windows'
diff --git a/examples/hello-world/README.md b/examples/hello-world/README.md
@@ -4,6 +4,8 @@ Simple sigstore signing examples
 
 These examples sign with sigstore (and PGP as required by Maven Central)
 
+In CI: These example use env `SIGSTORE_JAVA_ID_TOKEN` from test.sh to use a throwaway id token
+
 ## gradle
 
 ```
diff --git a/sigstore-gradle/sigstore-gradle-sign-base-plugin/src/test/kotlin/dev/sigstore/gradle/SigstoreSignTest.kt b/sigstore-gradle/sigstore-gradle-sign-base-plugin/src/test/kotlin/dev/sigstore/gradle/SigstoreSignTest.kt
@@ -17,20 +17,19 @@
 package dev.sigstore.gradle
 
 import dev.sigstore.testkit.BaseGradleTest
-import dev.sigstore.testkit.TestedGradle
 import dev.sigstore.testkit.TestedGradleAndSigstoreJava
-import dev.sigstore.testkit.TestedSigstoreJava
-import dev.sigstore.testkit.annotations.EnabledIfOidcExists
+import dev.sigstore.testkit.oidc.ConformanceTestingToken
 import org.assertj.core.api.Assertions.assertThat
 import org.gradle.util.GradleVersion
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.MethodSource
 
-@EnabledIfOidcExists
 class SigstoreSignTest: BaseGradleTest() {
     @ParameterizedTest
     @MethodSource("gradleAndSigstoreJavaVersions")
     fun `sign file`(case: TestedGradleAndSigstoreJava) {
+        val oidcToken = ConformanceTestingToken.getToken()
+        gradleRunner.withEnvironment(mapOf("SIGSTORE_JAVA_ID_TOKEN" to oidcToken))
         val destLine =
             if (case.gradle.version < GradleVersion.version("8.0"))
                 """outputFile = file("helloProps.txt")"""
diff --git a/sigstore-gradle/sigstore-gradle-sign-plugin/src/test/kotlin/dev/sigstore/gradle/RemoveSigstoreAscTest.kt b/sigstore-gradle/sigstore-gradle-sign-plugin/src/test/kotlin/dev/sigstore/gradle/RemoveSigstoreAscTest.kt
@@ -19,14 +19,13 @@ package dev.sigstore.gradle
 import dev.sigstore.testkit.BaseGradleTest
 import dev.sigstore.testkit.TestedGradle
 import dev.sigstore.testkit.TestedGradleAndSigstoreJava
-import dev.sigstore.testkit.annotations.EnabledIfOidcExists
+import dev.sigstore.testkit.oidc.ConformanceTestingToken
 import org.assertj.core.api.Assertions.assertThat
 import org.assertj.core.api.SoftAssertions
 import org.gradle.util.GradleVersion
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.MethodSource
 
-@EnabledIfOidcExists
 class RemoveSigstoreAscTest : BaseGradleTest() {
     companion object {
         @JvmStatic
@@ -102,6 +101,8 @@ class RemoveSigstoreAscTest : BaseGradleTest() {
     }
 
     private fun prepareBuildScripts(case: TestedGradleAndSigstoreJava) {
+        val oidcToken = ConformanceTestingToken.getToken()
+        gradleRunner.withEnvironment(mapOf("SIGSTORE_JAVA_ID_TOKEN" to oidcToken))
         writeBuildGradle(
             """
             plugins {
diff --git a/sigstore-gradle/sigstore-gradle-sign-plugin/src/test/kotlin/dev/sigstore/gradle/SigstorePublishSignTest.kt b/sigstore-gradle/sigstore-gradle-sign-plugin/src/test/kotlin/dev/sigstore/gradle/SigstorePublishSignTest.kt
@@ -18,16 +18,17 @@ package dev.sigstore.gradle
 
 import dev.sigstore.testkit.BaseGradleTest
 import dev.sigstore.testkit.TestedGradleAndSigstoreJava
-import dev.sigstore.testkit.annotations.EnabledIfOidcExists
+import dev.sigstore.testkit.oidc.ConformanceTestingToken
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.MethodSource
 
-@EnabledIfOidcExists
 class SigstorePublishSignTest : BaseGradleTest() {
     @ParameterizedTest
     @MethodSource("gradleAndSigstoreJavaVersions")
     fun `sign file`(case: TestedGradleAndSigstoreJava) {
+        val oidcToken = ConformanceTestingToken.getToken()
+        gradleRunner.withEnvironment(mapOf("SIGSTORE_JAVA_ID_TOKEN" to oidcToken))
         writeBuildGradle(
             """
             plugins {
diff --git a/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java b/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java
@@ -19,9 +19,12 @@
 import dev.sigstore.bundle.Bundle;
 import dev.sigstore.dsse.InTotoPayload;
 import dev.sigstore.json.JsonParseException;
+import dev.sigstore.oidc.client.OidcClients;
+import dev.sigstore.oidc.client.TokenStringOidcClient;
 import dev.sigstore.testkit.annotations.DisabledIfSkipStaging;
 import dev.sigstore.testkit.annotations.EnabledIfOidcExists;
 import dev.sigstore.testkit.annotations.OidcProviderType;
+import dev.sigstore.testkit.oidc.ConformanceTestingToken;
 import dev.sigstore.trustroot.ImmutableSigstoreSigningConfig;
 import dev.sigstore.trustroot.Service;
 import dev.sigstore.tuf.SigstoreTufClient;
@@ -50,6 +53,9 @@ public class KeylessTest {
   public static List<byte[]> artifactDigests;
   public static String payload;
 
+  private static final OidcClients CONFORMANCE_TOKEN_CLIENT =
+      OidcClients.of(TokenStringOidcClient.from(ConformanceTestingToken.newProvider()));
+
   @BeforeAll
   public static void setupArtifact() throws IOException {
     artifactDigests = new ArrayList<>();
@@ -75,7 +81,7 @@ public static void setupArtifact() throws IOException {
 
   @Test
   @EnabledIfOidcExists(provider = OidcProviderType.ANY)
-  public void sign_production() throws Exception {
+  public void sign_production_and_test_oidc() throws Exception {
     var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
     var results = signer.sign(artifactDigests);
 
@@ -93,7 +99,6 @@ public void sign_production() throws Exception {
    * Should be merged into "sign_production" above when ready.
    */
   @Test
-  @EnabledIfOidcExists(provider = OidcProviderType.ANY)
   public void sign_production_rekorV2() throws Exception {
     // TODO(#1033): Get Rekor v2 service from TUF signing config when in prod
     var prodTufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
@@ -107,6 +112,7 @@ public void sign_production_rekorV2() throws Exception {
     var signer =
         KeylessSigner.builder()
             .sigstorePublicDefaults()
+            .forceCredentialProviders(CONFORMANCE_TOKEN_CLIENT)
             .signingConfigProvider(() -> signingConfig)
             .enableRekorV2(true)
             .build();
@@ -123,11 +129,14 @@ public void sign_production_rekorV2() throws Exception {
 
   @ParameterizedTest
   @ValueSource(booleans = {true, false})
-  @EnabledIfOidcExists(provider = OidcProviderType.ANY)
   @DisabledIfSkipStaging
   public void sign_staging(boolean enableRekorV2) throws Exception {
     var signer =
-        KeylessSigner.builder().sigstoreStagingDefaults().enableRekorV2(enableRekorV2).build();
+        KeylessSigner.builder()
+            .sigstoreStagingDefaults()
+            .forceCredentialProviders(CONFORMANCE_TOKEN_CLIENT)
+            .enableRekorV2(enableRekorV2)
+            .build();
     var results = signer.sign(artifactDigests);
     verifySigningResult(results, enableRekorV2);
 
@@ -139,7 +148,6 @@ public void sign_staging(boolean enableRekorV2) throws Exception {
   }
 
   @Test
-  @EnabledIfOidcExists(provider = OidcProviderType.ANY)
   public void attest_production() throws Exception {
     // TODO(#1033): Get Rekor v2 service from TUF signing config when in prod
     var prodTufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
@@ -153,6 +161,7 @@ public void attest_production() throws Exception {
     var signer =
         KeylessSigner.builder()
             .sigstorePublicDefaults()
+            .forceCredentialProviders(CONFORMANCE_TOKEN_CLIENT)
             .signingConfigProvider(() -> signingConfig)
             .enableRekorV2(true)
             .build();
@@ -172,10 +181,14 @@ public void attest_production() throws Exception {
   }
 
   @Test
-  @EnabledIfOidcExists(provider = OidcProviderType.ANY)
   @DisabledIfSkipStaging
   public void attest_staging() throws Exception {
-    var signer = KeylessSigner.builder().sigstoreStagingDefaults().enableRekorV2(true).build();
+    var signer =
+        KeylessSigner.builder()
+            .sigstoreStagingDefaults()
+            .forceCredentialProviders(CONFORMANCE_TOKEN_CLIENT)
+            .enableRekorV2(true)
+            .build();
     var result = signer.attest(payload);
 
     Assertions.assertNotNull(result.getDsseEnvelope().get());
diff --git a/sigstore-maven-plugin/src/test/java/dev/sigstore/plugin/test/MavenTestProject.java b/sigstore-maven-plugin/src/test/java/dev/sigstore/plugin/test/MavenTestProject.java
@@ -28,7 +28,7 @@
 
 /**
  * Initialize a test project verifier. You should use this to inject the right local repository into
- * settings.xml and the proejct version into pom.xml. Works with the test Maven projects in the
+ * settings.xml and the project version into pom.xml. Works with the test Maven projects in the
  * {@code resources/maven/projects} directory.
  */
 public class MavenTestProject {
diff --git a/sigstore-testkit/src/main/java/dev/sigstore/testkit/oidc/ConformanceTestingToken.java b/sigstore-testkit/src/main/java/dev/sigstore/testkit/oidc/ConformanceTestingToken.java
@@ -29,33 +29,27 @@
  * should never be used by actual signers and should only be available in tests. Use this with the
  * {@link TokenStringOidcClient}.
  */
-public class ConformanceTestingTokenProvider implements TokenStringOidcClient.TokenStringProvider {
+public class ConformanceTestingToken {
 
-  public static ConformanceTestingTokenProvider newProviderFromGithub() {
-    return new ConformanceTestingTokenProvider(
-        "https://raw.githubusercontent.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/refs/heads/current-token/oidc-token.txt");
-  }
-
-  public static ConformanceTestingTokenProvider newProviderFromGcp() {
-    return new ConformanceTestingTokenProvider(
-        "https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt");
-  }
-
-  private final String tokenUrl;
-
-  private ConformanceTestingTokenProvider(String tokenUrl) {
-    this.tokenUrl = tokenUrl;
-  }
+  public static TokenStringOidcClient.TokenStringProvider newProvider() {
+    return new TokenStringOidcClient.TokenStringProvider() {
+      @Override
+      public String getTokenString(Map<String, String> env) throws Exception {
+        return getToken();
+      }
 
-  @Override
-  public boolean isEnabled(Map<String, String> env) {
-    return true;
+      @Override
+      public boolean isEnabled(Map<String, String> env) {
+        return true;
+      }
+    };
   }
 
-  @Override
-  public String getTokenString(Map<String, String> env) throws Exception {
+  public static String getToken() throws Exception {
     HttpClient client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).build();
-    URI fileUri = new URI(tokenUrl);
+    URI fileUri =
+        new URI(
+            "https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt");
     HttpRequest request =
         HttpRequest.newBuilder()
             .uri(fileUri)
