From f59afceea9bc4d4340f42889e912307da49c4799 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Sep 2024 19:28:26 +0000
Subject: [PATCH 1/2] build(deps): update tough requirement from 0.17.1 to 0.18.0

Updates the requirements on [tough](https://github.com/awslabs/tough) to permit the latest version.
- [Release notes](https://github.com/awslabs/tough/releases)
- [Commits](https://github.com/awslabs/tough/compare/tough-v0.17.1...tough-v0.18.0)

---
updated-dependencies:
- dependency-name: tough
dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cargo.toml b/Cargo.toml
index 791e80ccff..54a8bf2376 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -135,7 +135,7 @@ sigstore_protobuf_specs = { version = "0.3.2", optional = true }
 thiserror = "1.0.30"
 tokio = { version = "1.17.0", features = ["rt"] }
 tokio-util = { version = "0.7.10", features = ["io-util"] }
-tough = { version = "0.17.1", features = ["http"], optional = true }
+tough = { version = "0.18.0", features = ["http"], optional = true }
 tracing = "0.1.31"
 url = "2.2.2"
 x509-cert = { version = "0.2.5", features = ["builder", "pem", "std", "sct"] }

From d80b800b17fc5cda5aed84a8435aa7e8aac41add Mon Sep 17 00:00:00 2001
From: Flavio Castelli
Date: Tue, 10 Sep 2024 11:23:34 +0200
Subject: [PATCH 2/2] fix: fetch Sigstore's TUF repository when default flags are disabled

Fetching Sigstore's TUF repository is done using the `aws/tough` crate. This crate currently uses an older version of `reqwest`, which in turn uses an older version of `hyper`.

When building the `sigstore` crate with the default features turned off and a limited set of "verification-related" features enabled (like `sigstore-trust-root` and `cosign-rustls-tls`), fetching the TUF repository causes a runtime panic. The panic happens because the old `reqwest` crate is built without TLS support.

This was not a problem before, since both sigstore and `tough` used the same version of `reqwest`; hence enabling `cosign-rustls-tls` also enabled TLS support for tough.

This commit introduces two new feature flags, `sigstore-trust-root-native-tls` and `sigstore-trust-root-rustls-tls`, which enable TLS support also for the old version of reqwest currently used by tough.

Worth noting: building with the default flags doesn't currently expose this issue. That happens because of a happy coincidence. The "feature chain reaction" is the following:
- Enabling the default features causes the `full-native-tls` feature to be enabled
- The `full-native-tls` feature enables the `fulcio-native-tls` feature
- The `fulcio-native-tls` feature enables the `oauth-native-tls` feature
- The `oauth-native-tls` feature causes the `openidconnect` crate to be required; moreover, it enables TLS support in `openidconnect` by enabling the `openidconnect/native-tls` feature.

Currently the `openidconnect` crate depends on the same old version of `reqwest` used by aws/tough. Hence, enabling TLS support for `openidconnect` also enables TLS support for tough.

This coincidental fix will disappear as soon as `openidconnect` moves to the latest version of `reqwest`.
Signed-off-by: Flavio Castelli
---
 Cargo.toml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/Cargo.toml b/Cargo.toml
index 54a8bf2376..89e2971b98 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -20,12 +20,14 @@ full-native-tls = [
 "rekor-native-tls",
 "cosign-native-tls",
 "mock-client-native-tls",
+ "sigstore-trust-root-native-tls",
 ]
 full-rustls-tls = [
 "fulcio-rustls-tls",
 "rekor-rustls-tls",
 "cosign-rustls-tls",
 "mock-client-rustls-tls",
+ "sigstore-trust-root-rustls-tls",
 ]
 
 # This features is used by tests that use docker to create a registry
@@ -51,9 +53,18 @@ sigstore-trust-root = [
 "sigstore_protobuf_specs",
 "futures-util",
 "tough",
+ "reqwest_0_11",
 "regex",
 "tokio/sync",
 ]
+sigstore-trust-root-native-tls = [
+ "reqwest_0_11/native-tls",
+ "sigstore-trust-root",
+]
+sigstore-trust-root-rustls-tls = [
+ "reqwest_0_11/rustls-tls",
+ "sigstore-trust-root",
+]
 
 cosign-native-tls = [
 "oci-distribution/native-tls",
@@ -121,6 +132,11 @@ reqwest = { version = "0.12", default-features = false, features = [
 "json",
 "multipart",
 ], optional = true }
+# We have to include this old version of reqwest because tough is currently using it.
+# By including it, we can configure which TLS backend it's going to use, otherwise fetching the
+# TUF sigstore repository will fail at runtime because the old version of reqwest
+# will be compiled withtout TLS support.
+reqwest_0_11 = { package = "reqwest", version = "0.11", default-features = false, optional = true }
 rsa = "0.9.2"
 scrypt = "0.11.0"
 serde = { version = "1.0.136", features = ["derive"] }
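Review bot: `sigstore-trust-root` now enables `reqwest_0_11` without selecting a TLS backend for it, so, as far as this manifest shows, a build with default features off and only `sigstore-trust-root` plus `cosign-rustls-tls` still reaches the runtime failure the commit message describes unless one of the two new `sigstore-trust-root-*-tls` features is also enabled. Nothing in the feature list enforces that pairing, so document it above the feature: `# Pair with sigstore-trust-root-native-tls or sigstore-trust-root-rustls-tls; on its own this leaves tough's reqwest 0.11 without a TLS backend and the TUF fetch fails at runtime.` A CI job building with `--no-default-features` and each of the two new features in turn would keep this from regressing. The matching additions to `full-native-tls` and `full-rustls-tls` in the first hunk look consistent with this.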
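Review bot: The comment above `reqwest_0_11` misspells `without` as `withtout`, and it should also state the assumption the fix rests on: Cargo only unifies `reqwest_0_11/native-tls` or `reqwest_0_11/rustls-tls` with the reqwest instance `tough` uses while both resolve to the same 0.11.x, so if `tough` bumps its reqwest major version the TLS feature is applied to an unused duplicate and the runtime failure returns silently. A one-line note keeps that visible: `# Must track the reqwest major version used by tough; if tough moves on, this pin stops having any effect.` If I recall correctly, reqwest 0.11's `rustls-tls` feature selects the webpki root set, which may differ from the roots the 0.12 `reqwest` above uses for `cosign-rustls-tls`, so it is worth confirming that the TUF fetch validates against the trust store you intend.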