sigstore: always set TSA server endpoint to provide trusted timestamping

crazy-max · crazy-max · commit ba40ba40b2ac · 2025-10-29T18:50:40.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/src/sigstore/sigstore.ts b/src/sigstore/sigstore.ts
@@ -18,18 +18,21 @@ import {X509Certificate} from 'crypto';
 import fs from 'fs';
 import path from 'path';
 
-import {signingEndpoints, SigstoreInstance} from '@actions/attest/lib/endpoints';
+import {Endpoints} from '@actions/attest/lib/endpoints';
 import * as core from '@actions/core';
 import {signPayload} from '@actions/attest/lib/sign';
 import {bundleToJSON} from '@sigstore/bundle';
 import {Attestation} from '@actions/attest';
 import {Bundle} from '@sigstore/sign';
 
+import {GitHub} from '../github';
+
 import {Subject} from '../types/intoto/intoto';
 
 export interface SignProvenanceBlobsOpts {
   localExportDir: string;
   name?: string;
+  noTransparencyLog?: boolean;
 }
 
 export interface SignProvenanceBlobsResult extends Attestation {
@@ -39,6 +42,9 @@ export interface SignProvenanceBlobsResult extends Attestation {
 
 export class Sigstore {
   private intotoPayloadType = 'application/vnd.in-toto+json';
+  private fulcioURL = 'https://fulcio.sigstore.dev';
+  private rekorURL = 'https://rekor.sigstore.dev';
+  private tsaServerURL = 'https://timestamp.sigstore.dev';
   private searchSigstoreURL = 'https://search.sigstore.dev';
 
   public async signProvenanceBlobs(opts: SignProvenanceBlobsOpts): Promise<Record<string, SignProvenanceBlobsResult>> {
@@ -48,8 +54,7 @@ export class Sigstore {
         throw new Error('missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.');
       }
 
-      const sigstoreInstance: SigstoreInstance = 'public-good';
-      const endpoints = signingEndpoints(sigstoreInstance);
+      const endpoints = this.signingEndpoints(opts);
       core.info(`Using Sigstore signing endpoint: ${endpoints.fulcioURL}`);
 
       const provenanceBlobs = Sigstore.getProvenanceBlobs(opts);
@@ -153,4 +158,18 @@ export class Sigstore {
       tlogID: tlogID
     };
   }
+
+  private signingEndpoints(opts: SignProvenanceBlobsOpts): Endpoints {
+    if (opts.noTransparencyLog ?? GitHub.context.payload.repository?.private) {
+      return {
+        fulcioURL: this.fulcioURL,
+        tsaServerURL: this.tsaServerURL
+      };
+    }
+    return {
+      fulcioURL: this.fulcioURL,
+      rekorURL: this.rekorURL,
+      tsaServerURL: this.tsaServerURL
+    };
+  }
 }
