From ea10de5a85143c6ec5bcb6db08e55cefa9119d35 Mon Sep 17 00:00:00 2001
From: SequeI
Date: Thu, 2 Apr 2026 10:51:44 +0100
Subject: [PATCH] fix: use TrustedRoot from TUF cache for key-based verification
The key-based verification path (--public-key) bypassed the modern TUF cache and always fetched Rekor public keys via the legacy TUF client, which fails with expired root.json after cosign v3's initialize stopped populating the legacy cache. Move cosign.TrustedRoot() out of the keyless-only branch so both workflows use the modern cache first, falling back to legacy fetches when unavailable.
Signed-off-by: SequeI
---
 internal/policy/policy.go | 42 +++++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/internal/policy/policy.go b/internal/policy/policy.go
index 5b29d9e85..b8122bf6c 100644
--- a/internal/policy/policy.go
+++ b/internal/policy/policy.go
@@ -459,32 +459,32 @@ func checkOpts(ctx context.Context, p *policy) (*cosign.CheckOpts, error) {
 log.Debug("Using keyless workflow")
 log.Debugf("TUF_ROOT=%s", os.Getenv("TUF_ROOT"))
 opts.Identities = []cosign.Identity{p.identity}
+ }
- if !hasSigstoreEnvOverrides() {
- if trustedRoot, trErr := cosign.TrustedRoot(); trErr == nil {
- log.Debug("Using trusted root from TUF for verification")
- opts.TrustedMaterial = trustedRoot
- } else {
- log.Debugf("Could not fetch trusted_root.json from TUF, falling back to individual targets: %v", trErr)
- }
+ if !hasSigstoreEnvOverrides() {
+ if trustedRoot, trErr := cosign.TrustedRoot(); trErr == nil {
+ log.Debug("Using trusted root from TUF for verification")
+ opts.TrustedMaterial = trustedRoot
 } else {
- log.Debug("Sigstore env overrides detected, skipping trusted root from TUF")
+ log.Debugf("Could not fetch trusted_root.json from TUF, falling back to individual targets: %v", trErr)
 }
+ } else {
+ log.Debug("Sigstore env overrides detected, skipping trusted root from TUF")
+ }
- if opts.TrustedMaterial == nil {
- if opts.RootCerts, err = fulcio.GetRoots(); err != nil {
- return nil, err
- }
- log.Debug("Fetched Fulcio root certificates")
- if opts.IntermediateCerts, err = fulcio.GetIntermediates(); err != nil {
- return nil, err
- }
- log.Debug("Fetched Fulcio intermediate certificates")
- if opts.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx); err != nil {
- return nil, err
- }
- log.Debug("Fetched CT log public keys")
+ if p.PublicKey == "" && opts.TrustedMaterial == nil {
+ if opts.RootCerts, err = fulcio.GetRoots(); err != nil {
+ return nil, err
+ }
+ log.Debug("Fetched Fulcio root certificates")
+ if opts.IntermediateCerts, err = fulcio.GetIntermediates(); err != nil {
+ return nil, err
+ }
+ log.Debug("Fetched Fulcio intermediate certificates")
+ if opts.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx); err != nil {
+ return nil, err
 }
+ log.Debug("Fetched CT log public keys")
 }
 opts.IgnoreTlog = p.ignoreRekor
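Review bot: The new guard `if p.PublicKey == "" && opts.TrustedMaterial == nil {` re-derives the keyless/key-based split that the `if`/`else` above the hunk already makes (that condition, and the start and end of checkOpts, are outside the hunk), so the two can silently drift if the workflow selection is changed later; computing it once, e.g. `keyless := p.PublicKey == ""`, and using it in both places would keep them in lockstep, assuming the earlier branch does key off the public-key flag, which I cannot confirm from here. The reason the TUF block now runs for both workflows is also not visible in the code, so a comment above `if !hasSigstoreEnvOverrides() {` would help, along the lines of `// Runs for both keyless and key-based verification: TrustedMaterial supplies the Rekor (and, for keyless, Fulcio/CT log) keys from the modern TUF cache; when it stays nil the legacy per-target fetches are used instead.` Note that the "falling back to individual targets" debug message is now reached on the key-based path too, where a failed TrustedRoot fetch is exactly the situation this commit is fixing, so surfacing that fallback above debug level for the key-based case may be worth considering.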