jku
diff --git a/‎sigstore/_internal/trust.py
Lines changed: 59 additions & 1 deletion b/‎sigstore/_internal/trust.py
Lines changed: 59 additions & 1 deletion
diff --git a/‎sigstore/_internal/tuf.py
Lines changed: 23 additions & 0 deletions b/‎sigstore/_internal/tuf.py
Lines changed: 23 additions & 0 deletions
diff --git a/‎sigstore/_store/prod/signing_config.v0.2.json
Lines changed: 38 additions & 0 deletions b/‎sigstore/_store/prod/signing_config.v0.2.json
Lines changed: 38 additions & 0 deletions
@@ -62,8 +62,9 @@
     PublicKey,
     key_id,
     load_der_public_key,
+    read_embedded,
 )
-from sigstore.errors import Error, MetadataError, VerificationError
+from sigstore.errors import Error, MetadataError, TUFError, VerificationError
 
 
 def _is_timerange_valid(period: TimeRange | None, *, allow_expired: bool) -> bool:
@@ -559,6 +560,63 @@ def from_json(cls, raw: str) -> ClientTrustConfig:
         inner = _ClientTrustConfig().from_json(raw)
         return cls(inner)
 
+    @classmethod
+    def production(
+        cls,
+        offline: bool = False,
+    ) -> ClientTrustConfig:
+        """Create new trust config from Sigstore production TUF repository.
+
+        If `offline`, will use data in local TUF cache. Otherwise will
+        update the data from remote TUF repository.
+        """
+        return cls.from_tuf(DEFAULT_TUF_URL, offline)
+
+    @classmethod
+    def staging(
+        cls,
+        offline: bool = False,
+    ) -> ClientTrustConfig:
+        """Create new trust config from Sigstore staging TUF repository.
+
+        If `offline`, will use data in local TUF cache. Otherwise will
+        update the data from remote TUF repository.
+        """
+        return cls.from_tuf(STAGING_TUF_URL, offline)
+
+    @classmethod
+    def from_tuf(
+        cls,
+        url: str,
+        offline: bool = False,
+    ) -> ClientTrustConfig:
+        """Create a new trust config from a TUF repository.
+
+        If `offline`, will use data in local TUF cache. Otherwise will
+        update the trust config from remote TUF repository.
+        """
+        updater = TrustUpdater(url, offline)
+
+        tr_path = updater.get_trusted_root_path()
+        inner_tr = _TrustedRoot().from_json(Path(tr_path).read_bytes())
+
+        try:
+            sc_path = updater.get_signing_config_path()
+            inner_sc = _SigningConfig().from_json(Path(sc_path).read_bytes())
+        except TUFError as e:
+            # TUF repo may not have signing config yet: hard code values for prod:
+            if url == DEFAULT_TUF_URL:
+                embedded = read_embedded("signing_config.v0.2.json", "prod")
+                inner_sc = _SigningConfig().from_json(embedded)
+            else:
+                raise e
+
+        return _ClientTrustConfig(
+            ClientTrustConfig.ClientTrustConfigType.CONFIG_0_1,
+            inner_tr,
+            inner_sc,
+        )
+
     def __init__(self, inner: _ClientTrustConfig) -> None:
         """
         @api private
 
@@ -148,3 +148,26 @@ def get_trusted_root_path(self) -> str:
 
         _logger.debug("Found and verified trusted root")
         return path
+
+    @lru_cache()
+    def get_signing_config_path(self) -> str:
+        """Return local path to currently valid signing config file"""
+        if not self._updater:
+            _logger.debug("Using unverified signing config from cache")
+            return str(self._targets_dir / "signing_config.v0.2.json")
+
+        root_info = self._updater.get_targetinfo("signing_config.v0.2.json")
+        if root_info is None:
+            raise TUFError("Unsupported TUF configuration: no signing config")
+        path = self._updater.find_cached_target(root_info)
+        if path is None:
+            try:
+                path = self._updater.download_target(root_info)
+            except (
+                TUFExceptions.DownloadError,
+                TUFExceptions.RepositoryError,
+            ) as e:
+                raise TUFError("Failed to download trusted key bundle") from e
+
+        _logger.debug("Found and verified signing config")
+        return path
@@ -0,0 +1,38 @@
+{
+  "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
+  "caUrls": [
+    {
+      "url": "https://fulcio.sigstore.dev",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2022-04-13T20:06:15.000Z"
+      }
+    }
+  ],
+  "oidcUrls": [
+    {
+      "url": "https://oauth2.sigstore.dev/auth",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2025-04-30T00:00:00Z"
+      }
+    }
+  ],
+  "rekorTlogUrls": [
+    {
+      "url": "https://rekor.sigstore.dev",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2021-01-12T11:53:27.000Z"
+      }
+    }
+  ],
+  "tsaUrls": [
+  ],
+  "rekorTlogConfig": {
+    "selector": "ANY"
+  },
+  "tsaConfig": {
+    "selector": "ANY"
+  }
+}