From 444736aaad4a130dd9451108f0a77cd459fd2946 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 11 Dec 2023 17:31:18 -0500 Subject: [PATCH 01/33] Update TUF client to support options and add LiveTrustedRoot Signed-off-by: Cody Soyland --- cmd/conformance/main.go | 17 +- cmd/sigstore-go/main.go | 24 +- examples/oci-image-verification/go.mod | 39 +- examples/oci-image-verification/go.sum | 627 ++++-------------------- examples/oci-image-verification/main.go | 22 +- go.mod | 5 +- go.sum | 4 + pkg/root/trusted_root.go | 101 ++++ pkg/tuf/client.go | 229 +++++---- pkg/tuf/options.go | 81 +++ pkg/tuf/repository/root.json | 140 ++++++ 11 files changed, 633 insertions(+), 656 deletions(-) create mode 100644 pkg/tuf/options.go create mode 100644 pkg/tuf/repository/root.json diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go index c78cb543..8d96e6a5 100644 --- a/cmd/conformance/main.go +++ b/cmd/conformance/main.go @@ -57,10 +57,19 @@ func getTrustedRoot() root.TrustedMaterial { if !ok { log.Fatal("unable to get path") } - - tufDir := path.Join(path.Dir(filename), "tufdata") - - trustedRootJSON, err = tuf.GetTrustedrootJSON("tuf-repo-cdn.sigstore.dev", tufDir) + opts, err := tuf.DefaultOptions() + if err != nil { + log.Fatal(err) + } + opts.CachePath = path.Join(path.Dir(filename), "tufdata") + client, err := tuf.New(opts) + if err != nil { + log.Fatal(err) + } + trustedRootJSON, err = client.GetTarget("trusted_root.json") + if err != nil { + log.Fatal(err) + } } if err != nil { diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go index d143563f..6308276f 100644 --- a/cmd/sigstore-go/main.go +++ b/cmd/sigstore-go/main.go @@ -47,7 +47,6 @@ var onlineTlog *bool var trustedPublicKey *string var trustedrootJSONpath *string var tufRootURL *string -var tufDirectory *string func init() { artifact = flag.String("artifact", "", "Path to artifact to verify") 
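Review bot: In the cmd/conformance/main.go hunk, the repository and initial root that the conformance client trusts are no longer visible at the call site. The removed call named `tuf-repo-cdn.sigstore.dev` explicitly, while the new code takes whatever `tuf.DefaultOptions()` returns and overrides only `opts.CachePath`. `DefaultOptions` lives in pkg/tuf/options.go, outside this hunk, so its defaults can't be confirmed from here; a short comment above the call would keep the trust anchor auditable, e.g. `// repository URL and initial root come from tuf.DefaultOptions(); only the cache location is overridden`. Separately, `opts, err := tuf.DefaultOptions()` declares a new `err` inside the block, so the `if err != nil` after the closing brace no longer sees errors from this branch. The per-call checks cover it today, but dropping one would lose the error silently; the same pattern appears in `run()` in cmd/sigstore-go/main.go. getTrustedRoot starts and ends outside the hunk.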
@@ -63,7 +62,6 @@ func init() { trustedPublicKey = flag.String("publicKey", "", "Path to trusted public key") trustedrootJSONpath = flag.String("trustedrootJSONpath", "examples/trusted-root-public-good.json", "Path to trustedroot JSON file") tufRootURL = flag.String("tufRootURL", "", "URL of TUF root containing trusted root JSON file") - tufDirectory = flag.String("tufDirectory", "tufdata", "Directory to store TUF metadata") flag.Parse() if flag.NArg() == 0 { usage() @@ -120,20 +118,32 @@ func run() error { identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID)) var trustedMaterial = make(root.TrustedMaterialCollection, 0) - var trustedrootJSON []byte + var trustedRootJSON []byte if *tufRootURL != "" { - trustedrootJSON, err = tuf.GetTrustedrootJSON(*tufRootURL, *tufDirectory) + opts, err := tuf.DefaultOptions() + if err != nil { + return err + } + opts.RepositoryBaseURL = *tufRootURL + client, err := tuf.New(opts) + if err != nil { + return err + } + trustedRootJSON, err = client.GetTarget("trusted_root.json") + if err != nil { + return err + } } else if *trustedrootJSONpath != "" { - trustedrootJSON, err = os.ReadFile(*trustedrootJSONpath) + trustedRootJSON, err = os.ReadFile(*trustedrootJSONpath) } if err != nil { return err } - if len(trustedrootJSON) > 0 { + if len(trustedRootJSON) > 0 { var trustedRoot *root.TrustedRoot - trustedRoot, err = root.NewTrustedRootFromJSON(trustedrootJSON) + trustedRoot, err = root.NewTrustedRootFromJSON(trustedRootJSON) if err != nil { return err } diff --git a/examples/oci-image-verification/go.mod b/examples/oci-image-verification/go.mod index dff99d88..731e44f3 100644 --- a/examples/oci-image-verification/go.mod +++ b/examples/oci-image-verification/go.mod @@ -1,6 +1,8 @@ module github.com/sigstore/sigstore-go/examples/oci-image-verification -go 1.21 +go 1.21.5 + +replace github.com/sigstore/sigstore-go => ../../ require ( github.com/google/go-containerregistry v0.18.0 
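Review bot: In the `run()` hunk, `-tufRootURL` now sets only `opts.RepositoryBaseURL`, so the initial root of trust is still whatever `tuf.DefaultOptions()` supplies (defined outside this hunk, presumably the root.json this commit adds under pkg/tuf/repository). A repository that does not chain from that root should fail verification, which is the safe outcome. The flag help does not say this and still reads "URL of TUF root containing trusted root JSON file". If that is the intended behaviour, consider rewording it, e.g. `"Base URL of the TUF repository to fetch trusted_root.json from; metadata is verified against the default root of trust"`. With `-tufDirectory` removed, the cache location is also left to the default options, so a line in the usage text naming where metadata is cached would help anyone who needs to inspect or clear it. `run()` starts and ends outside the hunk.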
@@ -15,22 +17,22 @@ require ( github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect - github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647 // indirect + github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect github.com/docker/cli v24.0.0+incompatible // indirect github.com/docker/distribution v2.8.2+incompatible // indirect github.com/docker/docker v24.0.7+incompatible // indirect github.com/docker/docker-credential-helpers v0.7.0 // indirect - github.com/fsnotify/fsnotify v1.6.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-logr/logr v1.3.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/go-openapi/analysis v0.21.4 // indirect + github.com/go-openapi/analysis v0.22.0 // indirect github.com/go-openapi/errors v0.21.0 // indirect - github.com/go-openapi/jsonpointer v0.20.0 // indirect - github.com/go-openapi/jsonreference v0.20.2 // indirect - github.com/go-openapi/loads v0.21.2 // indirect + github.com/go-openapi/jsonpointer v0.20.2 // indirect + github.com/go-openapi/jsonreference v0.20.4 // indirect + github.com/go-openapi/loads v0.21.5 // indirect github.com/go-openapi/runtime v0.26.2 // indirect - github.com/go-openapi/spec v0.20.11 // indirect + github.com/go-openapi/spec v0.20.13 // indirect github.com/go-openapi/strfmt v0.22.0 // indirect github.com/go-openapi/swag v0.22.7 // indirect github.com/go-openapi/validate v0.22.3 // indirect 
@@ -55,29 +57,30 @@ require ( github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/pelletier/go-toml/v2 v2.1.0 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/sagikazarmark/locafero v0.3.0 // indirect + github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c // indirect + github.com/sagikazarmark/locafero v0.4.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/sassoftware/relic v7.2.1+incompatible // indirect github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/sigstore/rekor v1.3.4 // indirect - github.com/sigstore/timestamp-authority v1.2.0 // indirect + github.com/sigstore/timestamp-authority v1.2.1 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/sourcegraph/conc v0.3.0 // indirect - github.com/spf13/afero v1.10.0 // indirect - github.com/spf13/cast v1.5.1 // indirect + github.com/spf13/afero v1.11.0 // indirect + github.com/spf13/cast v1.6.0 // indirect github.com/spf13/cobra v1.8.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/spf13/viper v1.17.0 // indirect + github.com/spf13/viper v1.18.2 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect github.com/vbatts/tar-split v0.11.3 // indirect go.mongodb.org/mongo-driver v1.13.1 // indirect - go.opentelemetry.io/otel v1.19.0 // indirect - go.opentelemetry.io/otel/metric v1.19.0 // indirect - go.opentelemetry.io/otel/trace v1.19.0 // indirect + go.opentelemetry.io/otel v1.21.0 // indirect + go.opentelemetry.io/otel/metric v1.21.0 // indirect + go.opentelemetry.io/otel/trace v1.21.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.26.0 // indirect golang.org/x/crypto v0.18.0 // indirect 
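Review bot: The added `github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c // indirect` line brings in the new TUF client as a commit pseudo-version rather than a tagged release. go.sum still pins the content, so integrity is not the concern. For the library that handles trust-root updates, though, an untagged pin is harder to track against upstream fixes, and version-based advisory tooling may not map cleanly onto it. Since the requirement is indirect here, it presumably comes from the root go.mod (outside this hunk); a comment next to the direct requirement there, such as `// TODO: move to a tagged release once upstream publishes one`, would record the intent.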
@@ -88,8 +91,8 @@ require ( golang.org/x/sys v0.16.0 // indirect golang.org/x/term v0.16.0 // indirect golang.org/x/text v0.14.0 // indirect - google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect + google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f // indirect google.golang.org/protobuf v1.32.0 // indirect gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/examples/oci-image-verification/go.sum b/examples/oci-image-verification/go.sum index 0a2237ed..3421af49 100644 --- a/examples/oci-image-verification/go.sum +++ b/examples/oci-image-verification/go.sum 
@@ -1,125 +1,77 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= cloud.google.com/go v0.110.10 h1:LXy9GEO+timppncPIAZoOj3l58LIU9k+kn48AN7IO3Y= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery 
v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= -cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI= cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8= cloud.google.com/go/kms v1.15.5 h1:pj1sRfut2eRbD9pFRjNnPNg/CzJPuQAzUujMIM1vVeM= cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/storage v1.14.0/go.mod 
h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek= -filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= +filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18 h1:rd389Q26LMy03gG4anandGFC2LW/xvjga5GezeeaxQk= github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18/go.mod h1:fgJuSBrJP5qZtKqaMJE0hmhS2tmRH+44IkfZvjtaf1M= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0 h1:fb8kj/Dh4CSwgsOzHeZY4Xh68cFVbzXx+ONXGMY//4w= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0/go.mod h1:uReU2sSxZExRPBAg3qKzmAucSi51+SP1OhohieR821Q= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 h1:lGlwhPtrX6EVml1hO0ivjkUxsSyl4dsiw9qcA1k/3IQ= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1/go.mod h1:RKUqNu35KJYcVG/fqTRqmuXJZYNhYkBrnC/hX7yGbTA= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 h1:BMAjVKJM0U/CYF27gA0ZMmXGkOcvfFtD0oHVZ1TIPRI= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0/go.mod h1:1fXstnBMas5kzG+S3q8UoJcmyU6nUeunJcMDHcRYHhs= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 h1:d81/ng9rET2YqdVkVwkb6EXeRrLJIwyGnJcAlAWKwhs= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 h1:6oNBlSdi1QqM1PNW7FPA6xOGA5UNsXnkaYZz9vdPGhA= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys 
v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk= github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= -github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.48.7 h1:gDcOhmkohlNk20j0uWpko5cLBbwSkB+xpkshQO45F7Y= -github.com/aws/aws-sdk-go v1.48.7/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= -github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= -github.com/aws/aws-sdk-go-v2/config v1.19.1 h1:oe3vqcGftyk40icfLymhhhNysAwk0NfiwkDi2GTPMXs= -github.com/aws/aws-sdk-go-v2/config v1.19.1/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= -github.com/aws/aws-sdk-go-v2/credentials v1.13.43 
h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= -github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 h1:uRGw0UKo5hc7M2T7uGsK/Yg2qwecq/dnVjQbbq9RCzY= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.7/go.mod h1:z3O9CXfVrKAV3c9fMWOUUv2C6N2ggXCDHeXpOB6lAEk= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg= -github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU= 
-github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ= -github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8= -github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/aws-sdk-go v1.49.4 h1:qiXsqEeLLhdLgUIyfr5ot+N/dGPWALmtM1SetRmbUlY= +github.com/aws/aws-sdk-go v1.49.4/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go-v2 v1.24.0 h1:890+mqQ+hTpNuw0gGP6/4akolQkSToDJgHfQE7AwGuk= +github.com/aws/aws-sdk-go-v2 v1.24.0/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= +github.com/aws/aws-sdk-go-v2/config v1.26.1 h1:z6DqMxclFGL3Zfo+4Q0rLnAZ6yVkzCRxhRMsiRQnD1o= +github.com/aws/aws-sdk-go-v2/config v1.26.1/go.mod h1:ZB+CuKHRbb5v5F0oJtGdhFTelmrxd4iWO1lf0rQwSAg= +github.com/aws/aws-sdk-go-v2/credentials v1.16.12 h1:v/WgB8NxprNvr5inKIiVVrXPuuTegM+K8nncFkr1usU= +github.com/aws/aws-sdk-go-v2/credentials v1.16.12/go.mod h1:X21k0FjEJe+/pauud82HYiQbEr9jRKY3kXEIQ4hXeTQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10 h1:w98BT5w+ao1/r5sUuiH6JkVzjowOKeOJRHERyy1vh58= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10/go.mod h1:K2WGI7vUvkIv1HoNbfBA1bvIZ+9kL3YVmWxeKuLQsiw= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9 h1:v+HbZaCGmOwnTTVS86Fleq0vPzOd7tnJGbFhP0stNLs= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9/go.mod h1:Xjqy+Nyj7VDLBtCMkQYOw1QYfAEZCVLrfI0ezve8wd4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9 h1:N94sVhRACtXyVcjXxrwK1SKFIJrA9pOJ5yu2eSHnmls= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9/go.mod h1:hqamLz7g1/4EJP+GH5NBhcUMLjW+gKLQabgyz6/7WAU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 
h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9 h1:Nf2sHxjMJR8CSImIVCONRi4g0Su3J+TSTbS7G0pUeMU= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9/go.mod h1:idky4TER38YIjr2cADF1/ugFMKvZV7p//pVeV5LZbF0= +github.com/aws/aws-sdk-go-v2/service/kms v1.27.6 h1:zzaFokMF7UVk22/Igtb93A1ReGP50uu99ldLWaEMfHc= +github.com/aws/aws-sdk-go-v2/service/kms v1.27.6/go.mod h1:D9FVDkZjkZnnFHymJ3fPVz0zOUlNSd0xcIIVmmrAac8= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.5 h1:ldSFWz9tEHAwHNmjx2Cvy1MjP5/L9kNoR0skc6wyOOM= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.5/go.mod h1:CaFfXLYL376jgbP7VKC96uFcU8Rlavak0UlAwk1Dlhc= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5 h1:2k9KmFawS63euAkY4/ixVNsYYwrwnd5fIvgEKkfZFNM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5/go.mod h1:W+nd4wWDVkSUIox9bacmkBP5NMFQeTJ/xqNabpzSR38= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.5 h1:5UYvv8JUvllZsRnfrcMQ+hJ9jNICmcgKPAO1CER25Wg= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.5/go.mod h1:XX5gh4CB7wAs4KhcF46G6C8a2i7eupU19dcAAE+EydU= +github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM= +github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= -github.com/census-instrumentation/opencensus-proto 
v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= 
github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0= @@ -131,8 +83,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE= github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= -github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647 h1:WOk5Aclr/+sZ2/SX2YyxulNFwZOUhSrDJLw5KbHKmdE= -github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y= +github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 h1:lxmTCgmHE1GUYL7P0MlNa00M67axePTq+9nBSGddR8I= +github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y= github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM= github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= 
@@ -141,23 +93,16 @@ github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= -github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w= github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg= -github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= -github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/fsnotify/fsnotify 
v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= -github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 
@@ -166,33 +111,22 @@ github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-openapi/analysis v0.21.4 h1:ZDFLvSNxpDaomuCueM0BlSXxpANBlFYiBvr+GXrvIHc= -github.com/go-openapi/analysis v0.21.4/go.mod h1:4zQ35W4neeZTqh3ol0rv/O8JBbka9QyAgQRPp9y3pfo= -github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/analysis v0.22.0 h1:wQ/d07nf78HNj4u+KiSY0sT234IAyePPbMgpUjUJQR0= +github.com/go-openapi/analysis v0.22.0/go.mod h1:acDnkkCI2QxIo8sSIPgmp1wUlRohV7vfGtAIVae73b0= github.com/go-openapi/errors v0.21.0 h1:FhChC/duCnfoLj1gZ0BgaBmzhJC2SL/sJr8a2vAobSY= github.com/go-openapi/errors v0.21.0/go.mod h1:jxNTMUxRCKj65yb/okJGEtahVd7uvWnuWfj53bse4ho= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ= -github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA= -github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= -github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= -github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro= -github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw= +github.com/go-openapi/jsonpointer v0.20.2 
h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= +github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= +github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= +github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= +github.com/go-openapi/loads v0.21.5 h1:jDzF4dSoHw6ZFADCGltDb2lE4F6De7aWSpe+IcsRzT0= +github.com/go-openapi/loads v0.21.5/go.mod h1:PxTsnFBoBe+z89riT+wYt3prmSBP6GDAQh2l9H1Flz8= github.com/go-openapi/runtime v0.26.2 h1:elWyB9MacRzvIVgAZCBJmqTi7hBzU0hlKD4IvfX0Zl0= github.com/go-openapi/runtime v0.26.2/go.mod h1:O034jyRZ557uJKzngbMDJXkcKJVzXJiymdSfgejrcRw= -github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= -github.com/go-openapi/spec v0.20.11 h1:J/TzFDLTt4Rcl/l1PmyErvkqlJDncGvPTMnCI39I4gY= -github.com/go-openapi/spec v0.20.11/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= -github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg= +github.com/go-openapi/spec v0.20.13 h1:XJDIN+dLH6vqXgafnl5SUIMnzaChQ6QTo0/UPMbkIaE= +github.com/go-openapi/spec v0.20.13/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw= github.com/go-openapi/strfmt v0.22.0 h1:Ew9PnEYc246TwrEspvBdDHS4BVKXy/AOVsfqGDgAcaI= github.com/go-openapi/strfmt v0.22.0/go.mod h1:HzJ9kokGIju3/K6ap8jL+OlGAbjpSv27135Yr9OivU4= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/swag v0.22.7 h1:JWrc1uc/P9cSomxfnsFSVWoE1FW6bNbrVPmpQYpCcR8= github.com/go-openapi/swag v0.22.7/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= github.com/go-openapi/validate v0.22.3 
h1:KxG9mu5HBRYbecRb37KRCihvGGtND2aXziBAv0NNfyI= 
@@ -203,86 +137,32 @@ github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod 
h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/certificate-transparency-go v1.1.7 h1:IASD+NtgSTJLPdzkthwvAG1ZVbF2WtFg4IvoA68XGSw= github.com/google/certificate-transparency-go v1.1.7/go.mod h1:FSSBo8fyMVgqptbfF6j5p/XNdgQftAhSmXcIxV9iphE= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp 
v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.18.0 h1:ShE7erKNPqRh5ue6Z9DUOlk04WsnFWPO6YGr3OxnfoQ= github.com/google/go-containerregistry v0.18.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod 
h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= github.com/google/trillian v1.5.3 h1:3ioA5p09qz+U9/t2riklZtaQdZclaStp0/eQNfewNRg= github.com/google/trillian v1.5.3/go.mod h1:p4tcg7eBr7aT6DxrAoILpc3uXNfcuAvZSnQKonVg+Eo= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= github.com/googleapis/gax-go/v2 v2.12.0/go.mod 
h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= -github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= 
@@ -302,43 +182,31 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/vault/api v1.10.0 h1:/US7sIjWN6Imp4o/Rj1Ce2Nr5bki/AXi9vAW3p2tOJQ= github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU= github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b h1:ZGiXF8sz7PDk6RgkP+A/SFfUD0ZR/AgG6SpRNEDKZy8= github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b/go.mod 
h1:hQmNrgofl+IY/8L+n20H6E6PWBBTokdsv+q49j0QhsU= -github.com/jellydator/ttlcache/v3 v3.1.0 h1:0gPFG0IHHP6xyUyXq+JaD8fwkDCqgqwohXNJBcYE71g= -github.com/jellydator/ttlcache/v3 v3.1.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4= +github.com/jellydator/ttlcache/v3 v3.1.1 h1:RCgYJqo3jgvhl+fEWvjNW8thxGWsgxi+TPhRir1Y9y8= +github.com/jellydator/ttlcache/v3 v3.1.1/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs= github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= -github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= -github.com/kr/pty v1.1.1/go.mod 
h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= @@ -347,9 +215,6 @@ github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e h1:RLTpX495BXT github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e/go.mod h1:EAuqr9VFWxBi9nD5jc/EA2MT1RFty9288TF6zdtYoCU= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= 
@@ -361,12 +226,9 @@ github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvls github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -381,27 +243,26 @@ github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= -github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= +github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rdimitrov/go-tuf-metadata 
v0.0.0-20231211110834-6de72dba550c h1:Y4Mx6GbsUbzvV41SuQfE671gKAXdILTSGdUe4+8y7DE= +github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c/go.mod h1:3l8VADBl9myZ4VNSQtmM46iEA+jolS2ZFviLocdyWPw= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/sagikazarmark/locafero v0.3.0 h1:zT7VEGWC2DTflmccN/5T1etyKvxSxpHsjb9cJvm4SvQ= -github.com/sagikazarmark/locafero v0.3.0/go.mod h1:w+v7UsPNFwzF1cHuOajOOzoq4U7v/ig1mpRjqV+Bu1U= +github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ= +github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A= 
@@ -420,41 +281,36 @@ github.com/sigstore/rekor v1.3.4 h1:RGIia1iOZU7fOiiP2UY/WFYhhp50S5aUm7YrM8aiA6E= github.com/sigstore/rekor v1.3.4/go.mod h1:1GubPVO2yO+K0m0wt/3SHFqnilr/hWbsjSOe7Vzxrlg= github.com/sigstore/sigstore v1.8.1 h1:mAVposMb14oplk2h/bayPmIVdzbq2IhCgy4g6R0ZSjo= github.com/sigstore/sigstore v1.8.1/go.mod h1:02SL1158BSj15bZyOFz7m+/nJzLZfFd9A8ab3Kz7w/E= -github.com/sigstore/sigstore-go v0.0.0-20240103204255-44c7c85ab358 h1:JxB4RLR1oXrClCIRv7qpJy5PoXXqgCYPoIKbCX/pL5M= -github.com/sigstore/sigstore-go v0.0.0-20240103204255-44c7c85ab358/go.mod h1:WOV1MbjJBKKn28Tuz90/2f2wJqL+yQ/ClxQJayfN/sM= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.5 h1:ilufPp36exfpivctI3ElU4ZTckP3eVu6RxYebBb6u+M= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.5/go.mod h1:121n8nBnuXbcI6K0hIBo/0EMYiyXqGVzbIYd0rV0ZWw= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.5 h1:gLdNJJo+xMf7+IeFRlyA/Pjavndo9rivmf5ioYeuPmM= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.5/go.mod h1:9nJQA5YgWsXrwjrVoVaO8JfTI/TpPF+oAkpkNKZu6lo= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.5 h1:Ku3MD55VXR7+uezCS4LOY0+y2EZFlGCGFyzl+ZSoPyo= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.5/go.mod h1:FsNzxmFGATZS5ynkJLLXm9g2zHD0Xw23iJs7lM/asPo= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.5 h1:yWNBuL52Je3ukUGry1qwg00ujJF2UFWShzXFIAtmxZU= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.5/go.mod h1:EI9vDWVGG8fQU9aFMY7Bd204xJiqmXcDMSkFifCf16Q= -github.com/sigstore/timestamp-authority v1.2.0 h1:Ffk10QsHxu6aLwySQ7WuaoWkD63QkmcKtozlEFot/VI= -github.com/sigstore/timestamp-authority v1.2.0/go.mod h1:ojKaftH78Ovfow9DzuNl5WgTCEYSa4m5622UkKDHRXc= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.0 h1:nLaaOX85YjBKQOQHWY2UlDkbx+je8ozTEM+t1ySAb78= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.0/go.mod h1:fLxrKqPP9lIz/B3UBD4ZK6j6984eX2czu/0zxm99fkE= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.0 
h1:Txd7Fjei2NVb/sjBNYybrl+FcZGptO6FXXH4pVNBQMs= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.0/go.mod h1:mZjoLdfxFzo61abWNQisk8BcUbGshTO5HCpPRjzuPUs= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.0 h1:vQKLGL2H3L6AWnTddmF4TPKKNAM6GX1CtLsvIhCtjOw= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.0/go.mod h1:eaY3HCZUSNzqfkGsvkHSCkBlTQIQ4Sym9po09fAJw5w= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.0 h1:PspwJqJtD4bo0Aboo2UBrvznNUK7ETjD270GD9WLI88= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.0/go.mod h1:8ta2z6+ZsN8o3EdxGgpSn6VCAkTqLztV0L4YnLCwrwU= +github.com/sigstore/timestamp-authority v1.2.1 h1:j9RmqSAdvKgSofeltPO4x7d+1M3AXaROBzUJ+AA7L5Q= +github.com/sigstore/timestamp-authority v1.2.1/go.mod h1:Ce+vWWEf0QaKLY2u6mpwEJbmYXEVeOfUk4fQ69kE6ck= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= -github.com/spf13/afero v1.10.0 h1:EaGW2JJh15aKOejeuJ+wpFSHnbd7GE6Wvp3TsNhb6LY= -github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ= -github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA= -github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48= +github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= +github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= +github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= +github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= 
github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.17.0 h1:I5txKw7MJasPL/BrfkbA0Jyo/oELqVmux4pR/UxOMfI= -github.com/spf13/viper v1.17.0/go.mod h1:BmMMMLQXSbcHK6KAOiFLz0l5JHrU89OdIRHvsk0+yVI= +github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ= +github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 
@@ -465,7 +321,6 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= 
@@ -474,39 +329,30 @@ github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck= github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= -github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= -github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zalando/go-keyring v0.2.2 h1:f0xmpYiSrHtSNAVgwip93Cg8tuF45HJM6rHq/A5RI/4= github.com/zalando/go-keyring v0.2.2/go.mod h1:sI3evg9Wvpw3+n4SqplGSJUMwtDeROfD4nsFz4z9PG0= -go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8= go.mongodb.org/mongo-driver v1.13.1 h1:YIc7HTYsKndGK4RFzJ3covLz1byri52x0IoMB0Pt/vk= go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod 
h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs= -go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= -go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE= -go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 h1:SpGay3w+nEwMpfVnbqOLH5gY52/foP8RE8UzTZ1pdSE= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1/go.mod h1:4UoMYEZOC0yN/sPGH76KPkkU7zgiEWYWL9vwmbnTJPE= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo= +go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc= +go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo= +go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4= +go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM= go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= -go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg= -go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= -go.step.sm/crypto v0.38.0 
h1:kRVtzOjplP5xDh9UlenXdDAtXWCfVL6GevZgpiom1Zg= -go.step.sm/crypto v0.38.0/go.mod h1:0Cv9UB8sHqnsLO14FhboDE/OIN993c3G0ImOafTS2AI= +go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8fpfLc= +go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ= +go.step.sm/crypto v0.40.0 h1:356UwJSM4Nhg5b5AjjjLlBNkf92Vw3Gi2r3vbEv72oc= +go.step.sm/crypto v0.40.0/go.mod h1:gfQMeTQXykihbS8e2Tdn0jtd9HbsQ7vbt+kp7efLA7U= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
@@ -514,363 +360,86 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8 go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp 
v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI= golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod 
h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod 
h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod 
h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys 
v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools 
v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools 
v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= 
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.152.0 h1:t0r1vPnfMc260S2Ci+en7kfCZaLOPs5KI0sVV/6jZrY= -google.golang.org/api v0.152.0/go.mod h1:3qNJX5eOmhiWYc67jRA/3GsDw97UFb5ivv7Y2PrriAY= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/api v0.154.0 h1:X7QkVKZBskztmpPKWQXgjJRPA2dJYrL6r+sYPRLj050= +google.golang.org/api v0.154.0/go.mod h1:qhSMkM85hgqiokIYsrRyKxrjfBeIhgl4Z2JmeRkYylc= google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod 
h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto 
v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ= -google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY= -google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 h1:JpwMPBpFN3uKhdaekDpiNlImDdkUAyiJ6ez/uxGaUSo= -google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f h1:ultW7fxlIvee4HYrtnaRPon9HpEgFk5zYpmfMgtKB5I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f/go.mod h1:L9KNLi232K1/xB6f7AlSX692koaRnKaWSR0stBki0Yc= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.1/go.mod 
h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f h1:Vn+VyHU5guc9KjB5KrjI2q0wCOWEOIh0OEsleqakHJg= +google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f/go.mod h1:nWSwAFPb+qfNJXsoeO3Io7zf4tMSfN8EA8RlDA04GhY= +google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f h1:2yNACc1O40tTnrsbk9Cv6oxiW8pxI/pXj0wRtdlYmgY= +google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f/go.mod h1:Uy9bTZJqmfrw2rIBxgGLnamc78euZULUBrLZ9XTITKI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231127180814-3a041ad873d4 h1:DC7wcm+i+P1rN3Ff07vL+OndGg5OhNddHyTA+ocPqYE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231127180814-3a041ad873d4/go.mod h1:eJVxU6o+4G1PSczBr85xmyvSNYAKvAYgkub40YGomFM= google.golang.org/grpc v1.59.0 
h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= 
gopkg.in/go-jose/go-jose.v2 v2.6.1 h1:qEzJlIDmG9q5VO0M/o8tGS65QMHMS1w01TQJB1VPJ4U= gopkg.in/go-jose/go-jose.v2 v2.6.1/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod 
h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= -rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE= diff --git a/examples/oci-image-verification/main.go b/examples/oci-image-verification/main.go index 2c048795..1d9122be 100644 --- a/examples/oci-image-verification/main.go +++ b/examples/oci-image-verification/main.go @@ -142,20 +142,32 @@ func run() error { } var trustedMaterial = make(root.TrustedMaterialCollection, 0) - var trustedrootJSON []byte + var trustedRootJSON []byte if *tufRootURL != "" { - trustedrootJSON, err = tuf.GetTrustedrootJSON(*tufRootURL, *tufDirectory) + opts, err := tuf.DefaultOptions() + if err != nil { + return err + } + opts.RepositoryBaseURL = *tufRootURL + client, err := tuf.New(opts) + if err != nil { + return err + } + trustedRootJSON, err = client.GetTarget("trusted_root.json") + if err != nil { + return err + } } else if *trustedrootJSONpath != "" { - trustedrootJSON, err = os.ReadFile(*trustedrootJSONpath) + trustedRootJSON, err = os.ReadFile(*trustedrootJSONpath) } if err != nil { return err } - if len(trustedrootJSON) > 0 { + if len(trustedRootJSON) > 0 { var trustedRoot *root.TrustedRoot - trustedRoot, err = root.NewTrustedRootFromJSON(trustedrootJSON) + trustedRoot, err = root.NewTrustedRootFromJSON(trustedRootJSON) if err != nil { return err } diff --git a/go.mod b/go.mod index 7a5c564c..40419a22 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/sigstore/sigstore-go -go 1.21 +go 1.21.5 require ( github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 
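Review bot: In `run`, the new `if *tufRootURL != ""` branch overrides only `opts.RepositoryBaseURL`, so `opts.Root` is still the embedded public-good `root.json` from `tuf.DefaultOptions()`, and a repository with a different root of trust presumably cannot be bootstrapped through this flag. The removed `GetTrustedrootJSON` prefixed the value with `https://`, whereas the new code passes the flag through unchanged, so a bare host name no longer works and an `http://` value is accepted as given; I would validate it up front, e.g. `if u, perr := url.Parse(*tufRootURL); perr != nil || u.Scheme != "https" { return fmt.Errorf("tufRootURL must be an https URL: %q", *tufRootURL) }`. `*tufDirectory` is no longer read here, so that flag (defined outside this hunk, if it still exists) appears to be silently ignored. `run` starts and ends outside the hunk, and the same pattern appears in the `cmd/sigstore-go/main.go` hunk of the following patch.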
@@ -10,13 +10,13 @@ require ( github.com/go-openapi/swag v0.22.7 github.com/google/certificate-transparency-go v1.1.7 github.com/in-toto/in-toto-golang v0.9.0 + github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c github.com/secure-systems-lab/go-securesystemslib v0.8.0 github.com/sigstore/protobuf-specs v0.2.1 github.com/sigstore/rekor v1.3.4 github.com/sigstore/sigstore v1.8.1 github.com/sigstore/timestamp-authority v1.2.1 github.com/stretchr/testify v1.8.4 - github.com/theupdateframework/go-tuf v0.7.0 golang.org/x/mod v0.14.0 google.golang.org/protobuf v1.32.0 ) @@ -66,6 +66,7 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.18.2 // indirect github.com/subosito/gotenv v1.6.0 // indirect + github.com/theupdateframework/go-tuf v0.7.0 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect go.mongodb.org/mongo-driver v1.13.1 // indirect diff --git a/go.sum b/go.sum index f30f54b4..d7a5037b 100644 --- a/go.sum +++ b/go.sum @@ -238,6 +238,8 @@ github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lne github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c h1:Y4Mx6GbsUbzvV41SuQfE671gKAXdILTSGdUe4+8y7DE= +github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c/go.mod h1:3l8VADBl9myZ4VNSQtmM46iEA+jolS2ZFviLocdyWPw= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
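Review bot: The direct requirement added in the `require` block, `github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c`, pins the TUF client, which is the code that verifies the trust root, to an untagged commit of a module outside the `theupdateframework` organisation. Pseudo-versions are still covered by `go.sum`, so this is about maintenance rather than integrity: there is no release line to follow for security fixes. I would record the intent next to the line, e.g. `// TODO: move to a tagged release once one is available`, so the pin gets revisited.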
@@ -273,6 +275,8 @@ github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.0 h1:PspwJqJtD4bo github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.0/go.mod h1:8ta2z6+ZsN8o3EdxGgpSn6VCAkTqLztV0L4YnLCwrwU= github.com/sigstore/timestamp-authority v1.2.1 h1:j9RmqSAdvKgSofeltPO4x7d+1M3AXaROBzUJ+AA7L5Q= github.com/sigstore/timestamp-authority v1.2.1/go.mod h1:Ce+vWWEf0QaKLY2u6mpwEJbmYXEVeOfUk4fQ69kE6ck= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= diff --git a/pkg/root/trusted_root.go b/pkg/root/trusted_root.go index dac46549..65558ba9 100644 --- a/pkg/root/trusted_root.go +++ b/pkg/root/trusted_root.go @@ -20,11 +20,14 @@ import ( "crypto/x509" "encoding/hex" "fmt" + "log" "os" + "sync" "time" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" prototrustroot "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1" + "github.com/sigstore/sigstore-go/pkg/tuf" "google.golang.org/protobuf/encoding/protojson" ) 
@@ -256,3 +259,101 @@ func NewTrustedRootProtobuf(rootJSON []byte) (*prototrustroot.TrustedRoot, error } return pbTrustedRoot, nil } + +// FetchTrustedRoot fetches the Sigstore trusted root from TUF and returns it. +func FetchTrustedRoot() (*TrustedRoot, error) { + opts, err := tuf.DefaultOptions() + if err != nil { + return nil, err + } + client, err := tuf.New(opts) + if err != nil { + return nil, err + } + return GetTrustedRoot(client) +} + +// GetTrustedRoot returns the trusted root +func GetTrustedRoot(c *tuf.Client) (*TrustedRoot, error) { + jsonBytes, err := c.GetTarget("trusted_root.json") + if err != nil { + return nil, err + } + return NewTrustedRootFromJSON(jsonBytes) +} + +// LiveTrustedRoot is a wrapper around TrustedRoot that periodically +// refreshes the trusted root from TUF. This is needed for long-running +// processes to ensure that the trusted root does not expire. +type LiveTrustedRoot struct { + *TrustedRoot + mu sync.RWMutex +} + +// NewLiveTrustedRoot returns a LiveTrustedRoot that will periodically +// refresh the trusted root from TUF. 
+func NewLiveTrustedRoot(opts *tuf.Options) (*LiveTrustedRoot, error) { + client, err := tuf.New(opts) + if err != nil { + return nil, err + } + tr, err := GetTrustedRoot(client) + if err != nil { + return nil, err + } + ltr := &LiveTrustedRoot{ + TrustedRoot: tr, + mu: sync.RWMutex{}, + } + ticker := time.NewTicker(time.Hour * 24) + go func() { + for { + select { + case <-ticker.C: + client, err = tuf.New(opts) + if err != nil { + log.Printf("error creating TUF client: %v", err) + } + newTr, err := GetTrustedRoot(client) + if err != nil { + log.Printf("error fetching trusted root: %v", err) + continue + } + ltr.mu.Lock() + ltr.TrustedRoot = newTr + ltr.mu.Unlock() + } + } + }() + return ltr, nil +} + +func (l *LiveTrustedRoot) TSACertificateAuthorities() []CertificateAuthority { + l.mu.RLock() + defer l.mu.RUnlock() + return l.TrustedRoot.TSACertificateAuthorities() +} + +func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority { + l.mu.RLock() + defer l.mu.RUnlock() + return l.TrustedRoot.FulcioCertificateAuthorities() +} + +func (l *LiveTrustedRoot) TlogAuthorities() map[string]*TlogAuthority { + l.mu.RLock() + defer l.mu.RUnlock() + return l.TrustedRoot.TlogAuthorities() +} + +func (l *LiveTrustedRoot) CTlogAuthorities() map[string]*TlogAuthority { + l.mu.RLock() + defer l.mu.RUnlock() + return l.TrustedRoot.CTlogAuthorities() +} + +func (l *LiveTrustedRoot) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error) { + l.mu.RLock() + defer l.mu.RUnlock() + return l.TrustedRoot.PublicKeyVerifier(keyID) +} diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index cfdd7d4d..328fd573 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go 
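Review bot: In the refresh goroutine of `NewLiveTrustedRoot`, a failed `tuf.New(opts)` is only logged, so the next statement calls `GetTrustedRoot(client)` with the nil client that `tuf.New` returns on error, and `c.GetTarget` will dereference it and crash the process; add `continue` after `log.Printf("error creating TUF client: %v", err)`. The goroutine and its `time.NewTicker(time.Hour * 24)` also have no stop path, so every `LiveTrustedRoot` leaks both; accepting a `context.Context` or exposing a `Close` method that stops the ticker would fix that. Because `*TrustedRoot` is an exported embedded field, any promoted method not wrapped below, and any direct read of `l.TrustedRoot`, bypasses `mu` while the goroutine swaps the pointer. A refresh that keeps failing is visible only in the log, so callers cannot tell that they are verifying against a stale root.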
@@ -15,137 +15,184 @@ package tuf import ( - "bytes" - "embed" - "encoding/json" "fmt" - "path" - - tufclient "github.com/theupdateframework/go-tuf/client" - filejsonstore "github.com/theupdateframework/go-tuf/client/filejsonstore" - tufdata "github.com/theupdateframework/go-tuf/data" - tufutil "github.com/theupdateframework/go-tuf/util" + "net/url" + "os" + "path/filepath" + "strings" + "time" + + "github.com/rdimitrov/go-tuf-metadata/metadata/config" + "github.com/rdimitrov/go-tuf-metadata/metadata/updater" ) -//go:embed repository -var embeddedRepos embed.FS - -const TrustedRootTUFPath = "trusted_root.json" -const RootTUFPath = "root.json" - -// Implementation of go-tuf/client.Destination interface -type Writer struct { - Bytes []byte +// Client is a Sigstore TUF client +type Client struct { + cfg *config.UpdaterConfig + up *updater.Updater + opts *Options } -func (w *Writer) Write(b []byte) (int, error) { - w.Bytes = append(w.Bytes, b...) - return len(b), nil -} - -func (w *Writer) Delete() error { - w = nil - return nil -} - -func GetTrustedrootJSON(tufRootURL, workPath string) (trustedrootJSON []byte, err error) { - // Ensure we have a RootTUFPath file for this TUF URL - tufPath := path.Join(workPath, tufRootURL) - - fileJSONStore, err := filejsonstore.NewFileJSONStore(tufPath) - if err != nil { - return nil, err +// New returns a new client with custom options +func New(opts *Options) (*Client, error) { + var c = Client{ + opts: opts, } + var dir = filepath.Join(opts.CachePath, URLToPath(opts.RepositoryBaseURL)) + var err error - tufMetaMap, err := fileJSONStore.GetMeta() - if err != nil { - return nil, err + if c.cfg, err = config.New(opts.RepositoryBaseURL, opts.Root); err != nil { + return nil, fmt.Errorf("failed to create TUF repo: %w", err) } - _, ok := tufMetaMap[RootTUFPath] - if !ok { - // There isn't a RootTUFPath for this TUF URL, so see if the library has one embedded - _, err = checkEmbedded(tufRootURL, fileJSONStore) - - if err != nil { - return 
nil, err - } + c.cfg.LocalMetadataDir = dir + c.cfg.LocalTargetsDir = filepath.Join(dir, "targets") + c.cfg.RemoteTargetsURL, err = url.JoinPath(opts.RepositoryBaseURL, "targets") + if err != nil { + return nil, fmt.Errorf("malformed config mirror: %w", err) } + c.cfg.DisableLocalCache = c.opts.DisableLocalCache + c.cfg.PrefixTargetsWithHash = true - // Now that we have fileJSONStore, create a tufclient and check remote for updates - tufRemoteOptions := &tufclient.HTTPRemoteOptions{ - MetadataPath: "", - TargetsPath: "targets", - Retries: tufclient.DefaultHTTPRetries, + if c.cfg.DisableLocalCache { + c.opts.CachePath = "" + c.opts.CacheValidity = 0 + c.opts.ForceCache = false } - tufRemoteStore, err := tufclient.HTTPRemoteStore(fmt.Sprintf("https://%s", tufRootURL), tufRemoteOptions, nil) + // Upon client creation, we may not perform a full TUF update, + // based on the cache control configuration. Start with a local + // client (only reads content on disk) and then decide if we + // must perform a full TUF update. + var tmpCfg = *c.cfg + tmpCfg.UnsafeLocalMode = true + c.up, err = updater.New(&tmpCfg) if err != nil { return nil, err } + if err = c.loadMetadata(); err != nil { + return nil, err + } - tufClient := tufclient.NewClient(fileJSONStore, tufRemoteStore) - targetFiles, err := tufClient.Update() + return &c, nil +} + +// DefaultClient returns a Sigstore TUF client for the public good instance +func DefaultClient() (*Client, error) { + opts, err := DefaultOptions() if err != nil { return nil, err } + return New(opts) +} - // Now that we've updated, see if remote trustedroot metadata matches local disk - trustedrootMeta, ok := targetFiles[TrustedRootTUFPath] - if !ok { - return nil, fmt.Errorf("Unable to find %s via TUF", TrustedRootTUFPath) +// loadMetadata controls if the client actually should perform a TUF refresh. 
+// The TUF specification mandates so, but for certain Sigstore clients, it +// may be beneficial to rely on the cache, or in air-gapped deployments it +// it may not even be possible. +func (c *Client) loadMetadata() error { + // Load the metadata into memory and verify it + if err := c.up.Refresh(); err != nil { + // this is most likely due to the lack of metadata files + // on disk. Perform a full update and return. + return c.Refresh() } - trustedroot, ok := tufMetaMap[TrustedRootTUFPath] - if ok { - if ok, _ := validTarget(trustedrootMeta, trustedroot); ok { - return trustedroot, nil + var tm = c.up.GetTrustedMetadataSet() + if c.opts.ForceCache { + // Use cache until it expires + if tm.Timestamp.Signed.IsExpired(time.Now()) { + return c.Refresh() } - } - // What's on disk didn't match, so download from TUF remote (and cache it to disk) - writer := &Writer{ - Bytes: make([]byte, 0), - } + // Cache not expired, return + return nil + } else if c.opts.CacheValidity > 0 { + // Use cached metadata for up to CacheValidity days. + // This is a bit of an hack, as we don't know when the + // last the it was updated, fallback to check the + // modification time of timestamp.json + if tm.Timestamp.Signed.IsExpired(time.Now()) { + // Always update if the timestamp is expired + return c.Refresh() + } - err = tufClient.Download(TrustedRootTUFPath, writer) - if err != nil { - return nil, err - } + var p = filepath.Join( + c.opts.CachePath, + URLToPath(c.opts.RepositoryBaseURL), + "timestamp.json", + ) + fi, err := os.Stat(p) + if err != nil { + // Failed to get info on the file, fall back + // and update if needed + return c.Refresh() + } - err = fileJSONStore.SetMeta(TrustedRootTUFPath, writer.Bytes) - if err != nil { - return nil, err + if fi.ModTime().After(time.Now().Add( + time.Duration(-24*c.opts.CacheValidity) * time.Hour)) { + // No need to update + return nil + } + // A TUF client refresh will now happen (c.Refresh), + // update the mod time for the timestamp. 
+ // + // Ignore the error here, there is no need to fail + // operation only because the file's metadata could + // not be updated + //nolint:errcheck + os.Chtimes(p, time.Now(), time.Now()) } - return writer.Bytes, nil + return c.Refresh() } -func checkEmbedded(tufRootURL string, fileJSONStore *filejsonstore.FileJSONStore) (json.RawMessage, error) { - embeddedRootPath := path.Join("repository", tufRootURL, RootTUFPath) +// Refresh forces a refresh of the underlying TUF client. +// As the tuf client does not support multiple refreshes during its +// life-time, this will replace the TUF client with a new one. +func (c *Client) Refresh() error { + var err error - root, err := embeddedRepos.ReadFile(embeddedRootPath) + c.up, err = updater.New(c.cfg) if err != nil { - return nil, err + return err } + return c.up.Refresh() +} - err = fileJSONStore.SetMeta(RootTUFPath, root) +// GetTarget returns a target file from the TUF repository +func (c *Client) GetTarget(target string) ([]byte, error) { + ti, err := c.up.GetTargetInfo(target) if err != nil { - return nil, err + return nil, fmt.Errorf("target %s not found: %w", target, err) } - return root, nil -} + path, tb, err := c.up.FindCachedTarget(ti, "") + if err != nil { + return nil, fmt.Errorf("error getting target cache: %w", err) + } + if path != "" { + // Cached version found + return tb, nil + } -func validTarget(expected tufdata.TargetFileMeta, localTarget []byte) (bool, error) { - got, err := tufutil.GenerateTargetFileMeta( - bytes.NewReader(localTarget), - "sha256", "sha512") + // Download of target is needed + _, tb, err = c.up.DownloadTarget(ti, "", "") if err != nil { - return false, err + return nil, fmt.Errorf("failed to download target file %s - %w", target, err) } - if err = tufutil.TargetFileMetaEqual(got, expected); err != nil { - return false, err + + return tb, nil +} + +// URLToPath converts a URL to a filename-compatible string +func URLToPath(url string) string { + // Strip scheme, replace slashes 
with dashes + // e.g. https://github.github.com/prod-tuf-root -> github.github.com-prod-tuf-root + fn := url + if len(fn) > 8 && fn[:8] == "https://" { + fn = fn[8:] } - return true, nil + fn = strings.ReplaceAll(fn, "/", "-") + return fn } diff --git a/pkg/tuf/options.go b/pkg/tuf/options.go new file mode 100644 index 00000000..8bd844cd --- /dev/null +++ b/pkg/tuf/options.go 
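Review bot: In `loadMetadata`, `os.Chtimes(p, time.Now(), time.Now())` runs before the `c.Refresh()` it is meant to record, so a refresh that fails (for example while the repository is unreachable) still resets the modification time, and the next run within `CacheValidity` days treats the stale cache as fresh. Moving the call after a successful refresh closes that gap: `if err := c.Refresh(); err != nil { return err }` followed by the `os.Chtimes` call. The window is bounded by the signed timestamp expiry checked above, but the modification time itself is unauthenticated local state, which deserves a sentence in the doc comment. Separately, `URLToPath` strips only `https://`, so any other scheme ends up in the cache directory name, and `New` dereferences `opts` without a nil check.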
@@ -0,0 +1,81 @@ +// Copyright 2023 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tuf + +import ( + "embed" + "os" + "path/filepath" +) + +//go:embed repository +var embeddedRepo embed.FS + +const DefaultMirror = "https://tuf-repo-cdn.sigstore.dev" + +// Options represent the various options for a Sigstore TUF Client +// +// Note that currently, the cache control is not working. Upon initialization +// the client will *ALWAYS* perform a TUF update. +type Options struct { + // CacheValidity period in days (default 1) + CacheValidity int + // ForceCache controls if the cache should be used without update + // as long as the metadata is valid + ForceCache bool + // Root is the TUF trust anchor + Root []byte + // CachePath is the location on disk for TUF cache + // (default $HOME/.sigstore/tuf) + CachePath string + // RepositoryBaseURL is the TUF repository location URL + // (default https://tuf-repo-cdn.sigstore.dev) + RepositoryBaseURL string + // DisableLocalCache mode allows a client to work on a read-only + // files system if this is set, cache path is ignored. 
+ DisableLocalCache bool +} + +// DefaultOptions returns an options struct for the public good instance +func DefaultOptions() (*Options, error) { + var opts Options + var err error + + opts.Root, err = DefaultRoot() + if err != nil { + return nil, err + } + home, err := os.UserHomeDir() + if err != nil { + return nil, err + } + opts.CacheValidity = 1 + opts.CachePath = filepath.Join(home, ".sigstore", "root") + opts.RepositoryBaseURL = DefaultMirror + + return &opts, nil +} + +// DefaultRoot returns the root.json for the public good instance +func DefaultRoot() ([]byte, error) { + var p = filepath.Join("repository", "root.json") + + b, err := embeddedRepo.ReadFile(p) + if err != nil { + return nil, err + } + + return b, nil +} diff --git a/pkg/tuf/repository/root.json b/pkg/tuf/repository/root.json new file mode 100644 index 00000000..ff409163 --- /dev/null +++ b/pkg/tuf/repository/root.json 
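Review bot: `DefaultRoot` builds the embedded path with `filepath.Join("repository", "root.json")`, but `embed.FS` paths are always slash-separated, so on Windows the lookup uses a backslash and `ReadFile` fails; use the literal instead, `b, err := embeddedRepo.ReadFile("repository/root.json")`. The next patch in this series turns that error into a `panic`, which makes the failure a crash on that platform. The `CachePath` field comment documents the default as `$HOME/.sigstore/tuf` while `DefaultOptions` sets `filepath.Join(home, ".sigstore", "root")`; one of the two should change.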
@@ -0,0 +1,140 @@ +{ + "signed": { + "_type": "root", + "spec_version": "1.0", + "version": 8, + "expires": "2024-03-26T04:38:55Z", + "keys": { + "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" + } + }, + "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" + } + }, + "45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n" + } + }, + "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" + } + }, + "e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + 
"sha256", + "sha512" + ], + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" + } + }, + "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n" + } + }, + "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c": { + "keytype": "ecdsa-sha2-nistp256", + "scheme": "ecdsa-sha2-nistp256", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" + } + } + }, + "roles": { + "root": { + "keyids": [ + "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", + "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", + "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", + "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", + "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de" + ], + "threshold": 3 + }, + "snapshot": { + "keyids": [ + "45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b" + ], + "threshold": 1 + }, + "targets": { + "keyids": [ + "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", + "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", + "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", + "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", + 
"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de" + ], + "threshold": 3 + }, + "timestamp": { + "keyids": [ + "e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a" + ], + "threshold": 1 + } + }, + "consistent_snapshot": true + }, + "signatures": [ + { + "keyid": "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", + "sig": "3044022024b8036b374f7071723f3f2cb1979c42e5da1910f0b178835ad546e3c360836302207140ccd408afcf8720dd9bea7f00325768c3aa47c22d531c849c974fd50e45dd" + }, + { + "keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", + "sig": "3046022100dcb1a96ecbfc05768a3c73726a92d681da78eaec068a9a0cfe13a12db672e44b022100a0dae7bc2e6b953e215f57cc614eb71660b9461d6dc86264b0b74a4f2e1307e1" + }, + { + "keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de", + "sig": "3046022100c4708d94077cb3d6dd60ebd2dd66545e7afb0464ce2593a5f23f6e3604b9f21e022100992e969cd5069eab17439b2ba60743fe422877bc1a1c46e935a6d5cb47b3cfc6" + }, + { + "keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", + "sig": "3045022051faa6b6fc373730b97c1a4cd92d03efd98b83d4c9c93bf4f404d1f88ea2eb18022100f71ac1cd73dcba950f4210b12f9a05b8140b0490247c5339191e842b868155b4" + } + ] +} \ No newline at end of file From 035c0849c4bf27f2ed9ea35fb1196b94eb37d5bc Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 22 Dec 2023 09:54:22 +0100 Subject: [PATCH 02/33] Make sure DefaultOptions never fails Signed-off-by: Fredrik Skogman --- cmd/conformance/main.go | 5 +---- cmd/sigstore-go/main.go | 5 +---- pkg/root/trusted_root.go | 5 +---- pkg/tuf/client.go | 6 ++---- pkg/tuf/options.go | 26 +++++++++++++------------- 5 files changed, 18 insertions(+), 29 deletions(-) diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go index 8d96e6a5..d6c40263 100644 --- a/cmd/conformance/main.go +++ b/cmd/conformance/main.go 
@@ -57,10 +57,7 @@ func getTrustedRoot() root.TrustedMaterial { if !ok { log.Fatal("unable to get path") } - opts, err := tuf.DefaultOptions() - if err != nil { - log.Fatal(err) - } + opts := tuf.DefaultOptions() opts.CachePath = path.Join(path.Dir(filename), "tufdata") client, err := tuf.New(opts) if err != nil { diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go index 6308276f..18fc5aa6 100644 --- a/cmd/sigstore-go/main.go +++ b/cmd/sigstore-go/main.go @@ -121,10 +121,7 @@ func run() error { var trustedRootJSON []byte if *tufRootURL != "" { - opts, err := tuf.DefaultOptions() - if err != nil { - return err - } + opts := tuf.DefaultOptions() opts.RepositoryBaseURL = *tufRootURL client, err := tuf.New(opts) if err != nil { diff --git a/pkg/root/trusted_root.go b/pkg/root/trusted_root.go index 65558ba9..fca154dd 100644 --- a/pkg/root/trusted_root.go +++ b/pkg/root/trusted_root.go @@ -262,10 +262,7 @@ func NewTrustedRootProtobuf(rootJSON []byte) (*prototrustroot.TrustedRoot, error // FetchTrustedRoot fetches the Sigstore trusted root from TUF and returns it. func FetchTrustedRoot() (*TrustedRoot, error) { - opts, err := tuf.DefaultOptions() - if err != nil { - return nil, err - } + opts := tuf.DefaultOptions() client, err := tuf.New(opts) if err != nil { return nil, err diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 328fd573..be3d543e 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -79,10 +79,8 @@ func New(opts *Options) (*Client, error) { // DefaultClient returns a Sigstore TUF client for the public good instance func DefaultClient() (*Client, error) { - opts, err := DefaultOptions() - if err != nil { - return nil, err - } + opts := DefaultOptions() + return New(opts) } diff --git a/pkg/tuf/options.go b/pkg/tuf/options.go index 8bd844cd..47b36267 100644 --- a/pkg/tuf/options.go +++ b/pkg/tuf/options.go 
@@ -26,9 +26,6 @@ var embeddedRepo embed.FS const DefaultMirror = "https://tuf-repo-cdn.sigstore.dev" // Options represent the various options for a Sigstore TUF Client -// -// Note that currently, the cache control is not working. Upon initialization -// the client will *ALWAYS* perform a TUF update. type Options struct { // CacheValidity period in days (default 1) CacheValidity int @@ -49,33 +46,36 @@ type Options struct { } // DefaultOptions returns an options struct for the public good instance -func DefaultOptions() (*Options, error) { +func DefaultOptions() *Options { var opts Options var err error - opts.Root, err = DefaultRoot() - if err != nil { - return nil, err - } + opts.Root = DefaultRoot() home, err := os.UserHomeDir() if err != nil { - return nil, err + // Fall back to using a TUF repository in the temp location + home = os.TempDir() } opts.CacheValidity = 1 opts.CachePath = filepath.Join(home, ".sigstore", "root") opts.RepositoryBaseURL = DefaultMirror - return &opts, nil + return &opts } // DefaultRoot returns the root.json for the public good instance -func DefaultRoot() ([]byte, error) { +func DefaultRoot() []byte { var p = filepath.Join("repository", "root.json") b, err := embeddedRepo.ReadFile(p) if err != nil { - return nil, err + // This should never happen. + // ReadFile from an embedded FS will never fail as long as + // the path is correct. If it fails, it would mean + // that the binary is not assembled as it should, and there + // is no way to recover from that. + panic(err) } - return b, nil + return b } From 5f4fafaf86c1a0b289363cef5804cb7844cdc6fc Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 22 Dec 2023 10:25:29 +0100 Subject: [PATCH 03/33] avoid empty strings for arguments, use named attributes Signed-off-by: Fredrik Skogman --- pkg/tuf/client.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index be3d543e..6c87b6cf 100644 --- a/pkg/tuf/client.go 
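Review bot: The `os.TempDir()` fallback in `DefaultOptions` puts the TUF metadata cache at a fixed, predictable path (`<tmp>/.sigstore/root`) inside a directory that is normally shared between local accounts, so another account can create that path first and own what the client later treats as its cache, or stop it from being written. How much that matters depends on what the updater re-verifies when it loads cached metadata, which is not visible here, but the cache is the client's record of what it last trusted and belongs in a directory only the current user can write. When `os.UserHomeDir()` fails it would be safer to run without a cache (`opts.DisableLocalCache = true`) or to create a private directory with `os.MkdirTemp`. The new `panic` in `DefaultRoot` is defensible for an embedded file, but since the function is exported the doc comment should say that it panics.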
+++ b/pkg/tuf/client.go @@ -160,12 +160,15 @@ func (c *Client) Refresh() error { // GetTarget returns a target file from the TUF repository func (c *Client) GetTarget(target string) ([]byte, error) { + // Set filepath to the empty string. When we get targets, + // we rely in the target info struct instead. + const filePath = "" ti, err := c.up.GetTargetInfo(target) if err != nil { return nil, fmt.Errorf("target %s not found: %w", target, err) } - path, tb, err := c.up.FindCachedTarget(ti, "") + path, tb, err := c.up.FindCachedTarget(ti, filePath) if err != nil { return nil, fmt.Errorf("error getting target cache: %w", err) } @@ -175,7 +178,9 @@ func (c *Client) GetTarget(target string) ([]byte, error) { } // Download of target is needed - _, tb, err = c.up.DownloadTarget(ti, "", "") + // Ignore targetsBaseURL, set to empty string + const targetsBaseURL = "" + _, tb, err = c.up.DownloadTarget(ti, filePath, targetsBaseURL) if err != nil { return nil, fmt.Errorf("failed to download target file %s - %w", target, err) } From 511a0b9fd3795a0a46b8d36a8fd924c0f4d66bad Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 22 Dec 2023 13:11:51 +0100 Subject: [PATCH 04/33] Ignore emacs backup files Signed-off-by: Fredrik Skogman --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index dbdd02f6..bd0ab9d3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .idea .DS_Store +*~ /sigstore-go /tufdata /conformance From e680b4f75ccca4f0db56cd3755f0e39eada9ee9a Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 22 Dec 2023 14:12:19 +0100 Subject: [PATCH 05/33] Created a bascig config file for the tuf client 
Signed-off-by: Fredrik Skogman --- pkg/tuf/client.go | 55 ++++++++++++++++++++++++------------------ pkg/tuf/config.go | 53 ++++++++++++++++++++++++++++++++++++++++ pkg/tuf/config_test.go | 45 ++++++++++++++++++++++++++++++++++ 3 files changed, 129 insertions(+), 24 deletions(-) create mode 100644 pkg/tuf/config.go create mode 100644 pkg/tuf/config_test.go diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 6c87b6cf..df31548e 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -17,7 +17,6 @@ package tuf import ( "fmt" "net/url" - "os" "path/filepath" "strings" "time" 
@@ -107,44 +106,38 @@ func (c *Client) loadMetadata() error { return nil } else if c.opts.CacheValidity > 0 { // Use cached metadata for up to CacheValidity days. - // This is a bit of an hack, as we don't know when the - // last the it was updated, fallback to check the - // modification time of timestamp.json if tm.Timestamp.Signed.IsExpired(time.Now()) { // Always update if the timestamp is expired return c.Refresh() } - var p = filepath.Join( - c.opts.CachePath, - URLToPath(c.opts.RepositoryBaseURL), - "timestamp.json", - ) - fi, err := os.Stat(p) + cfg, err := LoadConfig(c.configPath()) if err != nil { - // Failed to get info on the file, fall back - // and update if needed - return c.Refresh() + // Config may not exist, don'tt error + // create a new empty config + cfg = &Config{} } - if fi.ModTime().After(time.Now().Add( - time.Duration(-24*c.opts.CacheValidity) * time.Hour)) { + cacheValidUntil := cfg.LastTimestamp.Add( + time.Duration(-24*c.opts.CacheValidity) * time.Hour) + if time.Now().Before(cacheValidUntil) { // No need to update return nil } - // A TUF client refresh will now happen (c.Refresh), - // update the mod time for the timestamp. - // - // Ignore the error here, there is no need to fail - // operation only because the file's metadata could - // not be updated - //nolint:errcheck - os.Chtimes(p, time.Now(), time.Now()) } return c.Refresh() } +func (c *Client) configPath() string { + var p = filepath.Join( + c.opts.CachePath, + fmt.Sprintf("%s.json", URLToPath(c.opts.RepositoryBaseURL)), + ) + + return p +} + // Refresh forces a refresh of the underlying TUF client. // As the tuf client does not support multiple refreshes during its // life-time, this will replace the TUF client with a new one. 
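Review bot: `cacheValidUntil` is computed by subtracting the validity period from `cfg.LastTimestamp` (`time.Duration(-24*c.opts.CacheValidity)`), so `time.Now().Before(cacheValidUntil)` only holds when the recorded timestamp lies more than the validity period in the future, and in normal operation the cached metadata is never reused. The sign looks carried over from the removed `ModTime().After(time.Now().Add(-…))` form; here it should be `cacheValidUntil := cfg.LastTimestamp.Add(time.Duration(24*c.opts.CacheValidity) * time.Hour)`. Because the config file is plain, unauthenticated JSON in the cache directory, a `LastTimestamp` later than `time.Now()` should also be treated as invalid and trigger a refresh, so a corrupt or edited value cannot postpone updates; the `IsExpired` check above bounds that delay but does not remove it. The comment typo `don'tt` can be fixed in the same pass, and `loadMetadata` begins above this hunk.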
@@ -155,7 +148,21 @@ func (c *Client) Refresh() error { if err != nil { return err } - return c.up.Refresh() + err = c.up.Refresh() + if err != nil { + return err + } + + // Update config with last update + cfg, err := LoadConfig(c.configPath()) + if err != nil { + // Likely config file did not exit, create it + cfg = &Config{} + } + cfg.LastTimestamp = time.Now() + // ignore error writing update config file + _ = cfg.Persist(c.configPath()) + return nil } // GetTarget returns a target file from the TUF repository diff --git a/pkg/tuf/config.go b/pkg/tuf/config.go new file mode 100644 index 00000000..d814b0eb --- /dev/null +++ b/pkg/tuf/config.go 
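Review bot: `Refresh` now reads and writes `c.configPath()` unconditionally, including when `DisableLocalCache` is set. In that mode `New` clears `c.opts.CachePath` (visible as context in a later hunk of this series), so `configPath()` resolves to a bare `<name>.json` relative to the process's working directory, and a client configured for a read-only file system still attempts a write there. Returning early after the `c.up.Refresh()` error check, `if c.opts.DisableLocalCache { return nil }`, would avoid that. Discarding the `Persist` error is a reasonable best-effort choice, but it also hides the case where the write fails on every call, so it should at least be documented on `Refresh`. `Refresh` starts above this hunk.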
@@ -0,0 +1,53 @@ +// Copyright 2023 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tuf + +import ( + "encoding/json" + "fmt" + "os" + "time" +) + +type Config struct { + LastTimestamp time.Time `json:"last_timestamp"` +} + +func LoadConfig(p string) (*Config, error) { + var c Config + + b, err := os.ReadFile(p) + if err != nil { + return nil, fmt.Errorf("failed to read config: %w", err) + } + err = json.Unmarshal(b, &c) + if err != nil { + return nil, fmt.Errorf("malformed config file: %w", err) + } + + return &c, nil +} + +func (c *Config) Persist(p string) error { + b, err := json.Marshal(c) + if err != nil { + return fmt.Errorf("failed to JSON marshal config: %w", err) + } + err = os.WriteFile(p, b, 0400) // Read only by current user + if err != nil { + return fmt.Errorf("failed to write config: %w", err) + } + return nil +} diff --git a/pkg/tuf/config_test.go b/pkg/tuf/config_test.go new file mode 100644 index 00000000..b503cdec --- /dev/null +++ b/pkg/tuf/config_test.go 
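Review bot: `Persist` creates the file with mode `0400`, and `os.WriteFile` has to open an existing file for writing, so on POSIX systems every call after the first fails with a permission error for an unprivileged user. `Refresh` in this same commit discards that error, which means `LastTimestamp` would silently stay at the value of the first refresh. `os.WriteFile(p, b, 0600)` keeps the file private to the current user while allowing updates; writing to a temporary file in the same directory and renaming it over the target would also avoid leaving a truncated file if the process is interrupted. The exported `Config`, `LoadConfig` and `Persist` have no doc comments; something like `// Config holds local, unauthenticated bookkeeping for the TUF client cache.` would make clear that its contents are not a trust input.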
@@ -0,0 +1,45 @@ +// Copyright 2023 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tuf + +import ( + "path/filepath" + "testing" + "time" +) + +func TestConfig(t *testing.T) { + var p = filepath.Join(t.TempDir(), "cfg.json") + var ts = time.Now() + var c = Config{ + LastTimestamp: ts, + } + + err := c.Persist(p) + if err != nil { + t.Error(err.Error()) + } + + cp, err := LoadConfig(p) + delta := ts.Sub(cp.LastTimestamp) + if delta < 0 { + delta = -delta + } + // make sure the delta is less than one second. During JSON + // serializion precision up to a second may be lost + if delta > time.Second { + t.Error("wrong date received after load") + } +} From 7be28c08ebb1e45ee528610924a6919fe7e19cd5 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 22 Dec 2023 14:26:19 +0100 Subject: [PATCH 06/33] Style fixes Signed-off-by: Fredrik Skogman --- pkg/tuf/client.go | 1 + pkg/tuf/config.go | 1 + 2 files changed, 2 insertions(+) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index df31548e..ac9f946b 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -162,6 +162,7 @@ func (c *Client) Refresh() error { cfg.LastTimestamp = time.Now() // ignore error writing update config file _ = cfg.Persist(c.configPath()) + return nil } diff --git a/pkg/tuf/config.go b/pkg/tuf/config.go index d814b0eb..92a87063 100644 --- a/pkg/tuf/config.go +++ b/pkg/tuf/config.go 
@@ -49,5 +49,6 @@ func (c *Config) Persist(p string) error { if err != nil { return fmt.Errorf("failed to write config: %w", err) } + return nil } From 780beb37b7ac7062b4533f759c9baf29478de282 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 22 Dec 2023 14:29:48 +0100 Subject: [PATCH 07/33] Made consistent snapshot configurable Signed-off-by: Fredrik Skogman --- pkg/tuf/client.go | 2 +- pkg/tuf/options.go | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index ac9f946b..b803c140 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -51,7 +51,7 @@ func New(opts *Options) (*Client, error) { return nil, fmt.Errorf("malformed config mirror: %w", err) } c.cfg.DisableLocalCache = c.opts.DisableLocalCache - c.cfg.PrefixTargetsWithHash = true + c.cfg.PrefixTargetsWithHash = !c.opts.DisableConsistentSnapshot if c.cfg.DisableLocalCache { c.opts.CachePath = "" diff --git a/pkg/tuf/options.go b/pkg/tuf/options.go index 47b36267..be7892b8 100644 --- a/pkg/tuf/options.go +++ b/pkg/tuf/options.go @@ -43,6 +43,8 @@ type Options struct { // DisableLocalCache mode allows a client to work on a read-only // files system if this is set, cache path is ignored. DisableLocalCache bool + // DisableConsistentSnapshot + DisableConsistentSnapshot bool } // DefaultOptions returns an options struct for the public good instance From b1f195fbf4acb75a743d3cbb7699165a47a4dddb Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 22 Dec 2023 14:33:31 +0100 Subject: [PATCH 08/33] Clarified the use of unsafe local mode Signed-off-by: Fredrik Skogman --- pkg/tuf/client.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index b803c140..2b8c53a3 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go 
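Review bot: The new `DisableConsistentSnapshot` field in `Options` has a doc comment that only repeats its name, although it now drives `c.cfg.PrefixTargetsWithHash` in `New`, which was previously fixed to `true`. The comment should say what the option changes and when it is appropriate, for example `// DisableConsistentSnapshot stops the client from requesting hash-prefixed target file names; set it only for repositories that do not publish consistent snapshots.` That wording is inferred from the `PrefixTargetsWithHash` name and should be checked against the updater's documentation before it is committed. Both `New` and the `Options` struct extend beyond these hunks.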
@@ -64,6 +64,12 @@ func New(opts *Options) (*Client, error) { // client (only reads content on disk) and then decide if we // must perform a full TUF update. var tmpCfg = *c.cfg + // Create a temporary config for the first use where UnsafeLocalMode + // is true. This means that when we first initialize the client, + // we are guaranteed to only read the metadata on disk. + // Based on that metadata we take a decision if a full TUF + // refresh should be done or not. As so, the tmpCfg is only needed + // here and not in future invocations. tmpCfg.UnsafeLocalMode = true c.up, err = updater.New(&tmpCfg) if err != nil { From 3e2ab65335e3dc60b460a90ed54fdffe5e5f998a Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Mon, 29 Jan 2024 10:56:49 +0100 Subject: [PATCH 09/33] Updated to go-tuf/v2@master Signed-off-by: Fredrik Skogman --- examples/oci-image-verification/go.mod | 2 +- examples/oci-image-verification/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- pkg/tuf/client.go | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/oci-image-verification/go.mod b/examples/oci-image-verification/go.mod index 731e44f3..451bd5f7 100644 --- a/examples/oci-image-verification/go.mod +++ b/examples/oci-image-verification/go.mod @@ -57,7 +57,6 @@ require ( github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/pelletier/go-toml/v2 v2.1.0 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/sassoftware/relic v7.2.1+incompatible // indirect 
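Review bot: The added comment explains why `UnsafeLocalMode` is switched on but not what the client relies on while it is, even though the decision to skip a refresh is taken from metadata read from disk in this mode. It should state what validation that metadata has had at this point; whether signatures and expiry are still checked against `opts.Root` in this mode is not visible in the hunk. It is also worth noting that `tmpCfg` is a shallow copy of `*c.cfg`, so any pointer or slice fields are shared with the long-lived config. The new text partly repeats the comment just above `var tmpCfg`, and merging the two would read better. `New` starts and ends outside this hunk.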
@@ -74,6 +73,7 @@ require ( github.com/spf13/viper v1.18.2 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect github.com/vbatts/tar-split v0.11.3 // indirect diff --git a/examples/oci-image-verification/go.sum b/examples/oci-image-verification/go.sum index 3421af49..e893b61f 100644 --- a/examples/oci-image-verification/go.sum +++ b/examples/oci-image-verification/go.sum @@ -254,8 +254,6 @@ github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lne github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c h1:Y4Mx6GbsUbzvV41SuQfE671gKAXdILTSGdUe4+8y7DE= -github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c/go.mod h1:3l8VADBl9myZ4VNSQtmM46iEA+jolS2ZFviLocdyWPw= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -321,6 +319,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6 h1:bg4vq6E9GhRioNFR10pWdX8Ntrh9ROpQWmLCDifDT90= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6/go.mod h1:BEDk+xfD0uVATjx1FLvIAjtDhWJnNeffL3i863gqbkM= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= diff --git a/go.mod b/go.mod index 40419a22..00e2b846 100644 --- a/go.mod +++ b/go.mod @@ -10,13 +10,13 @@ require ( github.com/go-openapi/swag v0.22.7 github.com/google/certificate-transparency-go v1.1.7 github.com/in-toto/in-toto-golang v0.9.0 - github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c github.com/secure-systems-lab/go-securesystemslib v0.8.0 github.com/sigstore/protobuf-specs v0.2.1 github.com/sigstore/rekor v1.3.4 github.com/sigstore/sigstore v1.8.1 github.com/sigstore/timestamp-authority v1.2.1 github.com/stretchr/testify v1.8.4 + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6 golang.org/x/mod v0.14.0 google.golang.org/protobuf v1.32.0 ) diff --git a/go.sum b/go.sum index d7a5037b..b6decd22 100644 --- a/go.sum +++ b/go.sum 
@@ -238,8 +238,6 @@ github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lne github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c h1:Y4Mx6GbsUbzvV41SuQfE671gKAXdILTSGdUe4+8y7DE= -github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c/go.mod h1:3l8VADBl9myZ4VNSQtmM46iEA+jolS2ZFviLocdyWPw= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= @@ -302,6 +300,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6 h1:bg4vq6E9GhRioNFR10pWdX8Ntrh9ROpQWmLCDifDT90= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6/go.mod h1:BEDk+xfD0uVATjx1FLvIAjtDhWJnNeffL3i863gqbkM= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 2b8c53a3..7f6ca6cb 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go 
@@ -21,8 +21,8 @@ import ( "strings" "time" - "github.com/rdimitrov/go-tuf-metadata/metadata/config" - "github.com/rdimitrov/go-tuf-metadata/metadata/updater" + "github.com/theupdateframework/go-tuf/v2/metadata/config" + "github.com/theupdateframework/go-tuf/v2/metadata/updater" ) // Client is a Sigstore TUF client From 8297aeb73de48f5433d9c5d47ddd535a442330ed Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Mon, 29 Jan 2024 11:07:53 +0100 Subject: [PATCH 10/33] Resolved merge conflict Signed-off-by: Fredrik Skogman --- examples/oci-image-verification/main.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/examples/oci-image-verification/main.go b/examples/oci-image-verification/main.go index 1d9122be..6d18c78d 100644 --- a/examples/oci-image-verification/main.go +++ b/examples/oci-image-verification/main.go @@ -145,10 +145,7 @@ func run() error { var trustedRootJSON []byte if *tufRootURL != "" { - opts, err := tuf.DefaultOptions() - if err != nil { - return err - } + opts := tuf.DefaultOptions() opts.RepositoryBaseURL = *tufRootURL client, err := tuf.New(opts) if err != nil { From 11dedbd08ee87f9738df67c7c2ab7ddec14e767f Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Mon, 29 Jan 2024 11:30:56 +0100 Subject: [PATCH 11/33] Fixed errors from linter Signed-off-by: Fredrik Skogman --- pkg/tuf/config.go | 2 +- pkg/tuf/config_test.go | 3 +++ pkg/verify/signature.go | 22 +++++++++++----------- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/pkg/tuf/config.go b/pkg/tuf/config.go index 92a87063..a10b97c2 100644 --- a/pkg/tuf/config.go +++ b/pkg/tuf/config.go @@ -22,7 +22,7 @@ import ( ) type Config struct { - LastTimestamp time.Time `json:"last_timestamp"` + LastTimestamp time.Time `json:"lastTimestamp"` } func LoadConfig(p string) (*Config, error) { diff --git a/pkg/tuf/config_test.go b/pkg/tuf/config_test.go index b503cdec..797a2739 100644 --- a/pkg/tuf/config_test.go +++ b/pkg/tuf/config_test.go 
@@ -33,6 +33,9 @@ func TestConfig(t *testing.T) { } cp, err := LoadConfig(p) + if err != nil { + t.Error(err.Error()) + } delta := ts.Sub(cp.LastTimestamp) if delta < 0 { delta = -delta diff --git a/pkg/verify/signature.go b/pkg/verify/signature.go index 15a012a9..3f71c889 100644 --- a/pkg/verify/signature.go +++ b/pkg/verify/signature.go @@ -44,10 +44,10 @@ func VerifySignature(sigContent SignatureContent, verificationContent Verificati return verifyEnvelope(verifier, envelope) } else if msg := sigContent.MessageSignatureContent(); msg != nil { return errors.New("artifact must be provided to verify message signature") - } else { - // should never happen, but just in case: - return fmt.Errorf("signature content has neither an envelope or a message") } + + // should never happen, but just in case: + return fmt.Errorf("signature content has neither an envelope or a message") } func VerifySignatureWithArtifact(sigContent SignatureContent, verificationContent VerificationContent, trustedMaterial root.TrustedMaterial, artifact io.Reader) error { // nolint: revive @@ -63,10 +63,10 @@ func VerifySignatureWithArtifact(sigContent SignatureContent, verificationConten return verifyEnvelopeWithArtifact(verifier, envelope, artifact) } else if msg := sigContent.MessageSignatureContent(); msg != nil { return verifyMessageSignature(verifier, msg, artifact) - } else { - // should never happen, but just in case: - return fmt.Errorf("signature content has neither an envelope or a message") } + + // should never happen, but just in case: + return fmt.Errorf("signature content has neither an envelope or a message") } func VerifySignatureWithArtifactDigest(sigContent SignatureContent, verificationContent VerificationContent, trustedMaterial root.TrustedMaterial, artifactDigest []byte, artifactDigestAlgorithm string) error { // nolint: revive 
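Review bot: The added check in `TestConfig` reports a `LoadConfig` failure with `t.Error`, which lets the test carry on to `cp.LastTimestamp` with `cp` nil and panic instead of failing cleanly. Use `t.Fatal(err)` here, and in the `Persist` check earlier in the test for the same reason. A second `c.Persist(p)` call on the same path would also be worth adding, since overwriting an existing config file is what `Refresh` does on every update and the test currently only covers the first write. `TestConfig` starts above this hunk.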
@@ -82,10 +82,10 @@ func VerifySignatureWithArtifactDigest(sigContent SignatureContent, verification return verifyEnvelopeWithArtifactDigest(verifier, envelope, artifactDigest, artifactDigestAlgorithm) } else if msg := sigContent.MessageSignatureContent(); msg != nil { return verifyMessageSignatureWithArtifactDigest(verifier, msg, artifactDigest) - } else { - // should never happen, but just in case: - return fmt.Errorf("signature content has neither an envelope or a message") } + + // should never happen, but just in case: + return fmt.Errorf("signature content has neither an envelope or a message") } func getSignatureVerifier(verificationContent VerificationContent, tm root.TrustedMaterial) (signature.Verifier, error) { @@ -94,9 +94,9 @@ func getSignatureVerifier(verificationContent VerificationContent, tm root.Trust return signature.LoadVerifier(leafCert.PublicKey, crypto.SHA256) } else if pk, ok := verificationContent.HasPublicKey(); ok { return tm.PublicKeyVerifier(pk.Hint()) - } else { - return nil, fmt.Errorf("no public key or certificate found") } + + return nil, fmt.Errorf("no public key or certificate found") } func verifyEnvelope(verifier signature.Verifier, envelope EnvelopeContent) error { From dc7e97932eab1403546ce7cc340d6b22e7a7ec41 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 29 Jan 2024 14:05:52 -0500 Subject: [PATCH 12/33] Use short variable declaration syntax Co-authored-by: Hayden B Signed-off-by: Cody Soyland --- pkg/tuf/client.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 7f6ca6cb..6b5dea4e 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go 
@@ -37,7 +37,7 @@ func New(opts *Options) (*Client, error) { var c = Client{ opts: opts, } - var dir = filepath.Join(opts.CachePath, URLToPath(opts.RepositoryBaseURL)) + dir := filepath.Join(opts.CachePath, URLToPath(opts.RepositoryBaseURL)) var err error if c.cfg, err = config.New(opts.RepositoryBaseURL, opts.Root); err != nil { @@ -63,7 +63,7 @@ func New(opts *Options) (*Client, error) { // based on the cache control configuration. Start with a local // client (only reads content on disk) and then decide if we // must perform a full TUF update. - var tmpCfg = *c.cfg + tmpCfg := *c.cfg // Create a temporary config for the first use where UnsafeLocalMode // is true. This means that when we first initialize the client, // we are guaranteed to only read the metadata on disk. @@ -101,7 +101,7 @@ func (c *Client) loadMetadata() error { return c.Refresh() } - var tm = c.up.GetTrustedMetadataSet() + tm := c.up.GetTrustedMetadataSet() if c.opts.ForceCache { // Use cache until it expires if tm.Timestamp.Signed.IsExpired(time.Now()) { From 8bc63cf70ff065f485f4056cdeab2ee6ac1b3fd4 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 29 Jan 2024 14:12:59 -0500 Subject: [PATCH 13/33] Remove old unused embedded root Signed-off-by: Cody Soyland --- .../tuf-repo-cdn.sigstore.dev/root.json | 140 ------------------ 1 file changed, 140 deletions(-) delete mode 100644 pkg/tuf/repository/tuf-repo-cdn.sigstore.dev/root.json diff --git a/pkg/tuf/repository/tuf-repo-cdn.sigstore.dev/root.json b/pkg/tuf/repository/tuf-repo-cdn.sigstore.dev/root.json deleted file mode 100644 index c3ea9cb6..00000000 --- a/pkg/tuf/repository/tuf-repo-cdn.sigstore.dev/root.json +++ /dev/null 
@@ -1,140 +0,0 @@ -{ - "signed": { - "_type": "root", - "spec_version": "1.0", - "version": 7, - "expires": "2023-10-04T13:08:11Z", - "keys": { - "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" - } - }, - "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" - } - }, - "45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n" - } - }, - "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" - } - }, - "e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - 
"sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" - } - }, - "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n" - } - }, - "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c": { - "keytype": "ecdsa-sha2-nistp256", - "scheme": "ecdsa-sha2-nistp256", - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" - } - } - }, - "roles": { - "root": { - "keyids": [ - "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", - "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", - "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", - "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", - "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de" - ], - "threshold": 3 - }, - "snapshot": { - "keyids": [ - "45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b" - ], - "threshold": 1 - }, - "targets": { - "keyids": [ - "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", - "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", - "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", - "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", - 
"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de" - ], - "threshold": 3 - }, - "timestamp": { - "keyids": [ - "e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a" - ], - "threshold": 1 - } - }, - "consistent_snapshot": true - }, - "signatures": [ - { - "keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", - "sig": "3046022100c0610c0055ce5c4a52d054d7322e7b514d55baf44423d63aa4daa077cc60fd1f022100a097f2803f090fb66c42ead915a2c46ebe7db53a32bf18f2188275cc936f8bdd" - }, - { - "keyid": "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", - "sig": "304502203134f0468810299d5493a867c40630b341296b92e59c29821311d353343bb3a4022100e667ae3d304e7e3da0894c7425f6b9ecd917106841280e5cf6f3496ad5f8f68e" - }, - { - "keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", - "sig": "3045022037fe5f45426f21eaaf4730d2136f2b1611d6379688f79b9d1e3f61719997135c022100b63b022d7b79d4694b96f416d88aa4d7b1a3bff8a01f4fb51e0f42137c7d2d06" - }, - { - "keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de", - "sig": "3044022007cc8fcc4940809f2751ad5b535f4c5f53f5b4952f5b5696b09668e743306ac1022006dfcdf94e94c92163eeb1b47796db62cedaa730aa13aa61b573fe23714730f2" - } - ] -} \ No newline at end of file From c270ed894fcca053330849c20e980d5ab094cf33 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 29 Jan 2024 14:33:59 -0500 Subject: [PATCH 14/33] Add func to fetch TUF root with given options Signed-off-by: Cody Soyland --- pkg/root/trusted_root.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkg/root/trusted_root.go b/pkg/root/trusted_root.go index fca154dd..16288a00 100644 --- a/pkg/root/trusted_root.go +++ b/pkg/root/trusted_root.go 
@@ -262,7 +262,11 @@ func NewTrustedRootProtobuf(rootJSON []byte) (*prototrustroot.TrustedRoot, error // FetchTrustedRoot fetches the Sigstore trusted root from TUF and returns it. func FetchTrustedRoot() (*TrustedRoot, error) { - opts := tuf.DefaultOptions() + return FetchTrustedRootWithOptions(tuf.DefaultOptions()) +} + +// FetchTrustedRootWithOptions fetches the trusted root from TUF with the given options and returns it. +func FetchTrustedRootWithOptions(opts *tuf.Options) (*TrustedRoot, error) { client, err := tuf.New(opts) if err != nil { return nil, err From a8fd9e01adbee7ba654efa69bc9645e7df2f75c5 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 29 Jan 2024 14:34:45 -0500 Subject: [PATCH 15/33] Add chainable functional options to Options struct Signed-off-by: Cody Soyland --- pkg/tuf/options.go | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/pkg/tuf/options.go b/pkg/tuf/options.go index be7892b8..aaa182d7 100644 --- a/pkg/tuf/options.go +++ b/pkg/tuf/options.go 
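Review bot: `FetchTrustedRootWithOptions` passes `opts` straight to `tuf.New`, which dereferences it (`opts.CachePath`, `opts.RepositoryBaseURL`), so a nil argument panics inside an exported function. Return an error up front instead, e.g. `if opts == nil { return nil, errors.New("tuf options must not be nil") }`, using whichever of `errors` or `fmt` the file already imports. The doc comment should also say that the returned root is only as trustworthy as `opts.Root`, because the caller now chooses both the trust anchor and the repository URL. The function body continues below this hunk.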
@@ -47,6 +47,48 @@ type Options struct { DisableConsistentSnapshot bool } +// WithCacheValidity sets the cache validity period in days +func (o *Options) WithCacheValidity(days int) *Options { + o.CacheValidity = days + return o +} + +// WithForceCache forces the client to use the cache without updating +func (o *Options) WithForceCache() *Options { + o.ForceCache = true + return o +} + +// WithRoot sets the TUF trust anchor +func (o *Options) WithRoot(root []byte) *Options { + o.Root = root + return o +} + +// WithCachePath sets the location on disk for TUF cache +func (o *Options) WithCachePath(path string) *Options { + o.CachePath = path + return o +} + +// WithRepositoryBaseURL sets the TUF repository location URL +func (o *Options) WithRepositoryBaseURL(url string) *Options { + o.RepositoryBaseURL = url + return o +} + +// WithDisableLocalCache sets the client to work on a read-only file system +func (o *Options) WithDisableLocalCache() *Options { + o.DisableLocalCache = true + return o +} + +// WithDisableConsistentSnapshot sets the client to disable consistent snapshot +func (o *Options) WithDisableConsistentSnapshot() *Options { + o.DisableConsistentSnapshot = true + return o +} + // DefaultOptions returns an options struct for the public good instance func DefaultOptions() *Options { var opts Options From 95168ba13db20789402811cfc9d89cf7cc9d5f67 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 29 Jan 2024 15:06:41 -0500 Subject: [PATCH 16/33] Update CodeQL action Signed-off-by: Cody Soyland --- .github/workflows/codeql.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e2c0ee2f..ef363879 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
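Review bot: `WithRoot` stores the caller's slice as the TUF trust anchor without copying it, so a caller that reuses or modifies that buffer after the call silently changes the root the client verifies against. Keeping a private copy, `o.Root = append([]byte(nil), root...)`, removes the aliasing. The comments on `WithForceCache` and `WithDisableConsistentSnapshot` only restate the field names. A sentence on each saying what the client gives up would help callers choose deliberately; for `WithForceCache` that is presumably that no refresh happens, so rotated or revoked metadata is not picked up.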
@@ -42,12 +42,12 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.1.26 + uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.1.26 + uses: github/codeql-action/autobuild@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.1.26 + uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 From 4f6cb847db8adfeb2aac28a6e7d752d34a6ccbd9 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 29 Jan 2024 15:10:54 -0500 Subject: [PATCH 17/33] Setup Go version in CodeQL workflwo Signed-off-by: Cody Soyland --- .github/workflows/codeql.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ef363879..b1a51456 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -40,6 +40,11 @@ jobs: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Setup Go + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version-file: ./go.mod + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 From c2e715ef700c2656a0454f18cdae3a8f314187f3 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Tue, 30 Jan 2024 09:14:53 +0100 Subject: [PATCH 18/33] Don't specify minor go version Signed-off-by: Fredrik Skogman --- go.mod | 4 ++-- go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 4005cb01..4aa4eccc 100644 --- a/go.mod +++ b/go.mod 
@@ -1,6 +1,6 @@ module github.com/sigstore/sigstore-go -go 1.21.5 +go 1.21 require ( github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 @@ -16,7 +16,7 @@ require ( github.com/sigstore/sigstore v1.8.1 github.com/sigstore/timestamp-authority v1.2.1 github.com/stretchr/testify v1.8.4 - github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6 + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240130081036-9d5773172084 golang.org/x/mod v0.14.0 google.golang.org/protobuf v1.32.0 ) diff --git a/go.sum b/go.sum index 95062b85..3d4844ff 100644 --- a/go.sum +++ b/go.sum @@ -300,8 +300,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6 h1:bg4vq6E9GhRioNFR10pWdX8Ntrh9ROpQWmLCDifDT90= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6/go.mod h1:BEDk+xfD0uVATjx1FLvIAjtDhWJnNeffL3i863gqbkM= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240130081036-9d5773172084 h1:hIsOD11D9EubZYAMsR59dQ21vlckBFBSFny/q04KWxE= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240130081036-9d5773172084/go.mod h1:pDMnUv9xAuOPbmq9SQXav7WA1bGd0F8MxbMlGrDU+A8= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= From e87063c92bd2f7e7048f7697f93f4bdac3eea5de Mon Sep 17 00:00:00 2001 
From: Fredrik Skogman Date: Tue, 30 Jan 2024 10:21:46 +0100 Subject: [PATCH 19/33] Added a simple test for an offline cliant Signed-off-by: Fredrik Skogman --- pkg/tuf/client_test.go | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 pkg/tuf/client_test.go diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go new file mode 100644 index 00000000..d18c5f35 --- /dev/null +++ b/pkg/tuf/client_test.go @@ -0,0 +1,35 @@ +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tuf + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestNewOfflineClientFail(t *testing.T) { + var opt = DefaultOptions() + opt.WithForceCache().WithCachePath(t.TempDir()) + opt.WithRepositoryBaseURL("http://localhost:12345") + + // create a client, it should fail as it's set to forced cache, + // and there is no metadata on disk, and the repository url is + // invalid. + + c, err := New(opt) + assert.Nil(t, c) + assert.Error(t, err) +} From 96326fa3f01fa28463ec97367d68d80e3c3dc2c1 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 5 Feb 2024 16:20:00 -0500 Subject: [PATCH 20/33] Add TUF repo creation and basic test to create a client Signed-off-by: Cody Soyland --- go.mod | 2 +- pkg/tuf/client.go | 4 + pkg/tuf/client_test.go | 197 +++++++++++++++++++++++++++++++++++++++++ pkg/tuf/options.go | 10 +++ 4 files changed, 212 insertions(+), 1 deletion(-) 
diff --git a/go.mod b/go.mod index 4aa4eccc..f8d8f06d 100644 --- a/go.mod +++ b/go.mod @@ -17,6 +17,7 @@ require ( github.com/sigstore/timestamp-authority v1.2.1 github.com/stretchr/testify v1.8.4 github.com/theupdateframework/go-tuf/v2 v2.0.0-20240130081036-9d5773172084 + golang.org/x/crypto v0.18.0 golang.org/x/mod v0.14.0 google.golang.org/protobuf v1.32.0 ) @@ -75,7 +76,6 @@ require ( go.opentelemetry.io/otel/trace v1.21.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.26.0 // indirect - golang.org/x/crypto v0.18.0 // indirect golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect golang.org/x/net v0.19.0 // indirect golang.org/x/sync v0.5.0 // indirect diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 6b5dea4e..26f2c970 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -59,6 +59,10 @@ func New(opts *Options) (*Client, error) { c.opts.ForceCache = false } + if opts.Fetcher != nil { + c.cfg.Fetcher = opts.Fetcher + } + // Upon client creation, we may not perform a full TUF update, // based on the cache control configuration. Start with a local // client (only reads content on disk) and then decide if we diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go index d18c5f35..84e3dc1c 100644 --- a/pkg/tuf/client_test.go +++ b/pkg/tuf/client_test.go @@ -15,9 +15,24 @@ package tuf import ( + "crypto" + "crypto/sha256" + "net/url" + "regexp" + "strconv" + "strings" "testing" + "time" + "fmt" + "os" + "path/filepath" + + "github.com/sigstore/sigstore/pkg/signature" "github.com/stretchr/testify/assert" + "github.com/theupdateframework/go-tuf/v2/metadata" + "github.com/theupdateframework/go-tuf/v2/metadata/repository" + "golang.org/x/crypto/ed25519" ) func TestNewOfflineClientFail(t *testing.T) { 
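Review bot: The new import `golang.org/x/crypto/ed25519` in client_test.go is what promotes `golang.org/x/crypto` from an indirect to a direct requirement in the go.mod hunk of this commit, yet that package is only a compatibility wrapper around the standard library's `crypto/ed25519`. Importing `crypto/ed25519` instead keeps the test's key generation on the standard library and leaves the module's direct dependency list unchanged. The import block also puts `fmt`, `os` and `path/filepath` in a second standard-library group after `time`; goimports would merge them into the first.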
@@ -33,3 +48,185 @@ func TestNewOfflineClientFail(t *testing.T) { assert.Nil(t, c) assert.Error(t, err) } + +func TestCreateClient(t *testing.T) { + r := genTestRepo(t) + + rootJSON, err := r.roles.Root().ToBytes(false) + if err != nil { + t.Fatal(err) + } + + var opt = DefaultOptions(). + WithRepositoryBaseURL("https://testing.local"). + WithRoot(rootJSON). + WithCachePath(t.TempDir()). + WithFetcher(r) + c, err := New(opt) + assert.NotNil(t, c) + assert.NoError(t, err) +} + +type repo interface { + Root() *metadata.Metadata[metadata.RootType] + SetRoot(meta *metadata.Metadata[metadata.RootType]) + Snapshot() *metadata.Metadata[metadata.SnapshotType] + SetSnapshot(meta *metadata.Metadata[metadata.SnapshotType]) + Timestamp() *metadata.Metadata[metadata.TimestampType] + SetTimestamp(meta *metadata.Metadata[metadata.TimestampType]) + Targets(name string) *metadata.Metadata[metadata.TargetsType] + SetTargets(name string, meta *metadata.Metadata[metadata.TargetsType]) +} +type testrepo struct { + keys map[string]ed25519.PrivateKey + roles repo + dir string +} + +func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byte, error) { + u, err := url.Parse(urlPath) + if err != nil { + return []byte{}, err + } + + if strings.HasPrefix(u.Path, "/targets/") { + // TODO: handle targets + return []byte{}, nil + } + if u.Path == "/timestamp.json" { + meta := r.roles.Timestamp() + return meta.ToBytes(false) + } + re := regexp.MustCompile(`/(\d+)\.(root|snapshot|targets)\.json$`) + matches := re.FindStringSubmatch(u.Path) + if len(matches) > 0 { + role := matches[2] + version, err := strconv.Atoi(matches[1]) + if err != nil { + return []byte{}, metadata.ErrDownload{} + } + switch role { + case "root": + meta := r.roles.Root() + if meta.Signed.Version != int64(version) { + return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} + } + return meta.ToBytes(false) + case "snapshot": + meta := r.roles.Snapshot() + if meta.Signed.Version != int64(version) { + 
return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} + } + return meta.ToBytes(false) + case "targets": + meta := r.roles.Targets("targets") + if meta.Signed.Version != int64(version) { + return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} + } + return meta.ToBytes(false) + } + } + + return []byte{}, nil +} + +func genTestRepo(t *testing.T) *testrepo { + var err error + r := &testrepo{ + keys: make(map[string]ed25519.PrivateKey), + roles: repository.New(), + } + targets := metadata.Targets(helperExpireIn(7)) + r.roles.SetTargets("targets", targets) + r.dir, err = os.MkdirTemp("", "tuf-test-repo") + if err != nil { + t.Fatal(err) + } + err = os.Mkdir(filepath.Join(r.dir, "targets"), 0700) + if err != nil { + t.Fatal(err) + } + targetPath := "foo" + targetContent := []byte("foo 1") + targetHash := sha256.Sum256(targetContent) + localPath := filepath.Join(r.dir, "targets", fmt.Sprintf("%x.%s", targetHash, targetPath)) + err = os.WriteFile(localPath, targetContent, 0600) + if err != nil { + t.Fatal(err) + } + targetFileInfo, err := metadata.TargetFile().FromFile(localPath, "sha256") + if err != nil { + t.Fatal(err) + } + r.roles.Targets("targets").Signed.Targets[targetPath] = targetFileInfo + snapshot := metadata.Snapshot(helperExpireIn(7)) + r.roles.SetSnapshot(snapshot) + timestamp := metadata.Timestamp(helperExpireIn(1)) + r.roles.SetTimestamp(timestamp) + root := metadata.Root(helperExpireIn(365)) + r.roles.SetRoot(root) + + for _, name := range []string{"targets", "snapshot", "timestamp", "root"} { + _, private, err := ed25519.GenerateKey(nil) + if err != nil { + t.Fatal(err) + } + r.keys[name] = private + key, err := metadata.KeyFromPublicKey(private.Public()) + if err != nil { + t.Fatal(err) + } + err = r.roles.Root().Signed.AddKey(key, name) + if err != nil { + t.Fatal(err) + } + } + + for _, name := range []string{"targets", "snapshot", "timestamp", "root"} { + key := r.keys[name] + signer, err := signature.LoadSigner(key, crypto.Hash(0)) + if err 
!= nil { + t.Fatal(err) + } + switch name { + case "targets": + _, err = r.roles.Targets("targets").Sign(signer) + case "snapshot": + _, err = r.roles.Snapshot().Sign(signer) + case "timestamp": + _, err = r.roles.Timestamp().Sign(signer) + case "root": + _, err = r.roles.Root().Sign(signer) + } + if err != nil { + t.Fatal(err) + } + } + + for _, name := range []string{"targets", "snapshot", "timestamp", "root"} { + switch name { + case "targets": + filename := fmt.Sprintf("%d.%s.json", r.roles.Targets("targets").Signed.Version, name) + err = r.roles.Targets("targets").ToFile(filepath.Join(r.dir, filename), true) + case "snapshot": + filename := fmt.Sprintf("%d.%s.json", r.roles.Snapshot().Signed.Version, name) + err = r.roles.Snapshot().ToFile(filepath.Join(r.dir, filename), true) + case "timestamp": + filename := fmt.Sprintf("%s.json", name) + err = r.roles.Timestamp().ToFile(filepath.Join(r.dir, filename), true) + case "root": + filename := fmt.Sprintf("%d.%s.json", r.roles.Root().Signed.Version, name) + err = r.roles.Root().ToFile(filepath.Join(r.dir, filename), true) + } + if err != nil { + t.Fatal(err) + } + } + + return r +} + +// helperExpireIn returns time offset by days +func helperExpireIn(days int) time.Time { + return time.Now().AddDate(0, 0, days).UTC() +} diff --git a/pkg/tuf/options.go b/pkg/tuf/options.go index aaa182d7..60f44736 100644 --- a/pkg/tuf/options.go +++ b/pkg/tuf/options.go @@ -18,6 +18,8 @@ import ( "embed" "os" "path/filepath" + + "github.com/theupdateframework/go-tuf/v2/metadata/fetcher" ) //go:embed repository @@ -45,6 +47,8 @@ type Options struct { DisableLocalCache bool // DisableConsistentSnapshot DisableConsistentSnapshot bool + // Fetcher is the metadata fetcher + Fetcher fetcher.Fetcher } // WithCacheValidity sets the cache validity period in days 
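Review bot: `genTestRepo` creates its repository with `os.MkdirTemp("", "tuf-test-repo")` and nothing in the hunk removes it, so every run leaves a directory of metadata and target files behind; `r.dir = t.TempDir()` gives the same directory with automatic cleanup. In `DownloadFile`, the `/targets/` branch and the final fall-through both return `[]byte{}, nil`, so an unknown path looks like a successful empty download. Returning `metadata.ErrDownloadHTTP{StatusCode: 404}` there would stop the fake fetcher from masking client errors. The `regexp.MustCompile` call inside `DownloadFile` could also move to a package-level variable so it is compiled once.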
@@ -89,6 +93,12 @@ func (o *Options) WithDisableConsistentSnapshot() *Options { return o } +// WithFetcher sets the metadata fetcher +func (o *Options) WithFetcher(f fetcher.Fetcher) *Options { + o.Fetcher = f + return o +} + // DefaultOptions returns an options struct for the public good instance func DefaultOptions() *Options { var opts Options From 057aa839da8bee3e19c0027f56726afa2acb049a Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Tue, 6 Feb 2024 09:06:18 +0100 Subject: [PATCH 21/33] Made the tuf root file configurable via the command line Signed-off-by: Fredrik Skogman --- cmd/sigstore-go/main.go | 20 +++++++++++++--- pkg/tuf/client.go | 4 ++-- pkg/tuf/client_test.go | 51 +++++++++++++++++++++++------------------ 3 files changed, 48 insertions(+), 27 deletions(-) diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go index 18fc5aa6..224186d6 100644 --- a/cmd/sigstore-go/main.go +++ b/cmd/sigstore-go/main.go @@ -47,6 +47,7 @@ var onlineTlog *bool var trustedPublicKey *string var trustedrootJSONpath *string var tufRootURL *string +var tufTrustedRoot *string func init() { artifact = flag.String("artifact", "", "Path to artifact to verify") @@ -62,6 +63,7 @@ func init() { trustedPublicKey = flag.String("publicKey", "", "Path to trusted public key") trustedrootJSONpath = flag.String("trustedrootJSONpath", "examples/trusted-root-public-good.json", "Path to trustedroot JSON file") tufRootURL = flag.String("tufRootURL", "", "URL of TUF root containing trusted root JSON file") + tufTrustedRoot = flag.String("tufTrustedRoot", "", "Path to the trusted TUF root.json to bootstrap trust in the remote TUF repository") flag.Parse() if flag.NArg() == 0 { usage() 
@@ -123,6 +125,17 @@ func run() error { if *tufRootURL != "" { opts := tuf.DefaultOptions() opts.RepositoryBaseURL = *tufRootURL + + // Load the tuf root.json if provided, if not use public good + if *tufTrustedRoot != "" { + rb, err := os.ReadFile(*tufTrustedRoot) + if err != nil { + return fmt.Errorf("failed to read %s: %w", + *tufTrustedRoot, err) + } + opts.Root = rb + } + client, err := tuf.New(opts) if err != nil { return err @@ -133,9 +146,10 @@ func run() error { } } else if *trustedrootJSONpath != "" { trustedRootJSON, err = os.ReadFile(*trustedrootJSONpath) - } - if err != nil { - return err + if err != nil { + return fmt.Errorf("failed to read %s: %w", + *trustedrootJSONpath, err) + } } if len(trustedRootJSON) > 0 { diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 26f2c970..9e22356f 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -156,11 +156,11 @@ func (c *Client) Refresh() error { c.up, err = updater.New(c.cfg) if err != nil { - return err + return fmt.Errorf("failed to create tuf updater: %w", err) } err = c.up.Refresh() if err != nil { - return err + return fmt.Errorf("tuf refresh failed: %w", err) } // Update config with last update diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go index 84e3dc1c..bbdaf3b2 100644 --- a/pkg/tuf/client_test.go +++ b/pkg/tuf/client_test.go @@ -83,6 +83,13 @@ type testrepo struct { dir string } +const ( + tufRoot = "root" + tufTargets = "targets" + tufSnapshot = "snapshot" + tufTimestamp = "timestamp" +) + func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byte, error) { u, err := url.Parse(urlPath) if err != nil { 
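Review bot: `-tufTrustedRoot` is only read inside the `if *tufRootURL != ""` branch, so passing it without `-tufRootURL` is silently ignored and verification falls through to the `-trustedrootJSONpath` default. An operator who believes they pinned a trust root would get no indication that it was not used. Rejecting the combination up front makes that visible: `if *tufTrustedRoot != "" && *tufRootURL == "" { return fmt.Errorf("-tufTrustedRoot requires -tufRootURL") }`. The body of `run` continues outside the hunk.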
@@ -106,20 +113,20 @@ func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byt return []byte{}, metadata.ErrDownload{} } switch role { - case "root": + case tufRoot: meta := r.roles.Root() if meta.Signed.Version != int64(version) { return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} } return meta.ToBytes(false) - case "snapshot": + case tufSnapshot: meta := r.roles.Snapshot() if meta.Signed.Version != int64(version) { return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} } return meta.ToBytes(false) - case "targets": - meta := r.roles.Targets("targets") + case tufTargets: + meta := r.roles.Targets(tufTargets) if meta.Signed.Version != int64(version) { return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} } @@ -137,19 +144,19 @@ func genTestRepo(t *testing.T) *testrepo { roles: repository.New(), } targets := metadata.Targets(helperExpireIn(7)) - r.roles.SetTargets("targets", targets) + r.roles.SetTargets(tufTargets, targets) r.dir, err = os.MkdirTemp("", "tuf-test-repo") if err != nil { t.Fatal(err) } - err = os.Mkdir(filepath.Join(r.dir, "targets"), 0700) + err = os.Mkdir(filepath.Join(r.dir, tufTargets), 0700) if err != nil { t.Fatal(err) } targetPath := "foo" targetContent := []byte("foo 1") targetHash := sha256.Sum256(targetContent) - localPath := filepath.Join(r.dir, "targets", fmt.Sprintf("%x.%s", targetHash, targetPath)) + localPath := filepath.Join(r.dir, tufTargets, fmt.Sprintf("%x.%s", targetHash, targetPath)) err = os.WriteFile(localPath, targetContent, 0600) if err != nil { t.Fatal(err) @@ -158,7 +165,7 @@ func genTestRepo(t *testing.T) *testrepo { if err != nil { t.Fatal(err) } - r.roles.Targets("targets").Signed.Targets[targetPath] = targetFileInfo + r.roles.Targets(tufTargets).Signed.Targets[targetPath] = targetFileInfo snapshot := metadata.Snapshot(helperExpireIn(7)) r.roles.SetSnapshot(snapshot) timestamp := metadata.Timestamp(helperExpireIn(1)) 
@@ -166,7 +173,7 @@ func genTestRepo(t *testing.T) *testrepo { root := metadata.Root(helperExpireIn(365)) r.roles.SetRoot(root) - for _, name := range []string{"targets", "snapshot", "timestamp", "root"} { + for _, name := range []string{tufTargets, tufSnapshot, tufTimestamp, tufRoot} { _, private, err := ed25519.GenerateKey(nil) if err != nil { t.Fatal(err) @@ -182,20 +189,20 @@ func genTestRepo(t *testing.T) *testrepo { } } - for _, name := range []string{"targets", "snapshot", "timestamp", "root"} { + for _, name := range []string{tufTargets, tufSnapshot, tufTimestamp, tufRoot} { key := r.keys[name] signer, err := signature.LoadSigner(key, crypto.Hash(0)) if err != nil { t.Fatal(err) } switch name { - case "targets": - _, err = r.roles.Targets("targets").Sign(signer) - case "snapshot": + case tufTargets: + _, err = r.roles.Targets(tufTargets).Sign(signer) + case tufSnapshot: _, err = r.roles.Snapshot().Sign(signer) - case "timestamp": + case tufTimestamp: _, err = r.roles.Timestamp().Sign(signer) - case "root": + case tufRoot: _, err = r.roles.Root().Sign(signer) } if err != nil { 
@@ -203,18 +210,18 @@ func genTestRepo(t *testing.T) *testrepo { } } - for _, name := range []string{"targets", "snapshot", "timestamp", "root"} { + for _, name := range []string{tufTargets, tufSnapshot, tufTimestamp, tufRoot} { switch name { - case "targets": - filename := fmt.Sprintf("%d.%s.json", r.roles.Targets("targets").Signed.Version, name) - err = r.roles.Targets("targets").ToFile(filepath.Join(r.dir, filename), true) - case "snapshot": + case tufTargets: + filename := fmt.Sprintf("%d.%s.json", r.roles.Targets(tufTargets).Signed.Version, name) + err = r.roles.Targets(tufTargets).ToFile(filepath.Join(r.dir, filename), true) + case tufSnapshot: filename := fmt.Sprintf("%d.%s.json", r.roles.Snapshot().Signed.Version, name) err = r.roles.Snapshot().ToFile(filepath.Join(r.dir, filename), true) - case "timestamp": + case tufTimestamp: filename := fmt.Sprintf("%s.json", name) err = r.roles.Timestamp().ToFile(filepath.Join(r.dir, filename), true) - case "root": + case tufRoot: filename := fmt.Sprintf("%d.%s.json", r.roles.Root().Signed.Version, name) err = r.roles.Root().ToFile(filepath.Join(r.dir, filename), true) } From 72edefde033b5face8001dbf4e00adcfe94d19c9 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Tue, 6 Feb 2024 09:26:14 -0500 Subject: [PATCH 22/33] Use consts from go-tuf Signed-off-by: Cody Soyland --- pkg/tuf/client_test.go | 51 ++++++++++++++++++------------------------ 1 file changed, 22 insertions(+), 29 deletions(-) diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go index bbdaf3b2..3c9c7e97 100644 --- a/pkg/tuf/client_test.go +++ b/pkg/tuf/client_test.go @@ -83,13 +83,6 @@ type testrepo struct { dir string } -const ( - tufRoot = "root" - tufTargets = "targets" - tufSnapshot = "snapshot" - tufTimestamp = "timestamp" -) - func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byte, error) { u, err := url.Parse(urlPath) if err != nil { 
@@ -113,20 +106,20 @@ func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byt return []byte{}, metadata.ErrDownload{} } switch role { - case tufRoot: + case metadata.ROOT: meta := r.roles.Root() if meta.Signed.Version != int64(version) { return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} } return meta.ToBytes(false) - case tufSnapshot: + case metadata.SNAPSHOT: meta := r.roles.Snapshot() if meta.Signed.Version != int64(version) { return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} } return meta.ToBytes(false) - case tufTargets: - meta := r.roles.Targets(tufTargets) + case metadata.TARGETS: + meta := r.roles.Targets(metadata.TARGETS) if meta.Signed.Version != int64(version) { return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} } @@ -144,19 +137,19 @@ func genTestRepo(t *testing.T) *testrepo { roles: repository.New(), } targets := metadata.Targets(helperExpireIn(7)) - r.roles.SetTargets(tufTargets, targets) + r.roles.SetTargets(metadata.TARGETS, targets) r.dir, err = os.MkdirTemp("", "tuf-test-repo") if err != nil { t.Fatal(err) } - err = os.Mkdir(filepath.Join(r.dir, tufTargets), 0700) + err = os.Mkdir(filepath.Join(r.dir, metadata.TARGETS), 0700) if err != nil { t.Fatal(err) } targetPath := "foo" targetContent := []byte("foo 1") targetHash := sha256.Sum256(targetContent) - localPath := filepath.Join(r.dir, tufTargets, fmt.Sprintf("%x.%s", targetHash, targetPath)) + localPath := filepath.Join(r.dir, metadata.TARGETS, fmt.Sprintf("%x.%s", targetHash, targetPath)) err = os.WriteFile(localPath, targetContent, 0600) if err != nil { t.Fatal(err) @@ -165,7 +158,7 @@ func genTestRepo(t *testing.T) *testrepo { if err != nil { t.Fatal(err) } - r.roles.Targets(tufTargets).Signed.Targets[targetPath] = targetFileInfo + r.roles.Targets(metadata.TARGETS).Signed.Targets[targetPath] = targetFileInfo snapshot := metadata.Snapshot(helperExpireIn(7)) r.roles.SetSnapshot(snapshot) timestamp := metadata.Timestamp(helperExpireIn(1)) 
@@ -173,7 +166,7 @@ func genTestRepo(t *testing.T) *testrepo { root := metadata.Root(helperExpireIn(365)) r.roles.SetRoot(root) - for _, name := range []string{tufTargets, tufSnapshot, tufTimestamp, tufRoot} { + for _, name := range []string{metadata.TARGETS, metadata.SNAPSHOT, metadata.TIMESTAMP, metadata.ROOT} { _, private, err := ed25519.GenerateKey(nil) if err != nil { t.Fatal(err) @@ -189,20 +182,20 @@ func genTestRepo(t *testing.T) *testrepo { } } - for _, name := range []string{tufTargets, tufSnapshot, tufTimestamp, tufRoot} { + for _, name := range metadata.TOP_LEVEL_ROLE_NAMES { key := r.keys[name] signer, err := signature.LoadSigner(key, crypto.Hash(0)) if err != nil { t.Fatal(err) } switch name { - case tufTargets: - _, err = r.roles.Targets(tufTargets).Sign(signer) - case tufSnapshot: + case metadata.TARGETS: + _, err = r.roles.Targets(metadata.TARGETS).Sign(signer) + case metadata.SNAPSHOT: _, err = r.roles.Snapshot().Sign(signer) - case tufTimestamp: + case metadata.TIMESTAMP: _, err = r.roles.Timestamp().Sign(signer) - case tufRoot: + case metadata.ROOT: _, err = r.roles.Root().Sign(signer) } if err != nil { 
@@ -210,18 +203,18 @@ func genTestRepo(t *testing.T) *testrepo { } } - for _, name := range []string{tufTargets, tufSnapshot, tufTimestamp, tufRoot} { + for _, name := range metadata.TOP_LEVEL_ROLE_NAMES { switch name { - case tufTargets: - filename := fmt.Sprintf("%d.%s.json", r.roles.Targets(tufTargets).Signed.Version, name) - err = r.roles.Targets(tufTargets).ToFile(filepath.Join(r.dir, filename), true) - case tufSnapshot: + case metadata.TARGETS: + filename := fmt.Sprintf("%d.%s.json", r.roles.Targets(metadata.TARGETS).Signed.Version, name) + err = r.roles.Targets(metadata.TARGETS).ToFile(filepath.Join(r.dir, filename), true) + case metadata.SNAPSHOT: filename := fmt.Sprintf("%d.%s.json", r.roles.Snapshot().Signed.Version, name) err = r.roles.Snapshot().ToFile(filepath.Join(r.dir, filename), true) - case tufTimestamp: + case metadata.TIMESTAMP: filename := fmt.Sprintf("%s.json", name) err = r.roles.Timestamp().ToFile(filepath.Join(r.dir, filename), true) - case tufRoot: + case metadata.ROOT: filename := fmt.Sprintf("%d.%s.json", r.roles.Root().Signed.Version, name) err = r.roles.Root().ToFile(filepath.Join(r.dir, filename), true) } From 0def80752d218e94ff17bd53b73695036094f924 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Tue, 6 Feb 2024 15:50:34 -0500 Subject: [PATCH 23/33] Add test to fetch target Signed-off-by: Cody Soyland --- pkg/tuf/client_test.go | 72 ++++++++++++++++++++++++++---------------- 1 file changed, 45 insertions(+), 27 deletions(-) diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go index 3c9c7e97..a1905617 100644 --- a/pkg/tuf/client_test.go +++ b/pkg/tuf/client_test.go @@ -49,7 +49,7 @@ func TestNewOfflineClientFail(t *testing.T) { assert.Error(t, err) } -func TestCreateClient(t *testing.T) { +func TestGetTarget(t *testing.T) { r := genTestRepo(t) rootJSON, err := r.roles.Root().ToBytes(false) 
@@ -65,6 +65,10 @@ func TestCreateClient(t *testing.T) { c, err := New(opt) assert.NotNil(t, c) assert.NoError(t, err) + + target, err := c.GetTarget("foo") + assert.NoError(t, err) + assert.NotNil(t, target) } type repo interface { @@ -90,8 +94,20 @@ func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byt } if strings.HasPrefix(u.Path, "/targets/") { - // TODO: handle targets - return []byte{}, nil + re := regexp.MustCompile(`/targets/[0-9a-f]{64}\.(.*)$`) + matches := re.FindStringSubmatch(u.Path) + if len(matches) != 2 { + return nil, metadata.ErrDownloadHTTP{StatusCode: 404} + } + targetFile, ok := r.roles.Targets(metadata.TARGETS).Signed.Targets[matches[1]] + if !ok { + return nil, metadata.ErrDownloadHTTP{StatusCode: 404} + } + data, err := os.ReadFile(targetFile.Path) + if err != nil { + return nil, metadata.ErrDownloadHTTP{StatusCode: 404} + } + return data, nil } if u.Path == "/timestamp.json" { meta := r.roles.Timestamp() 
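Review bot: `TestGetTarget` only checks `assert.NotNil(t, target)`, which also passes for an empty, non-nil slice, so the test does not show that the client returned the bytes that were published. Comparing with the content written by `genTestRepo`, `assert.Equal(t, []byte("foo 1"), target)`, pins the behaviour. Because `assert.NotNil(t, c)` does not stop the test, a nil client would panic at `c.GetTarget`; `require` from the same testify module would fail cleanly instead.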
@@ -99,32 +115,34 @@ func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byt } re := regexp.MustCompile(`/(\d+)\.(root|snapshot|targets)\.json$`) matches := re.FindStringSubmatch(u.Path) - if len(matches) > 0 { - role := matches[2] - version, err := strconv.Atoi(matches[1]) - if err != nil { - return []byte{}, metadata.ErrDownload{} + if len(matches) != 3 { + return nil, metadata.ErrDownloadHTTP{StatusCode: 404} + } + role := matches[2] + version, err := strconv.Atoi(matches[1]) + if err != nil { + return []byte{}, metadata.ErrDownload{} + } + switch role { + case metadata.ROOT: + // TODO: handle all versions of signed root + meta := r.roles.Root() + if meta.Signed.Version != int64(version) { + return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} } - switch role { - case metadata.ROOT: - meta := r.roles.Root() - if meta.Signed.Version != int64(version) { - return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} - } - return meta.ToBytes(false) - case metadata.SNAPSHOT: - meta := r.roles.Snapshot() - if meta.Signed.Version != int64(version) { - return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} - } - return meta.ToBytes(false) - case metadata.TARGETS: - meta := r.roles.Targets(metadata.TARGETS) - if meta.Signed.Version != int64(version) { - return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} - } - return meta.ToBytes(false) + return meta.ToBytes(false) + case metadata.SNAPSHOT: + meta := r.roles.Snapshot() + if meta.Signed.Version != int64(version) { + return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} + } + return meta.ToBytes(false) + case metadata.TARGETS: + meta := r.roles.Targets(metadata.TARGETS) + if meta.Signed.Version != int64(version) { + return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404} } + return meta.ToBytes(false) } return []byte{}, nil From f4d05565fcb5b81040e581d3054ca7bc6834918c Mon Sep 17 00:00:00 2001 
From: Cody Soyland Date: Wed, 7 Feb 2024 10:37:43 -0500 Subject: [PATCH 24/33] Breakout publish Signed-off-by: Cody Soyland --- pkg/tuf/client_test.go | 44 +++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go index a1905617..8b4d2aa5 100644 --- a/pkg/tuf/client_test.go +++ b/pkg/tuf/client_test.go @@ -148,6 +148,29 @@ func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byt return []byte{}, nil } +func (r *testrepo) Publish() { + var err error + for _, name := range metadata.TOP_LEVEL_ROLE_NAMES { + switch name { + case metadata.TARGETS: + filename := fmt.Sprintf("%d.%s.json", r.roles.Targets(metadata.TARGETS).Signed.Version, name) + err = r.roles.Targets(metadata.TARGETS).ToFile(filepath.Join(r.dir, filename), true) + case metadata.SNAPSHOT: + filename := fmt.Sprintf("%d.%s.json", r.roles.Snapshot().Signed.Version, name) + err = r.roles.Snapshot().ToFile(filepath.Join(r.dir, filename), true) + case metadata.TIMESTAMP: + filename := fmt.Sprintf("%s.json", name) + err = r.roles.Timestamp().ToFile(filepath.Join(r.dir, filename), true) + case metadata.ROOT: + filename := fmt.Sprintf("%d.%s.json", r.roles.Root().Signed.Version, name) + err = r.roles.Root().ToFile(filepath.Join(r.dir, filename), true) + } + if err != nil { + r.t.Fatal(err) + } + } +} + func genTestRepo(t *testing.T) *testrepo { var err error r := &testrepo{ 
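Review bot: `Publish` calls `r.t.Fatal(err)`, but the `testrepo` struct introduced earlier in this series declares only `keys`, `roles` and `dir`, and no hunk in this commit adds a `t` field or sets one in `genTestRepo`. As it stands this commit would presumably not compile on its own, which breaks bisecting across the series. Passing the test handle explicitly avoids storing it: `func (r *testrepo) Publish(t *testing.T)` with `t.Helper()` as the first statement, called as `r.Publish(t)`.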
@@ -220,26 +243,7 @@ func genTestRepo(t *testing.T) *testrepo { t.Fatal(err) } } - - for _, name := range metadata.TOP_LEVEL_ROLE_NAMES { - switch name { - case metadata.TARGETS: - filename := fmt.Sprintf("%d.%s.json", r.roles.Targets(metadata.TARGETS).Signed.Version, name) - err = r.roles.Targets(metadata.TARGETS).ToFile(filepath.Join(r.dir, filename), true) - case metadata.SNAPSHOT: - filename := fmt.Sprintf("%d.%s.json", r.roles.Snapshot().Signed.Version, name) - err = r.roles.Snapshot().ToFile(filepath.Join(r.dir, filename), true) - case metadata.TIMESTAMP: - filename := fmt.Sprintf("%s.json", name) - err = r.roles.Timestamp().ToFile(filepath.Join(r.dir, filename), true) - case metadata.ROOT: - filename := fmt.Sprintf("%d.%s.json", r.roles.Root().Signed.Version, name) - err = r.roles.Root().ToFile(filepath.Join(r.dir, filename), true) - } - if err != nil { - t.Fatal(err) - } - } + r.Publish() return r } From ee12af46c9f6fa8e80e8dff03d398f86cf3b33eb Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Wed, 7 Feb 2024 10:59:51 -0500 Subject: [PATCH 25/33] Add target support and refresh test Signed-off-by: Cody Soyland --- pkg/tuf/client_test.go | 181 ++++++++++++++++++++++------------------- 1 file changed, 99 insertions(+), 82 deletions(-) diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go index 8b4d2aa5..b6bdc82c 100644 --- a/pkg/tuf/client_test.go +++ b/pkg/tuf/client_test.go @@ -49,9 +49,9 @@ func TestNewOfflineClientFail(t *testing.T) { assert.Error(t, err) } -func TestGetTarget(t *testing.T) { - r := genTestRepo(t) - +func TestRefresh(t *testing.T) { + r := newTestRepo(t) + r.AddTarget("foo", []byte("foo 1")) rootJSON, err := r.roles.Root().ToBytes(false) if err != nil { t.Fatal(err) @@ -61,7 +61,8 @@ func TestGetTarget(t *testing.T) { WithRepositoryBaseURL("https://testing.local"). WithRoot(rootJSON). WithCachePath(t.TempDir()). - WithFetcher(r) + WithFetcher(r). + WithDisableLocalCache() c, err := New(opt) assert.NotNil(t, c) assert.NoError(t, err) 
@@ -69,6 +70,15 @@ func TestGetTarget(t *testing.T) { target, err := c.GetTarget("foo") assert.NoError(t, err) assert.NotNil(t, target) + assert.Equal(t, target, []byte("foo 1")) + + r.AddTarget("foo", []byte("foo 2")) + assert.NoError(t, c.Refresh()) + + target, err = c.GetTarget("foo") + assert.NoError(t, err) + assert.NotNil(t, target) + assert.Equal(t, target, []byte("foo 2")) } type repo interface { 
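Review bot: The new `assert.Equal(t, target, []byte("foo 1"))` calls pass the value under test in the expected position. Testify's signature is `Equal(t, expected, actual)`, so a failure would report the fetched bytes as the expectation. Writing `assert.Equal(t, []byte("foo 1"), target)` keeps the failure output truthful; the TestCache and TestExpiredTimestamp hunks later in the series use the same swapped order. TestRefresh begins in the previous hunk.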
@@ -85,6 +95,71 @@ type testrepo struct { keys map[string]ed25519.PrivateKey roles repo dir string + t *testing.T +} + +func newTestRepo(t *testing.T) *testrepo { + var err error + r := &testrepo{ + keys: make(map[string]ed25519.PrivateKey), + roles: repository.New(), + t: t, + } + targets := metadata.Targets(helperExpireIn(7)) + r.roles.SetTargets(metadata.TARGETS, targets) + r.dir, err = os.MkdirTemp("", "tuf-test-repo") + if err != nil { + t.Fatal(err) + } + err = os.Mkdir(filepath.Join(r.dir, metadata.TARGETS), 0700) + if err != nil { + t.Fatal(err) + } + snapshot := metadata.Snapshot(helperExpireIn(7)) + r.roles.SetSnapshot(snapshot) + timestamp := metadata.Timestamp(helperExpireIn(1)) + r.roles.SetTimestamp(timestamp) + root := metadata.Root(helperExpireIn(365)) + r.roles.SetRoot(root) + + for _, name := range []string{metadata.TARGETS, metadata.SNAPSHOT, metadata.TIMESTAMP, metadata.ROOT} { + _, private, err := ed25519.GenerateKey(nil) + if err != nil { + t.Fatal(err) + } + r.keys[name] = private + key, err := metadata.KeyFromPublicKey(private.Public()) + if err != nil { + t.Fatal(err) + } + err = r.roles.Root().Signed.AddKey(key, name) + if err != nil { + t.Fatal(err) + } + } + + for _, name := range metadata.TOP_LEVEL_ROLE_NAMES { + key := r.keys[name] + signer, err := signature.LoadSigner(key, crypto.Hash(0)) + if err != nil { + t.Fatal(err) + } + switch name { + case metadata.TARGETS: + _, err = r.roles.Targets(metadata.TARGETS).Sign(signer) + case metadata.SNAPSHOT: + _, err = r.roles.Snapshot().Sign(signer) + case metadata.TIMESTAMP: + _, err = r.roles.Timestamp().Sign(signer) + case metadata.ROOT: + _, err = r.roles.Root().Sign(signer) + } + if err != nil { + t.Fatal(err) + } + } + + return r } func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byte, error) { 
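Review bot: The directory created with `os.MkdirTemp("", "tuf-test-repo")` is never removed, so every test run leaves a repository tree behind in the system temp directory. `r.dir = t.TempDir()` gives the same isolation with automatic cleanup and drops one error branch. Since the helper calls `t.Fatal`, a `t.Helper()` at the top of newTestRepo would also attribute failures to the calling test.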
@@ -148,104 +223,46 @@ func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byt return []byte{}, nil } -func (r *testrepo) Publish() { - var err error - for _, name := range metadata.TOP_LEVEL_ROLE_NAMES { - switch name { - case metadata.TARGETS: - filename := fmt.Sprintf("%d.%s.json", r.roles.Targets(metadata.TARGETS).Signed.Version, name) - err = r.roles.Targets(metadata.TARGETS).ToFile(filepath.Join(r.dir, filename), true) - case metadata.SNAPSHOT: - filename := fmt.Sprintf("%d.%s.json", r.roles.Snapshot().Signed.Version, name) - err = r.roles.Snapshot().ToFile(filepath.Join(r.dir, filename), true) - case metadata.TIMESTAMP: - filename := fmt.Sprintf("%s.json", name) - err = r.roles.Timestamp().ToFile(filepath.Join(r.dir, filename), true) - case metadata.ROOT: - filename := fmt.Sprintf("%d.%s.json", r.roles.Root().Signed.Version, name) - err = r.roles.Root().ToFile(filepath.Join(r.dir, filename), true) - } - if err != nil { - r.t.Fatal(err) - } - } -} - -func genTestRepo(t *testing.T) *testrepo { - var err error - r := &testrepo{ - keys: make(map[string]ed25519.PrivateKey), - roles: repository.New(), - } - targets := metadata.Targets(helperExpireIn(7)) - r.roles.SetTargets(metadata.TARGETS, targets) - r.dir, err = os.MkdirTemp("", "tuf-test-repo") - if err != nil { - t.Fatal(err) - } - err = os.Mkdir(filepath.Join(r.dir, metadata.TARGETS), 0700) - if err != nil { - t.Fatal(err) - } - targetPath := "foo" - targetContent := []byte("foo 1") - targetHash := sha256.Sum256(targetContent) - localPath := filepath.Join(r.dir, metadata.TARGETS, fmt.Sprintf("%x.%s", targetHash, targetPath)) - err = os.WriteFile(localPath, targetContent, 0600) +func (r *testrepo) AddTarget(name string, content []byte) { + targetHash := sha256.Sum256(content) + localPath := filepath.Join(r.dir, metadata.TARGETS, fmt.Sprintf("%x.%s", targetHash, name)) + err := os.WriteFile(localPath, content, 0600) if err != nil { - t.Fatal(err) + r.t.Fatal(err) } targetFileInfo, err 
:= metadata.TargetFile().FromFile(localPath, "sha256") if err != nil { - t.Fatal(err) + r.t.Fatal(err) } - r.roles.Targets(metadata.TARGETS).Signed.Targets[targetPath] = targetFileInfo - snapshot := metadata.Snapshot(helperExpireIn(7)) - r.roles.SetSnapshot(snapshot) - timestamp := metadata.Timestamp(helperExpireIn(1)) - r.roles.SetTimestamp(timestamp) - root := metadata.Root(helperExpireIn(365)) - r.roles.SetRoot(root) + r.roles.Targets(metadata.TARGETS).Signed.Targets[name] = targetFileInfo + r.roles.Targets("targets").Signed.Version++ - for _, name := range []string{metadata.TARGETS, metadata.SNAPSHOT, metadata.TIMESTAMP, metadata.ROOT} { - _, private, err := ed25519.GenerateKey(nil) - if err != nil { - t.Fatal(err) - } - r.keys[name] = private - key, err := metadata.KeyFromPublicKey(private.Public()) - if err != nil { - t.Fatal(err) - } - err = r.roles.Root().Signed.AddKey(key, name) - if err != nil { - t.Fatal(err) - } - } + r.roles.Snapshot().Signed.Meta["targets.json"] = metadata.MetaFile(r.roles.Targets(metadata.TARGETS).Signed.Version) + r.roles.Snapshot().Signed.Version++ - for _, name := range metadata.TOP_LEVEL_ROLE_NAMES { - key := r.keys[name] - signer, err := signature.LoadSigner(key, crypto.Hash(0)) + r.roles.Timestamp().Signed.Meta["snapshot.json"] = metadata.MetaFile(r.roles.Snapshot().Signed.Version) + r.roles.Timestamp().Signed.Version++ + + for _, name := range []string{metadata.TARGETS, metadata.SNAPSHOT, metadata.TIMESTAMP} { + signer, err := signature.LoadSigner(r.keys[name], crypto.Hash(0)) if err != nil { - t.Fatal(err) + r.t.Fatal(err) } switch name { case metadata.TARGETS: + r.roles.Targets(metadata.TARGETS).ClearSignatures() _, err = r.roles.Targets(metadata.TARGETS).Sign(signer) case metadata.SNAPSHOT: + r.roles.Snapshot().ClearSignatures() _, err = r.roles.Snapshot().Sign(signer) case metadata.TIMESTAMP: + r.roles.Timestamp().ClearSignatures() _, err = r.roles.Timestamp().Sign(signer) - case metadata.ROOT: - _, err = 
r.roles.Root().Sign(signer) } if err != nil { - t.Fatal(err) + r.t.Fatal(err) } } - r.Publish() - - return r } // helperExpireIn returns time offset by days From fe78b3457c0ae7435c2dcaf80cf05230de54a10e Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Wed, 7 Feb 2024 16:45:30 -0500 Subject: [PATCH 26/33] Add TUF caching tests Signed-off-by: Cody Soyland --- pkg/tuf/client.go | 7 +- pkg/tuf/client_test.go | 180 +++++++++++++++++++++++++++++++++++++---- pkg/tuf/config.go | 2 +- 3 files changed, 168 insertions(+), 21 deletions(-) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 9e22356f..b41cb093 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -128,8 +128,7 @@ func (c *Client) loadMetadata() error { cfg = &Config{} } - cacheValidUntil := cfg.LastTimestamp.Add( - time.Duration(-24*c.opts.CacheValidity) * time.Hour) + cacheValidUntil := cfg.LastTimestamp.AddDate(0, 0, c.opts.CacheValidity) if time.Now().Before(cacheValidUntil) { // No need to update return nil @@ -183,12 +182,12 @@ func (c *Client) GetTarget(target string) ([]byte, error) { const filePath = "" ti, err := c.up.GetTargetInfo(target) if err != nil { - return nil, fmt.Errorf("target %s not found: %w", target, err) + return nil, fmt.Errorf("getting info for target \"%s\": %w", target, err) } path, tb, err := c.up.FindCachedTarget(ti, filePath) if err != nil { - return nil, fmt.Errorf("error getting target cache: %w", err) + return nil, fmt.Errorf("getting target cache: %w", err) } if path != "" { // Cached version found diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go index b6bdc82c..5ac0b61c 100644 --- a/pkg/tuf/client_test.go +++ b/pkg/tuf/client_test.go @@ -51,7 +51,7 @@ func TestNewOfflineClientFail(t *testing.T) { func TestRefresh(t *testing.T) { r := newTestRepo(t) - r.AddTarget("foo", []byte("foo 1")) + r.AddTarget("foo", []byte("foo version 1")) rootJSON, err := r.roles.Root().ToBytes(false) if err != nil { t.Fatal(err) 
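Review bot: In AddTarget the loop `for _, name := range []string{metadata.TARGETS, metadata.SNAPSHOT, metadata.TIMESTAMP}` shadows the `name` parameter that was just used as the target path, which makes the re-signing section easy to misread; a loop variable such as `role` avoids that. The version bump also uses the literal `"targets"` where the neighbouring lines use the constant: `r.roles.Targets(metadata.TARGETS).Signed.Version++`. A one-line comment that root is deliberately not re-signed here would help, since the removed code signed all four roles.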
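Review bot: `cacheValidUntil` is derived from `cfg.LastTimestamp`, which is read from the local config file, and nothing in this hunk bounds it against the current time. A value in the future (a clock rollback, or a modified cache file) would keep `time.Now().Before(cacheValidUntil)` true for longer than `CacheValidity` days and skip the refresh. Treating a future timestamp as stale closes that gap: `if now := time.Now(); !cfg.LastTimestamp.After(now) && now.Before(cacheValidUntil) {`. loadMetadata starts and ends outside this hunk, so any other staleness checks it performs are not visible here.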
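Review bot: The new message hand-quotes the target with `\"%s\"`. `%q` does the quoting and also escapes control characters in a caller-supplied target name before it reaches logs: `fmt.Errorf("getting info for target %q: %w", target, err)`. GetTarget continues past the end of this hunk.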
@@ -70,17 +70,140 @@ func TestRefresh(t *testing.T) { target, err := c.GetTarget("foo") assert.NoError(t, err) assert.NotNil(t, target) - assert.Equal(t, target, []byte("foo 1")) + assert.Equal(t, target, []byte("foo version 1")) - r.AddTarget("foo", []byte("foo 2")) + r.AddTarget("foo", []byte("foo version 2")) assert.NoError(t, c.Refresh()) target, err = c.GetTarget("foo") assert.NoError(t, err) assert.NotNil(t, target) - assert.Equal(t, target, []byte("foo 2")) + assert.Equal(t, target, []byte("foo version 2")) } +func TestCache(t *testing.T) { + r := newTestRepo(t) + r.AddTarget("foo", []byte("foo version 1")) + rootJSON, err := r.roles.Root().ToBytes(false) + if err != nil { + t.Fatal(err) + } + + var opt = DefaultOptions(). + WithRepositoryBaseURL("https://testing.local"). + WithRoot(rootJSON). + WithCachePath(t.TempDir()). + WithFetcher(r). + WithCacheValidity(1) + + c, err := New(opt) + assert.NotNil(t, c) + assert.NoError(t, err) + + target, err := c.GetTarget("foo") + assert.NoError(t, err) + assert.NotNil(t, target) + assert.Equal(t, target, []byte("foo version 1")) + + r.AddTarget("foo", []byte("foo version 2")) + + // Create new client with the same cache path + c, err = New(opt) + assert.NotNil(t, c) + assert.NoError(t, err) + + target, err = c.GetTarget("foo") + assert.NoError(t, err) + assert.NotNil(t, target) + // Cache is still valid, so we should get the old version + assert.Equal(t, target, []byte("foo version 1")) + + // Set last updated time to 2 days ago, to trigger cache refresh + cfg, err := LoadConfig(c.configPath()) + if err != nil { + t.Fatal(err) + } + cfg.LastTimestamp = time.Now().Add(-48 * time.Hour) + err = cfg.Persist(c.configPath()) + if err != nil { + t.Fatal(err) + } + + // Create new client with the same cache path + c, err = New(opt) + assert.NotNil(t, c) + assert.NoError(t, err) + + // Now we should get the new version + target, err = c.GetTarget("foo") + assert.NoError(t, err) + assert.Equal(t, target, []byte("foo version 
2")) +} + +func TestExpiredTimestamp(t *testing.T) { + r := newTestRepo(t) + r.AddTarget("foo", []byte("foo version 1")) + rootJSON, err := r.roles.Root().ToBytes(false) + if err != nil { + t.Fatal(err) + } + + var opt = DefaultOptions(). + WithRepositoryBaseURL("https://testing.local"). + WithRoot(rootJSON). + WithCachePath(t.TempDir()). + WithFetcher(r). + WithCacheValidity(1) + + c, err := New(opt) + assert.NotNil(t, c) + assert.NoError(t, err) + + target, err := c.GetTarget("foo") + assert.NoError(t, err) + assert.Equal(t, target, []byte("foo version 1")) + + r.AddTarget("foo", []byte("foo version 2")) + + opt.ForceCache = true + c, err = New(opt) + assert.NotNil(t, c) + assert.NoError(t, err) + + target, err = c.GetTarget("foo") + assert.NoError(t, err) + // Using ForceCache, so we should get the old version + assert.Equal(t, target, []byte("foo version 1")) + + r.SetTimestamp(time.Now()) + + // Manually write timestamp to disk, as Refresh() will fail + err = r.roles.Timestamp().ToFile(filepath.Join(opt.CachePath, "testing.local", "timestamp.json"), false) + if err != nil { + t.Fatal(err) + } + + // Client creation should fail as the timestamp is expired and the repository has an expired timestamp + c, err = New(opt) + assert.Nil(t, c) + assert.Error(t, err) + + // Update repo with unexpired timestamp + r.SetTimestamp(time.Now().AddDate(0, 0, 1)) + + c, err = New(opt) + assert.NotNil(t, c) + assert.NoError(t, err) + + target, err = c.GetTarget("foo") + assert.NoError(t, err) + // Even though ForceCache is set, we should get the new version since the cached timestamp is expired + assert.Equal(t, target, []byte("foo version 2")) +} + +// repo represents repositoryType from +// github.com/theupdateframework/go-tuf/v2/metadata/repository, which is +// unexported. type repo interface { Root() *metadata.Metadata[metadata.RootType] SetRoot(meta *metadata.Metadata[metadata.RootType]) 
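Review bot: In TestCache and TestExpiredTimestamp each `New(opt)` is followed by `assert.NotNil(t, c)` and `assert.NoError(t, err)`, which record a failure but let the test run on into `c.GetTarget("foo")` with a nil client. `require.NoError(t, err)` from testify's `require` package (if importing it is acceptable in this file) stops at the real cause instead of a nil-pointer panic. The path `filepath.Join(opt.CachePath, "testing.local", "timestamp.json")` also hard-codes the client's cache layout. A comment saying it mirrors the host given to `WithRepositoryBaseURL` would make that coupling explicit.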
@@ -91,21 +214,28 @@ type repo interface { Targets(name string) *metadata.Metadata[metadata.TargetsType] SetTargets(name string, meta *metadata.Metadata[metadata.TargetsType]) } -type testrepo struct { + +// testRepo is a basic implementation of a TUF repository for testing purposes. +// It does not support delegates, multiple signers, thresholds, or other +// advanced TUF features, but it is sufficient for testing the sigstore-go +// client. Those other features should be covered by the go-tuf tests. This is +// primarily intended to test the caching and fetching behavior of the client. +type testRepo struct { keys map[string]ed25519.PrivateKey roles repo dir string t *testing.T } -func newTestRepo(t *testing.T) *testrepo { +func newTestRepo(t *testing.T) *testRepo { var err error - r := &testrepo{ + r := &testRepo{ keys: make(map[string]ed25519.PrivateKey), roles: repository.New(), t: t, } - targets := metadata.Targets(helperExpireIn(7)) + tomorrow := time.Now().AddDate(0, 0, 1).UTC() + targets := metadata.Targets(tomorrow) r.roles.SetTargets(metadata.TARGETS, targets) r.dir, err = os.MkdirTemp("", "tuf-test-repo") if err != nil { @@ -115,11 +245,11 @@ func newTestRepo(t *testing.T) *testrepo { if err != nil { t.Fatal(err) } - snapshot := metadata.Snapshot(helperExpireIn(7)) + snapshot := metadata.Snapshot(tomorrow) r.roles.SetSnapshot(snapshot) - timestamp := metadata.Timestamp(helperExpireIn(1)) + timestamp := metadata.Timestamp(tomorrow) r.roles.SetTimestamp(timestamp) - root := metadata.Root(helperExpireIn(365)) + root := metadata.Root(tomorrow) r.roles.SetRoot(root) for _, name := range []string{metadata.TARGETS, metadata.SNAPSHOT, metadata.TIMESTAMP, metadata.ROOT} { 
@@ -162,7 +292,10 @@ func newTestRepo(t *testing.T) *testrepo { return r } -func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byte, error) { +// DownloadFile is a test implementation of the Fetcher interface, which the +// client may use to avoid making real HTTP requests. It returns the contents +// of the metadata files and target files in the test repository. +func (r *testRepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byte, error) { u, err := url.Parse(urlPath) if err != nil { return []byte{}, err @@ -223,7 +356,10 @@ func (r *testrepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byt return []byte{}, nil } -func (r *testrepo) AddTarget(name string, content []byte) { +// AddTarget adds a target file to the repository. It also creates a new +// snapshot and timestamp metadata file, and signs them with the appropriate +// key. +func (r *testRepo) AddTarget(name string, content []byte) { targetHash := sha256.Sum256(content) localPath := filepath.Join(r.dir, metadata.TARGETS, fmt.Sprintf("%x.%s", targetHash, name)) err := os.WriteFile(localPath, content, 0600) @@ -265,7 +401,19 @@ func (r *testrepo) AddTarget(name string, content []byte) { } } -// helperExpireIn returns time offset by days -func helperExpireIn(days int) time.Time { - return time.Now().AddDate(0, 0, days).UTC() +// SetTimestamp sets the expiration date of the timestamp metadata file to the +// given date, and increments the version number. It then signs the metadata +// file with the appropriate key. +func (r *testRepo) SetTimestamp(date time.Time) { + r.roles.Timestamp().Signed.Expires = date + r.roles.Timestamp().Signed.Version++ + signer, err := signature.LoadSigner(r.keys[metadata.TIMESTAMP], crypto.Hash(0)) + if err != nil { + r.t.Fatal(err) + } + r.roles.Timestamp().ClearSignatures() + _, err = r.roles.Timestamp().Sign(signer) + if err != nil { + r.t.Fatal(err) + } } 
diff --git a/pkg/tuf/config.go b/pkg/tuf/config.go index a10b97c2..3f5a81f1 100644 --- a/pkg/tuf/config.go +++ b/pkg/tuf/config.go @@ -45,7 +45,7 @@ func (c *Config) Persist(p string) error { if err != nil { return fmt.Errorf("failed to JSON marshal config: %w", err) } - err = os.WriteFile(p, b, 0400) // Read only by current user + err = os.WriteFile(p, b, 0600) if err != nil { return fmt.Errorf("failed to write config: %w", err) } From 651aff17e5e17d414a9dd33b0f2452874f7d55dc Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Wed, 7 Feb 2024 17:14:34 -0500 Subject: [PATCH 27/33] Remove unreachable code, add more tests It is impossible to reach the timestamp checks in loadMetadata, as the preceeding code to load metadata and verify it will force an online refresh anyway, so at this point, the cache has already been updated. Setting RemoteTargetsURL is not necessary as go-tuf will set that correctly by default. Signed-off-by: Cody Soyland --- pkg/tuf/client.go | 22 ++-------------------- pkg/tuf/client_test.go | 29 +++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 20 deletions(-) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index b41cb093..03377a91 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -16,7 +16,6 @@ package tuf import ( "fmt" - "net/url" "path/filepath" "strings" "time" @@ -41,15 +40,11 @@ func New(opts *Options) (*Client, error) { var err error if c.cfg, err = config.New(opts.RepositoryBaseURL, opts.Root); err != nil { - return nil, fmt.Errorf("failed to create TUF repo: %w", err) + return nil, fmt.Errorf("failed to create TUF client: %w", err) } c.cfg.LocalMetadataDir = dir c.cfg.LocalTargetsDir = filepath.Join(dir, "targets") - c.cfg.RemoteTargetsURL, err = url.JoinPath(opts.RepositoryBaseURL, "targets") - if err != nil { - return nil, fmt.Errorf("malformed config mirror: %w", err) - } c.cfg.DisableLocalCache = c.opts.DisableLocalCache c.cfg.PrefixTargetsWithHash = !c.opts.DisableConsistentSnapshot 
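Review bot: The mode passed to `os.WriteFile` only applies when the file is created, so a config already written with 0400 by the previous code keeps that mode, and a later Persist on it can still fail with a permission error. If such cache files can exist, remove the file or `os.Chmod` it before writing. The change also drops the comment that explained the mode; something like `// 0600: owner-only, and writable so the config can be updated on later runs` would record why it is no longer read-only. Persist begins above this hunk.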
@@ -105,25 +100,12 @@ func (c *Client) loadMetadata() error { return c.Refresh() } - tm := c.up.GetTrustedMetadataSet() if c.opts.ForceCache { - // Use cache until it expires - if tm.Timestamp.Signed.IsExpired(time.Now()) { - return c.Refresh() - } - - // Cache not expired, return return nil } else if c.opts.CacheValidity > 0 { - // Use cached metadata for up to CacheValidity days. - if tm.Timestamp.Signed.IsExpired(time.Now()) { - // Always update if the timestamp is expired - return c.Refresh() - } - cfg, err := LoadConfig(c.configPath()) if err != nil { - // Config may not exist, don'tt error + // Config may not exist, don't error // create a new empty config cfg = &Config{} } diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go index 5ac0b61c..e2c8f48a 100644 --- a/pkg/tuf/client_test.go +++ b/pkg/tuf/client_test.go @@ -81,6 +81,35 @@ func TestRefresh(t *testing.T) { assert.Equal(t, target, []byte("foo version 2")) } +func TestInvalidRoot(t *testing.T) { + r := newTestRepo(t) + r2 := newTestRepo(t) + rootJSON, err := r.roles.Root().ToBytes(false) + if err != nil { + t.Fatal(err) + } + + // Create a client with a root that is not signed by the given repository fetcher + var opt = DefaultOptions(). + WithRepositoryBaseURL("https://testing.local"). + WithRoot(rootJSON). + WithCachePath(t.TempDir()). + WithFetcher(r2). + WithDisableLocalCache() + c, err := New(opt) + assert.Nil(t, c) + assert.Error(t, err) +} + +func TestInvalidRepositoryURL(t *testing.T) { + var opt = DefaultOptions(). + WithRepositoryBaseURL(string(byte(0x7f))). + WithCachePath(t.TempDir()) + c, err := New(opt) + assert.Nil(t, c) + assert.Error(t, err) +} + func TestCache(t *testing.T) { r := newTestRepo(t) r.AddTarget("foo", []byte("foo version 1")) From fd475dab547a3ee8da6cb0f075585836ce6cf927 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 9 Feb 2024 08:35:35 +0100 Subject: [PATCH 28/33] Updated go-tuf 
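Review bot: With the expiry checks removed, the `ForceCache` branch returns nil unconditionally and depends on code above this hunk to have rejected or refreshed an expired timestamp. That invariant is what keeps a forced cache from serving stale metadata, so it should be stated at the branch, for example `// Cached metadata was loaded and verified above; an expired timestamp has already forced a refresh.` The commit message says the earlier load-and-verify step guarantees this, but that code is outside the hunk. It is worth confirming that the ForceCache case with an expired cached timestamp stays covered by a test.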
Signed-off-by: Fredrik Skogman --- examples/oci-image-verification/go.mod | 28 ++-- examples/oci-image-verification/go.sum | 171 ++++++++++++------------- 2 files changed, 99 insertions(+), 100 deletions(-) diff --git a/examples/oci-image-verification/go.mod b/examples/oci-image-verification/go.mod index 9d209907..bc7c735b 100644 --- a/examples/oci-image-verification/go.mod +++ b/examples/oci-image-verification/go.mod @@ -1,6 +1,6 @@ module github.com/sigstore/sigstore-go/examples/oci-image-verification -go 1.21.5 +go 1.21 replace github.com/sigstore/sigstore-go => ../../ @@ -24,7 +24,7 @@ require ( github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect - github.com/go-logr/logr v1.3.0 // indirect + github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.22.0 // indirect github.com/go-openapi/errors v0.21.0 // indirect @@ -32,10 +32,10 @@ require ( github.com/go-openapi/jsonreference v0.20.4 // indirect github.com/go-openapi/loads v0.21.5 // indirect github.com/go-openapi/runtime v0.27.1 // indirect - github.com/go-openapi/spec v0.20.13 // indirect + github.com/go-openapi/spec v0.20.14 // indirect github.com/go-openapi/strfmt v0.22.0 // indirect github.com/go-openapi/swag v0.22.9 // indirect - github.com/go-openapi/validate v0.22.4 // indirect + github.com/go-openapi/validate v0.22.6 // indirect github.com/google/certificate-transparency-go v1.1.7 // indirect github.com/google/uuid v1.5.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 
@@ -62,7 +62,7 @@ require ( github.com/sassoftware/relic v7.2.1+incompatible // indirect github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect - github.com/sigstore/rekor v1.3.4 // indirect + github.com/sigstore/rekor v1.3.5 // indirect github.com/sigstore/timestamp-authority v1.2.1 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/sourcegraph/conc v0.3.0 // indirect 
@@ -73,29 +73,29 @@ require ( github.com/spf13/viper v1.18.2 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect - github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6 // indirect + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect github.com/vbatts/tar-split v0.11.3 // indirect go.mongodb.org/mongo-driver v1.13.1 // indirect - go.opentelemetry.io/otel v1.21.0 // indirect - go.opentelemetry.io/otel/metric v1.21.0 // indirect - go.opentelemetry.io/otel/trace v1.21.0 // indirect + go.opentelemetry.io/otel v1.22.0 // indirect + go.opentelemetry.io/otel/metric v1.22.0 // indirect + go.opentelemetry.io/otel/trace v1.22.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.26.0 // indirect golang.org/x/crypto v0.18.0 // indirect golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.19.0 // indirect - golang.org/x/sync v0.5.0 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/sync v0.6.0 // indirect golang.org/x/sys v0.16.0 // indirect golang.org/x/term v0.16.0 // indirect golang.org/x/text v0.14.0 // indirect - google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f // indirect + google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240122161410-6c6643bf1457 // indirect google.golang.org/protobuf v1.32.0 // indirect gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/klog/v2 v2.100.1 // indirect + k8s.io/klog/v2 v2.120.0 // indirect ) 
diff --git a/examples/oci-image-verification/go.sum b/examples/oci-image-verification/go.sum index ed71dfd4..877d5e8a 100644 --- a/examples/oci-image-verification/go.sum +++ b/examples/oci-image-verification/go.sum @@ -1,4 +1,4 @@ -cloud.google.com/go v0.110.10 h1:LXy9GEO+timppncPIAZoOj3l58LIU9k+kn48AN7IO3Y= +cloud.google.com/go v0.112.0 h1:tpFCD7hpHFlQ8yPwT3x+QeXqc2T6+n6T+hmABHfDUSM= cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= 
@@ -9,53 +9,53 @@ cloud.google.com/go/kms v1.15.5 h1:pj1sRfut2eRbD9pFRjNnPNg/CzJPuQAzUujMIM1vVeM= cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18 h1:rd389Q26LMy03gG4anandGFC2LW/xvjga5GezeeaxQk= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18/go.mod h1:fgJuSBrJP5qZtKqaMJE0hmhS2tmRH+44IkfZvjtaf1M= +github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg= +github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d/go.mod h1:XNqJ7hv2kY++g8XEHREpi+JqZo3+0l+CH2egBVN4yqM= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 h1:lGlwhPtrX6EVml1hO0ivjkUxsSyl4dsiw9qcA1k/3IQ= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1/go.mod h1:RKUqNu35KJYcVG/fqTRqmuXJZYNhYkBrnC/hX7yGbTA= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 h1:BMAjVKJM0U/CYF27gA0ZMmXGkOcvfFtD0oHVZ1TIPRI= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0/go.mod h1:1fXstnBMas5kzG+S3q8UoJcmyU6nUeunJcMDHcRYHhs= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 h1:6oNBlSdi1QqM1PNW7FPA6xOGA5UNsXnkaYZz9vdPGhA= github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY= 
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= -github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk= -github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 h1:DzHpqpoJVaCgOUdVHxE8QB52S6NiVdDQvGlny1qvPqA= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.49.4 h1:qiXsqEeLLhdLgUIyfr5ot+N/dGPWALmtM1SetRmbUlY= -github.com/aws/aws-sdk-go v1.49.4/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.24.0 h1:890+mqQ+hTpNuw0gGP6/4akolQkSToDJgHfQE7AwGuk= -github.com/aws/aws-sdk-go-v2 v1.24.0/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= -github.com/aws/aws-sdk-go-v2/config v1.26.1 h1:z6DqMxclFGL3Zfo+4Q0rLnAZ6yVkzCRxhRMsiRQnD1o= -github.com/aws/aws-sdk-go-v2/config v1.26.1/go.mod h1:ZB+CuKHRbb5v5F0oJtGdhFTelmrxd4iWO1lf0rQwSAg= -github.com/aws/aws-sdk-go-v2/credentials v1.16.12 h1:v/WgB8NxprNvr5inKIiVVrXPuuTegM+K8nncFkr1usU= -github.com/aws/aws-sdk-go-v2/credentials v1.16.12/go.mod h1:X21k0FjEJe+/pauud82HYiQbEr9jRKY3kXEIQ4hXeTQ= 
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10 h1:w98BT5w+ao1/r5sUuiH6JkVzjowOKeOJRHERyy1vh58= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10/go.mod h1:K2WGI7vUvkIv1HoNbfBA1bvIZ+9kL3YVmWxeKuLQsiw= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9 h1:v+HbZaCGmOwnTTVS86Fleq0vPzOd7tnJGbFhP0stNLs= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9/go.mod h1:Xjqy+Nyj7VDLBtCMkQYOw1QYfAEZCVLrfI0ezve8wd4= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9 h1:N94sVhRACtXyVcjXxrwK1SKFIJrA9pOJ5yu2eSHnmls= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9/go.mod h1:hqamLz7g1/4EJP+GH5NBhcUMLjW+gKLQabgyz6/7WAU= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= +github.com/aws/aws-sdk-go v1.49.21 h1:Rl8KW6HqkwzhATwvXhyr7vD4JFUMi7oXGAw9SrxxIFY= +github.com/aws/aws-sdk-go v1.49.21/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU= +github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= +github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o= +github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4= +github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8= +github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4= +github.com/aws/aws-sdk-go-v2/internal/configsources 
v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9 h1:Nf2sHxjMJR8CSImIVCONRi4g0Su3J+TSTbS7G0pUeMU= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9/go.mod h1:idky4TER38YIjr2cADF1/ugFMKvZV7p//pVeV5LZbF0= -github.com/aws/aws-sdk-go-v2/service/kms v1.27.6 h1:zzaFokMF7UVk22/Igtb93A1ReGP50uu99ldLWaEMfHc= -github.com/aws/aws-sdk-go-v2/service/kms v1.27.6/go.mod h1:D9FVDkZjkZnnFHymJ3fPVz0zOUlNSd0xcIIVmmrAac8= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.5 h1:ldSFWz9tEHAwHNmjx2Cvy1MjP5/L9kNoR0skc6wyOOM= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.5/go.mod h1:CaFfXLYL376jgbP7VKC96uFcU8Rlavak0UlAwk1Dlhc= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5 h1:2k9KmFawS63euAkY4/ixVNsYYwrwnd5fIvgEKkfZFNM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5/go.mod h1:W+nd4wWDVkSUIox9bacmkBP5NMFQeTJ/xqNabpzSR38= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.5 h1:5UYvv8JUvllZsRnfrcMQ+hJ9jNICmcgKPAO1CER25Wg= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.5/go.mod h1:XX5gh4CB7wAs4KhcF46G6C8a2i7eupU19dcAAE+EydU= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod 
h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino= +github.com/aws/aws-sdk-go-v2/service/kms v1.27.9 h1:W9PbZAZAEcelhhjb7KuwUtf+Lbc+i7ByYJRuWLlnxyQ= +github.com/aws/aws-sdk-go-v2/service/kms v1.27.9/go.mod h1:2tFmR7fQnOdQlM2ZCEPpFnBIQD1U8wmXmduBgZbOag0= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U= github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM= github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -105,10 +105,9 @@ github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyN github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= -github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-openapi/analysis v0.22.0 h1:wQ/d07nf78HNj4u+KiSY0sT234IAyePPbMgpUjUJQR0= 
@@ -123,20 +122,20 @@ github.com/go-openapi/loads v0.21.5 h1:jDzF4dSoHw6ZFADCGltDb2lE4F6De7aWSpe+IcsRz github.com/go-openapi/loads v0.21.5/go.mod h1:PxTsnFBoBe+z89riT+wYt3prmSBP6GDAQh2l9H1Flz8= github.com/go-openapi/runtime v0.27.1 h1:ae53yaOoh+fx/X5Eaq8cRmavHgDma65XPZuvBqvJYto= github.com/go-openapi/runtime v0.27.1/go.mod h1:fijeJEiEclyS8BRurYE1DE5TLb9/KZl6eAdbzjsrlLU= -github.com/go-openapi/spec v0.20.13 h1:XJDIN+dLH6vqXgafnl5SUIMnzaChQ6QTo0/UPMbkIaE= -github.com/go-openapi/spec v0.20.13/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw= +github.com/go-openapi/spec v0.20.14 h1:7CBlRnw+mtjFGlPDRZmAMnq35cRzI91xj03HVyUi/Do= +github.com/go-openapi/spec v0.20.14/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw= github.com/go-openapi/strfmt v0.22.0 h1:Ew9PnEYc246TwrEspvBdDHS4BVKXy/AOVsfqGDgAcaI= github.com/go-openapi/strfmt v0.22.0/go.mod h1:HzJ9kokGIju3/K6ap8jL+OlGAbjpSv27135Yr9OivU4= github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= -github.com/go-openapi/validate v0.22.4 h1:5v3jmMyIPKTR8Lv9syBAIRxG6lY0RqeBPB1LKEijzk8= -github.com/go-openapi/validate v0.22.4/go.mod h1:qm6O8ZIcPVdSY5219468Jv7kBdGvkiZLPOmqnqTUZ2A= +github.com/go-openapi/validate v0.22.6 h1:+NhuwcEYpWdO5Nm4bmvhGLW0rt1Fcc532Mu3wpypXfo= +github.com/go-openapi/validate v0.22.6/go.mod h1:eaddXSqKeTg5XpSmj1dYyFTK/95n/XHwcOY+BMxKMyM= github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= -github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang-jwt/jwt/v5 v5.2.0 
h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= +github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= @@ -155,8 +154,8 @@ github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= -github.com/google/trillian v1.5.3 h1:3ioA5p09qz+U9/t2riklZtaQdZclaStp0/eQNfewNRg= -github.com/google/trillian v1.5.3/go.mod h1:p4tcg7eBr7aT6DxrAoILpc3uXNfcuAvZSnQKonVg+Eo= +github.com/google/trillian v1.6.0 h1:jMBeDBIkINFvS2n6oV5maDqfRlxREAc6CW9QYWQ0qT4= +github.com/google/trillian v1.6.0/go.mod h1:Yu3nIMITzNhhMJEHjAtp6xKiu+H/iHu2Oq5FjV2mCWI= github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= 
@@ -239,8 +238,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+ github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4= github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= -github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= -github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -275,18 +274,18 @@ github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/sigstore/protobuf-specs v0.2.1 h1:KIoM7E3C4uaK092q8YoSj/XSf9720f8dlsbYwwOmgEA= github.com/sigstore/protobuf-specs v0.2.1/go.mod h1:xPqQGnH/HllKuZ4VFPz/g+78epWM/NLRGl7Fuy45UdE= -github.com/sigstore/rekor v1.3.4 h1:RGIia1iOZU7fOiiP2UY/WFYhhp50S5aUm7YrM8aiA6E= -github.com/sigstore/rekor v1.3.4/go.mod h1:1GubPVO2yO+K0m0wt/3SHFqnilr/hWbsjSOe7Vzxrlg= +github.com/sigstore/rekor v1.3.5 h1:QoVXcS7NppKY+rpbEFVHr4evGDZBBSh65X0g8PXoUkQ= +github.com/sigstore/rekor v1.3.5/go.mod h1:CWqOk/fmnPwORQmm7SyDgB54GTJizqobbZ7yOP1lvw8= github.com/sigstore/sigstore v1.8.1 h1:mAVposMb14oplk2h/bayPmIVdzbq2IhCgy4g6R0ZSjo= github.com/sigstore/sigstore v1.8.1/go.mod h1:02SL1158BSj15bZyOFz7m+/nJzLZfFd9A8ab3Kz7w/E= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.0 h1:nLaaOX85YjBKQOQHWY2UlDkbx+je8ozTEM+t1ySAb78= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.0/go.mod h1:fLxrKqPP9lIz/B3UBD4ZK6j6984eX2czu/0zxm99fkE= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.0 h1:Txd7Fjei2NVb/sjBNYybrl+FcZGptO6FXXH4pVNBQMs= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.0/go.mod h1:mZjoLdfxFzo61abWNQisk8BcUbGshTO5HCpPRjzuPUs= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.0 h1:vQKLGL2H3L6AWnTddmF4TPKKNAM6GX1CtLsvIhCtjOw= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.0/go.mod h1:eaY3HCZUSNzqfkGsvkHSCkBlTQIQ4Sym9po09fAJw5w= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.0 h1:PspwJqJtD4bo0Aboo2UBrvznNUK7ETjD270GD9WLI88= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.0/go.mod h1:8ta2z6+ZsN8o3EdxGgpSn6VCAkTqLztV0L4YnLCwrwU= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.1 h1:rEDdUefulkIQaMJyzLwtgPDLNXBIltBABiFYfb0YmgQ= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.1/go.mod 
h1:RCdYCc1IxCYWzh2IdzdA6Yf7JIY0cMRqH08fpQYechw= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.1 h1:DvRWG99QGWZC5mp42SEde2Xke/Q384Idnj2da7yB+Mk= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.1/go.mod h1:s13mo3a0UCQS3+PAUUZfvKe48sMDMsHk2GE1b2YfPcU= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.1 h1:lwdRsJv1UbBemuk7w5YfXAQilQxMoFevrzamdPbG0wY= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.1/go.mod h1:2OaSQ80EcdyVRSQ3T4d1lsc6Scopblsiq8U2AEk5K1A= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.1 h1:9Ki0qudKpc1FQdef7xHO2bkLyTuw+qNUpWRzjBEmF4c= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.1/go.mod h1:nhIgyu4YwwNgalIwTGsoAzam16jjAn3ADRSWKbWPwGI= github.com/sigstore/timestamp-authority v1.2.1 h1:j9RmqSAdvKgSofeltPO4x7d+1M3AXaROBzUJ+AA7L5Q= github.com/sigstore/timestamp-authority v1.2.1/go.mod h1:Ce+vWWEf0QaKLY2u6mpwEJbmYXEVeOfUk4fQ69kE6ck= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 
@@ -319,8 +318,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6 h1:bg4vq6E9GhRioNFR10pWdX8Ntrh9ROpQWmLCDifDT90= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240129093820-4e440e28cdf6/go.mod h1:BEDk+xfD0uVATjx1FLvIAjtDhWJnNeffL3i863gqbkM= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 h1:SsiWxSpJ9AD71/vqiZVUjXW1Uusv1wlKn4zPKFNq25w= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141/go.mod h1:D7dcS4bZMmF3pXOgUo8Vs6GLYM9sdrFFd37JqiP3hN4= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= 
@@ -339,20 +338,20 @@ go.mongodb.org/mongo-driver v1.13.1 h1:YIc7HTYsKndGK4RFzJ3covLz1byri52x0IoMB0Pt/ go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 h1:SpGay3w+nEwMpfVnbqOLH5gY52/foP8RE8UzTZ1pdSE= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1/go.mod h1:4UoMYEZOC0yN/sPGH76KPkkU7zgiEWYWL9vwmbnTJPE= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo= -go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc= -go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo= -go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4= -go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 h1:UNQQKPfTDe1J81ViolILjTKPr9WetKW6uei2hFgJmFs= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0/go.mod h1:r9vWsPS/3AQItv3OSlEJ/E4mbrhUbbw18meOjArPtKQ= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 h1:sv9kVfal0MK0wBMCOGr+HeJm9v803BkJxGrk2au7j08= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw= +go.opentelemetry.io/otel v1.22.0 h1:xS7Ku+7yTFvDfDraDIJVpw7XPyuHlB9MCiqqX5mcJ6Y= +go.opentelemetry.io/otel v1.22.0/go.mod h1:eoV4iAi3Ea8LkAEI9+GFT44O6T/D0GWAVFyZVCC6pMI= +go.opentelemetry.io/otel/metric v1.22.0 h1:lypMQnGyJYeuYPhOM/bgjbFM6WE44W1/T45er4d8Hhg= 
+go.opentelemetry.io/otel/metric v1.22.0/go.mod h1:evJGjVpZv0mQ5QBRJoBF64yMuOf4xCWdXjK8pzFvliY= go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= -go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8fpfLc= -go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ= -go.step.sm/crypto v0.40.0 h1:356UwJSM4Nhg5b5AjjjLlBNkf92Vw3Gi2r3vbEv72oc= -go.step.sm/crypto v0.40.0/go.mod h1:gfQMeTQXykihbS8e2Tdn0jtd9HbsQ7vbt+kp7efLA7U= +go.opentelemetry.io/otel/trace v1.22.0 h1:Hg6pPujv0XG9QaVbGOBVHunyuLcCC3jN7WEhPx83XD0= +go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40a21sPw2He1xo= +go.step.sm/crypto v0.42.1 h1:OmwHm3GJO8S4VGWL3k4+I+Q4P/F2s+j8msvTyGnh1Vg= +go.step.sm/crypto v0.42.1/go.mod h1:yNcTLFQBnYCA75fC5bklBoTAT7y0dRZsB1TkinB8JMs= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
@@ -373,14 +372,14 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= -golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= -golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= +golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -410,18 +409,18 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/api v0.154.0 h1:X7QkVKZBskztmpPKWQXgjJRPA2dJYrL6r+sYPRLj050= -google.golang.org/api v0.154.0/go.mod h1:qhSMkM85hgqiokIYsrRyKxrjfBeIhgl4Z2JmeRkYylc= +google.golang.org/api v0.159.0 h1:fVTj+7HHiUYz4JEZCHHoRIeQX7h5FMzrA2RF/DzDdbs= +google.golang.org/api v0.159.0/go.mod h1:0mu0TpK33qnydLvWqbImq2b1eQ5FHRSDCBzAxX9ZHyw= google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= -google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f h1:Vn+VyHU5guc9KjB5KrjI2q0wCOWEOIh0OEsleqakHJg= -google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f/go.mod h1:nWSwAFPb+qfNJXsoeO3Io7zf4tMSfN8EA8RlDA04GhY= -google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f h1:2yNACc1O40tTnrsbk9Cv6oxiW8pxI/pXj0wRtdlYmgY= -google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f/go.mod h1:Uy9bTZJqmfrw2rIBxgGLnamc78euZULUBrLZ9XTITKI= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231127180814-3a041ad873d4 h1:DC7wcm+i+P1rN3Ff07vL+OndGg5OhNddHyTA+ocPqYE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231127180814-3a041ad873d4/go.mod h1:eJVxU6o+4G1PSczBr85xmyvSNYAKvAYgkub40YGomFM= -google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= -google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac h1:ZL/Teoy/ZGnzyrqK/Optxxp2pmVh+fmJ97slxSRyzUg= +google.golang.org/genproto 
v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:+Rvu7ElI+aLzyDQhpHMFMMltsD6m7nqpuWDd2CwJw3k= +google.golang.org/genproto/googleapis/api v0.0.0-20240122161410-6c6643bf1457 h1:KHBtwE+eQc3+NxpjmRFlQ3pJQ2FNnhhgB9xOV8kyBuU= +google.golang.org/genproto/googleapis/api v0.0.0-20240122161410-6c6643bf1457/go.mod h1:4jWUdICTdgc3Ibxmr8nAJiiLHwQBY0UI0XZcEMaFKaA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac h1:nUQEQmH/csSvFECKYRv6HWEyypysidKl2I6Qpsglq/0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:daQN87bsDqDoe316QbbvX60nMoJQa4r6Ds0ZuoAe5yA= +google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0= +google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -437,8 +436,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.120.0 h1:z+q5mfovBj1fKFxiRzsa2DsJLPIVMk/KFL81LMOfK+8= +k8s.io/klog/v2 v2.120.0/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE= From 616ee986334a0b3bbf21881a87da3fafd4f11267 Mon Sep 17 00:00:00 2001 
From: Fredrik Skogman Date: Fri, 9 Feb 2024 08:36:20 +0100 Subject: [PATCH 29/33] Updated to latest go-tuf Signed-off-by: Fredrik Skogman --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 985a41d8..8f018ed0 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( github.com/sigstore/sigstore v1.8.1 github.com/sigstore/timestamp-authority v1.2.1 github.com/stretchr/testify v1.8.4 - github.com/theupdateframework/go-tuf/v2 v2.0.0-20240130081036-9d5773172084 + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 golang.org/x/crypto v0.18.0 golang.org/x/mod v0.14.0 google.golang.org/protobuf v1.32.0 diff --git a/go.sum b/go.sum index d49a7ae1..3286a499 100644 --- a/go.sum +++ b/go.sum @@ -299,8 +299,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240130081036-9d5773172084 h1:hIsOD11D9EubZYAMsR59dQ21vlckBFBSFny/q04KWxE= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240130081036-9d5773172084/go.mod h1:pDMnUv9xAuOPbmq9SQXav7WA1bGd0F8MxbMlGrDU+A8= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 h1:SsiWxSpJ9AD71/vqiZVUjXW1Uusv1wlKn4zPKFNq25w= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141/go.mod h1:D7dcS4bZMmF3pXOgUo8Vs6GLYM9sdrFFd37JqiP3hN4= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= 
From 51aaf341aef4aed282f56ffdb3dba3b047d29b3c Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 9 Feb 2024 08:43:40 +0100 Subject: [PATCH 30/33] Clarified that the updates is replaced, not the actual tuf client Signed-off-by: Fredrik Skogman --- pkg/tuf/client.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go index 03377a91..f655f540 100644 --- a/pkg/tuf/client.go +++ b/pkg/tuf/client.go @@ -130,8 +130,8 @@ func (c *Client) configPath() string { } // Refresh forces a refresh of the underlying TUF client. -// As the tuf client does not support multiple refreshes during its -// life-time, this will replace the TUF client with a new one. +// As the tuf client updater does not support multiple refreshes during +// its life-time, this will replace the TUF client updater with a new one. func (c *Client) Refresh() error { var err error From 10be16d27f3002b6153af1e8211ef80d390be263 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 9 Feb 2024 08:53:14 +0100 Subject: [PATCH 31/33] Updated to new error type (pointer) Signed-off-by: Fredrik Skogman --- pkg/tuf/client_test.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go index e2c8f48a..89d09dbb 100644 --- a/pkg/tuf/client_test.go +++ b/pkg/tuf/client_test.go 
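Review bot: The reworded comment on `Refresh` now says the updater is replaced, but its first sentence still reads "forces a refresh of the underlying TUF client", and nothing states whether the swap is safe while another goroutine is using the client. The body of `Refresh` continues outside this hunk, so whether a lock guards the replacement is not visible here. If none does, a concurrent target fetch could race with the replacement. I would make the first sentence say "updater" as well and add a line such as `// Refresh is not safe for concurrent use with other Client methods.`, or the opposite statement if a mutex protects the field.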
@@ -334,15 +334,15 @@ func (r *testRepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byt
 re := regexp.MustCompile(`/targets/[0-9a-f]{64}\.(.*)$`)
 matches := re.FindStringSubmatch(u.Path)
 if len(matches) != 2 {
- return nil, metadata.ErrDownloadHTTP{StatusCode: 404}
+ return nil, &metadata.ErrDownloadHTTP{StatusCode: 404}
 }
 targetFile, ok := r.roles.Targets(metadata.TARGETS).Signed.Targets[matches[1]]
 if !ok {
- return nil, metadata.ErrDownloadHTTP{StatusCode: 404}
+ return nil, &metadata.ErrDownloadHTTP{StatusCode: 404}
 }
 data, err := os.ReadFile(targetFile.Path)
 if err != nil {
- return nil, metadata.ErrDownloadHTTP{StatusCode: 404}
+ return nil, &metadata.ErrDownloadHTTP{StatusCode: 404}
 }
 return data, nil
 }
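Review bot: In the target branch a failed `os.ReadFile(targetFile.Path)` is still returned as `&metadata.ErrDownloadHTTP{StatusCode: 404}`, so a broken fixture path looks exactly like an unknown target to the code under test and the original `err` is dropped. Since the return lines are being touched anyway, a short comment there, e.g. `// fixture read failures are surfaced as 404, like a missing target`, would make the intent explicit. `DownloadFile` starts before this hunk, so the earlier part of the function is not visible here.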
@@ -353,31 +353,31 @@ func (r *testRepo) DownloadFile(urlPath string, _ int64, _ time.Duration) ([]byt
 re := regexp.MustCompile(`/(\d+)\.(root|snapshot|targets)\.json$`)
 matches := re.FindStringSubmatch(u.Path)
 if len(matches) != 3 {
- return nil, metadata.ErrDownloadHTTP{StatusCode: 404}
+ return nil, &metadata.ErrDownloadHTTP{StatusCode: 404}
 }
 role := matches[2]
 version, err := strconv.Atoi(matches[1])
 if err != nil {
- return []byte{}, metadata.ErrDownload{}
+ return []byte{}, &metadata.ErrDownload{}
 }
 switch role {
 case metadata.ROOT:
 // TODO: handle all versions of signed root
 meta := r.roles.Root()
 if meta.Signed.Version != int64(version) {
- return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404}
+ return []byte{}, &metadata.ErrDownloadHTTP{StatusCode: 404}
 }
 return meta.ToBytes(false)
 case metadata.SNAPSHOT:
 meta := r.roles.Snapshot()
 if meta.Signed.Version != int64(version) {
- return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404}
+ return []byte{}, &metadata.ErrDownloadHTTP{StatusCode: 404}
 }
 return meta.ToBytes(false)
 case metadata.TARGETS:
 meta := r.roles.Targets(metadata.TARGETS)
 if meta.Signed.Version != int64(version) {
- return []byte{}, metadata.ErrDownloadHTTP{StatusCode: 404}
+ return []byte{}, &metadata.ErrDownloadHTTP{StatusCode: 404}
 }
 return meta.ToBytes(false)
 }
From 1d0f1569d70fe7510087e75e714d2e32ced81ce2 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Fri, 9 Feb 2024 11:34:37 -0500
Subject: [PATCH 32/33] Use 0 days for default CacheValidity
Signed-off-by: Cody Soyland
---
 pkg/tuf/options.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pkg/tuf/options.go b/pkg/tuf/options.go
index 60f44736..a675600b 100644
--- a/pkg/tuf/options.go
+++ b/pkg/tuf/options.go
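Review bot: The error returns in this hunk mix `nil` and `[]byte{}` as the data value: the first return uses `nil` and the remaining ones `[]byte{}`, while the previous hunk of the same function uses `nil` throughout. The slice carries no meaning when the error is non-nil, so `return nil, &metadata.ErrDownloadHTTP{StatusCode: 404}` everywhere would read more uniformly. Separately, with the move to pointer errors any `errors.As` target has to be a `*metadata.ErrDownloadHTTP`; a value-typed target would silently stop matching. Those call sites are outside this diff, so this is worth a quick check rather than a confirmed problem.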
@@ -29,7 +29,7 @@ const DefaultMirror = "https://tuf-repo-cdn.sigstore.dev" // Options represent the various options for a Sigstore TUF Client type Options struct { - // CacheValidity period in days (default 1) + // CacheValidity period in days (default 0) CacheValidity int // ForceCache controls if the cache should be used without update // as long as the metadata is valid @@ -110,7 +110,6 @@ func DefaultOptions() *Options { // Fall back to using a TUF repository in the temp location home = os.TempDir() } - opts.CacheValidity = 1 opts.CachePath = filepath.Join(home, ".sigstore", "root") opts.RepositoryBaseURL = DefaultMirror From 37bb81f23f151ab91ed0dc27e3179c19be0966a9 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Fri, 9 Feb 2024 16:57:38 -0500 Subject: [PATCH 33/33] Clarify CacheValidity option and add NoCache/MaxCache consts Signed-off-by: Cody Soyland --- pkg/tuf/options.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/pkg/tuf/options.go b/pkg/tuf/options.go index a675600b..a790bd5c 100644 --- a/pkg/tuf/options.go +++ b/pkg/tuf/options.go @@ -16,6 +16,7 @@ package tuf import ( "embed" + "math" "os" "path/filepath" 
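Review bot: After the removal of `opts.CacheValidity = 1` from `DefaultOptions`, the new default of 0 exists only as the implicit zero value of the struct field. The one-word comment edit in the first hunk is the only trace of it. Because this setting decides how long cached trust-root metadata is used before the mirror is consulted again, I would state the intent where the defaults are assembled, e.g. `// CacheValidity stays 0: cached metadata is not reused without a refresh`. That reading of 0 is inferred from the field comment, as the refresh logic is not in this diff. A test asserting that `DefaultOptions` leaves `CacheValidity` at 0 would keep the default from drifting back.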
@@ -25,11 +26,20 @@ import ( //go:embed repository var embeddedRepo embed.FS -const DefaultMirror = "https://tuf-repo-cdn.sigstore.dev" +const ( + DefaultMirror = "https://tuf-repo-cdn.sigstore.dev" + + // The following caching values can be used for the CacheValidity option + NoCache = 0 + MaxCache = math.MaxInt +) // Options represent the various options for a Sigstore TUF Client type Options struct { - // CacheValidity period in days (default 0) + // CacheValidity period in days (default 0). Note that the client will + // always refresh the cache if the metadata is expired, so this is not an + // optimal control for air-gapped environments. Use const MaxCache to only + // update the cache when the metadata is expired. CacheValidity int // ForceCache controls if the cache should be used without update // as long as the metadata is valid
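Review bot: `MaxCache = math.MaxInt` is a value for a field documented as a number of days, and a value that large can overflow date or duration arithmetic. How the client turns `CacheValidity` into a deadline is outside this hunk, so whether the result lands in the past or at an arbitrary time is unconfirmed. A test that sets `CacheValidity: MaxCache` and asserts the cache is actually reused would settle it; alternatively the client could special-case the constant. The two new exported constants also share one group comment, where Go doc convention would give each its own, e.g. `// NoCache makes the client refresh metadata on every use.` and `// MaxCache reuses cached metadata until it expires.` The `Options` struct continues past the end of this hunk.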