From 266c96f2776147eb3de1a02f9af51b721be7a2f0 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Fri, 22 Mar 2024 16:58:55 -0400
Subject: [PATCH] Add test for fetching trusted_root.json from TUF repo

Signed-off-by: Cody Soyland
---
 hack/gentestdata/gentestdata.go | 46 ++++++---
 .../trustroot/testdata/ctfeLogID.txt | 2 +-
 .../trustroot/testdata/ctfePublicKey.pem | 4 +-
 .../trustroot/testdata/fulcioCertChain.pem | 28 +++---
 .../trustroot/testdata/marshalledEntry.json | 86 ++++++++---------
 .../testdata/marshalledEntryFromMirrorFS.json | 50 +++++-----
 .../trustroot/testdata/rekorLogID.txt | 2 +-
 .../trustroot/testdata/rekorPublicKey.pem | 4 +-
 pkg/reconciler/trustroot/testdata/root.json | 30 +++---
 .../testdata/rootWithTrustedRootJSON.json | 87 ++++++++++++++++++
 .../trustroot/testdata/tsaCertChain.pem | 26 +++---
 pkg/reconciler/trustroot/testdata/tufRepo.tar | Bin 2837 -> 2835 bytes
 .../testdata/tufRepoWithTrustedRootJSON.tar | Bin 0 -> 3425 bytes
 pkg/reconciler/trustroot/trustroot.go | 1 -
 pkg/reconciler/trustroot/trustroot_test.go | 38 +++++++-
 15 files changed, 269 insertions(+), 135 deletions(-)
 create mode 100644 pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json
 create mode 100644 pkg/reconciler/trustroot/testdata/tufRepoWithTrustedRootJSON.tar

diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go
index 29c54646..2600749a 100644
--- a/hack/gentestdata/gentestdata.go
+++ b/hack/gentestdata/gentestdata.go
@@ -77,7 +77,23 @@ func main() {
 log.Fatal(err)
 }
 
- marshalledEntryFromMirrorFS, tufRepo, rootJSON, err := genTUFRepo(sigstoreKeysMap)
+ tufRepo, rootJSON, err := genTUFRepo(map[string][]byte{
+ "rekor.pem": []byte(sigstoreKeysMap["rekor"]),
+ "ctfe.pem": []byte(sigstoreKeysMap["ctfe"]),
+ "fulcio.pem": []byte(sigstoreKeysMap["fulcio"]),
+ })
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ tufRepoWithTrustedRootJSON, rootJSONWithTrustedRootJSON, err := genTUFRepo(map[string][]byte{
+ "trusted_root.json": marshalledEntry,
+ })
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ marshalledEntryFromMirrorFS, err := genTrustedRoot(sigstoreKeysMap)
 if err != nil {
 log.Fatal(err)
 }
@@ -92,6 +108,8 @@ func main() {
 mustWriteFile("marshalledEntryFromMirrorFS.json", marshalledEntryFromMirrorFS)
 mustWriteFile("tufRepo.tar", tufRepo)
 mustWriteFile("root.json", rootJSON)
+ mustWriteFile("tufRepoWithTrustedRootJSON.tar", tufRepoWithTrustedRootJSON)
+ mustWriteFile("rootWithTrustedRootJSON.json", rootJSONWithTrustedRootJSON)
 }
 
 func mustWriteFile(path string, data []byte) {
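Review bot: Nothing in `main()` records that the two `genTUFRepo` calls produce independent trust anchors, so a reader cannot tell that `tufRepo.tar` only verifies against `root.json` and `tufRepoWithTrustedRootJSON.tar` only against `rootWithTrustedRootJSON.json`; the fixture hunks later in this patch show different root key IDs in the two files. Both roots also carry an `expires` of 2024-09-22, about six months after generation, so any test that enforces metadata expiry (the test file is outside this view) will presumably need the fixtures regenerated. I would add a comment above the first call such as `// Each genTUFRepo call creates fresh root keys and expiry; keep every .tar with its own root JSON and regenerate both when the metadata expires.`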
@@ -204,39 +222,37 @@ func genLogID(pkBytes []byte) (string, error) { return cosign.GetTransparencyLogID(pk) } -func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, error) { - files := map[string][]byte{} - files["rekor.pem"] = []byte(sigstoreKeysMap["rekor"]) - files["ctfe.pem"] = []byte(sigstoreKeysMap["ctfe"]) - files["fulcio.pem"] = []byte(sigstoreKeysMap["fulcio"]) - +func genTUFRepo(files map[string][]byte) ([]byte, []byte, error) { defer os.RemoveAll(path.Join(os.TempDir(), "tuf")) // TODO: Update scaffolding to use os.MkdirTemp and remove this ctx := context.Background() local, dir, err := repo.CreateRepo(ctx, files) if err != nil { - return nil, nil, nil, err + return nil, nil, err } meta, err := local.GetMeta() if err != nil { - return nil, nil, nil, err + return nil, nil, err } rootJSON, ok := meta["root.json"] if !ok { - return nil, nil, nil, err + return nil, nil, err } var compressed bytes.Buffer if err := repo.CompressFS(os.DirFS(dir), &compressed, map[string]bool{"keys": true, "staged": true}); err != nil { - return nil, nil, nil, err + return nil, nil, err } + return compressed.Bytes(), rootJSON, nil +} +func genTrustedRoot(sigstoreKeysMap map[string]string) ([]byte, error) { tlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap["rekor"])) if err != nil { - return nil, nil, nil, err + return nil, err } ctlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap["ctfe"])) if err != nil { - return nil, nil, nil, err + return nil, err } trustRoot := &config.SigstoreKeys{ @@ -257,8 +273,8 @@ func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, erro } err = populateLogIDs(trustRoot) if err != nil { - return nil, nil, nil, err + return nil, err } trustRootBytes := []byte(protojson.Format(trustRoot)) - return trustRootBytes, compressed.Bytes(), rootJSON, nil + return trustRootBytes, nil } 
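Review bot: In `genTUFRepo`, the `if !ok` branch after `meta["root.json"]` returns `err`, which is necessarily nil there because `local.GetMeta()` has just succeeded, so a repository without root metadata comes back as `nil, nil, nil` and `main()` goes on to call `mustWriteFile` with nil data instead of stopping. Return an explicit error on that path, for example `return nil, nil, errors.New("root.json missing from TUF repo metadata")`; this needs `errors` in the import block, which is outside the hunk. The commit only drops one return value on this line, so the behaviour predates it, but the function now runs twice and produces both root-of-trust fixtures, which makes a silent empty result more costly.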
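Review bot: `genTrustedRoot` serialises the trust root with `protojson.Format`, whose output is documented as not byte-stable across builds, and nothing at the call site warns fixture consumers about that. The `marshalledEntry.json` and `marshalledEntryFromMirrorFS.json` hunks later in this patch contain removed/added pairs that appear to differ only in whitespace, which is consistent with that instability. I would add `// protojson output is not byte-stable: compare parsed messages, never raw bytes.` above the `trustRootBytes` line, and if the test (outside this view) compares bytes it should unmarshal both sides and use `proto.Equal`. The function body begins in the previous hunk.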
diff --git a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt index 0d7a64f1..6e92256b 100644 --- a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt +++ b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt @@ -1 +1 @@ -f233e0255ba7b06f768210de40a72dad6456c364f864fef10654e9d1f3576cdf \ No newline at end of file +1710e23da0651aaa8194bc9652cd00a97c1fda9c76fce12f14eb635e42036954 \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem index 1bdc24e9..ea57536c 100644 --- a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem +++ b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfz -RJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMj +ld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ== -----END PUBLIC KEY----- diff --git a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem index 9a5052ae..4b10e30d 100644 --- a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem +++ b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7f -LtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1Ud -DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggq -hkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88C -IQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug== +MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/5 +5rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1Ud +DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggq +hkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64C +IHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8 -LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX -2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICr -DiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk= +MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz +9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3 +eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55 +FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW -----END CERTIFICATE----- 
diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntry.json b/pkg/reconciler/trustroot/testdata/marshalledEntry.json index b0c9f8a5..e9fc1f2e 100644 --- a/pkg/reconciler/trustroot/testdata/marshalledEntry.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntry.json 
@@ -1,78 +1,78 @@ { - "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1", - "tlogs": [ + "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1", + "tlogs": [ { - "baseUrl": "https://rekor.example.com", - "hashAlgorithm": "SHA2_256", - "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3oWabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw==", - "keyDetails": "PKIX_ECDSA_P256_SHA_256", - "validFor": { - "start": "1970-01-01T00:00:00Z" + "baseUrl": "https://rekor.example.com", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" } }, - "logId": { - "keyId": "ODYzMWJhMjQwZTYxN2M1ZWY2NWU2Y2QxZjcwYjhhOTU1NTQ5ZmNhYjk5NmYyZGI2MGE1ZThjYWE5OWJlMWNmMg==" + "logId": { + "keyId": "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ==" } } ], - "certificateAuthorities": [ + "certificateAuthorities": [ { - "subject": { - "organization": "fulcio-organization", - "commonName": "fulcio-common-name" + "subject": { + "organization": "fulcio-organization", + "commonName": "fulcio-common-name" }, - "uri": "https://fulcio.example.com", - "certChain": { - "certificates": [ + "uri": "https://fulcio.example.com", + "certChain": { + "certificates": [ { - "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7fLtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggqhkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88CIQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug==" + "rawBytes": 
"MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT" }, { - "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICrDiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk=" + "rawBytes": "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW" } ] }, - "validFor": { - "start": "1970-01-01T00:00:00Z" + "validFor": { + "start": "1970-01-01T00:00:00Z" } } ], - "ctlogs": [ + "ctlogs": [ { - "baseUrl": "https://ctfe.example.com", - "hashAlgorithm": "SHA2_256", - "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfzRJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==", - "keyDetails": "PKIX_ECDSA_P256_SHA_256", - "validFor": { - "start": "1970-01-01T00:00:00Z" + "baseUrl": "https://ctfe.example.com", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": 
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" } }, - "logId": { - "keyId": "ZjIzM2UwMjU1YmE3YjA2Zjc2ODIxMGRlNDBhNzJkYWQ2NDU2YzM2NGY4NjRmZWYxMDY1NGU5ZDFmMzU3NmNkZg==" + "logId": { + "keyId": "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA==" } } ], - "timestampAuthorities": [ + "timestampAuthorities": [ { - "subject": { - "organization": "tsa-organization", - "commonName": "tsa-common-name" + "subject": { + "organization": "tsa-organization", + "commonName": "tsa-common-name" }, - "uri": "https://tsa.example.com", - "certChain": { - "certificates": [ + "uri": "https://tsa.example.com", + "certChain": { + "certificates": [ { - "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCOUCx97+DsDdyvKgf/FhyiMIzd40bAquTXCeZlDeKsHUhsLHrLCa8fOV8njfl8dE2ABX/lwPA+czYfDW1myooGjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRNdydaOxYhTIQG3d3Zp22F1Rj+XDAKBggqhkjOPQQDAgNJADBGAiEA7BJb9k0usb77EKqvbCfOF1fGeBFiU3i32+4HnUXC9GcCIQCZ+/gZ+G47t2OlCVNnE+9YasE9100MR/Sm9SBCzn6UTQ==" + "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDgjsTzgbEsFFuBFCp1LIRv4SwYLCLL1fxtq95tbtGj/wHQUmrKLxMLMxaxIzdJs54lIDP+LoKeK25+HBPftwtCjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRRiPL3dEhG22Qh+0GTFJ/G1SW1yDAKBggqhkjOPQQDAgNIADBFAiABNvVUla7gqF/135UkA55FQ57M6r84IArwk43Zy2aPPgIhAO8/F8k9VB5+I1FSiQL1qsM8yO6SUpVF9E+hNJ9n/6zU" }, { - "rawBytes": 
"MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjjBapPc46v5hDtKeyNshq4Xdb+t+WX6R4Jgrwpy31o+0exhZhzlMYl1aelkZi/7u9fnNsuUVfgRjSZIC1aF+7o0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUTXcnWjsWIUyEBt3d2adthdUY/lwwCgYIKoZIzj0EAwIDSQAwRgIhAOYOmibcfPIN/8DYOdEsd6JVa1RJn7dwJJueg4rNwpBzAiEAiFSpjPSVbNRUJDUOYJGPpkmj+TLh5GCoz2Bw2/oed44=" + "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARjUhxtm6QXaB2bkGKHenCToVRPhVf0PTkuS7/hTGjHhELoMrD8r3nbqyceFEl4FUTzEMDfrj/YhefX7ZbeesSho0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUYjy93RIRttkIftBkxSfxtUltcgwCgYIKoZIzj0EAwIDSQAwRgIhAJgRO/ig4ZBrlYjuNYpC/kqUIVsfSKLpS9c4/lkcTGBPAiEAq+euZ8zkevab16uWx7ZaEcElKYY3xzhTr5yQYeJPOcQ=" } ] }, - "validFor": { - "start": "1970-01-01T00:00:00Z" + "validFor": { + "start": "1970-01-01T00:00:00Z" } } ] diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json index b61c78fd..a3774db9 100644 --- a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json 
@@ -1,48 +1,48 @@ { - "tlogs": [ + "tlogs": [ { - "hashAlgorithm": "SHA2_256", - "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3oWabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw==", - "keyDetails": "PKIX_ECDSA_P256_SHA_256", - "validFor": { - "start": "1970-01-01T00:00:00Z" + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" } }, - "logId": { - "keyId": "ODYzMWJhMjQwZTYxN2M1ZWY2NWU2Y2QxZjcwYjhhOTU1NTQ5ZmNhYjk5NmYyZGI2MGE1ZThjYWE5OWJlMWNmMg==" + "logId": { + "keyId": "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ==" } } ], - "certificateAuthorities": [ + "certificateAuthorities": [ { - "certChain": { - "certificates": [ + "certChain": { + "certificates": [ { - "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7fLtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggqhkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88CIQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug==" + "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT" }, { - "rawBytes": 
"MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICrDiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk=" + "rawBytes": "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW" } ] }, - "validFor": { - "start": "1970-01-01T00:00:00Z" + "validFor": { + "start": "1970-01-01T00:00:00Z" } } ], - "ctlogs": [ + "ctlogs": [ { - "hashAlgorithm": "SHA2_256", - "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfzRJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==", - "keyDetails": "PKIX_ECDSA_P256_SHA_256", - "validFor": { - "start": "1970-01-01T00:00:00Z" + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" } }, - "logId": { - "keyId": "ZjIzM2UwMjU1YmE3YjA2Zjc2ODIxMGRlNDBhNzJkYWQ2NDU2YzM2NGY4NjRmZWYxMDY1NGU5ZDFmMzU3NmNkZg==" + "logId": { + "keyId": "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA==" } } ] 
diff --git a/pkg/reconciler/trustroot/testdata/rekorLogID.txt b/pkg/reconciler/trustroot/testdata/rekorLogID.txt index c8e072f9..e96bd223 100644 --- a/pkg/reconciler/trustroot/testdata/rekorLogID.txt +++ b/pkg/reconciler/trustroot/testdata/rekorLogID.txt @@ -1 +1 @@ -8631ba240e617c5ef65e6cd1f70b8a955549fcab996f2db60a5e8caa99be1cf2 \ No newline at end of file +adc5151f9911ee1f001edc74cd71cd58f8a11a484a8c9709490b4d966471f411 \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem index fa59362e..58573372 100644 --- a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem +++ b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3o -WabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro8 +9r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g== -----END PUBLIC KEY----- diff --git a/pkg/reconciler/trustroot/testdata/root.json b/pkg/reconciler/trustroot/testdata/root.json index d635f7bd..f7bae914 100644 --- a/pkg/reconciler/trustroot/testdata/root.json +++ b/pkg/reconciler/trustroot/testdata/root.json @@ -3,9 +3,9 @@ "_type": "root", "spec_version": "1.0", "version": 1, - "expires": "2024-09-22T15:32:01-04:00", + "expires": "2024-09-22T16:47:39-04:00", "keys": { - "4b22a801cd5addfbcf9646b3a2dd299d076be90a506d7173742df76a916b511f": { + "0c5ee15a0b35012b32989697c15e22f199d8534863a80197bea385adb908d0c9": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ 
@@ -13,10 +13,10 @@ "sha512" ], "keyval": { - "public": "a4d3caa7307b07ae60f8827d6a63a421caa9436818911ec4a5fec159c2e0a6ea" + "public": "06ba72d6fe28cc6d1d85ca8f933f7e855875af2cabb97dd075074f5d1c188249" } }, - "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59": { + "b2cf295def74b86b6a50211bfcf3ab3839a2bdbed936d95cfacce1f4c31deedd": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -24,10 +24,10 @@ "sha512" ], "keyval": { - "public": "2e9da73f5b4a9abbcaf343214f54f897cd2d66b02199ed039fe1d4d3bd002b8b" + "public": "97c5f9488951eb67f16ea9328c9537c2ade4485a0b924ec0486a236f50e80f96" } }, - "93a9525c20dcad686288e943a3a1c5c26b185d838fa25d7ca07c6bd6a80a9093": { + "d4177b1e89bf7eb02c44285e9f7907eb089ff7951199179d6fd68280dbb4d69d": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -35,10 +35,10 @@ "sha512" ], "keyval": { - "public": "4c20f29a8b91b19ed8c2446354067fc52d234412ffc9432785f966a0cde6af93" + "public": "4b92888524b5cd2de6cad461f83fb86b3f5590792c037b416132811ba71e1e8b" } }, - "a182898f8f07aa5a376da7aeaf62dbe13a23f21dc8088e28936b67a08bbefb87": { + "fcf4d6c6bfa6fccb41df570cc60e6ef63cfe45baed10c0ead716de97f4a25264": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ 
@@ -46,32 +46,32 @@ "sha512" ], "keyval": { - "public": "d5a909f2ecbbe521323e5c84970b2937955e098605d43e6aa9fe14d682eef3b3" + "public": "6f98dc24fc1df15ed2888658f711dbe59433aa7b0a62334080100fa52a483716" } } }, "roles": { "root": { "keyids": [ - "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59" + "d4177b1e89bf7eb02c44285e9f7907eb089ff7951199179d6fd68280dbb4d69d" ], "threshold": 1 }, "snapshot": { "keyids": [ - "a182898f8f07aa5a376da7aeaf62dbe13a23f21dc8088e28936b67a08bbefb87" + "b2cf295def74b86b6a50211bfcf3ab3839a2bdbed936d95cfacce1f4c31deedd" ], "threshold": 1 }, "targets": { "keyids": [ - "4b22a801cd5addfbcf9646b3a2dd299d076be90a506d7173742df76a916b511f" + "fcf4d6c6bfa6fccb41df570cc60e6ef63cfe45baed10c0ead716de97f4a25264" ], "threshold": 1 }, "timestamp": { "keyids": [ - "93a9525c20dcad686288e943a3a1c5c26b185d838fa25d7ca07c6bd6a80a9093" + "0c5ee15a0b35012b32989697c15e22f199d8534863a80197bea385adb908d0c9" ], "threshold": 1 } @@ -80,8 +80,8 @@ }, "signatures": [ { - "keyid": "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59", - "sig": "053c49473376571093b419ce3f4a6fcf350d6b7bead1234fe5eae685ee3914b5c28b9cc1ccfdfa84a276374a54eefe06c0545c1ada32dd42194e5fa86f69510a" + "keyid": "d4177b1e89bf7eb02c44285e9f7907eb089ff7951199179d6fd68280dbb4d69d", + "sig": "0eca8e52cd9d8e18dc02593925bde4c44f2eac3e173199ff30a8a875391636f419914563fafe171d5b4b22917b8a6604ad77af5ea9f88166b3f8ca6c15332201" } ] } \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json b/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json new file mode 100644 index 00000000..cc9bb5cf --- /dev/null +++ b/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json 
@@ -0,0 +1,87 @@ +{ + "signed": { + "_type": "root", + "spec_version": "1.0", + "version": 1, + "expires": "2024-09-22T16:47:40-04:00", + "keys": { + "1742f6a1f846f4042382403b907864f125c2fca7bd70d6c157a40ac8e6f7d505": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "3bfd19c0931a80cd3279322fc22b04b90831b1804f5dbc72c31676ca2ac82f97" + } + }, + "5dd6940e523073d10a6252f38a4dc2ebf33e23641c103682e43cb351a5672f43": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "d64a13987f3b0ccfcbfab8c5631acff1b69dda70e40c1aae0cb1f0f9575716cb" + } + }, + "8b635809713e0b6ae3370afeb6fa83d7aae2039b355e56d1211049246c3d1a4d": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "ecf8b527a4a4ce34718286dc9a67a5969060053bf1750e2dc74e065c9ab30ec1" + } + }, + "d263be84f7043dd0b4636fb797cfd1c9b455b9168f282cad8f48ff0ca47465fc": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "e7f35e9f47b6e2f38e62b184d9f9a54f085843c57bb102cab0fe684dabe1e0bd" + } + } + }, + "roles": { + "root": { + "keyids": [ + "1742f6a1f846f4042382403b907864f125c2fca7bd70d6c157a40ac8e6f7d505" + ], + "threshold": 1 + }, + "snapshot": { + "keyids": [ + "8b635809713e0b6ae3370afeb6fa83d7aae2039b355e56d1211049246c3d1a4d" + ], + "threshold": 1 + }, + "targets": { + "keyids": [ + "5dd6940e523073d10a6252f38a4dc2ebf33e23641c103682e43cb351a5672f43" + ], + "threshold": 1 + }, + "timestamp": { + "keyids": [ + "d263be84f7043dd0b4636fb797cfd1c9b455b9168f282cad8f48ff0ca47465fc" + ], + "threshold": 1 + } + }, + "consistent_snapshot": false + }, + "signatures": [ + { + "keyid": "1742f6a1f846f4042382403b907864f125c2fca7bd70d6c157a40ac8e6f7d505", + "sig": 
"1050176114e44eec30b0661a9016b0a1ce607b4168d8e84ab1d4c15d73c3bdb051f0c0b21b67f03c77d4a98ea7dabc5fd1404bbef2eaac605ddfa2a6145d0709" + } + ] +} \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem index e6131a87..0c657654 100644 --- a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem +++ b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABCOUCx97+DsDdyvKgf/FhyiMIzd40bAquTXC -eZlDeKsHUhsLHrLCa8fOV8njfl8dE2ABX/lwPA+czYfDW1myooGjMzAxMA4GA1Ud -DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRNdydaOxYhTIQG3d3Zp22F1Rj+XDAKBggq -hkjOPQQDAgNJADBGAiEA7BJb9k0usb77EKqvbCfOF1fGeBFiU3i32+4HnUXC9GcC -IQCZ+/gZ+G47t2OlCVNnE+9YasE9100MR/Sm9SBCzn6UTQ== +MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABDgjsTzgbEsFFuBFCp1LIRv4SwYLCLL1fxtq +95tbtGj/wHQUmrKLxMLMxaxIzdJs54lIDP+LoKeK25+HBPftwtCjMzAxMA4GA1Ud +DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRRiPL3dEhG22Qh+0GTFJ/G1SW1yDAKBggq +hkjOPQQDAgNIADBFAiABNvVUla7gqF/135UkA55FQ57M6r84IArwk43Zy2aPPgIh +AO8/F8k9VB5+I1FSiQL1qsM8yO6SUpVF9E+hNJ9n/6zU -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAAQjjBapPc46v5hDtKeyNshq4Xdb+t+WX6R4Jgrw -py31o+0exhZhzlMYl1aelkZi/7u9fnNsuUVfgRjSZIC1aF+7o0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUTXcnWjsWIUyEBt3d -2adthdUY/lwwCgYIKoZIzj0EAwIDSQAwRgIhAOYOmibcfPIN/8DYOdEsd6JVa1RJ -n7dwJJueg4rNwpBzAiEAiFSpjPSVbNRUJDUOYJGPpkmj+TLh5GCoz2Bw2/oed44= +MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAARjUhxtm6QXaB2bkGKHenCToVRPhVf0PTkuS7/h +TGjHhELoMrD8r3nbqyceFEl4FUTzEMDfrj/YhefX7ZbeesSho0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUYjy93RIRttkIftB +kxSfxtUltcgwCgYIKoZIzj0EAwIDSQAwRgIhAJgRO/ig4ZBrlYjuNYpC/kqUIVsf +SKLpS9c4/lkcTGBPAiEAq+euZ8zkevab16uWx7ZaEcElKYY3xzhTr5yQYeJPOcQ= -----END CERTIFICATE----- 
diff --git a/pkg/reconciler/trustroot/testdata/tufRepo.tar b/pkg/reconciler/trustroot/testdata/tufRepo.tar index 2fcaab93c79c4c75d3f27033fc53c58b79fc04a9..53f2a8d18d2f854686dd869a530e06b820fda527 100644 GIT binary patch literal 2835 zcmV+u3+(hCiwFP!00000|Lj^@QzFZ!`>c;N?!Z1Dw!DQ-EdgA)sMDC7%5qa=` z8Gj!ShtuCrC&R((>L~C~Li~UJ7Yy__{+B}GyOlQq@o(<`f0b5NC%w*q;_CaAf0b5N zRzFRzN3{BWWwnTg)&D7mCL;=;KGS&88xD#q_&eNOco@UQIbDr(viLr#%MkBc}iaP^nwI|1o zbkSQd5rVyY(BiRo=2K)+qFtyf<`BAc{-X7U**_m1@!9q7tyozdUHX166v{w(r&&~qm0pR0fbSGag`*H zfn?S9U`2sidn99h(&T{!A()Y5leSO{7@Lx|646@JHmVerVFsf2A}aeUgC)FW#u&+j zmm#u9D!3>VCc{$^7d%O6L0cApYcEhCX9m$bjf72tffU zN{WX>LV8CLApp6kQAM&k3CAQ;;ui)>C2L|}A_a^ICB*_dB~8+Z(UY`-bLX@Nrx@n~ z3?M*qk~v|x#;+o)bPL$(c-W_hB(_MGj}hp_$M(NC62F@2v^%Crci1li6d$>8GH|0w z_en!uoIn1MAyYT*&~);I9WRcyKW0booF-FuK6=8E7nh%BEV&PuFdR&JlPL|RpB_0X zx&DMoi(3|@*iA2QYG`5KO>8YpF5>vbQFI$7z0RUIQE-MN3(-bHXkq{+Ew@biNFoT4 z7`ea+HAibx;^2%kT5^kut0W2~LMonIBGeeA7oIVT+8d`72p6?>Ns_b47*s`0GQp{U zl5@rY3*f$#R{mM~@}H(be_MIP|9=wu|5N;*Gq&XaZy`(mzvTbF3|LG4zvTZ*{=ek^ zOa8y)|4VrjdBp$kLh{w$0iNOii1J(huTbkH|9=a4g8$#AsGs!?a86TqUp{XO#v=G0 za&?~uooTmtHrH^QU<;1$P-3X`#bBwiem1MkjyJc5C-wO$RI=7_{q}b?YlUj7lhyLpvCf3HSLLHVZHzx(jj+?o zuFv*P8mFax6kF=(!_m%Q7e4ItF7{|Lwym>+{AiG$9dFNIG*)?MY+9!swVUxPp`p6d zyc${gGN^QSg zU$0lPcI`F+)a!Y(UCHHkR?RxKO7X9e4L2&4i;aVZuzA*~G%~oV%(Jb$vwM_hjdpgv z+im3HW3^p}Qlr|qZk*OMuvyA?5a`o8%N!f)BL27 zH#SQ7^^K;iQ@hui&1#z&)U$kdY;AQu5Y3(Lj5`~f=6Gjz;+lhV-W{#;&(pFj$#Em- zU9_U!+|So8D%DnfyFR&IZ?r7e^=$3Be-)2E&yJfphqGCE(4)1}#yq=fWTLPrma4N_ zUY@mT*{r@Xt7fT~=jK79wo%PKbn=7FC{)aTcPh4~)9raVs?mivI$KL?^K3isbS_HW zv(vq1t5wZ9yY;M^uV=klHoZL9+cG<@GE#fv!}`$B_FVUl*K4%bsLRM*UOPNE9GPn+ zDy917pnZL5bn1TWb;h&txO)ZXwf^O1o-QaKZT0#zn0+`6hx6n1L)QGxna?@;pk2w0 zyLWW{`i^ebb{g5)ouezqtTy}5&f0k=+@Vy@3&?JMH}ZV8TgkHaXapy_N6nqAK0j?Y z&yMH)%gfp2*40p)omX~R`{(n)`MhK|YQ}aiE40(S-tnDNb+yyk8TU_`v)Z7)vA-RA z-mQ&xt`6thN89aYHiY`DRn7Jm{%o1NlqFLu=9zU`v+C@)dbAJithHIrv%^_d1i?Iu 
zH#dvgdZ%?b-2Rw-t{r=-cz-Y{^AcUS^YY%TIVewNmCk*sEF!16Kg(wOS-sO7t@U`c5}9lCmktE>nBHT-R$pfZC}@$$62Mm-e_E$h;n%lwubptWBR#0 z8S}L@7A+n$N7uax3p>4P81u6aPdNVR_5XwXKc=(c_%#XOpWuI*FZX}mL|(}M@M!4I z#Q1b~emqX)%Zuu)7R#H}R2dIV$&MATy3I;^|G2f~Qh94LZk?6~S9u?apHzmB>$ALk zdALS8N|o78Gg5y&NbD^6-&@J|>;LsX0eNQqGs(YO{{YMN|0eRp{_kB2?`LiQe$ygc zz1w&A(eAG{&u{)ZABabeR-&*{Kw>tdVXUS~2L zj_F}&W%Y96It#2T?e*GSZ+m5RGIi6-1%z3c_CC|YmCJFj7`{<;(~thTg@6C<_5&2H z70;t+QV{5@=Sc&XOa&GgNS2~SCs~qUnUO{s=0ZTNB5H`9ORbzEhe*jdOd%vk44sMS zI2Vdh2#zCZ9|=|Bks=9`B*laj90iiWNr}?fm!P=5nEh+uc+Y|UY%mJ&=mkpUB;yja z(#dJBP+D!ABAL)4D8*!Af})Xuu|U>FZ2)}a5xi!>S{pD1h?blb3KTP(a}N--(<}xu zA{vx{NqYqp3?p!e2JDN1ale@S%TW9`S{*O`4&bX+2Xl#gP*IWz(nOVlg&@&;4H{8G zRF+hbkpXEbBrzA65{V3ubH&297CdrfT%$6IbI&-5WEJDwDkGy!(d*y?Xk@^HVU98q@0hzSlMSZ0m$go?D+!CDE@ zfi*TbVXYHV6C*8nB5RYgN=6ervrZNz$qGgklMgAR2q=*yfm~o9P*Hn^N;?UX8RfNO lh9DUO)@fxR{nfJKQkJrmrTq8H{{;X5|NkC#1WN!y006(PmJt8| literal 2837 zcmV+w3+nVAiwFP!00000|Lj^>QyWXN_OpHk!K?2%&RVh-N6bTOK?p2BLc+j}2}jl@ ziA7sW7BF%C`;8W>u`irCV8%0}jDVJ^T3uORW@Ua|S<^Tk<%8L1din0B2>^gbyuPaI zD{y&zy_R=OqSgWxSL_`yAyB_t!=I|R^X z`@~V*+`asYjIS@h{r&zCU+L^li?#Lf+?@@4F&N1pJdqZl9cYRQk}+HdMM{w5%oABD zlwrm)7QG})(KEE3M<5mHdZ0gw|9>n;TQ}S)GQuS1ypu8rN5Ms{z0f|epbbfh%y@%Z zCKj#nXe|rQ7?miZ{e{8e(FW2Yp_63EIZsJQ!I?}bld;+d9+YyxnYA&1uqm=oAP@k! 
zGwyq^tRRaVJ%`{aD5JPB(Mmyrm`Bf*V+KQkCUFef6KJnoP-K8CSn&&kB|V44Eg5H- zV>Slkxs*zv1f`Ql9=MQ_@szxkf@_1xDn;N!RFtgv9xP&p8*7qDpox%#R)I7{N{R;; znIJ9_XTcjVCURqia!L~z=VEe3|H5DeEXw(_4+WJc3ooaImG@#3KW=kyqy$9zWT<0mwEagcaMlRJm;qhUVCXK^_D^1x7u z&hl7V-m*-^G@D=N&_cg!-&(3%`0Z)5L%&TV1<*+`Y4hlm3$Hi zK{@Rr1;&L;5hF!qFh*gSbm+Np)_dlC3W+oACgnT>U|M=7RYGkN_#~_`Ttd)6 zF|GuIWI<>qkpW9Ff;Ys243QPthFh*<(A*m7tp<-eap^f{PVg9XA{7GTB(+E!6pJ@B z;YQI1$lT?DKN;s=oTR^r^JKh|ffX+tT4*M~@Z=y#C#)9D$pQ~BRS6jWT_5tW(_o%w@nbj{+yPVG} z$F;+%+c|Bft5SPwGV%dilhaGznM}5&9_YbXV>w=aJ#YERQB7^Po5Rgk$l2`d>NLAJ z7VWdW;YRkizm=9c)OM=hsr9c$>_1C>u>RBh%nwGd7y+K+{~8~!f6V|^>;Em}!TPV% z+MUKmqmp%MHvyp0DDRzA%DA0XvtF%I{57*ty;7Of_nXp|vu354!A0dN+bZ{V4$4`x zlb!GMn`L=e?KGg&tTr#3CpBzdH5Sc-(P6dIghy?Q>Q!y0ndSA2b!*v0v*zjt{o|AJ zakJd4m&%vdBW1nX-Kg23wwXaAD{mqnZ|wS!J38s$fx+F`d8_+=c+v0Ice-?WG}Ec{ zX_gY`TuuxQn?MWeo`W~rFx=6+1+cks#$MmE3204*`St<8jZ_*dr_$jd@DZ`-S+2vZ{O}Hsy9+Ug?-K^$K$W3 zu4hc8)M!=X)#hGj&m4?R+8%C>+T*i|djH;5w9&icd|~o=Wmf}lndCdKR3(e#ZD#5+OurZ-Kv~? z`0U!7yNLPM(xmGm#xVN8jDsn+g;kUWy+;2nOZT=tk+sp7f02DHgvMq=7)0DU1WtL zTxH?Kj*t~+^9@T)j?(68!?2`YHjbdsqmJwu-L40MR&s_?cSfyx|gG^ z7Td<*X zzE3;&d1ENEI-NA?Cy~|5hqK+qivPWpe82u*{|Lx4>z@}ddym#X0It^mTgVgpzqcj4 zpSAt_s6@DayYKL$-Cu2<-~9EYAo-+iU|Jckl{eN%E19*Z!8pw#84BJ6Ba=(caNz=i z;^3@B3l_cANoY)9j3P*kISW#Aa3Yc?r7R>Q9+O7NNO+~uI?uJ1iP?zXZvOgtJ{z4s zRCLhGXQOGnZ(3WQ=hRzbUFmGpZfo0X>-mgk^Cg6tpAEjo`=0r9P&8i;bzP7Cri6e0 z?)D=T0r>MUlH;J0CunfV?9?f7KhK5!wMloD55X(9-e zJfKce$dnS}T!EC*qI3#Kc;Zg6m%!LACjT-N|A|`1iw^>PQ|sUW%%vbf3u&!~D4Es9 zaYT-hfQ(HxCNzlBs^CB*2|+r^MB*GnkXBpaVkAyVa07)$Yar$oc+ftkn7EY6FlLS6 zJPH|{R)p4L@&VxAtk&@`|KA>!cx?voZ2ea~-v3uZ@KyeQ3wbL4-yNNKlLGKJ#}9rG zbrl!SM_q^Bc)%FF@kv?3&~PqelnzoS$8{ zN2G%TQdT1TjIs#Ua~++x zz(EID{DL!&C?pCV$wv~}a{)nGu5HpDwI)i=Tar$Dlnz*sQAC+EL}@6IwvK5OLLpZY ni=Zt7Dl1Vk<#nW00eB@VS;a~jFA_OpM5f>#}z+85vOLpPg{Xv8WRZcI38Wna|Y zsDTOp_ZxtAdu-3K$JZwg8MYd#i>|E9?C;B}tk^9V$tYdKn^*ss0001|^l)W|D?sFM zJ;*CaDCd}QNXaVzF=pu13H|3(dX!a?s`wQEW?{c-f+SVmf93xDMDDNuA@b<|JbW83 
z7U|n@vY7weF?RM~g#4BN2?G3u|0!Yc)yXe0;(xjS|9pLtOGbmav$=OCf4)9B$$d;W zOP70hlG{Z??q9p6Wa-SuTNfvz#e8=Mz6FOHk8N=O-L03S*d@C@2q5wX$TtXeAbUsn zI|AMS@($ena^g10-H0bS$O-aHK`#jN1Q3J;A^>X%xM0LXL=Eyracw!U%s|Q&0m=x+ zJhv3k`v>hGd#}E;h*Bu`!|mo^hHmzy8xyw~*^fh&3_q&rU=fef;cTbc|L$*}2-f29!R_TT<^e8jDqK4@{0TdwqUWOjpL?JblBNDP$##$v=JM#vk4G$2|6fuV*1 z5KpZ(92pE5XGS4q1oDy}2Ku!7`)NN~j#|qk0gfUJIJOWdhA8q_C}ItA+GFexW&|1t zFcZiTY&51&QO1!c_%}9|Wkf+N1@~A3W4zH`X<;bCP#N!`X3|>4fg`{`r5rFCdf+AH zltX6p=f)D6VJd*+5Idlmau{=fsEGZIjpd9N znj)@Z;(<$(ujui^IQD&djAkxL)ol3{O@27;zoE%Pz?j86 z86~Nkryrj<%ByMOUhli?saU0}1BdSPJH*yr zfH9~ffJ_4gjbngo0-3PF38FN##6W5}HdtE?DD=Ppji6@S18g|AL`mTkw@Mr8EhKqop#NHVlK=lh+5f+l|6_!X`TwtwWBz~4 z|9=}}9rOQV{(sE>kNN*G|3BvcNBJf4B>%q;$)COk_(uK@A!RS}e+D@_=KsG!zLNhx zK-53A2AH{2J<#VJVeEtN5v!+eK1heTcPAXlJAB=x2#>V;m~mL5Qy(WPB2LoQP@kyBo~ScWUK)YNz9BgQej}AMTj$K8P|$fhK(hh zP>PV&-Xo8&;{ZddFv1!LDDJX^J4K%u=79#j6Xt)Iqo2V%W0U{|ov?VPJKh04B1SvI zi3Ju|$DIaJO3VZi5*h2DVN_Y8xMNsp$p8|LB7}{@5DQHq&{9f>0CtpU0=zaBQectO zia|sv5mY(~DAK?mVgC1(C-{H&2LAjp{(k+R0*sIK|6d`W`#+z?t0Z;y<4@ZU{09GX z%wO<70+jM2|Njd4^FYLQq&f%MKgp@(ayl|99WCbh+qr#f-R;|CG)U4#?B3o5$1XNb zcd_w5cP#fFyoCo=Pp6B)j@Is$S9dIZlG7@2-FUhmVwk4O(*+voVvGW zF}q*iA80IS5MdYN0129@n?M*ymR_#jIrWXGLF#7edAi7u8vz)9N+PmCv7_ z+4FIJz7D6*;eKHOLOu!etL~}ema;$&8rDtAhQh)7_YbNb$i3)NHJTpOYFt!5d@L1; z?cierQTDNY7Cf8WE`do2T<^Lyu6If>y6(}-PHEl0?ymdeAd9ZACcUizJ=Da}b$wFr3}=^> z(mJ{>fy-iRcv*>PeH+kvagz1Mt;uDlhw4SM?vI=6sQLc=y+)rNc2WK~tcP8kj{Gjx zT(C-qJ7167mtrSb>9I5E3&j`lK+Q+neWdR7_p7NHE#5q9e_~Iwn9UaRx|+GCy$`K# z=DX(4?6rzV&jR-Fn=eP~ZZ?IX8qHs*`DB()=5~;$Zv8B9tJSd4DTMSQC-BqfIofX7!@kUS2Ie6g$z& zwyd}<)uSM(1h88Q)=^1Uu7>?_*pI@f5^fIT1cTDUm_b%L3qUmp>#>x@?VL1f!wf5F z8=_as`l>OX;o-83Z__-bab$QMN>XjK!qb~Vv01&SCYy59l$ck8)6H~kd$(Dy5n?dO z^7D~99Y@<>9R*~kk1b}UFrPI`K~}9~#lY|8c-D?em11x`2-}0DDTvlECFf~+vCUhy zywQROr~Y&sT!e$c&2TclY&4t2U{J3H#jqTVN0U5X7Oh3eV7vsnr5haX0RIE&-q8q7-5)mi9oT(~?RP2D`Z9-HpA*U3Hc zLiYR+>*M ztqVKS>U3FKcefW;7oA410M)En3@-PMY>F`OqO_Z1Flc7QtXI5hflkmo%ZEWX3wF-m 
z2KLaGl*)r%=1ZB7(Af*E?|nSEXZ0xb_-AWn)={OqiBM}86?-tcE)RR1!TPe(8uhjlRPUUR`^6yZbtbsCEzkOu z676jb>d)%asB=DxI<0AM+}qZ#yC50|+xmC{>%m`B>%+eHPa)PcQQym|yRLtWQqx2o z`7|sJ#z|*8(50kYUWMht64t7%Thh*YwL+~1{W`soG}UQkoX^gh-C2B5TSv8Mt=848 zJx?f^R*Q|(+Ty}pAbNThHhh|;g}>s{Qt2~3ZM8;?8n&fj1)=8f6jVCp^Lz!iui>Wn zS9}_T_1mlNRPn)0IS(=IP6A5HP0Aw{3sMc@Y(j8g`@@Z?_9j?p>+ zc;!K(Gg-BHe%Psu&xWPiB8rP5#&dnMF|J&il5)4REk#8ikMq5u^B;I$JD0SFKgy@w z-gqN%tJ+G_N!6#}WZm}bv^!1B;4?mLH-oITbK?1+b(tRxNI#6Hz45BvTNd(@n{M?g z@$HM+vMmkCPba2R2^+hF>*mz0`eHkAw@O2{x?c0XDw)#sqSwRg?XVNmO|$3D8<(c} z{#SGAaX<1)`#(Sb2-vskKN!Q8^&bH6asTI6$XDt=_a*#)s{Hffh(PYMeaA19fv~{h z+jSt$A(xyuEIqaeNQ1cslzAwy6I^@bwV@m-D-gEIa3qc6Q~|9RHcSgZnbOc(Cbf{t z35~R(R7=H_;#^@syaPr8M5I>KL4YOHPGPAr6I#;ebs)1!(#7nlqIa8Vk4-1JRiXxa zt9R#<`67GFuy(MPuJ-l}Ogg%CxfhvK?he^Ly*Q%sou#H9K8EqE)Z~o zUSp#;K#p1ov_@6~rvhbkgwtY!_lc< zasc4j@slq=KSSu-$j=NE1S7>cvw}#Zu^|u(386)fN=&W9P8Y*Y4rI2Hy0P&C*A_;VuaQf3u0Q~TowC4xC z5J7?|kNgg0rI*S>B?+M3S!bEY&NAk)A>27Yq1KpCYmvoNYrz