From ad0ae785fe817559486bd504d628b9097c2f3e79 Mon Sep 17 00:00:00 2001 From: Appu Goundan Date: Thu, 22 Jan 2026 14:09:33 -0500 Subject: [PATCH] Add test for rekor v2 in prod This is temporary until we update signing config. Signed-off-by: Appu Goundan
---
 .../test/java/dev/sigstore/KeylessTest.java | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java b/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java
index 9c0278fe..7600e3de 100644
--- a/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java
+++ b/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java
@@ -22,8 +22,12 @@
 import dev.sigstore.testkit.annotations.DisabledIfSkipStaging;
 import dev.sigstore.testkit.annotations.EnabledIfOidcExists;
 import dev.sigstore.testkit.annotations.OidcProviderType;
+import dev.sigstore.trustroot.ImmutableSigstoreSigningConfig;
+import dev.sigstore.trustroot.Service;
+import dev.sigstore.tuf.SigstoreTufClient;
 import java.io.IOException;
 import java.io.StringReader;
+import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -84,6 +88,38 @@ public void sign_production() throws Exception {
 }
 }
 
+ /**
+ * This test injects rekor v2 into the signing config since it's not quite pushed out to prod yet.
+ * Should be merged into "sign_production" above when ready.
+ */
+ @Test
+ @EnabledIfOidcExists(provider = OidcProviderType.ANY)
+ public void sign_production_rekorV2() throws Exception {
+ var prodTufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
+ prodTufClient.update();
+ var prodSigningConfig = prodTufClient.getSigstoreSigningConfig();
+ var signingConfig =
+ ImmutableSigstoreSigningConfig.builder()
+ .from(prodSigningConfig)
+ .addTLogs(Service.of(URI.create("https://log2025-1.rekor.sigstore.dev"), 2))
+ .build();
+ var signer =
+ KeylessSigner.builder()
+ .sigstorePublicDefaults()
+ .signingConfigProvider(() -> signingConfig)
+ .enableRekorV2(true)
+ .build();
+ var results = signer.sign(artifactDigests);
+
+ verifySigningResult(results, true);
+
+ var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
+ for (int i = 0; i < results.size(); i++) {
+ verifier.verify(artifactDigests.get(i), results.get(i), VerificationOptions.empty());
+ checkBundleSerialization(results.get(i));
+ }
+ }
+
 @ParameterizedTest
 @ValueSource(booleans = {true, false})
 @EnabledIfOidcExists(provider = OidcProviderType.ANY)
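Review bot: Nothing visible in `sign_production_rekorV2` confirms that the entry actually landed in the injected log: `addTLogs` appends `https://log2025-1.rekor.sigstore.dev` to whatever tlogs the production signing config already lists, so log selection is left to the signer, and the only check is the `true` passed to `verifySigningResult`, whose body is outside this hunk. If that helper does not already assert a Rekor v2 entry, the test could pass on a v1 entry and give false assurance about v2 coverage. The Javadoc should also say that only the signing config is overridden while the verifier keeps the unmodified `sigstorePublicDefaults()` trust material, for example `* Only the signing config is overridden; verification uses the published trusted root.`, since that is presumably what makes a passing run meaningful. The pinned shard URL will go stale once the log rotates or the production config ships v2, so a `// TODO(<tracking-issue>): drop this override once the prod signing config lists rekor v2` beside it would keep the temporary injection from outliving its purpose.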