This is pretty nasty. Not sure if there is a cleaner way to do it.

I believe that the load_pem...functions in cryptography load the first valid PEM entry and leave the rest so I don't think they can help us here.

Yeah, this isn't ideal, but it looks like neither cryptography nor pyOpenSSL exposes a "load an entire chain from PEMs" API.

I think the corresponding OpenSSL API is SSL_CTX_get0_chain_certs, so this might be worth a patch to pyOpenSSL in the medium term. But for now, something like this approach is fine 🙂

Looks like the OpenSSL APIs that accomplish this all work in the context of SSL contexts or connections, so they're probably not a great fit...

NB: I opened pyca/cryptography#7878 to add this API, so we'll be able to use it starting with cryptography 39 (assuming they accept it).

Awesome, thanks @woodruffw.

I wonder whether we should warn if a user supplies --rekor-root-pubkey but don't set the --rekor-url. Same with the new --certificate-chain. At the moment they just get ignored which might be confusing.

Same thing when we set --rekor-url but don't set --rekor-root-pubkey. It defaults to the rekor.pub that comes bundled with sigstore-python (which is almost certainly not what you want when you're using a custom Rekor) instead of warning.

Similar issues also exist in the signing code path.

Yeah, it would be good to catch this and flag it as a warning at the minimum (or maybe even an error, since we expect it to fail anyways).

Let's track this with a follow-up issue.