From 9018c86e8c2f752a3a216074b92c1c08b7b6e6cd Mon Sep 17 00:00:00 2001
From: dlorenc <dlorenc@google.com>
Date: Mon, 9 Aug 2021 10:05:50 -0500
Subject: [PATCH] Explicitly disable auth for the sigstore-tuf-root. (#528)

I had expired credentials that were causing this to fail. The bucket
is public, so we should just not use auth (which apparently requires being
explicit).

Signed-off-by: Dan Lorenc <dlorenc@google.com>
---
 go.mod                  | 1 +
 pkg/cosign/tuf/store.go | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 226f6e2086d..3782397b171 100644
--- a/go.mod
+++ b/go.mod
@@ -28,6 +28,7 @@ require (
 	golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b
+	google.golang.org/api v0.50.0
 	k8s.io/api v0.22.0
 	k8s.io/apimachinery v0.22.0
 	k8s.io/client-go v0.22.0
diff --git a/pkg/cosign/tuf/store.go b/pkg/cosign/tuf/store.go
index d8d1216e314..68a6ce0082b 100644
--- a/pkg/cosign/tuf/store.go
+++ b/pkg/cosign/tuf/store.go
@@ -22,6 +22,7 @@ import (
 
 	"cloud.google.com/go/storage"
 	"github.com/theupdateframework/go-tuf/client"
+	"google.golang.org/api/option"
 )
 
 type GcsRemoteOptions struct {
@@ -47,7 +48,7 @@ func GcsRemoteStore(ctx context.Context, bucket string, opts *GcsRemoteOptions,
 	store := gcsRemoteStore{ctx: ctx, bucket: bucket, opts: opts, client: client}
 	if client == nil {
 		var err error
-		store.client, err = storage.NewClient(ctx)
+		store.client, err = storage.NewClient(ctx, option.WithoutAuthentication())
 		if err != nil {
 			return nil, err
 		}