From efdbf477fe171b16f815436bdb8dcc4358924f3b Mon Sep 17 00:00:00 2001
From: Zach Steindler
Date: Tue, 12 Dec 2023 16:40:32 -0500
Subject: [PATCH] Have conformance test require signed timestamps for bundles v02

It seems like this is the behavior that `test_verify_rejects_bad_tsa_timestamp` is assuming, that was added in https://github.com/sigstore/sigstore-conformance/pull/112.

Signed-off-by: Zach Steindler
---
 cmd/conformance/main.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
index 1db1d47e..a5e8b63b 100644
--- a/cmd/conformance/main.go
+++ b/cmd/conformance/main.go
@@ -222,7 +222,19 @@ func main() {
 tr := getTrustedRoot()
 // Verify bundle
- sev, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithSignedCertificateTimestamps(1))
+ verifierConfig := []verify.VerifierOption{}
+ verifierConfig = append(verifierConfig, verify.WithSignedCertificateTimestamps(1))
+
+ switch b.Bundle.MediaType {
+ case bundle.SigstoreBundleMediaType01:
+ verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1))
+ case bundle.SigstoreBundleMediaType02:
+ verifierConfig = append(verifierConfig, verify.WithSignedTimestamps(1))
+ default:
+ log.Fatalf("Unknown bundle media type: %s", b.Bundle.MediaType)
+ }
+
+ sev, err := verify.NewSignedEntityVerifier(tr, verifierConfig...)
 if err != nil {
 log.Fatal(err)
 }
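Review bot: The `switch` on `b.Bundle.MediaType` lets a field of the bundle being verified select the verification policy, and the `bundle.SigstoreBundleMediaType02` case drops the transparency log requirement entirely, whereas the removed line applied `verify.WithTransparencyLog(1)` to every bundle. If the v02 bundles in this suite are expected to carry log entries, append `verify.WithTransparencyLog(1)` before the switch alongside `verify.WithSignedCertificateTimestamps(1)` and add only `verify.WithSignedTimestamps(1)` in the v02 case. If log-less v02 bundles are intended, a comment on that case such as `// v02: a signed timestamp is required instead of a transparency log entry` would make the weaker log policy a recorded decision. The `default` branch fails closed, which is the right behaviour, but the media type is untrusted text and would be better printed quoted: `log.Fatalf("Unknown bundle media type: %q", b.Bundle.MediaType)`. The body of `main` starts and ends outside the hunk.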