Add Fulcio intermediate CA certificate to intermediate pool

This certificate will be necessary for chain building from a leaf
certificate to a root once a new version of Fulcio is rolled out. For
OCI, the chain is stored in an annotation. This intermediate is
currently only needed for verify-blob when looking up the certificate
from Rekor.

For the V3 TUF Root, the intermediate will be bundled, so that it is
easily discoverable and revokable. For now, we'll simply bundle it with
Cosign. Note that intermediates are considered untrusted, so it's fine
if the intermediate is not in TUF currently, as the root that issued the
intermediate certificate is in TUF.

Signed-off-by: Hayden Blauzvern <[email protected]>

cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go

@@ -39,6 +39,9 @@ var fulcioTargetStr = `fulcio.crt.pem`
 // This is the v1 migrated root.
 var fulcioV1TargetStr = `fulcio_v1.crt.pem`
 
+// The untrusted intermediate CA certificate, used for chain building
+var fulcioIntermediateV1Path = "fulcio_intermediate_v1.crt.pem"
+
 const (
 	altRoot = "SIGSTORE_ROOT_FILE"
 )
@@ -116,6 +119,11 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) {
 				}
 			}
 		}
+		intPEM, err := os.ReadFile(fulcioIntermediateV1Path)
+		if err != nil {
+			return nil, nil, errors.Wrap(err, "error reading intermediate cert PEM file")
+		}
+		intermediatePool.AppendCertsFromPEM(intPEM)
 	}
 	return rootPool, intermediatePool, nil
 }

cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go

@@ -40,8 +40,7 @@ func TestGetFulcioRoots(t *testing.T) {
 	if _, err := tmpCertFile.Write(chain); err != nil {
 		t.Fatalf("failed to write cert file: %v", err)
 	}
-	os.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name())
-	defer os.Unsetenv("SIGSTORE_ROOT_FILE")
+	t.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name())
 
 	rootCertPool := Get()
 	// ignore deprecation error because certificates do not contain from SystemCertPool