feat: make operator configurable

rhtas/tuf-repo-init.sh

@@ -44,6 +44,15 @@ Options:
 
   --metadata-expiration
     Tuftool-compatible tetadata expiration time; defaults to 56 weeks
+
+  --operator
+    Operator name for signing config services; defaults to "rhtas"
+
+  --organization
+    Organization name in certificate authority subjects; defaults to "rhtas"
+
+  --common-name
+    Common name in certificate authority subjects; defaults to "rhtas"
 EOF
 }
 
@@ -59,6 +68,9 @@ export TSA_URI=""
 export CTLOG_URI=""
 export REKOR_URI=""
 export METADATA_EXPIRATION="in 52 weeks"
+export OPERATOR="rhtas"
+export ORGANIZATION="rhtas"
+export COMMON_NAME="rhtas"
 
 while [[ $# -gt 0 ]]; do
   case $1 in
@@ -122,6 +134,21 @@ while [[ $# -gt 0 ]]; do
       shift
       shift
       ;;
+    --operator)
+      OPERATOR="$2"
+      shift
+      shift
+      ;;
+    --organization)
+      ORGANIZATION="$2"
+      shift
+      shift
+      ;;
+    --common-name)
+      COMMON_NAME="$2"
+      shift
+      shift
+      ;;
     -*)
       echo "Unknown option $1"
       exit 1
@@ -216,6 +243,9 @@ if [ -n "${FULCIO_CERT}" ]; then
     --set-fulcio-target "${FULCIO_CERT}" \
     --fulcio-uri "${FULCIO_URI}" \
     --oidc-uri "${OIDC_URI}" \
+    --operator "${OPERATOR}" \
+    --organization "${ORGANIZATION}" \
+    --common-name "${COMMON_NAME}" \
     --targets-expires "${METADATA_EXPIRATION}" \
     --targets-version 1 \
     --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -237,6 +267,9 @@ if [ -n "${TSA_CERT}" ]; then
     --key "${KEYDIR}/timestamp.pem" \
     --set-tsa-target "${TSA_CERT}" \
     --tsa-uri "${TSA_URI}" \
+    --operator "${OPERATOR}" \
+    --organization "${ORGANIZATION}" \
+    --common-name "${COMMON_NAME}" \
     --targets-expires "${METADATA_EXPIRATION}" \
     --targets-version 1 \
     --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -258,6 +291,9 @@ if [ -n "${CTLOG_KEY}" ]; then
     --key "${KEYDIR}/timestamp.pem" \
     --set-ctlog-target "${CTLOG_KEY}" \
     --ctlog-uri "${CTLOG_URI}" \
+    --operator "${OPERATOR}" \
+    --organization "${ORGANIZATION}" \
+    --common-name "${COMMON_NAME}" \
     --targets-expires "${METADATA_EXPIRATION}" \
     --targets-version 1 \
     --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -279,6 +315,9 @@ if [ -n "${REKOR_KEY}" ]; then
     --key "${KEYDIR}/timestamp.pem" \
     --set-rekor-target "${REKOR_KEY}" \
     --rekor-uri "${REKOR_URI}" \
+    --operator "${OPERATOR}" \
+    --organization "${ORGANIZATION}" \
+    --common-name "${COMMON_NAME}" \
     --targets-expires "${METADATA_EXPIRATION}" \
     --targets-version 1 \
     --snapshot-expires "${METADATA_EXPIRATION}" \

tuftool/src/rhtas.rs

@@ -152,6 +152,18 @@ pub(crate) struct RhtasArgs {
     #[arg(long)]
     tsa_uri: Option<String>,
 
+    /// Operator name for the signing config services
+    #[arg(long, default_value = "sigstore.dev")]
+    operator: String,
+
+    /// Organization name used in certificate authority subjects
+    #[arg(long, default_value = "sigstore.dev")]
+    organization: String,
+
+    /// Common name used in certificate authority subjects
+    #[arg(long, default_value = "sigstore")]
+    common_name: String,
+
     /// Expiration of targets.json file; can be in full RFC 3339 format, or something like 'in
     /// 7 days'
     #[arg(long, value_parser = parse_datetime)]
@@ -694,13 +706,13 @@ impl RhtasArgs {
 
             let new_ca = CertificateAuthority {
                 subject: Some(DistinguishedName {
-                    organization: "sigstore.dev".to_string(),
-                    common_name: "sigstore".to_string(),
+                    organization: self.organization.clone(),
+                    common_name: self.common_name.clone(),
                 }),
                 uri: self.fulcio_uri.clone().unwrap(),
                 cert_chain: Some(X509CertificateChain { certificates }),
                 valid_for: valid_for.clone(),
-                operator: String::new(),
+                operator: self.operator.clone(),
             };
 
             match trust_bundle
@@ -716,7 +728,7 @@ impl RhtasArgs {
                 if let Err(e) = trust_bundle.add_oidc_url_to_signing_config(
                     oidc_uri.clone(),
                     valid_for,
-                    "sigstore.dev".to_string(),
+                    self.operator.clone(),
                 ) {
                     eprintln!("Failed to add OIDC URL to signing_config: {e:?}");
                 }
@@ -798,7 +810,7 @@ impl RhtasArgs {
                 }),
                 log_id: Some(LogId { key_id }),
                 checkpoint_key_id: None,
-                operator: String::new(),
+                operator: self.operator.clone(),
             };
 
             match trust_bundle.set_target(TargetType::Log(new_ctlog), Target::Ctlog) {
@@ -884,7 +896,7 @@ impl RhtasArgs {
                 }),
                 log_id: Some(LogId { key_id }),
                 checkpoint_key_id: None,
-                operator: String::new(),
+                operator: self.operator.clone(),
             };
 
             match trust_bundle.set_target(TargetType::Log(new_tlog), Target::Tlog) {
@@ -955,13 +967,13 @@ impl RhtasArgs {
 
             let new_tsa = CertificateAuthority {
                 subject: Some(DistinguishedName {
-                    organization: "sigstore.dev".to_string(),
-                    common_name: "sigstore".to_string(),
+                    organization: self.organization.clone(),
+                    common_name: self.common_name.clone(),
                 }),
                 uri: self.tsa_uri.clone().unwrap(),
                 cert_chain: Some(X509CertificateChain { certificates }),
                 valid_for: Some(TimeRange { start, end }),
-                operator: String::new(),
+                operator: self.operator.clone(),
             };
 
             match trust_bundle