add staging to conformance

.github/workflows/conformance.yml

@@ -5,12 +5,15 @@ on:
     branches:
       - '**'
   pull_request:
+  # TODO: add cron
 
 jobs:
   conformance:
     strategy:
+      max-parallel: 1
       matrix:
         java-version: [11, 17]
+        sigstore-env: [production, staging]
       fail-fast: false
 
     runs-on: ubuntu-latest
@@ -35,4 +38,5 @@ jobs:
       - uses: sigstore/sigstore-conformance@ee4de0e602873beed74cf9e49d5332529fe69bf6 # v0.0.11
         with:
           entrypoint: ${{ github.workspace }}/bin/sigstore-cli
+          environment: ${{ matrix.sigstore-env }}
           xfail: "test_verify_dsse_bundle_with_trust_root"

sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java

@@ -41,6 +41,13 @@ public class Sign implements Callable<Integer> {
   @ArgGroup(multiplicity = "1", exclusive = true)
   SignatureFiles signatureFiles;
 
+  @Option(
+      names = {"--staging"},
+      description = "test against staging",
+      required = false,
+      defaultValue = "false")
+  Boolean staging;
+
   @Option(
       names = {"--identity-token"},
       description = "the OIDC identity token to use",
@@ -49,7 +56,10 @@ public class Sign implements Callable<Integer> {
 
   @Override
   public Integer call() throws Exception {
-    var signerBuilder = KeylessSigner.builder().sigstorePublicDefaults();
+    var signerBuilder =
+        staging
+            ? KeylessSigner.builder().sigstoreStagingDefaults()
+            : KeylessSigner.builder().sigstorePublicDefaults();
     if (identityToken != null) {
       // If we've explicitly provided an identity token, customize the signer to only use the token
       // string OIDC client.

sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java

@@ -51,11 +51,27 @@ public class Verify implements Callable<Integer> {
   @ArgGroup(multiplicity = "0..1", exclusive = false)
   Policy policy;
 
-  @Option(
-      names = {"--trusted-root"},
-      description = "an alternative to the TUF managed sigstore public good trusted root",
-      required = false)
-  Path trustedRoot;
+  @ArgGroup(multiplicity = "0..1", exclusive = true)
+  Target target;
+
+  /**
+   * Chose one trusted root provider target, (staging or prod or custom trusted_root), default is
+   * prod.
+   */
+  static class Target {
+    @Option(
+        names = {"--staging"},
+        description = "test against staging",
+        required = false,
+        defaultValue = "false")
+    Boolean staging;
+
+    @Option(
+        names = {"--trusted-root"},
+        description = "an alternative to the TUF managed sigstore public good trusted root",
+        required = false)
+    Path trustedRoot;
+  }
 
   static class Policy {
     @Option(
@@ -101,9 +117,11 @@ public Integer call() throws Exception {
     var verificationOptions = verificationOptionsBuilder.alwaysUseRemoteRekorEntry(false).build();
 
     var verifier =
-        (trustedRoot == null)
+        target == null
             ? new KeylessVerifier.Builder().sigstorePublicDefaults().build()
-            : new KeylessVerifier.Builder().fromTrustedRoot(trustedRoot).build();
+            : target.staging
+                ? new KeylessVerifier.Builder().sigstoreStagingDefaults().build()
+                : new KeylessVerifier.Builder().fromTrustedRoot(target.trustedRoot).build();
     verifier.verify(
         artifact,
         KeylessVerificationRequest.builder()