From 51fa6f716f8645c528273680b4131181d49a0516 Mon Sep 17 00:00:00 2001
From: Emil Lerch <emil@lerch.org>
Date: Mon, 27 Mar 2023 22:50:06 -0700
Subject: [PATCH] rekor public key urls do not seem to work - download manually

---
 entrypoint.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index d823f1d..83a4f8e 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -31,12 +31,12 @@ while IFS=  read -r f; do
   docker cp "${container}":/home/user/signature "${dest_sig}"
   docker rm "${container}"
   if [ -n "${INPUT_PUBLIC_KEY}" ]; then
-    echo "Public key specified at ${INPUT_PUBLIC_KEY}. Uploading to sigstore public transparency log"
-    rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key "${INPUT_PUBLIC_KEY}"
-    ec=$?
-    if [ $ec -ne 0 ]; then
-      exit $ec
-    fi
+    echo "Public key url specified. Uploading to sigstore public transparency log"
+    echo "Fetching key from ${INPUT_PUBLIC_KEY}"
+    curl -sLo /tmp/public_key "${INPUT_PUBLIC_KEY}"
+    ec=$?; if [ $ec -ne 0 ]; then exit $ec; fi
+    rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key /tmp/public_key
+    ec=$?; if [ $ec -ne 0 ]; then exit $ec; fi
   fi
 done <<ALLFILES_INPUT
 $all_files