Description
Problem:
We are about to release the new version of sourcetool that uses the new standalone actions repository. When we do this all the new source attestations will begin to get signed with the new repo identity. On the other hand, all existing attestations stored in the tracked repositories have attestations signed with this repo identity.
This means that once we start using the new release, sourcetool will not be able to find older VSAs and provenance attestations as it will look for statements signed with the new ID. This breaks verification of commits, generating new attestations and more.
Temporary Solution
In order to bridge the old and new identities, we will add a hack that double verifies attestations when verification fails with the new identity. If the signer identity matches the new ID (the new repo), sourcetool will attempt to verify the attestation using the old one (this repo).
This is a temporary hack. I will drop the commit once all repos attest new commits and their latest signatures are done by the new repo.
Reference
For reference, these are the IDs involved:
Old repository SAN value:
https://github.com/slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@refs/heads/main
New repository SAN value:
https://github.com/slsa-framework/source-actions/.github/workflows/compute_slsa_source.yml@refs/heads/main
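The fallback described in this issue, written out as an added example in Go (the language sourcetool is written in). This is not code from sourcetool or the slsa-framework repositories: `Attestation`, `verifyWithIdentity` and `VerifyBridged` are constructed stand-ins for the real Sigstore bundle verification, with the signer identity simulated as a field rather than recovered from a certificate. The two SAN constants are the values quoted above. The only thing the example adds beyond the issue text is that the retry is deliberately one-directional and is not attempted when the signature itself is bad, so that the bridge cannot widen what an attacker could get accepted.

```go
package main

import (
	"errors"
	"fmt"
)

// SAN values quoted from the issue: the old (this repo) and new identities.
const (
	OldSAN = "https://github.com/slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@refs/heads/main"
	NewSAN = "https://github.com/slsa-framework/source-actions/.github/workflows/compute_slsa_source.yml@refs/heads/main"
)

// Attestation is a constructed stand-in for a signed statement bundle.
// SignerSAN simulates the certificate identity recovered during signature
// verification; Valid simulates whether the signature itself checks out.
type Attestation struct {
	Body      string
	SignerSAN string
	Valid     bool
}

var (
	ErrIdentityMismatch = errors.New("signer identity does not match expected identity")
	ErrBadSignature     = errors.New("signature verification failed")
)

// verifyWithIdentity is a hypothetical verifier: it succeeds only when the
// signature is valid AND the certificate SAN equals expectedSAN.
func verifyWithIdentity(att Attestation, expectedSAN string) error {
	if !att.Valid {
		return ErrBadSignature
	}
	if att.SignerSAN != expectedSAN {
		return fmt.Errorf("%w: got %q, want %q", ErrIdentityMismatch, att.SignerSAN, expectedSAN)
	}
	return nil
}

// VerifyBridged implements the temporary bridge: verify against the
// expected identity first. If that fails only because of an identity
// mismatch, and the caller expected the NEW identity, retry exactly once
// with the OLD identity. It returns the identity that actually verified so
// callers can record which path was used (useful for knowing when the
// hack can be dropped). A bad signature is never retried, and an
// attestation signed by the new identity is not accepted when the old one
// was expected.
func VerifyBridged(att Attestation, expectedSAN string) (string, error) {
	err := verifyWithIdentity(att, expectedSAN)
	if err == nil {
		return expectedSAN, nil
	}
	if expectedSAN == NewSAN && errors.Is(err, ErrIdentityMismatch) {
		if retryErr := verifyWithIdentity(att, OldSAN); retryErr == nil {
			return OldSAN, nil
		}
	}
	return "", err
}

func main() {
	// Constructed sample: an older VSA signed by this repo, checked by a
	// sourcetool release that expects the new repo identity.
	older := Attestation{Body: "vsa for commit (sample)", SignerSAN: OldSAN, Valid: true}
	used, err := VerifyBridged(older, NewSAN)
	fmt.Printf("verified=%v usedIdentity=%q\n", err == nil, used)
}
```

The return value makes it easy to count how many attestations still verify only through the old identity; once that count reaches zero across tracked repositories, the fallback branch can be removed.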