From 95c86d0682521890fbc6bc144de999643a509ac7 Mon Sep 17 00:00:00 2001
From: SequeI
Date: Thu, 29 Jan 2026 18:10:53 +0000
Subject: [PATCH] fix: lazily create and cache OIDC Issuer for Kubernetes token support

Issuer was created eagerly in __init__, fetching OIDC discovery config. Kubernetes OIDC providers lack authorization_endpoint/token_endpoint, causing failures even when identity_token was provided directly. Now Issuer is lazily created and cached when OAuth flow is needed.

Signed-off-by: SequeI
---
 src/model_signing/_signing/sign_sigstore.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/model_signing/_signing/sign_sigstore.py b/src/model_signing/_signing/sign_sigstore.py
index 9140a8cf..a4e5bb42 100644
--- a/src/model_signing/_signing/sign_sigstore.py
+++ b/src/model_signing/_signing/sign_sigstore.py
@@ -126,7 +126,8 @@ def __init__(
 if not oidc_issuer:
 oidc_issuer = trust_config.signing_config.get_oidc_url()
- self._issuer = sigstore_oidc.Issuer(oidc_issuer)
+ self._oidc_issuer = oidc_issuer
+ self._issuer: sigstore_oidc.Issuer | None = None
 self._signing_context = (
 sigstore_signer.SigningContext.from_trust_config(trust_config)
 )
@@ -153,6 +154,9 @@ def _get_identity_token(self) -> sigstore_oidc.IdentityToken:
 if token:
 return sigstore_oidc.IdentityToken(token, self._client_id)
+ if self._issuer is None:
+ self._issuer = sigstore_oidc.Issuer(self._oidc_issuer)
+
 return self._issuer.identity_token(
 force_oob=self._force_oob,
 client_id=self._client_id,
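Review bot: With `sigstore_oidc.Issuer(...)` now built inside `_get_identity_token` (second hunk), a wrong or unreachable `oidc_issuer` is no longer reported when the signer is constructed; it surfaces only on the first signing call that falls through to the OAuth flow, and stays unnoticed for as long as a token is supplied directly. That appears to be the intended trade-off, but nothing in the code says so; a comment above `self._issuer` in `__init__` would record it, e.g. `# Built lazily in _get_identity_token(): OIDC discovery fails for issuers without OAuth endpoints (e.g. Kubernetes) and is not needed when a token is supplied.` The docstring of `_get_identity_token` should also mention that issuer discovery errors can now be raised from it. The check-then-assign on `self._issuer` is unsynchronised, so if a signer instance is shared between threads (not visible from here) discovery may run twice, which looks harmless but is worth a short note. Both `__init__` and `_get_identity_token` start and end outside the hunks shown.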