From e213ad5ae94f04519d6eaba74887ed6d41629405 Mon Sep 17 00:00:00 2001
From: Samuel Giddins
Date: Fri, 30 Jan 2026 12:34:44 -0800
Subject: [PATCH] Make OIDC audience configurable

Add support for custom OIDC token audiences to handle cases where identity providers use different audience values than the default "sigstore".
Changes:
- Add optional `audience` parameter to `IdentityToken.initialize`
- Add optional `oidc_audience` parameter to `Signer.initialize`
- Add `--oidc-audience` CLI option (defaults to "sigstore")
This aligns with sigstore-python's approach (PR #1402) and provides flexibility for different OIDC providers while maintaining backward compatibility with the default "sigstore" audience.
Signed-off-by: Samuel Giddins
---
 cli/lib/sigstore/cli.rb | 4 +++-
 lib/sigstore/oidc.rb | 7 +++----
 lib/sigstore/signer.rb | 4 ++--
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/cli/lib/sigstore/cli.rb b/cli/lib/sigstore/cli.rb
index ef3c1b3..6e48685 100644
--- a/cli/lib/sigstore/cli.rb
+++ b/cli/lib/sigstore/cli.rb
@@ -80,6 +80,7 @@ def verify(*files)
 desc "sign ARTIFACT", "Sign a file"
 option :staging, type: :boolean, desc: "Use the staging trusted root"
 option :identity_token, type: :string, desc: "Identity token to use for signing"
+ option :oidc_audience, type: :string, desc: "Expected audience for the OIDC token", default: "sigstore"
 option :bundle, type: :string, desc: "Path to write the signed bundle to"
 option :signature, type: :string, desc: "Path to write the signature to"
 option :certificate, type: :string, desc: "Path to the public certificate"
@@ -95,7 +96,8 @@ def sign(file)
 contents = File.binread(file)
 bundle = Sigstore::Signer.new(
 jwt: options[:identity_token],
- trusted_root:
+ trusted_root:,
+ oidc_audience: options[:oidc_audience]
 ).sign(contents)
 File.binwrite(options[:bundle], bundle.to_json) if options[:bundle]
diff --git a/lib/sigstore/oidc.rb b/lib/sigstore/oidc.rb
index 77918a9..c4d9694 100644
--- a/lib/sigstore/oidc.rb
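Review bot: The new `option :oidc_audience` line in the @@ -80 hunk hard-codes `default: "sigstore"` as a string literal, duplicating the `OIDC::DEFAULT_AUDIENCE` constant that the oidc.rb and signer.rb hunks use for the same default, so the two can drift without anyone noticing. If the OIDC module is already loaded when Thor evaluates the option declaration (the require order is not visible in this patch), `default: Sigstore::OIDC::DEFAULT_AUDIENCE` keeps the CLI and library defaults tied to a single source. The default should stay declared rather than be dropped: the @@ -95 hunk passes `options[:oidc_audience]` straight through, and an absent option would override `Signer`'s keyword default with nil instead of falling back to it. The `sign` command body continues outside the hunk.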
+++ b/lib/sigstore/oidc.rb
@@ -30,10 +30,10 @@ module OIDC
 class IdentityToken
 attr_reader :raw_token, :identity
- def initialize(raw_token)
+ def initialize(raw_token, audience: DEFAULT_AUDIENCE)
 @raw_token = raw_token
- @unverified_claims = self.class.decode_jwt(raw_token)
+ @unverified_claims = self.class.decode_jwt(raw_token, audience: audience)
 @iss = @unverified_claims["iss"]
 @nbf = @unverified_claims["nbf"]
 @exp = @unverified_claims["exp"]
@@ -58,12 +58,11 @@ def issuer
 @iss
 end
- def self.decode_jwt(raw_token)
+ def self.decode_jwt(raw_token, audience: DEFAULT_AUDIENCE)
 # These claims are required by OpenID Connect, so
 # we can strongly enforce their presence.
 # See: https://openid.net/specs/openid-connect-basic-1_0.html#IDToken
 required = %w[aud sub iat exp iss]
- audience = DEFAULT_AUDIENCE
 leeway = 5
 _header, payload, _signature =
diff --git a/lib/sigstore/signer.rb b/lib/sigstore/signer.rb
index c66e11d..727c1b1 100644
--- a/lib/sigstore/signer.rb
+++ b/lib/sigstore/signer.rb
@@ -26,8 +26,8 @@ module Sigstore
 class Signer
 include Loggable
- def initialize(jwt:, trusted_root:)
- @identity_token = OIDC::IdentityToken.new(jwt)
+ def initialize(jwt:, trusted_root:, oidc_audience: OIDC::DEFAULT_AUDIENCE)
+ @identity_token = OIDC::IdentityToken.new(jwt, audience: oidc_audience)
 @trusted_root = trusted_root
 @verifier = Verifier.for_trust_root(trust_root: @trusted_root)
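Review bot: `self.decode_jwt` in the @@ -58 hunk now takes `audience` from the caller and removes the local `audience = DEFAULT_AUDIENCE` fallback, but nothing rejects a nil or empty value; the verification call that consumes `audience` is outside the hunk, so I cannot tell from the patch whether a nil expected audience fails the `aud` check or causes it to be skipped. Because matching `aud` is what binds a token to this relying party, the method should fail closed, e.g. `raise ArgumentError, "audience must be a non-empty String" if audience.nil? || audience.empty?` as the first statement of `decode_jwt`; the `IdentityToken#initialize` hunk above forwards its `audience:` keyword here, so one guard covers both entry points. The method body continues outside the hunk.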
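Review bot: The new `oidc_audience:` keyword on `Signer#initialize` in the @@ -26 hunk is undocumented, and `Signer` is the entry point a library caller reads first. A YARD line above the method, `# @param oidc_audience [String] value the identity token's aud claim is checked against; defaults to OIDC::DEFAULT_AUDIENCE`, would make clear that this is the audience the token is verified against, not one requested from the provider. The same documentation gap applies to the `audience:` keyword added to `IdentityToken#initialize` in the oidc.rb @@ -30 hunk. The constructor body continues outside the hunk.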