diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go
index 9b48f2b2d74..db1fc460c7e 100644
--- a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go
+++ b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go
@@ -39,6 +39,23 @@ var fulcioTargetStr = `fulcio.crt.pem`
 // This is the v1 migrated root.
 var fulcioV1TargetStr = `fulcio_v1.crt.pem`
 
+// The untrusted intermediate CA certificate, used for chain building
+// TODO: Remove once this is bundled in TUF metadata.
+var fulcioIntermediateV1 = `-----BEGIN CERTIFICATE-----
+MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw
+KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
+MjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl
+LmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C
+AQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7
+7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS
+0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB
+BQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp
+KFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI
+zj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR
+nZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP
+mygUY7Ii2zbdCdliiow=
+-----END CERTIFICATE-----`
+
 const (
 	altRoot = "SIGSTORE_ROOT_FILE"
 )
@@ -116,6 +133,7 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) {
 				}
 			}
 		}
+		intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
 	}
 	return rootPool, intermediatePool, nil
 }
diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go
index 9071db8cd4a..b400f453a82 100644
--- a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go
+++ b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go
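Review bot: The new comment on `fulcioIntermediateV1` calls the certificate "untrusted" but does not say what that means for verification, which is exactly what a later maintainer tempted to drop it into the root pool needs to read. I would expand it to: `// Fulcio intermediate CA, embedded only so certificate chains can be built; it goes into the intermediate pool and never the root pool, so it confers no trust by itself — every chain must still terminate at a TUF-distributed root.` The embedded DER appears to decode to subject CN=sigstore-intermediate, O=sigstore.dev, CA:TRUE with pathlen 0, valid 2022-04-13 to 2031-10-05 — worth recording in the comment (after confirming by parsing it) so the TODO has a concrete deadline and reviewers can sanity-check the blob without decoding it. Because the certificate is now compiled into the binary, rotating or retiring it requires a cosign release, which is the real argument the TODO's TUF plan should make explicit.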
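Review bot: The boolean result of `intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))` is discarded, so a corrupted or mis-pasted embedded PEM would be silently ignored and only surface later as an opaque chain-building failure far from the cause. Since the input is a compile-time constant, a parse failure is a programmer error and should be loud: `if !intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1)) {` / `return nil, nil, errors.New("fulcioroots: embedded Fulcio intermediate certificate failed to parse")` / `}` (use `fmt.Errorf` if that is what the file already imports). The nesting also suggests the append runs only on the branch that is not taken when `SIGSTORE_ROOT_FILE` is set, in which case users of that override must put the intermediate in their own file — a one-line comment on the new line saying so would save a confusing debugging session. initRoots begins outside this hunk, so I could not confirm which branch the new line sits in.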
@@ -40,8 +40,7 @@ func TestGetFulcioRoots(t *testing.T) {
 	if _, err := tmpCertFile.Write(chain); err != nil {
 		t.Fatalf("failed to write cert file: %v", err)
 	}
-	os.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name())
-	defer os.Unsetenv("SIGSTORE_ROOT_FILE")
+	t.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name())
 
 	rootCertPool := Get()
 	// ignore deprecation error because certificates do not contain from SystemCertPool
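Review bot: Switching to `t.Setenv` is the right call (it restores the previous value and refuses to run under `t.Parallel`), but this test still drives only the `SIGSTORE_ROOT_FILE` path and reads just the root pool via `Get()`, so the intermediate certificate this commit embeds is not exercised anywhere visible. I would add a test that loads the default (non-override) pools and asserts the embedded intermediate is present — for example by parsing `fulcioIntermediateV1` with `x509.ParseCertificate` and checking its `RawSubject` appears in the intermediate pool's `Subjects()` — assuming the package exposes the intermediate pool; the accessor for that is outside this hunk. Note that `t.Setenv` panics if the test is ever marked parallel, so `t.Parallel()` must not be added here without reverting this line. TestGetFulcioRoots begins outside this hunk.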