Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore

[imjasonh]

Signed-off-by: Jason Hall [email protected]

Depends on sigstore/sigstore#435
Part of #1865

Summary

This removes pkg/cosign/tuf in favor if sigstore/sigstore's new pkg/tuf.

This moves cosign-specific logic into an internal package only used by the cosign CLI. This package adds cosign-specific override behavior, and otherwise falls back to sigstore/sigstore's new pkg/fulcioroots.

Release Note

pkg/cosign/tuf and cmd/cosign/cli/fulcio/fulcioroots packages are moved to sigstore/sigstore

[codecov-commenter]

Codecov Report

Merging #1866 (c7799bf) into main (89b9e88) will decrease coverage by 1.80%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #1866      +/-   ##
==========================================
- Coverage   33.43%   31.62%   -1.81%     
==========================================
  Files         146      138       -8     
  Lines        9344     8632     -712     
==========================================
- Hits         3124     2730     -394     
+ Misses       5847     5581     -266     
+ Partials      373      321      -52     

Impacted Files	Coverage Δ
cmd/cosign/cli/fulcio/fulcio.go	21.42% <ø> (ø)
cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go	49.26% <ø> (ø)
cmd/cosign/cli/options/initialize.go	0.00% <ø> (ø)
cmd/cosign/cli/policy_init.go	1.40% <ø> (ø)
cmd/cosign/cli/verify/verify_blob.go	10.42% <ø> (ø)
pkg/cosign/kubernetes/webhook/validation.go	74.00% <ø> (ø)
pkg/cosign/tlog.go	29.71% <ø> (ø)
pkg/cosign/verify.go	32.16% <ø> (ø)
cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 89b9e88...c7799bf. Read the comment docs.

[haydentherapper]

Thanks for adding this here! I didn't realize this had already been added back.

[asraa]

I'm writing up a design doc right now, let's go as proceeded but I realize separating this from cosign means that it's very difficult to, for example, set locations of a remote through flags for cosign.

My plan is to refactor the TUF client now in sigstore with a TufOpts that holds the main options for configuring a Tuf Object:

• mirror
• trusted root
• pre-downloaded targets (embedded ones)
• location of a cache

The goal is all of these can be configured through cosign usage, either through env vars of flags. I'll share the doc today. I'm currently hacking on it because it's hard to pre-empt the design without trying it :/

cc @haydentherapper @znewman01

[imjasonh]

Do we want to keep cosign's pkg/tuf around with type aliases and deprecation warnings for a release, or do we think this isn't used outside of cosign? Technically I don't think we make any guarantees about the Go API stability of sigstore/cosign, though we shouldn't break people unnecessarily if we think folks are depending on it.

I think gitsign is using it, but I can update that myself.

[dlorenc]

Do we want to keep cosign's pkg/tuf around with type aliases and deprecation warnings for a release, or do we think this isn't used outside of cosign? Technically I don't think we make any guarantees about the Go API stability of sigstore/cosign, though we shouldn't break people unnecessarily if we think folks are depending on it.

I think gitsign is using it, but I can update that myself.

I don't mind removing it.

[znewman01]

nit: not clear whether "this behavior" refers to "returns the Fulcio root certificate" or the bit about the env var.

[haydentherapper]

+1, would simply clarify that these methods support fetching from an environment variable too

[imjasonh]

I had wanted to have some wording around how/why this is different from s/s's pkg/fulcioroots, but I guess it doesn't really need it since this is internal now and only usable in cosign. I'll remove the "If this behavior" part. Thanks!

[asraa]

Move the documentation on If the SIGSTORE_ROOT_FILE env variable is set above to here?

Also, what is the format of this file -- notably it's a list of PEM encoded FULCIO certificates, NOT a TUF root.json.

[imjasonh]

This const isn't exported, so the comment wouldn't be available in godoc. I can put a comment here too in case folks are looking through code and find it, but I think it's better to have on the exported method.

Can you suggest wording for the format of the file? I think you'll have better context there than me.

[dlorenc]

Merge conflict, otherwise lgtm and let's get this in to unblock the log jam.