remove sget

.github/workflows/build.yaml

@@ -62,7 +62,7 @@ jobs:
       - name: creds
         run: gcloud auth configure-docker --quiet
 
-      - name: containers-cosign-sget
+      - name: containers-cosign
         run: make sign-ci-containers
         env:
           KO_PREFIX: gcr.io/projectsigstore/cosign/ci

.github/workflows/cross.yaml

@@ -25,15 +25,12 @@ jobs:
         include:
           - os: macos-latest
             COSIGN_TARGET: cosign-darwin-amd64
-            SGET_TARGET: sget-darwin-amd64
             COSIGN_PASSWORD: COSIGN_PASSWORD
           - os: ubuntu-latest
             COSIGN_TARGET: cosign-linux-amd64
-            SGET_TARGET: sget-linux-amd64
             COSIGN_PASSWORD: COSIGN_PASSWORD
           - os: windows-latest
             COSIGN_TARGET: cosign-windows-amd64.exe
-            SGET_TARGET: sget-windows-amd64.exe
             COSIGN_PASSWORD: COSIGN_PASSWORD
     steps:
       - name: Install Go
@@ -46,27 +43,22 @@ jobs:
       - name: build cosign
         run: |
           make cosign && mv ./cosign ./${{matrix.COSIGN_TARGET}}
-          make sget && mv ./sget ./${{matrix.SGET_TARGET}}
       - name: Create checksum file
         shell: pwsh
         run: |
           $hash=Get-FileHash -Path ./${{matrix.COSIGN_TARGET}}
           Write-Output $($hash.Hash + " " + $(([io.fileinfo]$hash.path).basename)) | Tee-Object -Path ${{matrix.COSIGN_TARGET}}.sha256
-          $hash=Get-FileHash -Path ./${{matrix.SGET_TARGET}}
-          Write-Output $($hash.Hash + " " + $(([io.fileinfo]$hash.path).basename)) | Tee-Object -Path ${{matrix.SGET_TARGET}}.sha256
       - name: sign
         shell: bash
         env:
           COSIGN_PASSWORD: ${{secrets[matrix.COSIGN_PASSWORD]}}
         if: github.event_name != 'pull_request'
         run: |
           ./${{matrix.COSIGN_TARGET}} sign-blob --yes --key ./.github/workflows/cosign-test.key ./${{matrix.COSIGN_TARGET}} > ${{matrix.COSIGN_TARGET}}.sig
-          ./${{matrix.COSIGN_TARGET}} sign-blob --yes --key ./.github/workflows/cosign-test.key ./${{matrix.SGET_TARGET}} > ${{matrix.SGET_TARGET}}.sig
       - name: verify
         if: github.event_name != 'pull_request'
         run: |
           ./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign-test.pub --signature ${{matrix.COSIGN_TARGET}}.sig ./${{matrix.COSIGN_TARGET}}
-          ./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign-test.pub --signature ${{matrix.SGET_TARGET}}.sig ./${{matrix.SGET_TARGET}}
       - name: Upload artifacts
         if: github.event_name != 'pull_request'
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
@@ -76,6 +68,3 @@ jobs:
             cosign-*
             cosign.-*sha256
             cosign-*.sig
-            sget-*
-            sget.-*sha256
-            sget-*.sig

.github/workflows/e2e-with-binary.yml

@@ -42,7 +42,6 @@ jobs:
       id-token: write
       contents: read
     env:
-      COSIGN_EXPERIMENTAL: "true"
       COSIGN_YES: "true"
 
     steps:

.github/workflows/github-oidc.yaml

@@ -35,7 +35,6 @@ jobs:
       packages: write
       contents: read
     env:
-      COSIGN_EXPERIMENTAL: "true"
       GIT_HASH: ${{ github.sha }}
       GIT_VERSION: unstable
       GITHUB_RUN_ID: ${{ github.run_id }}

.github/workflows/validate-release.yml

@@ -70,4 +70,3 @@ jobs:
       - name: check binaries
         run: |
           ./dist/cosign-linux-amd64 version
-          ./dist/sget-linux-amd64 version

.gitignore

@@ -19,7 +19,6 @@
 /cosign*
 .vscode
 .idea
-/sget*
 
 # fuzzing artifacts
 *.libfuzzer
@@ -28,10 +27,6 @@
 bin*
 dist/
 cosignImagerefs
-policyControllerImagerefs
-sgetImagerefs
-policyImagerefs
-
 bundle
 signature
 certificate

.goreleaser.yml

@@ -155,68 +155,19 @@ builds:
       - pivkey
       - pkcs11key
 
-  - id: sget
-    binary: sget-{{ .Os }}-{{ .Arch }}
-    no_unique_dist_dir: true
-    mod_timestamp: '{{ .CommitTimestamp }}'
-    main: ./cmd/sget
-    flags:
-      - -trimpath
-    goos:
-      - linux
-      - darwin
-      - windows
-    goarch:
-      - amd64
-      - arm64
-      - arm
-      - s390x
-      - ppc64le
-      - riscv64
-    goarm:
-      - '7'
-    ignore:
-      - goos: windows
-        goarch: arm64
-      - goos: windows
-        goarch: arm
-      - goos: windows
-        goarch: s390x
-      - goos: windows
-        goarch: ppc64le
-    ldflags:
-      - "{{ .Env.LDFLAGS }}"
-    env:
-      - CGO_ENABLED=0
-
 signs:
   - id: cosign
     signature: "${artifact}.sig"
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
-  - id: sget
-    signature: "${artifact}.sig"
-    cmd: ./dist/cosign-linux-amd64
-    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
-    artifacts: binary
-    ids:
-      - sget
   # Keyless
   - id: cosign-keyless
     signature: "${artifact}-keyless.sig"
     certificate: "${artifact}-keyless.pem"
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
     artifacts: binary
-  - id: sget-keyless
-    signature: "${artifact}-keyless.sig"
-    certificate: "${artifact}-keyless.pem"
-    cmd: ./dist/cosign-linux-amd64
-    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
-    artifacts: binary
-    ids:
-      - sget
   - id: checksum-keyless
     signature: "${artifact}-keyless.sig"
     certificate: "${artifact}-keyless.pem"

.ko.yaml

@@ -31,18 +31,3 @@ builds:
   ldflags:
   - -extldflags "-static"
   - "{{ .Env.LDFLAGS }}"
-
-- id: sget
-  dir: .
-  main: ./cmd/sget
-  env:
-  - CGO_ENABLED=0
-  flags:
-  - -trimpath
-  - --tags
-  - "{{ .Env.GIT_HASH }}"
-  - --tags
-  - "{{ .Env.GIT_VERSION }}"
-  ldflags:
-  - -extldflags "-static"
-  - "{{ .Env.LDFLAGS }}"

Makefile

@@ -84,10 +84,6 @@ cosign: $(SRCS)
 cosign-pivkey-pkcs11key: $(SRCS)
 	CGO_ENABLED=1 $(GOEXE) build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign
 
-.PHONY: sget
-sget: ## Build sget binary
-	$(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/sget
-
 .PHONY: cross
 cross:
 	$(foreach GOOS, $(PLATFORMS),\
@@ -112,7 +108,6 @@ test:
 
 clean:
 	rm -rf cosign
-	rm -rf sget
 	rm -rf dist/
 
 KOCACHE_PATH=/tmp/ko
@@ -133,7 +128,7 @@ endef
 # ko build
 ##########
 .PHONY: ko
-ko: ko-cosign ko-sget
+ko: ko-cosign
 
 .PHONY: ko-cosign
 ko-cosign:
@@ -144,15 +139,6 @@ ko-cosign:
 		$(ARTIFACT_HUB_LABELS) --image-refs cosignImagerefs \
 		github.com/sigstore/cosign/v2/cmd/cosign
 
-.PHONY: ko-sget
-ko-sget:
-	# sget
-	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \
-		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
-		--image-refs sgetImagerefs \
-		github.com/sigstore/cosign/v2/cmd/sget
-
 .PHONY: ko-local
 ko-local:
 	$(create_kocache_path)

README.md

@@ -192,44 +192,6 @@ Pushing signature to: ttl.sh/my-artifact-f42c22e0
 
 As usual, make sure to reference any images you sign by their digest to make sure you don't sign the wrong thing!
 
-#### sget
-
-We also include the `sget` command for safer, automatic verification of signatures and integration with our binary transparency log, Rekor.
-
-To install `sget`, if you have Go 1.16+, you can directly run:
-
-    $ go install github.com/sigstore/cosign/v2/cmd/sget@latest
-
-and the resulting binary will be placed at `$GOPATH/bin/sget` (or `$GOBIN/sget`, if set).
-
-Just like `curl`, `sget` can be used to fetch artifacts by digest using the OCI URL.
-Digest verification is automatic:
-
-```shell
-$ sget us.gcr.io/dlorenc-vmtest2/readme@sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec > artifact
-```
-
-You can also use `sget` to fetch contents by tag.
-Fetching contents without verifying them is dangerous, so we require the artifact be signed in this case:
-
-```shell
-$ sget gcr.io/dlorenc-vmtest2/artifact
-error: public key must be specified when fetching by tag, you must fetch by digest or supply a public key
-
-$ sget --key cosign.pub us.gcr.io/dlorenc-vmtest2/readme > foo
-
-Verification for us.gcr.io/dlorenc-vmtest2/readme --
-The following checks were performed on each of these signatures:
-  - The cosign claims were validated
-  - Existence of the claims in the transparency log was verified offline
-  - The signatures were verified against the specified public key
-  - The code-signing certificate was verified using trusted certificate authority certificates
-```
-
-The signature, claims and transparency log proofs are all verified automatically by sget as part of the download.
-
-`curl | bash` isn't a great idea, but `sget | bash` is less-bad.
-
 #### Tekton Bundles
 
 [Tekton](https://tekton.dev) bundles can be uploaded and managed within an OCI registry.