Skip to content

Commit

Permalink
fix: use sigstore/pkg/fulcioroots to lessen deps (#746)
Browse files Browse the repository at this point in the history
We've long had the problem that slsa-verifier has too many dependencies.

This PR replaces `"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`
with `"github.com/sigstore/sigstore/pkg/fulcioroots"`,
removing lot's of unneeded transitive dependencies like
`"github.com/aws/aws-sdk-go-v2"` and
`"github.com/Azure/go-autorest/autorest"` from our `go.mod`.

## Investigation

At
[deps.dep](https://deps.dev/go/github.com%2Fslsa-framework%2Fslsa-verifier%2Fv2/v2.4.1/dependencies/graph?filter=aws),
we can see that the indirect dependencies of `aws/aws-sdk-go-v2` come
from `cosign/cosign`.

<img width="1110" alt="image"
src="https://github.com/slsa-framework/slsa-verifier/assets/32398091/3de1adf4-29ac-4bec-a511-0ae191c3141c">

That's a good start, but this gives us only module-wide dependencies,
not package-level dependencies. We can instead use `go mod why <pkg>` to
get the package-level dependency chain.

Now we know that it's our `gha` package that imports a fulcio package,
which imports an aws package.

```
➜  slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/                                  
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
```

Looking at our `gha` package we can see that the required methods from
fulcio are `Get()` and `GetIntermediates()`. Looking at the source
codes, we see that
`"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`'s implementation
of these methods is the same as
`"github.com/sigstore/sigstore/pkg/fulcioroots"`'s implementation. So we
chose the latter's implementation, which happens to require fewer
module-level dependencies.

-
https://github.com/sigstore/cosign/blob/546f1c5b91ef58d6b034a402d0211d980184a0e5/cmd/cosign/cli/fulcio/fulcio.go#L16
-
https://github.com/sigstore/cosign/blob/546f1c5b91ef58d6b034a402d0211d980184a0e5/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go#L16
-
https://github.com/sigstore/sigstore/blob/25dd9f3e52ec1e666b3c913edd1a0b7aa236b246/pkg/fulcioroots/fulcioroots.go#L17

## Testing

- unit tests continue to pass
- manual test to verify a provenance with the steps in our
[readme](https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#npm-packages-built-using-the-slsa3-nodejs-builder)

## Future Work

The sigstore-go library is meant to be a more long-term solution, for
replacing much of the sigstore-related functionality that slsa-verifier
implements directly.

Signed-off-by: Ramon Petgrave <[email protected]>
  • Loading branch information
ramonpetgrave64 authored Mar 27, 2024
1 parent b1f9867 commit fe539a2
Show file tree
Hide file tree
Showing 3 changed files with 3 additions and 476 deletions.
82 changes: 0 additions & 82 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -26,88 +26,35 @@ require (
)

require (
filippo.io/edwards25519 v1.0.0 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 // indirect
github.com/cloudflare/circl v1.3.3 // indirect
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c // indirect
github.com/emicklei/go-restful/v3 v3.10.2 // indirect
github.com/go-openapi/strfmt v0.22.0 // indirect
github.com/go-openapi/swag v0.22.8 // indirect
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/go-github/v53 v53.2.0 // indirect
github.com/google/uuid v1.5.0 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/sagikazarmark/locafero v0.3.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/sigstore/timestamp-authority v1.1.2 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
go.opentelemetry.io/otel/metric v1.19.0 // indirect
go.step.sm/crypto v0.38.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
)

require (
cloud.google.com/go/compute v1.23.3 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.29 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
github.com/alibabacloud-go/darabonba-openapi v0.1.18 // indirect
github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 // indirect
github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
github.com/alibabacloud-go/openapi-util v0.0.11 // indirect
github.com/alibabacloud-go/tea v1.1.18 // indirect
github.com/alibabacloud-go/tea-utils v1.4.4 // indirect
github.com/alibabacloud-go/tea-xml v1.1.2 // indirect
github.com/aliyun/credentials-go v1.2.3 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2 v1.21.2 // indirect
github.com/aws/aws-sdk-go-v2/config v1.19.1 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect
github.com/aws/smithy-go v1.15.0 // indirect
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect
github.com/clbanning/mxj/v2 v2.5.6 // indirect
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
github.com/coreos/go-oidc/v3 v3.9.0 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dimchansky/utfbom v1.1.1 // indirect
github.com/docker/cli v24.0.0+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v24.0.7+incompatible // indirect
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-jose/go-jose/v3 v3.0.1 // indirect
github.com/go-logr/logr v1.3.0 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.21.5 // indirect
Expand All @@ -117,57 +64,41 @@ require (
github.com/go-openapi/loads v0.21.3 // indirect
github.com/go-openapi/spec v0.20.12 // indirect
github.com/go-openapi/validate v0.22.4 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/certificate-transparency-go v1.1.6 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/imdario/mergo v0.3.16 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.17.0 // indirect
github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/miekg/pkcs11 v1.1.1 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.1.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/segmentio/ksuid v1.0.4 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/fulcio v1.4.3
github.com/sigstore/protobuf-specs v0.2.1
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
github.com/spf13/afero v1.10.0 // indirect
github.com/spf13/cast v1.5.1 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/viper v1.17.0 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/thales-e-security/pool v0.0.2 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tjfoc/gmsm v1.3.2 // indirect
github.com/vbatts/tar-split v0.11.3 // indirect
github.com/xanzy/go-gitlab v0.90.0 // indirect
go.mongodb.org/mongo-driver v1.13.1 // indirect
go.opentelemetry.io/otel v1.19.0 // indirect
go.opentelemetry.io/otel/trace v1.19.0 // indirect
Expand All @@ -176,28 +107,15 @@ require (
golang.org/x/crypto v0.18.0 // indirect
golang.org/x/exp v0.0.0-20231006140011-7918f672742d
golang.org/x/net v0.20.0 // indirect
golang.org/x/oauth2 v0.16.0 // indirect
golang.org/x/sync v0.5.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/term v0.16.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.5.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
google.golang.org/grpc v1.59.0 // indirect
google.golang.org/protobuf v1.33.0
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.27.3 // indirect
k8s.io/apimachinery v0.27.3 // indirect
k8s.io/client-go v0.27.3 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)
Loading

0 comments on commit fe539a2

Please sign in to comment.