cliplugin: convert module to package only

[ramonpetgrave64]

Summary

Pending #1948, #1958

branch diff:

• ramonpetgrave64/sigstore@ramonpetgrave64-kms-plugin-cli-hashencoding...ramonpetgrave64:sigstore:no-module
• ramonpetgrave64/sigstore@lint-fix...ramonpetgrave64:sigstore:no-module

Moves the details of kms.signerVerifier to a new bridge package signerverifier.SignerVerifier to avoid import cycles.

Marks ProviderNotFoundError for deprecation.

Converts cliplugin to be a package only, not a module. This lets consumers, such as cosign, avoid having to load the module like below, and its okay because there are no new dependencies.

import _ "github.com/sigstore/sigstore/pkg/signature/kms/cliplugin"

To start using cliplugin, consumers need only bump the version of sigstore.

• lint fixes, becuase golanci-lint does not run against sub-modules.

Testing

Example error

error during command execution: signing ../blob.txt: reading key: kms get: exec: "sigstore-kms-myawskmsX": executable file not found in $PATH

Release Note

cliplugin is now a package only, not a module that needs to be loaded for initialization. There is no need to explicitly import cliplugin.

Documentation

No doc changes.

[ramonpetgrave64]

Lint errors should be fixed after merging #1958. Afterwards, we can remove that PR's explicit commands to run golangci-lint the the cliplugin directory.

[ramonpetgrave64]

@haydentherapper @bobcallaway

[Hayden-IO]

note: the stuck CI is expected, we'll remove that as a requirement

[ramonpetgrave64]

@haydentherapper It may be because the job's changed names, because of the matrix?

https://github.com/orgs/community/discussions/26698#discussioncomment-3252954

[ramonpetgrave64]

I re-did the commits to follow a better flow.

[bobcallaway]

this looks strange, perhaps it doesn't matter with the replace on line 5?

[ramonpetgrave64]

That's right. Pinning an actual version won't be useful, I think.

[Hayden-IO]

This library is used outside of Cosign so we shouldn't be making changes just because of how Cosign outputs this error.

Isn't it more accurate to log that it is an unrecognized scheme rather than a missing executable? Whether the KMS provider is an executable or module is a detail the user doesn't need to be aware of.

I think we can get the best of both worlds - wrap the original error from cliplugin.LoadSignerVerifier in a ProviderNotFoundError.

[ramonpetgrave64]

changed, and added tests

[Hayden-IO]

Rather than modify this interface, can we leave this as-is and just redefine the interface in an internal package under pkg/signature/kms/cliplugin, like pkg/signature/kms/cliplugin/internal/signerverifier?

[ramonpetgrave64]

That works! though we have to copy the contents of the interface. It's okay, because if the two interfaces are ever out of sync, I see we would get a compiler error since cliplugin.LoadsignerVerifier()'s return value would not satisfy the return value of Get().