Skip to content

fix: use sigstore/pkg/fulcioroots to lessen deps#746

Merged
laurentsimon merged 3 commits intoslsa-framework:mainfrom
ramonpetgrave64:ramonpetgrave64-sigstore-go-trusted-root
Mar 27, 2024
Merged

fix: use sigstore/pkg/fulcioroots to lessen deps#746
laurentsimon merged 3 commits intoslsa-framework:mainfrom
ramonpetgrave64:ramonpetgrave64-sigstore-go-trusted-root

Conversation

@ramonpetgrave64
Copy link
Copy Markdown
Contributor

@ramonpetgrave64 ramonpetgrave64 commented Mar 21, 2024
edited
Loading

We've long had the problem that slsa-verifier has too many dependencies.

This PR replaces "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" with "github.com/sigstore/sigstore/pkg/fulcioroots",
removing lot's of unneeded transitive dependencies like "github.com/aws/aws-sdk-go-v2" and "github.com/Azure/go-autorest/autorest" from our go.mod.

Investigation

At deps.dep, we can see that the indirect dependencies of aws/aws-sdk-go-v2 come from cosign/cosign.

image

That's a good start, but this gives us only module-wide dependencies, not package-level dependencies. We can instead use go mod why <pkg> to get the package-level dependency chain.

Now we know that it's our gha package that imports a fulcio package, which imports an aws package.

➜  slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/                                  
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2

Looking at our gha package we can see that the required methods from fulcio are Get() and GetIntermediates(). Looking at the source codes, we see that "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"'s implementation of these methods is the same as "github.com/sigstore/sigstore/pkg/fulcioroots"'s implementation. So we chose the latter's implementation, which happens to require fewer module-level dependencies.

Testing

  • unit tests continue to pass
  • manual test to verify a provenance with the steps in our readme

Future Work

The sigstore-go library is meant to be a more long-term solution, for replacing much of the sigstore-related functionality that slsa-verifier implements directly.

@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review March 21, 2024 21:00
@ramonpetgrave64
Copy link
Copy Markdown
Contributor Author

ramonpetgrave64 commented Mar 21, 2024

@laurentsimon @ianlewis

@laurentsimon
Copy link
Copy Markdown
Contributor

laurentsimon commented Mar 22, 2024

Thanks. Let's wait for the slsa-verfiier release and merge this. After that we can cut releases more often :)

@laurentsimon
Copy link
Copy Markdown
Contributor

laurentsimon commented Mar 26, 2024

Can you rebase? I've enabled auto-merge.

@laurentsimon laurentsimon enabled auto-merge (squash) March 26, 2024 21:47
@laurentsimon laurentsimon merged commit fe539a2 into slsa-framework:main Mar 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@laurentsimon laurentsimon laurentsimon approved these changes

+1 more reviewer

@kpk47 kpk47 kpk47 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ramonpetgrave64 @laurentsimon @kpk47