fix: use a uniform verifier interface for provenance type (#478)

* cleanup: use a uniform verifier interface for provenance type

Signed-off-by: Asra Ali <asraa@google.com>

* fix experimental gateg

Signed-off-by: Asra Ali <asraa@google.com>

* oops

Signed-off-by: Asra Ali <asraa@google.com>

---------

Signed-off-by: Asra Ali <asraa@google.com>

cli/slsa-verifier/main.go

@@ -16,10 +16,6 @@ func check(err error) {
 	}
 }
 
-func ExperimentalEnabled() bool {
-	return os.Getenv("SLSA_VERIFIER_EXPERIMENTAL") == "1"
-}
-
 func rootCmd() *cobra.Command {
 	c := &cobra.Command{
 		Use:   "slsa-verifier",

cli/slsa-verifier/verify.go

@@ -43,7 +43,6 @@ func verifyArtifactCmd() *cobra.Command {
 		Run: func(cmd *cobra.Command, args []string) {
 			v := verify.VerifyArtifactCommand{
 				ProvenancePath:      o.ProvenancePath,
-				BundlePath:          o.BundlePath,
 				SourceURI:           o.SourceURI,
 				PrintProvenance:     o.PrintProvenance,
 				BuildWorkflowInputs: o.BuildWorkflowInputs.AsMap(),
@@ -61,21 +60,6 @@ func verifyArtifactCmd() *cobra.Command {
 				v.BuilderID = &o.BuilderID
 			}
 
-			// In experimental mode, we allow either provenance or bundle path, but exactly
-			// one must be set. We already check to ensure that they are mutually exclusive.
-			if ExperimentalEnabled() {
-				if !(cmd.Flags().Changed("provenance-path") ||
-					cmd.Flags().Changed("bundle-path")) {
-					fmt.Fprintf(os.Stderr, "%s\n%s", cmd.UsageString(),
-						"exactly one of --provenance-path or --bundle-path must be supplied")
-					os.Exit(1)
-				}
-			} else if !cmd.Flags().Changed("provenance-path") {
-				// --provenance-path must be set.
-				fmt.Fprintf(os.Stderr, "%s\n%s\n", cmd.UsageString(), "--provenance-path must be supplied")
-				os.Exit(1)
-			}
-
 			if _, err := v.Exec(cmd.Context(), args); err != nil {
 				fmt.Fprintf(os.Stderr, "%s: %v\n", FAILURE, err)
 				os.Exit(1)
@@ -86,6 +70,8 @@ func verifyArtifactCmd() *cobra.Command {
 	}
 
 	o.AddFlags(cmd)
+	// --provenance-path must be supplied when verifying an artifact.
+	cmd.MarkFlagRequired("provenance-path")
 	return cmd
 }
 

cli/slsa-verifier/verify/options.go

@@ -39,7 +39,6 @@ type VerifyOptions struct {
 	BuilderID           string
 	/* Other */
 	ProvenancePath  string
-	BundlePath      string
 	PrintProvenance bool
 }
 
@@ -68,17 +67,11 @@ func (o *VerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.ProvenancePath, "provenance-path", "",
 		"path to a provenance file")
 
-	cmd.Flags().StringVar(&o.BundlePath, "bundle-path", "",
-		"path to a Sigstore provenance bundle file containing offline information.")
-
 	cmd.Flags().BoolVar(&o.PrintProvenance, "print-provenance", false,
 		"[optional] print the verified provenance to stdout")
 
 	cmd.MarkFlagRequired("source-uri")
 	cmd.MarkFlagsMutuallyExclusive("source-versioned-tag", "source-tag")
-
-	// Enforce exactly one of --provenance-path and --bundle-path.
-	cmd.MarkFlagsMutuallyExclusive("provenance-path", "bundle-path")
 }
 
 type workflowInputs struct {

cli/slsa-verifier/verify/verify_artifact.go

@@ -30,7 +30,6 @@ import (
 // Note: nil branch, tag, version-tag and builder-id means we ignore them during verification.
 type VerifyArtifactCommand struct {
 	ProvenancePath      string
-	BundlePath          string
 	BuilderID           *string
 	SourceURI           string
 	SourceBranch        *string
@@ -63,20 +62,10 @@ func (c *VerifyArtifactCommand) Exec(ctx context.Context, artifacts []string) (*
 			ExpectedID: c.BuilderID,
 		}
 
-		var provenance []byte
-		if c.ProvenancePath != "" {
-			provenance, err = os.ReadFile(c.ProvenancePath)
-			if err != nil {
-				fmt.Fprintf(os.Stderr, "Verifying artifact %s: FAILED: %v\n\n", artifact, err)
-				return nil, err
-			}
-		} else {
-			bundle, err := os.ReadFile(c.BundlePath)
-			if err != nil {
-				fmt.Fprintf(os.Stderr, "Verifying artifact %s: FAILED: %v\n\n", artifact, err)
-				return nil, err
-			}
-			provenanceOpts.ProvenanceBundle = bundle
+		provenance, err := os.ReadFile(c.ProvenancePath)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Verifying artifact %s: FAILED: %v\n\n", artifact, err)
+			return nil, err
 		}
 
 		verifiedProvenance, outBuilderID, err := verifiers.VerifyArtifact(ctx, provenance, artifactHash, provenanceOpts, builderOpts)