We've long had the problem that slsa-verifier has too many dependencies.
This PR replaces `"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`
with `"github.com/sigstore/sigstore/pkg/fulcioroots"`,
removing lot's of unneeded transitive dependencies like
`"github.com/aws/aws-sdk-go-v2"` and
`"github.com/Azure/go-autorest/autorest"` from our `go.mod`.
## Investigation
At
[deps.dep](https://deps.dev/go/github.com%2Fslsa-framework%2Fslsa-verifier%2Fv2/v2.4.1/dependencies/graph?filter=aws),
we can see that the indirect dependencies of `aws/aws-sdk-go-v2` come
from `cosign/cosign`.
<img width="1110" alt="image"
src="https://github.com/slsa-framework/slsa-verifier/assets/32398091/3de1adf4-29ac-4bec-a511-0ae191c3141c">
That's a good start, but this gives us only module-wide dependencies,
not package-level dependencies. We can instead use `go mod why <pkg>` to
get the package-level dependency chain.
Now we know that it's our `gha` package that imports a fulcio package,
which imports an aws package.
```
➜ slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
```
Looking at our `gha` package we can see that the required methods from
fulcio are `Get()` and `GetIntermediates()`. Looking at the source
codes, we see that
`"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`'s implementation
of these methods is the same as
`"github.com/sigstore/sigstore/pkg/fulcioroots"`'s implementation. So we
chose the latter's implementation, which happens to require fewer
module-level dependencies.
-
546f1c5b91/cmd/cosign/cli/fulcio/fulcio.go (L16)
-
546f1c5b91/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go (L16)
-
25dd9f3e52/pkg/fulcioroots/fulcioroots.go (L17)
## Testing
- unit tests continue to pass
- manual test to verify a provenance with the steps in our
[readme](https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#npm-packages-built-using-the-slsa3-nodejs-builder)
## Future Work
The sigstore-go library is meant to be a more long-term solution, for
replacing much of the sigstore-related functionality that slsa-verifier
implements directly.
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
This is in preparation for switching over the Rekor entry type in the
slsa github generator to be the newer DSSE type. This adds support for
searching for both intoto v001 and dsse v001 entries.
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Previously we used the go-cmp's Diff for displaying a human-friendly
diff between two structs in an error message.
I had intended to do a json print of the structs and do a line-by-line
diff. There is an internal library for calculating text diff, but I
don't see any external functions that expose it to make it available for
our use: https://pkg.go.dev/golang.org/x/tools/internal/diff
Instead, this we will simply display both structs in their own "actual"
and "expected" sections. The user can use their other tools to find a
human-friendly diff.
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
/cc @mihaimaruseac
/cc @laurentsimon
Based off the prefix of the BuilderID within the provenance, if the
builder use to build the artifact is one of the BYOB builders of
slsa-framework/slsa-github-generator repo, the --builderid flag is not
need and is handled automatically. This was done to increase access to
users since before the automatic pickup of the builder-id would get the
delegator.
Test cases that cover verifyProvenance will need to be complete after
the v1.8.0 release of slsa-framework/slsa-github-generator.
The main structure that is changed is the ExpectedBuilderPath is
hardcoded now to slsa-framework builders within
`/cli/slsa-verifier/verify/verify_artifact.go `. This can later be
changed now if needed to be an input like the other fields of
`provenanceOpts` populated during `verify_artifact.go`. The added
function within `provenance.go`, `verifyBuilderIDPath` is called during
`verifyProvenance` to check this path within `provenanceOpts`. Upon
failure of this function, expected and received BuilderID's are also
outputted.
closes#659
makes use of discussion on closed pr #673
---------
Signed-off-by: Noah Elzner <elzner@google.com>
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Internally use full builder IDs including server url rather than worflow
ref as a path. This should hopefully avoid confusion between dealing
with builder IDs and `GITHUB_WORKFLOW_REF` which only contains the path
portion. `GITHUB_WORKFLOW_REF` is the only thing that doesn't include
the domain/server url part of the workflow/builder ID. The Fulcio OID
claims include the full url.
Code extracted from #641
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and
`ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref
type whereas `ValidateGitRef` validates that the type is of a given
type.
Code extracted from #641
Signed-off-by: Ian Lewis <ianlewis@google.com>
Fixes#473
Updates handling of provenance by providing implementations based on
[buildType](https://slsa.dev/provenance/v1#buildType) since this
determines how to interpret parameters and dependencies. This is done
because we need a way to interpret parameters not just based on the
predicateType. The 3 major build types with format differences are:
- non-BYOB SLSA v0.2
- BYOB SLSA v0.2
- BYOB SLSA v1.0
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
* feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format
Signed-off-by: Asra Ali <asraa@google.com>
* docs: update verifier README.md for docker-based builder
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
