slsa-verifier/verifiers
Ramon Petgrave fe539a2bde fix: use sigstore/pkg/fulcioroots to lessen deps (#746)
We've long had the problem that slsa-verifier has too many dependencies.

This PR replaces `"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`
with `"github.com/sigstore/sigstore/pkg/fulcioroots"`,
removing lots of unneeded transitive dependencies like
`"github.com/aws/aws-sdk-go-v2"` and
`"github.com/Azure/go-autorest/autorest"` from our `go.mod`.

## Investigation

At
[deps.dev](https://deps.dev/go/github.com%2Fslsa-framework%2Fslsa-verifier%2Fv2/v2.4.1/dependencies/graph?filter=aws),
we can see that the indirect dependencies of `aws/aws-sdk-go-v2` come
from `cosign/cosign`.

<img width="1110" alt="image"
src="https://github.com/slsa-framework/slsa-verifier/assets/32398091/3de1adf4-29ac-4bec-a511-0ae191c3141c">

That's a good start, but this gives us only module-wide dependencies,
not package-level dependencies. We can instead use `go mod why <pkg>` to
get the package-level dependency chain.

Now we know that it's our `gha` package that imports a fulcio package,
which imports an aws package.

```
➜  slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/                                  
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
```

Looking at our `gha` package we can see that the required methods from
fulcio are `Get()` and `GetIntermediates()`. Looking at the source
code, we see that
`"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`'s implementation
of these methods is the same as
`"github.com/sigstore/sigstore/pkg/fulcioroots"`'s implementation. So we
chose the latter's implementation, which happens to require fewer
module-level dependencies.

- 546f1c5b91/cmd/cosign/cli/fulcio/fulcio.go (L16)
- 546f1c5b91/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go (L16)
- 25dd9f3e52/pkg/fulcioroots/fulcioroots.go (L17)

## Testing

- unit tests continue to pass
- manual test to verify a provenance with the steps in our
[readme](https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#npm-packages-built-using-the-slsa3-nodejs-builder)

## Future Work

The sigstore-go library is meant to be a more long-term solution, for
replacing much of the sigstore-related functionality that slsa-verifier
implements directly.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
2024-03-27 14:27:09 +00:00
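
The `go mod why` investigation in the commit message can be automated as a dependency check. The following is an added example, not code from slsa-verifier or from this commit: it parses `go mod why` output and reports the import where the chain leaves the main module, which is the one import to replace. `ParseModWhy` and `EdgeToCut` are hypothetical helper names; the sample input is the output quoted in the commit message.

```go
package main

import (
	"fmt"
	"strings"
)

// Sample input: the `go mod why` output quoted in the commit message above.
const sample = `# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
`

// ParseModWhy maps each "# pkg" stanza to its import chain (nil if not needed).
func ParseModWhy(out string) map[string][]string {
	chains, target := map[string][]string{}, ""
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "# ") {
			target = strings.TrimPrefix(line, "# ")
			chains[target] = nil
		} else if line != "" && line[0] != '(' && target != "" {
			chains[target] = append(chains[target], line)
		}
	}
	return chains
}

// EdgeToCut returns the import edge where the chain leaves module mod.
func EdgeToCut(chain []string, mod string) (from, to string, ok bool) {
	inside := func(p string) bool { return p == mod || strings.HasPrefix(p, mod+"/") }
	for i := 1; i < len(chain); i++ {
		if inside(chain[i-1]) && !inside(chain[i]) {
			return chain[i-1], chain[i], true
		}
	}
	return "", "", false
}

func main() {
	from, to, _ := EdgeToCut(ParseModWhy(sample)["github.com/aws/aws-sdk-go-v2"], "github.com/slsa-framework/slsa-verifier/v2")
	fmt.Printf("cut %s -> %s\n", from, to)
}
```

Run in CI against a list of unwanted modules, a non-empty chain for any of them signals that a heavy transitive dependency has returned.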