
fix: use sigstore/pkg/fulcioroots to lessen deps #746

Conversation

ramonpetgrave64
Contributor

@ramonpetgrave64 ramonpetgrave64 commented Mar 21, 2024

We've long had the problem that slsa-verifier has too many dependencies.

This PR replaces "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" with "github.com/sigstore/sigstore/pkg/fulcioroots",
removing lots of unneeded transitive dependencies like "github.com/aws/aws-sdk-go-v2" and "github.com/Azure/go-autorest/autorest" from our go.mod.

Investigation

At deps.dev, we can see that the indirect dependencies of aws/aws-sdk-go-v2 come from cosign/cosign.


That's a good start, but this gives us only module-wide dependencies, not package-level dependencies. We can instead use go mod why <pkg> to get the package-level dependency chain.

Now we know that it's our gha package that imports a fulcio package, which imports an aws package.

➜  slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2

Looking at our gha package, we can see that the required methods from fulcio are Get() and GetIntermediates(). Looking at the source code, we see that "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"'s implementation of these methods is the same as "github.com/sigstore/sigstore/pkg/fulcioroots"'s implementation. So we chose the latter's implementation, which happens to require fewer module-level dependencies.

Testing

  • unit tests continue to pass
  • manual test to verify a provenance with the steps in our readme

Future Work

The sigstore-go library is meant to be a more long-term solution, for replacing much of the sigstore-related functionality that slsa-verifier implements directly.
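The investigation above reads a `go mod why` chain by hand to find the one import line in the main module that drags in the unwanted dependency. The following is an added example, not code from this PR or from slsa-verifier: a small Go program that parses `go mod why` output (the sample embedded below is constructed from the chain quoted above, plus a second stanza of the "main module does not need package" form that `go mod why` also emits) and reports the first edge that leaves the main module, which is the import worth replacing. The module prefix `github.com/slsa-framework/slsa-verifier/` is taken from the quoted output; the second stanza's package name `example.com/unused` is a made-up placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample input: the `go mod why` stanza quoted in the PR
// description, followed by a stanza in the form `go mod why` prints when the
// main module does not need the queried package (package name is a placeholder).
const sampleModWhy = `# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2

# example.com/unused
(main module does not need package example.com/unused)
`

// Chain is one `go mod why` stanza: the queried package and the import path
// from a package in the main module down to it. Needed is false when the
// stanza only says the main module does not need the package.
type Chain struct {
	Target string
	Path   []string
	Needed bool
}

// ParseModWhy splits `go mod why` output into stanzas. Each stanza begins with
// a "# <package>" header and lists one import per line until a blank line.
func ParseModWhy(out string) []Chain {
	var chains []Chain
	cur := -1 // index of the stanza being filled, -1 when between stanzas
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "":
			cur = -1
		case strings.HasPrefix(line, "# "):
			chains = append(chains, Chain{Target: strings.TrimPrefix(line, "# "), Needed: true})
			cur = len(chains) - 1
		case cur < 0:
			// text outside any stanza; nothing to record
		case strings.HasPrefix(line, "("):
			// "(main module does not need package ...)"
			chains[cur].Needed = false
		default:
			chains[cur].Path = append(chains[cur].Path, line)
		}
	}
	return chains
}

// Edge is a single import relationship: From imports To.
type Edge struct {
	From, To string
}

// FirstForeignEdge walks a chain and returns the last package belonging to the
// main module (identified by ownPrefix) together with the first third-party
// package it imports. That import is the one to replace or drop if the chain's
// target is unwanted. ok is false when the chain never leaves the main module
// or is empty.
func FirstForeignEdge(c Chain, ownPrefix string) (e Edge, ok bool) {
	for i := 0; i+1 < len(c.Path); i++ {
		if strings.HasPrefix(c.Path[i], ownPrefix) && !strings.HasPrefix(c.Path[i+1], ownPrefix) {
			return Edge{From: c.Path[i], To: c.Path[i+1]}, true
		}
	}
	return Edge{}, false
}

func main() {
	const own = "github.com/slsa-framework/slsa-verifier/"
	for _, c := range ParseModWhy(sampleModWhy) {
		if !c.Needed {
			fmt.Printf("%s: not needed by the main module\n", c.Target)
			continue
		}
		if e, ok := FirstForeignEdge(c, own); ok {
			fmt.Printf("%s is pulled in because %s imports %s (%d hops)\n",
				c.Target, e.From, e.To, len(c.Path)-1)
		}
	}
}
```

Run `go mod why <pkg>` for each unwanted module and feed the output to the parser; the reported edge is the import statement to audit. On the sample, the edge is the gha package importing cosign's fulcio package, which is exactly the import this PR swaps for fulcioroots.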

@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review March 21, 2024 21:00
@ramonpetgrave64
Contributor Author

@laurentsimon @ianlewis

@laurentsimon
Contributor

Thanks. Let's wait for the slsa-verifier release and merge this. After that we can cut releases more often :)

@laurentsimon
Contributor

Can you rebase? I've enabled auto-merge.

@laurentsimon laurentsimon enabled auto-merge (squash) March 26, 2024 21:47
@laurentsimon laurentsimon merged commit fe539a2 into slsa-framework:main Mar 27, 2024
14 checks passed