
fix: use sigstore/pkg/fulcioroots to lessen deps #746

@ramonpetgrave64 ramonpetgrave64 commented Mar 21, 2024

We've long had the problem that slsa-verifier has too many dependencies.

This PR replaces "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" with "github.com/sigstore/sigstore/pkg/fulcioroots",
removing lots of unneeded transitive dependencies like "github.com/aws/aws-sdk-go-v2" and "github.com/Azure/go-autorest/autorest" from our go.mod.

Investigation

At deps.dev, we can see that the indirect dependencies of aws/aws-sdk-go-v2 come from cosign/cosign.

[image omitted]

That's a good start, but this gives us only module-wide dependencies, not package-level dependencies. We can instead use go mod why <pkg> to get the package-level dependency chain.

Now we know that it's our gha package that imports a fulcio package, which imports an aws package.

➜  slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/                                  
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2

Looking at our gha package we can see that the required methods from fulcio are Get() and GetIntermediates(). Looking at the source code, we see that "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"'s implementation of these methods is the same as "github.com/sigstore/sigstore/pkg/fulcioroots"'s implementation. So we chose the latter's implementation, which happens to require fewer module-level dependencies.

Testing

  • unit tests continue to pass
  • manual test to verify a provenance with the steps in our readme

Future Work

The sigstore-go library is meant to be a more long-term solution, for replacing much of the sigstore-related functionality that slsa-verifier implements directly.
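The consumer side of Get() and GetIntermediates(), as an added example that is not code from this PR or from slsa-verifier: a constructed root -> intermediate -> leaf chain is verified with Go's standard library the way a verifier uses the two pools fulcioroots returns, and the second check shows what happens when the intermediate pool is dropped. The certificate names are constructed fixtures and the CodeSigning EKU requirement is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a cert for cn signed by parent (self-signed when parent is nil); all certs carry the CodeSigning EKU (assumed).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: fixed, constructed fixtures
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyChain checks a leaf against separate root and intermediate pools, the shape in which fulcioroots.Get() and GetIntermediates() hand them to a verifier.
func verifyChain(leaf *x509.Certificate, roots, intermediates *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// Demo builds a constructed root -> intermediate -> leaf chain (not real Fulcio certs) and reports whether the leaf verifies with and without the intermediate pool.
func Demo() (withIntermediates, withoutIntermediates bool) {
	root, rootKey := mkCert("constructed-root", true, nil, nil)
	inter, interKey := mkCert("constructed-intermediate", true, root, rootKey)
	leaf, _ := mkCert("constructed-leaf", false, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return verifyChain(leaf, roots, inters) == nil, verifyChain(leaf, roots, x509.NewCertPool()) == nil
}

func main() { fmt.Println(Demo()) } // true false
```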

@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review March 21, 2024 21:00
@ramonpetgrave64

@laurentsimon @ianlewis

@laurentsimon

Thanks. Let's wait for the slsa-verifier release and merge this. After that we can cut releases more often :)

@laurentsimon

Can you rebase? I've enabled auto-merge.

@laurentsimon laurentsimon enabled auto-merge (squash) March 26, 2024 21:47
@laurentsimon laurentsimon merged commit fe539a2 into slsa-framework:main Mar 27, 2024
14 checks passed