We've long had the problem that slsa-verifier has too many dependencies.
This PR replaces "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" with "github.com/sigstore/sigstore/pkg/fulcioroots",
removing lots of unneeded transitive dependencies like "github.com/aws/aws-sdk-go-v2" and "github.com/Azure/go-autorest/autorest" from our go.mod.
Investigation
At deps.dep, we can see that the indirect dependencies of aws/aws-sdk-go-v2 come from cosign/cosign.
That's a good start, but this gives us only module-wide dependencies, not package-level dependencies. We can instead use go mod why <pkg> to get the package-level dependency chain.
Now we know that it's our gha package that imports a fulcio package, which imports an aws package.
➜ slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
Looking at our gha package we can see that the required methods from fulcio are Get() and GetIntermediates(). Looking at the source codes, we see that "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"'s implementation of these methods is the same as "github.com/sigstore/sigstore/pkg/fulcioroots"'s implementation. So we chose the latter's implementation, which happens to require fewer module-level dependencies.
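As an added example (not code from this PR or from slsa-verifier), a small Go parser that reproduces the package-level analysis on `go mod why` output like the one above: it finds the first-party package and the single third-party import that, once replaced, drops the rest of the chain. The sample input is constructed from the output shown plus an assumed "not needed" block for a second package.

```go
package main

import "strings"

// Constructed sample: the page's real `go mod why` output plus a "not needed" block.
const sampleWhy = `# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
# github.com/Azure/go-autorest/autorest
(main module does not need package github.com/Azure/go-autorest/autorest)
`

// WhyChain is one `go mod why` block: the queried package and the import chain to it (nil if not needed).
type WhyChain struct {
	Target string
	Chain  []string
}

// ParseGoModWhy splits the output into blocks; each starts with "# <pkg>", parentheses mean "not needed".
func ParseGoModWhy(out string) []WhyChain {
	var res []WhyChain
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "" || strings.HasPrefix(line, "("):
			continue // separator, or "(main module does not need ...)": Chain stays nil
		case strings.HasPrefix(line, "# "):
			res = append(res, WhyChain{Target: strings.TrimPrefix(line, "# ")})
		case len(res) > 0:
			res[len(res)-1].Chain = append(res[len(res)-1].Chain, line)
		}
	}
	return res
}

// CutEdge returns the deepest first-party package on the chain and the third-party package it imports: swapping that one import drops the whole tail.
func CutEdge(c WhyChain, mainModule string) (local, external string, ok bool) {
	for i := 0; i+1 < len(c.Chain); i++ {
		if strings.HasPrefix(c.Chain[i], mainModule) && !strings.HasPrefix(c.Chain[i+1], mainModule) {
			return c.Chain[i], c.Chain[i+1], true
		}
	}
	return "", "", false
}
```

For the sample above, CutEdge reports the gha package and its import of cosign's fulcio package, which is exactly the edge this PR replaces.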
Testing
Manual test to verify a provenance with the steps in our readme.
Future Work
The sigstore-go library is meant to be a more long-term solution, for replacing much of the sigstore-related functionality that slsa-verifier implements directly.