slsa-framework / slsa-verifier

Verify provenance from SLSA compliant builders
Apache License 2.0

fix: use sigstore/pkg/fulcioroots to lessen deps #746

Closed ramonpetgrave64 closed 6 months ago

ramonpetgrave64 commented 6 months ago

We've long had the problem that slsa-verifier has too many dependencies.

This PR replaces "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" with "github.com/sigstore/sigstore/pkg/fulcioroots", removing lots of unneeded transitive dependencies like "github.com/aws/aws-sdk-go-v2" and "github.com/Azure/go-autorest/autorest" from our go.mod.

Investigation

At deps.dev, we can see that the indirect dependencies of aws/aws-sdk-go-v2 come from cosign/cosign.


That's a good start, but this gives us only module-wide dependencies, not package-level dependencies. We can instead use go mod why <pkg> to get the package-level dependency chain.

Now we know that it's our gha package that imports a fulcio package, which imports an aws package.

➜  slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/                                  
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2

Looking at our gha package we can see that the required methods from fulcio are Get() and GetIntermediates(). Looking at the source code, we see that "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"'s implementation of these methods is the same as "github.com/sigstore/sigstore/pkg/fulcioroots"'s implementation. So we chose the latter's implementation, which happens to require fewer module-level dependencies.

Testing

Future Work

The sigstore-go library is meant to be a more long-term solution, for replacing much of the sigstore-related functionality that slsa-verifier implements directly.
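The `go mod why` chain above is easy to read by eye for one package, but when auditing a go.mod with dozens of unexpected indirect modules it helps to parse the output and ask, per target, which first-party package is the one that drags it in and which third-party import is the one to cut. The following Go program is an added example for this page, not code from the slsa-verifier repository or the PR: it parses the `go mod why` output format (a `# <pkg>` header followed by the import chain, or a single parenthesised "main module does not need package" line) and reports the first hop from the main module into third-party code. The sample text is the chain quoted above plus one constructed "not needed" stanza; the module path used as "own module" is slsa-verifier's.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Chain is one "# <target>" stanza of `go mod why` output: the import chain
// from the main module down to Target, or Needed == false when go reports
// "(main module does not need package ...)".
type Chain struct {
	Target string
	Path   []string
	Needed bool
}

// ParseGoModWhy parses the text printed by `go mod why <pkg>...`.
func ParseGoModWhy(output string) []Chain {
	var chains []Chain
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "# "):
			chains = append(chains, Chain{Target: strings.TrimPrefix(line, "# "), Needed: true})
		case strings.HasPrefix(line, "("):
			// "(main module does not need package X)": no chain follows.
			if n := len(chains); n > 0 {
				chains[n-1].Needed = false
			}
		default:
			if n := len(chains); n > 0 {
				chains[n-1].Path = append(chains[n-1].Path, line)
			}
		}
	}
	return chains
}

// inModule reports whether pkg is the module path mod or a package below it,
// without matching sibling modules that merely share a prefix (e.g. "foo-bar").
func inModule(pkg, mod string) bool {
	return pkg == mod || strings.HasPrefix(pkg, mod+"/")
}

// FirstExternalHop returns the last first-party package on the chain and the
// third-party package it imports: the single import statement whose removal
// would make the whole chain disappear.
func FirstExternalHop(c Chain, ownModule string) (own, external string, ok bool) {
	for i := 0; i+1 < len(c.Path); i++ {
		if inModule(c.Path[i], ownModule) && !inModule(c.Path[i+1], ownModule) {
			return c.Path[i], c.Path[i+1], true
		}
	}
	return "", "", false
}

// sampleOutput is constructed for this example: the aws-sdk-go-v2 chain from
// the PR description, plus a second stanza in the shape go prints for a
// package the main module does not need at all.
const sampleOutput = `# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
# github.com/Azure/go-autorest/autorest
(main module does not need package github.com/Azure/go-autorest/autorest)
`

const ownModule = "github.com/slsa-framework/slsa-verifier"

func main() {
	for _, c := range ParseGoModWhy(sampleOutput) {
		if !c.Needed {
			fmt.Printf("%s: not needed by the main module\n", c.Target)
			continue
		}
		own, ext, ok := FirstExternalHop(c, ownModule)
		if !ok {
			fmt.Printf("%s: no first-party package on the chain\n", c.Target)
			continue
		}
		fmt.Printf("%s: cut the import of %s in %s (%d hops)\n", c.Target, ext, own, len(c.Path))
	}
}
```

Run against real output by piping: `go mod why -m` lists module chains only, so feed it the package-level `go mod why github.com/aws/aws-sdk-go-v2/... ` output instead, which is the form the parser expects. The "not needed" case matters in practice: after a change like this PR, re-running `go mod why` on the removed modules should produce exactly that stanza before `go mod tidy` drops them from go.mod.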

ramonpetgrave64 commented 6 months ago

@laurentsimon @ianlewis

laurentsimon commented 6 months ago

Thanks. Let's wait for the slsa-verifier release and merge this. After that we can cut releases more often :)

laurentsimon commented 6 months ago

Can you rebase? I've enabled auto-merge.