Open rturner3 opened 1 year ago
The Cosign library uses Rekor directly (https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L86), and it does not provide an interface that we can use to create our own client (autogenerated using swagger). So in order to remove the Rekor dependency we must remove the cosign dependency as well.
So the alternative is to make this plugin external, or create a sidecar that exposes an API that we can consume. And we are not able to use Cosign directly (as a cmd client) since it does not provide an API, and it logs partial information (depending on logs is not a good idea either).
There is an issue on Sigstore, #678, with suggestions on creating a sigstore-go library to avoid the direct use of cosign and rekor. They created sigstore-go; we'll need to review whether we can use that one or whether it is still a work in progress.
Per the discussion in https://github.com/sigstore/sigstore/issues/678, this issue is currently blocked on the readiness of sigstore-go. Once it's dependable, we can switch over.
SPIRE depends on the github.com/sigstore/rekor Go module for using Rekor APIs. This causes some maintenance-related challenges with dependency management because that project is designed to provide CLI binaries, not a client library for its APIs. See https://github.com/spiffe/spire/pull/3928#issuecomment-1457063646 for more context. The public Rekor instance has stable APIs with an SLA, so we may be able to just write our own client code against those APIs if and until there is some supported Go open source client library for Rekor.
This could become a high-priority issue if we need to adopt security fixes in the github.com/sigstore/cosign or github.com/sigstore/sigstore projects, because this github.com/sigstore/rekor dependency currently prevents us from upgrading to newer versions of those other sigstore projects.
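A sketch of what "our own client code against those APIs" could look like, added here as an example (not SPIRE or Rekor project code) using only the Go standard library: it decodes the entry shape returned by Rekor's GET /api/v1/log/entries/{uuid} and POST /api/v1/log/entries/retrieve endpoints and checks that each entry UUID matches the RFC 6962 leaf hash of its body, so a response whose body was altered in transit is rejected before any further verification. The HTTP call itself is left out, the sample response is constructed (including the all-zero shard prefix), and the JSON field names are assumed from the public Rekor API.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// LogEntry holds the fields of a Rekor entry as returned by GET /api/v1/log/entries/{uuid}
// and POST /api/v1/log/entries/retrieve (both keyed by entry UUID); verification data is kept raw.
type LogEntry struct {
	Body           string          `json:"body"` // base64 canonicalized entry
	IntegratedTime int64           `json:"integratedTime"`
	LogIndex       int64           `json:"logIndex"`
	Verification   json.RawMessage `json:"verification"` // inclusion proof + signed entry timestamp
}

// leafHash is the RFC 6962 leaf hash sha256(0x00 || body); Rekor uses it as the entry
// UUID, optionally prefixed by a 16-hex-char tree (shard) ID.
func leafHash(body []byte) string {
	h := sha256.Sum256(append([]byte{0x00}, body...))
	return hex.EncodeToString(h[:])
}

// DecodeEntries parses a retrieve response ([]map[uuid]LogEntry) and rejects any entry
// whose body is not base64 or whose UUID does not match the leaf hash of its decoded body.
func DecodeEntries(resp []byte) (map[string]LogEntry, error) {
	var raw []map[string]LogEntry
	if err := json.Unmarshal(resp, &raw); err != nil {
		return nil, err
	}
	out := make(map[string]LogEntry)
	for _, m := range raw {
		for uuid, e := range m {
			body, err := base64.StdEncoding.DecodeString(e.Body)
			if err != nil || len(uuid) < 64 || uuid[len(uuid)-64:] != leafHash(body) {
				return nil, fmt.Errorf("entry %s: uuid does not match decoded body", uuid)
			}
			out[uuid] = e
		}
	}
	return out, nil
}

// SampleResponse builds a constructed (not real) retrieve response whose UUID is
// consistent with its body, so DecodeEntries can be exercised offline.
func SampleResponse(body string) []byte {
	b64 := base64.StdEncoding.EncodeToString([]byte(body))
	uuid := "0000000000000000" + leafHash([]byte(body)) // constructed shard prefix
	return []byte(fmt.Sprintf(`[{%q:{"body":%q,"integratedTime":1700000000,"logIndex":42,"verification":{}}}]`, uuid, b64))
}
```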