Move cjson code from in-toto-golang #10
Pull Request Test Coverage Report for Build 1527373138
💛 - Coveralls
Signed-off-by: Aditya Sirish <aditya@saky.in> Co-authored-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Would be good to have something with an embedded json.RawMessage!
Signed-off-by: Aditya Sirish <aditya@saky.in>
Does 68a4286 suffice?
Happy to report that it also passes everything in https://github.com/tent/canonical-json-go/blob/master/encode_test.go
I think so! thank you
Cool! I'm going to go ahead and merge this now, since the library has been previously reviewed as part of in-toto-golang...
The existing cjson hasn't been maintained. The last update was 9 years ago. This was replaced by the upstream go-securesystemslib secure-systems-lab/go-securesystemslib#10 Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
The existing cjson hasn't been maintained. The last update was 9 years ago. This was replaced by the upstream go-securesystemslib secure-systems-lab/go-securesystemslib#10 Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Jason Hall <jason@chainguard.dev>
policy] Add root policy signing (#856) * add root policy signing Signed-off-by: Asra Ali <asraa@google.com> * b64 encode Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Remove the preallocation of signatures slice. (#869) This was making codeql upset. I don't think there's a real issue, but better safe than sorry. Signed-off-by: Dan Lorenc <lorenc.d@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * update root ux (#747) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * add optional issuer to root policy (#999) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Update slsa-provenance predicate to v0.2 (#1054) * Update slsa-provenance to v0.2 This dep update also required updating the go-tuf dependency, so there are some bug fixes in the go-tuf code in this PR as well. Signed-off-by: Priya Wadhwa <priyawadhwa@google.com> * Remove newlines from targets so that they match expected targets Signed-off-by: Priya Wadhwa <priyawadhwa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Add Fulcio v1 root to the cosign (#1112) * add fulcio v1 root Signed-off-by: Asra Ali <asraa@google.com> * remove unneeded todo Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * cjson - Move to go-securesystemslib (#1141) The existing cjson hasn't been maintained. The last update was 9 years ago. 
This was replaced by the upstream go-securesystemslib https://github.com/secure-systems-lab/go-securesystemslib/pull/10 Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * return error when rekor pub cannot be retrieved, fix file path construction (#1157) Signed-off-by: Jake Sanders <jsand@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * expand CI testing to Windows and OSX, fix issues uncovered (#1158) * Also run unit and secretless e2e tests on OSX * run e2e-tests-with-binary on OSX and Windows * run unit tests on all 3 supported OSes * add `-race` unit tests * `os.Open` -> `os.Stat` for checking file existence * `path.Join` -> `filepath.Join` * simplify `getLocalTarget` * always `Close()` `localTarget` * embed everything in the repository directory * always use `/` as path divider in embedded fs * `path` -> `localCacheDBPath` * assorted improvements in `RootClient` * ensure `remote` is non-nil * fix one straggler call to `filepath.Join` * add `requireCoherence` option * fix fatal memory leak in test * create `embedded{Read, Open}File()` helpers * add link to issue #1160 in TODO * add comments for require coherence Signed-off-by: Jake Sanders <jsand@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * use `sync.Once` to init the global tuf root (#1163) Signed-off-by: Jake Sanders <jsand@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * update go-tuf and use the newly exposed `Close()` (#1181) Signed-off-by: Jake Sanders <jsand@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Remove the "upload" flag for "cosign initialize" (#1201) The "upload" flag is not used anywhere and it is not really needed. When we update from the remote TUF repo, we expect the same number of root signatures (or more) which is a sensible default. 
Closes: #1195 Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * update snapshot and timestamp (#1211) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Spelling (#1246) * spelling: abstractions Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: annotations Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: announcement Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: attached Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: attachment Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: attestation Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: cloudbuild Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: compatibility Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: consideration Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: constituent Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: dekkagaijin Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: dependabot Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: environment Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: immutable Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: include Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: initialized Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: mailing Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: payloads Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: percent Signed-off-by: Josh Soref 
<jsoref@users.noreply.github.com> * spelling: setting Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: sigstore Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: stored Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: validity Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: verified Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: verifier Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: without Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> Co-authored-by: Josh Soref <jsoref@users.noreply.github.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Update the embedded TUF metadata. (#1251) The rekor.json and staging.json files weren't in here before. Signed-off-by: Dan Lorenc <lorenc.d@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Refactor the tuf client code. (#1252) This is my attempt at refactoring the TUF client code to better support the configuration modes we've recently added. This also adds support for SIGSTORE_NO_CACHE, and eliminates most writes to disk from cosign outside of cosign initialize. I think these tests are about equivalent to what we had before, if not a bit better. The coverage is at 72% and hits most non-sporadic errors. Signed-off-by: Dan Lorenc <lorenc.d@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Fix the unit tests with expired TUF metadata. (#1270) These tests worked by mocking at the "isExpired" level. When the real files ARE expired, but we mock them to be NOT expired, the code continues down a path it shouldn't and fails later, trying to use expired metadata. We should fix this "better" by generating real expired and unexpired metadata, or changing the system clock somehow. 
Signed-off-by: Dan Lorenc <lorenc.d@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Fix a few bugs in cosign initialize (#1280) * In getRoot, the metadata is always stored at the top level, not under repository/. * In Initialize, download all metadata and targets. This should avoid a disk write on verify. * Use path instead of filepath for Windows Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * add error message (#1296) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Bundle TUF timestamp with signature on signing (#1294) * Bundle TUF timestamp with signature on signing This updates the code to support adding the TUF timestamp to the OCI signature. Changes to pkg/oci add support for reading and saving the timestamp by annotation key. Changes to the TUF client add putting the timestamp in memory on client initialization, so callers can access the timestamp. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Add TUF timestamp to OCI signature on sign This adds the TUF timestamp to the Fulcio and Rekor signers. Both are necessary since each relies on TUF metadata. If both signers are used, the latter one will overwrite the TUF timestamp. I also added a basic mock Rekor client for tests. A number of methods are not implemented yet. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Add license Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Move timestamp to TUF package Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Update TUF client to persist local store Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Bump the snapshot and timestamp roles metadata from root signing. 
(#1339) Signed-off-by: Dan Lorenc <lorenc.d@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Cache the location of the remote repository when running cosign initialize (#1315) * store remote Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com> * add test Signed-off-by: Asra Ali <asraa@google.com> * use json struct for cached remote info Signed-off-by: Asra Ali <asraa@google.com> * update lint Signed-off-by: Asra Ali <asraa@google.com> * update Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * add root status output (#1404) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Remove TUF timestamp from OCI signature bundle (#1428) As described in #1273, this solution does not work because the TUF root is not included in the snapshot. Removing unused code. Confirmed that verifying images with a timestamp annotation still works. Confirmed that signing and verifying works locally too. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Fetch verification targets by TUF custom metadata (#1423) * Add TUF client method for fetching by metadata Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Fetch verification targets by TUF custom metadata This uses GetTargetsByMeta to read the targets using the custom metadata, or fallback to the old targets by filename. 
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Resolve PR comments, linter, and update tests Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * update go-tuf and simplify TUF client code (#1455) * update go tuf and simplify code Signed-off-by: Asra Ali <asraa@google.com> * add commend Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * remove old fulcio root and fix fallback target code (#1738) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * test: create fake TUF test root and create test SETs for verification (#1750) * wip Signed-off-by: Asra Ali <asraa@google.com> add fake SET test Signed-off-by: Asra Ali <asraa@google.com> fix Signed-off-by: Asra Ali <asraa@google.com> fix test Signed-off-by: Asra Ali <asraa@google.com> fix Signed-off-by: Asra Ali <asraa@google.com> * address haydentherapper comments Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * tuf: add debug info if tuf update fails (#1766) * add debug info for tuf update fail Signed-off-by: Asra Ali <asraa@google.com> * move debugging funcs to top Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Add rekor.0.pub TUF target to unit tests (#1860) This target was added to the v3 TUF root. 
Signed-off-by: Priya Wadhwa <priya@chainguard.dev> Signed-off-by: Jason Hall <jason@chainguard.dev> * Remove dependency on deprecated github.com/pkg/errors (#1887) * cmd/cosign/cli: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * cmd/sget/cli: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * internal/pkg/cosign/ephemeral: remove dependency on pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/cosign: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/oci: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/policy: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/sget: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/signature: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * go.mod: go mod tidy Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/cosign/kubernetes/webhook: remove unnecessary fmt.Sprintf Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/oci/remote: should handle error on name.NewRepository Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Update go-tuf (#1894) Signed-off-by: Tomasz Janiszewski <janiszt@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * fix: fix fetching updated targets from TUF root (#1921) * fix: fix fetching updated targets from TUF root Signed-off-by: Asra Ali <asraa@google.com> add comment Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com> possible fix windows Signed-off-by: Asra Ali <asraa@google.com> lint 
Signed-off-by: Asra Ali <asraa@google.com> fix windows maybe Signed-off-by: Asra Ali <asraa@google.com> fix close Signed-off-by: Asra Ali <asraa@google.com> * update zack comments Signed-off-by: Asra Ali <asraa@google.com> update fix Signed-off-by: Asra Ali <asraa@google.com> update and add some debug Signed-off-by: Asra Ali <asraa@google.com> add debug Signed-off-by: Asra Ali <asraa@google.com> no cache Signed-off-by: Asra Ali <asraa@google.com> remove debug Signed-off-by: Asra Ali <asraa@google.com> * try haydens comments Signed-off-by: Asra Ali <asraa@google.com> * Use Rekor API for pubkeys before TUF if so specified. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Address PR feedback, bump golangci-lint from 1.46.0 to 1.46.2 Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Add comments for the env variables. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Use path instead of filepath, basically revert to what it was before. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * ho hum, really just use the path. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * When interacting with fs do not use OS specific separators. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * fix windows line endings Signed-off-by: Asra Ali <asraa@google.com> * pass embedded into initialization Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Ville Aikas <vaikas@chainguard.dev> Signed-off-by: Jason Hall <jason@chainguard.dev> * tuf: improve TUF client concurrency and caching (#1953) * move rekor public key fetch inside GetRekorPubs Signed-off-by: Asra Ali <asraa@google.com> * use in-memory metadata and targets, sync to disk on start and updates Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com> * Use TUF singleton. 
Co-authored-by: Ville Aikas <vaikas@chainguard.dev> Signed-off-by: Asra Ali <asraa@google.com> * hayden comment, sync.Once used Signed-off-by: Asra Ali <asraa@google.com> * return global error Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Ville Aikas <vaikas@chainguard.dev> Signed-off-by: Jason Hall <jason@chainguard.dev> * Drop tuf client dependency on GCS client library (#1967) * Drop tuf client dependency on GCS client library Signed-off-by: Jason Hall <jason@chainguard.dev> * Add more validation of bucket names, clean paths Signed-off-by: Jason Hall <jason@chainguard.dev> * update-deps.sh Signed-off-by: Jason Hall <jason@chainguard.dev> * remove GCSRemoteStore Signed-off-by: Jason Hall <jason@chainguard.dev> * Add comment about GCS->HTTP fallback Signed-off-by: Jason Hall <jason@chainguard.dev> * update DefaultRemoteRoot Signed-off-by: Jason Hall <jason@chainguard.dev> * make docgen Signed-off-by: Jason Hall <jason@chainguard.dev> * move tuf to pkg/tuf Signed-off-by: Jason Hall <jason@chainguard.dev> * actually move tuf to pkg/tuf Signed-off-by: Jason Hall <jason@chainguard.dev> * update copyright years, unexport, add godoc Signed-off-by: Jason Hall <jason@chainguard.dev> * Break off a `fulcioroot` package. (#639) The `cosigned` webhook pulls in the Fulcio roots, and runs as a K8s controller, which consumes `klog`. However, some of the certificate transparency stuff the Fulcio package pulls in consumes `glog`. These both define conflicting `-log_dir` flags, which cause `cosigned` to crash on startup. With this change, `cosigned` can use `fulcioroots.Get` to load the roots without pulling in `glog`. In a subsequent change, I have tests that should catch this before a breaking change merges. 
Signed-off-by: Matt Moore <mattomata@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * update root ux (#747) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * refactor: move from io/ioutil to io and os packages (#978) The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Add Fulcio v1 root to the cosign (#1112) * add fulcio v1 root Signed-off-by: Asra Ali <asraa@google.com> * remove unneeded todo Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Do not require multiple Fulcio certs in the TUF root (#1230) cosign requires both fulcio.crt.pem and fulcio_v1.crt.pem in the TUF root which doesn't make sense when using local TUF. fulcio_v1.crt.pem was added in the embedded TUF in order to support Fulcio v1 but it shouldn't be required when users initialize cosign with their own TUF repo. Closes: #1229 Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Refactor the tuf client code. (#1252) This is my attempt at refactoring the TUF client code to better support the configuration modes we've recently added. This also adds support for SIGSTORE_NO_CACHE, and eliminates most writes to disk from cosign outside of cosign initialize. I think these tests are about equivalent to what we had before, if not a bit better. The coverage is at 72% and hits most non-sporadic errors. 
Signed-off-by: Dan Lorenc <lorenc.d@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Fetch verification targets by TUF custom metadata (#1423) * Add TUF client method for fetching by metadata Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Fetch verification targets by TUF custom metadata This uses GetTargetsByMeta to read the targets using the custom metadata, or fallback to the old targets by filename. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Resolve PR comments, linter, and update tests Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Fix fulcioroots test and linter error (#1741) The linter error is from a deprecated method, but since this is only used in tests and we don't use system roots, this is fine. The test was also failing because the TUF remote can't be called in tests. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Add intermediate CA certificate pool for Fulcio (#1749) This separates roots and intermediates from the TUF targets. This will be used to configure the default intermediate certificates when none are found. In particular, this will be used by verify-blob when fetching an entry from Rekor. An intermediate CA certificate will be added to the v3 TUF root. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Add Fulcio intermediate CA certificate to intermediate pool (#1774) This certificate will be necessary for chain building from a leaf certificate to a root once a new version of Fulcio is rolled out. For OCI, the chain is stored in an annotation. This intermediate is currently only needed for verify-blob when looking up the certificate from Rekor. For the V3 TUF Root, the intermediate will be bundled, so that it is easily discoverable and revokable. For now, we'll simply bundle it with Cosign. 
Note that intermediates are considered untrusted, so it's fine if the intermediate is not in TUF currently, as the root that issued the intermediate certificate is in TUF. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Load in intermediate cert pool from TUF (#1804) With the v3 TUF root, the intermediate CA certificate will be included, so that if the intermediate signing key was compromised, the intermediate certificate could be revoked by removing it from the TUF targets and replacing it with a trusted certificate. This change loads the intermediate certificate from TUF. However, we don't want to force all users to follow this structure - They may choose to use CRLs to detect revoked intermediates. Also, I don't want to enforce TUF usage in the Verify package. Therefore, for TUF, we lazily create a certificate pool only if an intermediate certificate is found, and if it's not found, then VerifyImageSignature will create a pool using the chain provided in the annotation. 
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * Remove dependency on deprecated github.com/pkg/errors (#1887) * cmd/cosign/cli: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * cmd/sget/cli: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * internal/pkg/cosign/ephemeral: remove dependency on pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/cosign: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/oci: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/policy: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/sget: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/signature: remove dependency on deprecated github.com/pkg/errors Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * go.mod: go mod tidy Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/cosign/kubernetes/webhook: remove unnecessary fmt.Sprintf Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> * pkg/oci/remote: should handle error on name.NewRepository Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * fix: fix fetching updated targets from TUF root (#1921) * fix: fix fetching updated targets from TUF root Signed-off-by: Asra Ali <asraa@google.com> add comment Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com> possible fix windows Signed-off-by: Asra Ali <asraa@google.com> lint Signed-off-by: Asra Ali <asraa@google.com> fix windows maybe Signed-off-by: Asra Ali <asraa@google.com> fix close Signed-off-by: 
Asra Ali <asraa@google.com> * update zack comments Signed-off-by: Asra Ali <asraa@google.com> update fix Signed-off-by: Asra Ali <asraa@google.com> update and add some debug Signed-off-by: Asra Ali <asraa@google.com> add debug Signed-off-by: Asra Ali <asraa@google.com> no cache Signed-off-by: Asra Ali <asraa@google.com> remove debug Signed-off-by: Asra Ali <asraa@google.com> * try haydens comments Signed-off-by: Asra Ali <asraa@google.com> * Use Rekor API for pubkeys before TUF if so specified. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Address PR feedback, bump golangci-lint from 1.46.0 to 1.46.2 Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Add comments for the env variables. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Use path instead of filepath, basically revert to what it was before. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * ho hum, really just use the path. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * When interacting with fs do not use OS specific separators. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * fix windows line endings Signed-off-by: Asra Ali <asraa@google.com> * pass embedded into initialization Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Ville Aikas <vaikas@chainguard.dev> Signed-off-by: Jason Hall <jason@chainguard.dev> * tuf: improve TUF client concurrency and caching (#1953) * move rekor public key fetch inside GetRekorPubs Signed-off-by: Asra Ali <asraa@google.com> * use in-memory metadata and targets, sync to disk on start and updates Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com> * Use TUF singleton. 
Co-authored-by: Ville Aikas <vaikas@chainguard.dev> Signed-off-by: Asra Ali <asraa@google.com> * hayden comment, sync.Once used Signed-off-by: Asra Ali <asraa@google.com> * return global error Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Ville Aikas <vaikas@chainguard.dev> Signed-off-by: Jason Hall <jason@chainguard.dev> * feat(fulcioroots): singleton error pattern (#1965) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com> Signed-off-by: Jason Hall <jason@chainguard.dev> * move fulcioroots to pkg/fulcioroots Signed-off-by: Jason Hall <jason@chainguard.dev> * remove alternate root behavior, rm fulcioroots_test.go, use pkg/tuf Signed-off-by: Jason Hall <jason@chainguard.dev> * base on latest go.sum Signed-off-by: Jason Hall <jason@chainguard.dev> * go mod tidy Signed-off-by: Jason Hall <jason@chainguard.dev> * base on latest go.sum, again somehow? Signed-off-by: Jason Hall <jason@chainguard.dev> * address some low-hanging lint fruit Signed-off-by: Jason Hall <jason@chainguard.dev> * lint: only fail PRs on new findings Signed-off-by: Jason Hall <jason@chainguard.dev> * lint: ignore revive lint findings in pkg/tuf Signed-off-by: Jason Hall…
I've copied `Key` and `KeyVal` from in-toto for the test. We can possibly add some tests from TUF as well? theupdateframework/go-tuf#180
cc @trishankatdatadog @mnm678 @asraa