From 277ca3960a769d306b07a9ed8651d53bd76afb8d Mon Sep 17 00:00:00 2001
From: Jon Johnson
Date: Fri, 9 Feb 2024 20:50:22 -0800
Subject: [PATCH] Drop cosign dep

It's too far gone. We can't escape the dependency hell.

For our own purposes, we don't even use the SBOMs that get attached.

Signed-off-by: Jon Johnson
---
 go.mod | 25 +---
 go.sum | 84 +-------------
 internal/cli/build.go | 6 +-
 internal/cli/publish.go | 14 ---
 pkg/build/build_implementation.go | 4 +-
 pkg/build/oci/image.go | 7 +-
 pkg/build/oci/index.go | 25 ++--
 pkg/build/oci/publish.go | 95 ++--------
 pkg/build/oci/sbom.go | 183 ------------------------------
 pkg/build/sbom.go | 5 +-
 10 files changed, 29 insertions(+), 419 deletions(-)
 delete mode 100644 pkg/build/oci/sbom.go

diff --git a/go.mod b/go.mod
index 9bec1ed72..d64498f63 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,6 @@ require (
 	github.com/jinzhu/copier v0.4.0
 	github.com/klauspost/pgzip v1.2.6
 	github.com/package-url/packageurl-go v0.1.2
-	github.com/sigstore/cosign/v2 v2.2.3
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.8.4
@@ -36,7 +35,6 @@ require (
 	github.com/MakeNowJust/heredoc/v2 v2.0.1 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
@@ -59,37 +57,22 @@ require (
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.22.0 // indirect
-	github.com/go-openapi/errors v0.21.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.2 // indirect
-	github.com/go-openapi/jsonreference v0.20.4 // indirect
-	github.com/go-openapi/loads v0.21.5 // indirect
-	github.com/go-openapi/runtime v0.27.1 // indirect
-	github.com/go-openapi/spec v0.20.13 // indirect
-	github.com/go-openapi/strfmt v0.22.0 // indirect
-	github.com/go-openapi/swag v0.22.9 // indirect
-	github.com/go-openapi/validate v0.22.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v0.9.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.17.4 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.15.2 // indirect
-	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
@@ -97,27 +80,21 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/psanford/memfs v0.0.0-20230130182539-4dbf7e3e865e // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
-	github.com/sigstore/rekor v1.3.4 // indirect
-	github.com/sigstore/sigstore v1.8.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	go.lsp.dev/uri v0.3.0 // indirect
-	go.mongodb.org/mongo-driver v1.13.1 // indirect
 	go.opentelemetry.io/otel/metric v1.22.0 // indirect
 	go.opentelemetry.io/otel/trace v1.22.0 // indirect
 	golang.org/x/crypto v0.18.0 // indirect
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/term v0.16.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.15.0 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
diff --git a/go.sum b/go.sum
index a8633147f..8951cd1d6 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@ dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/MakeNowJust/heredoc/v2 v2.0.1 h1:rlCHh70XXXv7toz95ajQWOWQnN4WNLt0TdpZYIR/J6A= github.com/MakeNowJust/heredoc/v2 v2.0.1/go.mod h1:6/2Abh5s+hc3g9nbWLe9ObDIOhaRrqsyY9MWy+4JdRM= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= 
@@ -13,19 +13,13 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= -github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= -github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k= github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8= github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk= github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg= -github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= -github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs= github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chainguard-dev/clog v1.3.0 h1:L/ey0VNH958YpzQa5OO2e2q+iOENxtLAhqkmgzh03e0= github.com/chainguard-dev/clog v1.3.0/go.mod h1:cV516KZWqYc/phZsCNwF36u/KMGS+Gj5Uqeb8Hlp95Y= github.com/chainguard-dev/go-apk v0.0.0-20240207141231-4a3a18e598d6 h1:EV1GSw01XEbGAUElsHbVzG2N1+pGuewP2wmzcy+9MbM= 
@@ -85,35 +79,11 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-openapi/analysis v0.22.0 h1:wQ/d07nf78HNj4u+KiSY0sT234IAyePPbMgpUjUJQR0= -github.com/go-openapi/analysis v0.22.0/go.mod h1:acDnkkCI2QxIo8sSIPgmp1wUlRohV7vfGtAIVae73b0= -github.com/go-openapi/errors v0.21.0 h1:FhChC/duCnfoLj1gZ0BgaBmzhJC2SL/sJr8a2vAobSY= -github.com/go-openapi/errors v0.21.0/go.mod h1:jxNTMUxRCKj65yb/okJGEtahVd7uvWnuWfj53bse4ho= -github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= -github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= -github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= -github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= -github.com/go-openapi/loads v0.21.5 h1:jDzF4dSoHw6ZFADCGltDb2lE4F6De7aWSpe+IcsRzT0= -github.com/go-openapi/loads v0.21.5/go.mod h1:PxTsnFBoBe+z89riT+wYt3prmSBP6GDAQh2l9H1Flz8= -github.com/go-openapi/runtime v0.27.1 h1:ae53yaOoh+fx/X5Eaq8cRmavHgDma65XPZuvBqvJYto= -github.com/go-openapi/runtime v0.27.1/go.mod h1:fijeJEiEclyS8BRurYE1DE5TLb9/KZl6eAdbzjsrlLU= -github.com/go-openapi/spec v0.20.13 h1:XJDIN+dLH6vqXgafnl5SUIMnzaChQ6QTo0/UPMbkIaE= -github.com/go-openapi/spec v0.20.13/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw= -github.com/go-openapi/strfmt v0.22.0 h1:Ew9PnEYc246TwrEspvBdDHS4BVKXy/AOVsfqGDgAcaI= -github.com/go-openapi/strfmt v0.22.0/go.mod h1:HzJ9kokGIju3/K6ap8jL+OlGAbjpSv27135Yr9OivU4= -github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= -github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= 
-github.com/go-openapi/validate v0.22.4 h1:5v3jmMyIPKTR8Lv9syBAIRxG6lY0RqeBPB1LKEijzk8= -github.com/go-openapi/validate v0.22.4/go.mod h1:qm6O8ZIcPVdSY5219468Jv7kBdGvkiZLPOmqnqTUZ2A= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -121,8 +91,6 @@ github.com/google/go-containerregistry v0.19.0 h1:uIsMRBV7m/HDkDxE/nXMnv1q+lOOSP github.com/google/go-containerregistry v0.19.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= -github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI= 
@@ -137,15 +105,11 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8= github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg= -github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs= -github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI= -github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4= github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= 
@@ -157,8 +121,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 h1:WGrKdjHtWC67RX96eTkYD2f53NDHhrq/7robWTAfk4s= -github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491/go.mod h1:o158RFmdEbYyIZmXAbrvmJWesbyxlLKee6X64VPVuOc= github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY= github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= 
@@ -168,24 +130,16 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= -github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= -github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s= github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8= github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo= github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8= -github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= -github.com/oklog/ulid v1.3.1/go.mod 
h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= @@ -201,14 +155,6 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= -github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= -github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= -github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= github.com/psanford/memfs v0.0.0-20230130182539-4dbf7e3e865e h1:51xcRlSMBU5rhM9KahnJGfEsBPVPz3182TgFRowA8yY= github.com/psanford/memfs v0.0.0-20230130182539-4dbf7e3e865e/go.mod h1:tcaRap0jS3eifrEEllL6ZMd9dg8IlDpi2S1oARrQ+NI= github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= 
@@ -217,16 +163,8 @@ github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJ github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA= -github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= -github.com/sigstore/cosign/v2 v2.2.3 h1:WX7yawI+EXu9h7S5bZsfYCbB9XW6Jc43ctKy/NoOSiA= -github.com/sigstore/cosign/v2 v2.2.3/go.mod h1:WpMn4MBt0cI23GdHsePwO4NxhX1FOz1ITGB3ALUjFaI= -github.com/sigstore/rekor v1.3.4 h1:RGIia1iOZU7fOiiP2UY/WFYhhp50S5aUm7YrM8aiA6E= -github.com/sigstore/rekor v1.3.4/go.mod h1:1GubPVO2yO+K0m0wt/3SHFqnilr/hWbsjSOe7Vzxrlg= -github.com/sigstore/sigstore v1.8.1 h1:mAVposMb14oplk2h/bayPmIVdzbq2IhCgy4g6R0ZSjo= -github.com/sigstore/sigstore v1.8.1/go.mod h1:02SL1158BSj15bZyOFz7m+/nJzLZfFd9A8ab3Kz7w/E= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 
@@ -244,8 +182,6 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= -github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tmc/dot v0.0.0-20210901225022-f9bc17da75c0 h1:hwIpbdjckSFqmZ6hod7WZgGR7tVVrSUzZrBfNZl7AOg= github.com/tmc/dot v0.0.0-20210901225022-f9bc17da75c0/go.mod h1:DV83s9TfD0rgoKcqvDmM+aYdz6BXmTkquwd+bI/8tlo= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= 
@@ -254,17 +190,11 @@ github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/ github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw= github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= -github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= -github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= -github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= -github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.lsp.dev/uri v0.3.0 h1:KcZJmh6nFIBeJzTugn5JTU6OOyG0lDOo3R9KwTxTYbo= go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I= -go.mongodb.org/mongo-driver v1.13.1 h1:YIc7HTYsKndGK4RFzJ3covLz1byri52x0IoMB0Pt/vk= -go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo= go.opentelemetry.io/otel v1.22.0 h1:xS7Ku+7yTFvDfDraDIJVpw7XPyuHlB9MCiqqX5mcJ6Y= go.opentelemetry.io/otel v1.22.0/go.mod h1:eoV4iAi3Ea8LkAEI9+GFT44O6T/D0GWAVFyZVCC6pMI= go.opentelemetry.io/otel/metric v1.22.0 h1:lypMQnGyJYeuYPhOM/bgjbFM6WE44W1/T45er4d8Hhg= 
@@ -335,7 +265,6 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 
@@ -355,19 +284,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 h1:nz5NESFLZbJGPFxDT/HCn+V1mZ8JGNoY4nUpmW/Y2eg= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac h1:nUQEQmH/csSvFECKYRv6HWEyypysidKl2I6Qpsglq/0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:daQN87bsDqDoe316QbbvX60nMoJQa4r6Ds0ZuoAe5yA= -google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0= -google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/go-jose/go-jose.v2 v2.6.1 h1:qEzJlIDmG9q5VO0M/o8tGS65QMHMS1w01TQJB1VPJ4U= -gopkg.in/go-jose/go-jose.v2 v2.6.1/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= 
diff --git a/internal/cli/build.go b/internal/cli/build.go
index 8b388fe6a..309d91060 100644
--- a/internal/cli/build.go
+++ b/internal/cli/build.go
@@ -25,8 +25,8 @@ import (
 	"sync"
 
 	"github.com/chainguard-dev/clog"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
-	coci "github.com/sigstore/cosign/v2/pkg/oci"
 	"github.com/spf13/cobra"
 	"go.opentelemetry.io/otel"
 	"golang.org/x/exp/slices"
@@ -162,7 +162,7 @@ func BuildCmd(ctx context.Context, imageRef, output string, archs []types.Archit
 
 // buildImage build all of the components of an image in a single working directory.
 // Each layer is a separate file, as are config, manifests, index and sbom.
-func buildImageComponents(ctx context.Context, workDir string, archs []types.Architecture, opts ...build.Option) (idx coci.SignedImageIndex, sboms []types.SBOM, err error) {
+func buildImageComponents(ctx context.Context, workDir string, archs []types.Architecture, opts ...build.Option) (idx v1.ImageIndex, sboms []types.SBOM, err error) {
 	log := clog.FromContext(ctx)
 	ctx, span := otel.Tracer("apko").Start(ctx, "buildImageComponents")
 	defer span.End()
@@ -210,7 +210,7 @@ func buildImageComponents(ctx context.Context, workDir string, archs []types.Arc
 		return nil, nil, fmt.Errorf("unable to create working image directory %s: %w", imageDir, err)
 	}
 
-	imgs := map[types.Architecture]coci.SignedImage{}
+	imgs := map[types.Architecture]v1.Image{}
 	contexts := map[types.Architecture]*build.Context{}
 	imageTars := map[types.Architecture]string{}
 
diff --git a/internal/cli/publish.go b/internal/cli/publish.go
index 09acc2c94..26b643a35 100644
--- a/internal/cli/publish.go
+++ b/internal/cli/publish.go
@@ -169,7 +169,6 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu
 		local = opts.local
 		tags = opts.tags
 		additionalTags []string
-		wantSBOM = len(sboms) > 0 // it only generates sboms if wantSbom was true
 		builtReferences = make([]string, 0)
 	)
 
@@ -232,19 +231,6 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu
 		return err
 	}
 
-	// publish each arch-specific sbom
-	// publish the index sbom
-	if wantSBOM {
-		// TODO: Why aren't these just attached to idx?
-
-		// all sboms will be in the same directory
-		if err := oci.PostAttachSBOMsFromIndex(
-			ctx, idx, sboms, tags, ropt...,
-		); err != nil {
-			return fmt.Errorf("attaching sboms to index: %w", err)
-		}
-	}
-
 	// copy sboms over to the sbomPath target directory
 	if sbomPath != "" {
 		for _, sbom := range sboms {
diff --git a/pkg/build/build_implementation.go b/pkg/build/build_implementation.go
index 1a3f273d1..c9449fc71 100644
--- a/pkg/build/build_implementation.go
+++ b/pkg/build/build_implementation.go
@@ -29,13 +29,13 @@ import (
 	"chainguard.dev/apko/pkg/lock"
 	"chainguard.dev/apko/pkg/options"
 
+	v1 "github.com/google/go-containerregistry/pkg/v1"
 	gzip "github.com/klauspost/pgzip"
 	"go.opentelemetry.io/otel"
 
 	"github.com/chainguard-dev/clog"
 	"github.com/chainguard-dev/go-apk/pkg/apk"
 	"github.com/chainguard-dev/go-apk/pkg/tarball"
-	"github.com/sigstore/cosign/v2/pkg/oci"
 )
 
 // pgzip's default is GOMAXPROCS(0)
@@ -180,7 +180,7 @@ func (bc *Context) buildImage(ctx context.Context) error {
 }
 
 // WriteIndex saves the index file from the given image configuration.
-func WriteIndex(ctx context.Context, o *options.Options, idx oci.SignedImageIndex) (string, error) {
+func WriteIndex(ctx context.Context, o *options.Options, idx v1.ImageIndex) (string, error) {
 	log := clog.FromContext(ctx)
 	outfile := filepath.Join(o.TempDir(), "index.json")
 
diff --git a/pkg/build/oci/image.go b/pkg/build/oci/image.go
index 85963f14a..6f0a860aa 100644
--- a/pkg/build/oci/image.go
+++ b/pkg/build/oci/image.go
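Review bot: After this hunk the generated SBOMs in `sboms` reach the registry no more: they are only copied to `sbomPath`, and a caller that previously relied on `apko publish` attaching them to the pushed index gets no hint that the attachment step is gone. The surviving `// copy sboms over to the sbomPath target directory` comment is the natural place to state the new contract, e.g. `// SBOMs are no longer attached to the published image or index; they are only written to sbomPath, and attaching them (e.g. with cosign attach sbom) is left to the caller.` If a logger is in scope in PublishCmd, a one-line notice when `len(sboms) > 0` and `sbomPath == ""` would also stop SBOMs from presumably being generated and then silently discarded. PublishCmd starts and ends outside this hunk.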
@@ -30,15 +30,13 @@ import (
 	v1tar "github.com/google/go-containerregistry/pkg/v1/tarball"
 	ggcrtypes "github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/google/shlex"
-	"github.com/sigstore/cosign/v2/pkg/oci"
-	"github.com/sigstore/cosign/v2/pkg/oci/signed"
 	"golang.org/x/exp/maps"
 
 	"chainguard.dev/apko/pkg/build/types"
 	"chainguard.dev/apko/pkg/options"
 )
 
-func BuildImageFromLayer(ctx context.Context, layer v1.Layer, ic types.ImageConfiguration, created time.Time, arch types.Architecture) (oci.SignedImage, error) {
+func BuildImageFromLayer(ctx context.Context, layer v1.Layer, ic types.ImageConfiguration, created time.Time, arch types.Architecture) (v1.Image, error) {
 	log := clog.FromContext(ctx)
 
 	mediaType, err := layer.MediaType()
@@ -176,8 +174,7 @@ func BuildImageFromLayer(ctx context.Context, layer v1.Layer, ic types.ImageConf
 		return nil, fmt.Errorf("unable to update %s config file: %w", imageType, err)
 	}
 
-	si := signed.Image(v1Image)
-	return si, nil
+	return v1Image, nil
 }
 
 func BuildImageTarballFromLayer(ctx context.Context, imageRef string, layer v1.Layer, outputTarGZ string, ic types.ImageConfiguration, opts options.Options) error {
diff --git a/pkg/build/oci/index.go b/pkg/build/oci/index.go
index 53998915d..1e7bfd0f8 100644
--- a/pkg/build/oci/index.go
+++ b/pkg/build/oci/index.go
@@ -30,9 +30,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	v1tar "github.com/google/go-containerregistry/pkg/v1/tarball"
 	ggcrtypes "github.com/google/go-containerregistry/pkg/v1/types"
-	"github.com/sigstore/cosign/v2/pkg/oci"
-	ocimutate "github.com/sigstore/cosign/v2/pkg/oci/mutate"
-	"github.com/sigstore/cosign/v2/pkg/oci/signed"
 	"go.opentelemetry.io/otel"
 
 	"chainguard.dev/apko/pkg/build/types"
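Review bot: `BuildImageFromLayer` is exported and, as this hunk shows, sits directly under the import block with no doc comment, so its changed return type — a plain `v1.Image` instead of a cosign `SignedImage` — is undocumented. A comment such as `// BuildImageFromLayer builds a single-layer image from layer, with its config derived from ic, created and arch. The returned v1.Image carries no attached signatures or SBOMs; callers that need those must attach them after publishing.` would state the new contract where callers look for it. The function body continues outside the hunk.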
@@ -41,7 +38,7 @@ import (
 // GenerateIndex generates an OCI image index from the given imgs. The index type
 // will be "application/vnd.oci.image.index.v1+json".
 // The index is stored in memory.
-func GenerateIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[types.Architecture]oci.SignedImage) (name.Digest, oci.SignedImageIndex, error) {
+func GenerateIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[types.Architecture]v1.Image) (name.Digest, v1.ImageIndex, error) {
 	_, span := otel.Tracer("apko").Start(ctx, "GenerateIndex")
 	defer span.End()
 
@@ -51,13 +48,13 @@ func GenerateIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[ty
 // GenerateDockerIndex generates a docker multi-arch manifest from the given imgs. The index type
 // will be "application/vnd.docker.distribution.manifest.list.v2+json".
 // The index is stored in memory.
-func GenerateDockerIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[types.Architecture]oci.SignedImage) (name.Digest, oci.SignedImageIndex, error) {
+func GenerateDockerIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[types.Architecture]v1.Image) (name.Digest, v1.ImageIndex, error) {
 	return generateIndexWithMediaType(ggcrtypes.DockerManifestList, ic, imgs)
 }
 
 // generateIndexWithMediaType generates an index or docker manifest list from the given imgs. The index type
 // is provided by the `mediaType` parameter.
-func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageConfiguration, imgs map[types.Architecture]oci.SignedImage) (name.Digest, oci.SignedImageIndex, error) {
+func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageConfiguration, imgs map[types.Architecture]v1.Image) (name.Digest, v1.ImageIndex, error) {
 	// If annotations are set and we're using the OCI mediaType, set annotations on the index.
 	annotations := map[string]string{}
 	if mediaType == ggcrtypes.OCIImageIndex {
@@ -73,11 +70,9 @@ func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageCon
 }
 }
 
- idx := signed.ImageIndex(
- mutate.IndexMediaType(
- mutate.Annotations(empty.Index, annotations).(v1.ImageIndex),
- mediaType),
- )
+ idx := mutate.Annotations(empty.Index, annotations).(v1.ImageIndex)
+ idx = mutate.IndexMediaType(idx, mediaType)
+
 archs := make([]types.Architecture, 0, len(imgs))
 for arch := range imgs {
 archs = append(archs, arch)
@@ -102,7 +97,7 @@ func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageCon
 return name.Digest{}, nil, fmt.Errorf("failed to compute size: %w", err)
 }
 
- idx = ocimutate.AppendManifests(idx, ocimutate.IndexAddendum{
+ idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
 Add: img,
 Descriptor: v1.Descriptor{
 MediaType: mt,
@@ -122,9 +117,9 @@ func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageCon
 
 // BuildIndex builds a self-contained tar.gz file containing the index and its individual images for all architectures.
 // Returns the digest and the path to the combined tar.gz.
-func BuildIndex(outfile string, idx oci.SignedImageIndex, tags []string) (name.Digest, error) {
+func BuildIndex(outfile string, idx v1.ImageIndex, tags []string) (name.Digest, error) {
 tagsToImages := make(map[name.Tag]v1.Image)
- var imgs = make([]oci.SignedImage, 0)
+ var imgs = make([]v1.Image, 0)
 manifest, err := idx.IndexManifest()
 if err != nil {
 return name.Digest{}, fmt.Errorf("failed to get index manifest: %w", err)
@@ -140,7 +135,7 @@ func BuildIndex(outfile string, idx oci.SignedImageIndex, tags []string) (name.D
 }
 for _, m := range manifest.Manifests {
 arch := m.Platform.Architecture
- img, err := idx.SignedImage(m.Digest)
+ img, err := idx.Image(m.Digest)
 if err != nil {
 return name.Digest{}, fmt.Errorf("failed to get image for manifest %s: %w", m.Digest, err)
 }
diff --git a/pkg/build/oci/publish.go b/pkg/build/oci/publish.go
index 3ac83dfef..9d4d1076f 100644
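Review bot: The rewritten `idx := mutate.Annotations(empty.Index, annotations).(v1.ImageIndex)` in hunk -73 keeps an unchecked type assertion, so a result that is not an index would panic inside generateIndexWithMediaType instead of reaching the error returns this function already uses. It holds today because the input is empty.Index, but now that the assertion is a statement of its own the checked form costs three lines and matches the `return name.Digest{}, nil, fmt.Errorf(...)` convention visible in hunk -102. The function starts before this hunk.
```go
	idx, ok := mutate.Annotations(empty.Index, annotations).(v1.ImageIndex)
	if !ok {
		return name.Digest{}, nil, fmt.Errorf("annotating empty index: result is not a v1.ImageIndex")
	}
	idx = mutate.IndexMediaType(idx, mediaType)
	// … unchanged: collecting and sorting archs, appending manifests …
```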
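Review bot: `var imgs = make([]v1.Image, 0)` in BuildIndex (hunk -122) allocates an empty slice only to grow it by append; the idiomatic form is `var imgs []v1.Image`, or, since `manifest` is fetched two lines later and the loop in hunk -140 walks manifest.Manifests, `imgs := make([]v1.Image, 0, len(manifest.Manifests))` placed after that call. This is a style point only; behaviour is unchanged. BuildIndex continues past the end of the hunk.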
--- a/pkg/build/oci/publish.go
+++ b/pkg/build/oci/publish.go
@@ -25,9 +25,6 @@ import (
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/daemon"
 "github.com/google/go-containerregistry/pkg/v1/remote"
- "github.com/sigstore/cosign/v2/pkg/oci"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
- "github.com/sigstore/cosign/v2/pkg/oci/walk"
 "go.opentelemetry.io/otel"
 "golang.org/x/sync/errgroup"
 )
@@ -36,7 +33,7 @@ import (
 // `local` determines if it should push to the local docker daemon or to the actual registry.
 // `shouldPushTags` determines whether to push the tags provided in the `tags` parameter, or whether
 // to treat the first tag as a digest and push that instead.
-func PublishImage(ctx context.Context, image oci.SignedImage, shouldPushTags bool, tags []string, remoteOpts ...remote.Option) (name.Digest, error) {
+func PublishImage(ctx context.Context, image v1.Image, shouldPushTags bool, tags []string, remoteOpts ...remote.Option) (name.Digest, error) {
 log := clog.FromContext(ctx)
 ref, err := name.ParseReference(tags[0])
 if err != nil {
@@ -68,12 +65,6 @@ func PublishImage(ctx context.Context, image oci.SignedImage, shouldPushTags boo
 return fmt.Errorf("unable to parse reference: %w", err)
 }
 
- // Write any attached SBOMs/signatures.
- wp := writePeripherals(ctx, ref, remoteOpts...)
- g.Go(func() error {
- return wp(ctx, image)
- })
-
 g.Go(func() error {
 return remote.Write(ref, image, remoteOpts...)
 })
@@ -89,7 +80,7 @@ func PublishImage(ctx context.Context, image oci.SignedImage, shouldPushTags boo
 return dig, nil
 }
 
-func LoadImage(ctx context.Context, image oci.SignedImage, tags []string) (name.Reference, error) {
+func LoadImage(ctx context.Context, image v1.Image, tags []string) (name.Reference, error) {
 log := clog.FromContext(ctx)
 hash, err := image.Digest()
 if err != nil {
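Review bot: The new PublishImage signature in hunk -36 keeps `tags []string`, and the context line right below it still indexes `tags[0]` with no length check, so an empty slice panics before any of the function's error paths is reached. A guard at the top of the body, `if len(tags) == 0 { return name.Digest{}, fmt.Errorf("no tags provided") }`, turns that into the error callers already handle. The function's body continues outside the hunk.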
@@ -129,7 +120,7 @@ func LoadImage(ctx context.Context, image oci.SignedImage, tags []string) (name.
 // Note that docker, when provided with a multi-architecture index, will load just the image inside for the provided
 // platform, defaulting to the one on which the docker daemon is running.
 // PublishIndex will determine that platform and use it to publish the updated index.
-func PublishIndex(ctx context.Context, idx oci.SignedImageIndex, tags []string, remoteOpts ...remote.Option) (name.Digest, error) {
+func PublishIndex(ctx context.Context, idx v1.ImageIndex, tags []string, remoteOpts ...remote.Option) (name.Digest, error) {
 log := clog.FromContext(ctx)
 
 // TODO(jason): Also set annotations on the index. ggcr's
@@ -160,17 +151,6 @@ func PublishIndex(ctx context.Context, idx oci.SignedImageIndex, tags []string,
 return name.Digest{}, fmt.Errorf("unable to parse reference: %w", err)
 }
 
- // Write any attached SBOMs/signatures (recursively)
- g.Go(func() error {
- wp := writePeripherals(ctx, ref, remoteOpts...)
- return walk.SignedEntity(ctx, idx, func(ctx context.Context, se oci.SignedEntity) error {
- g.Go(func() error {
- return wp(ctx, se)
- })
- return nil
- })
- })
-
 g.Go(func() error {
 return remote.WriteIndex(ref, idx, remoteOpts...)
 })
@@ -185,7 +165,7 @@ func PublishIndex(ctx context.Context, idx oci.SignedImageIndex, tags []string,
 // If attempting to save locally, pick the native architecture
 // and use that cached image for local tags
 // Ported from https://github.com/ko-build/ko/blob/main/pkg/publish/daemon.go#L92-L168
-func LoadIndex(ctx context.Context, idx oci.SignedImageIndex, tags []string) (name.Reference, error) {
+func LoadIndex(ctx context.Context, idx v1.ImageIndex, tags []string) (name.Reference, error) {
 log := clog.FromContext(ctx)
 im, err := idx.IndexManifest()
 if err != nil {
@@ -212,7 +192,7 @@ func LoadIndex(ctx context.Context, idx oci.SignedImageIndex, tags []string) (na
 }
 useManifest = manifest
 }
- img, err := idx.SignedImage(useManifest.Digest)
+ img, err := idx.Image(useManifest.Digest)
 if err != nil {
 return name.Digest{}, fmt.Errorf("reading child image %q", useManifest.Digest.String())
 }
@@ -224,7 +204,7 @@ func LoadIndex(ctx context.Context, idx oci.SignedImageIndex, tags []string) (na
 // PublishImagesFromIndex publishes all images from an index to a remote registry.
 // The only difference between this and PublishIndex is that PublishIndex pushes out all blobs and referenced manifests
 // from within the index. This adds pushing the referenced SignedImage artifacts along with appropriate tags.
-func PublishImagesFromIndex(ctx context.Context, idx oci.SignedImageIndex, repo name.Repository, remoteOpts ...remote.Option) ([]name.Digest, error) {
+func PublishImagesFromIndex(ctx context.Context, idx v1.ImageIndex, repo name.Repository, remoteOpts ...remote.Option) ([]name.Digest, error) {
 ctx, span := otel.Tracer("apko").Start(ctx, "PublishImagesFromIndex")
 defer span.End()
 
@@ -243,17 +223,11 @@ func PublishImagesFromIndex(ctx context.Context, idx oci.SignedImageIndex, repo
 digests[i] = dig
 
 g.Go(func() error {
- img, err := idx.SignedImage(m.Digest)
+ img, err := idx.Image(m.Digest)
 if err != nil {
 return fmt.Errorf("failed to get image for %v from index: %w", m, err)
 }
 
- g.Go(func() error {
- // Write any attached SBOMs/signatures.
- wp := writePeripherals(ctx, dig, remoteOpts...)
- return wp(ctx, img)
- })
-
 g.Go(func() error {
 return remote.Write(dig, img, remoteOpts...)
 })
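Review bot: The changed call `img, err := idx.Image(useManifest.Digest)` in hunk -212 is followed by a context line that discards err: `fmt.Errorf("reading child image %q", useManifest.Digest.String())` has no `%w`, so the cause of a failed lookup never reaches the caller. Change it to `return nil, fmt.Errorf("reading child image %q: %w", useManifest.Digest.String(), err)`; returning nil instead of `name.Digest{}` also avoids handing back a non-nil name.Reference together with an error. LoadIndex starts and ends outside this hunk.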
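Review bot: The doc comment kept above the new PublishImagesFromIndex signature in hunk -224 still says "This adds pushing the referenced SignedImage artifacts along with appropriate tags", which is stale once the parameter is a v1.ImageIndex and hunk -243 removes the writePeripherals call, leaving only the per-image manifest and blob writes. Replace that last line with `// from within the index. This additionally pushes each referenced image under its own digest.` Since this and the other publish paths no longer attach an SBOM to the pushed digests, consumers that expected one alongside each image now have to produce and attach it by other means, as the commit message says. PublishImagesFromIndex continues outside the hunk.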
@@ -267,61 +241,6 @@ func PublishImagesFromIndex(ctx context.Context, idx oci.SignedImageIndex, repo
 return digests, nil
 }
 
-// writePeripherals returns a function to write any attached SBOMs/signatures.
-// Its output is meant to be passed to walk.SignedEntity().
-func writePeripherals(ctx context.Context, tag name.Reference, opt ...remote.Option) walk.Fn {
- log := clog.FromContext(ctx)
- ociOpts := []ociremote.Option{ociremote.WithRemoteOptions(opt...)}
-
- // Respect COSIGN_REPOSITORY
- targetRepoOverride, err := ociremote.GetEnvTargetRepository()
- if err != nil {
- return func(ctx context.Context, se oci.SignedEntity) error { return err }
- }
- if (targetRepoOverride != name.Repository{}) {
- ociOpts = append(ociOpts, ociremote.WithTargetRepository(targetRepoOverride))
- }
-
- return func(ctx context.Context, se oci.SignedEntity) error {
- h, err := se.(interface{ Digest() (v1.Hash, error) }).Digest()
- if err != nil {
- return err
- }
-
- // TODO(mattmoor): We should have a WriteSBOM helper upstream.
- digest := tag.Context().Digest(h.String()) // Don't *get* the tag, we know the digest
- ref, err := ociremote.SBOMTag(digest, ociOpts...)
- if err != nil {
- return err
- }
-
- f, err := se.Attachment("sbom")
- if err != nil {
- // Some levels (e.g. the index) may not have an SBOM,
- // just like some levels may not have signatures/attestations.
- return nil
- }
-
- if err := remote.Write(ref, f, opt...); err != nil {
- return fmt.Errorf("writing sbom: %w", err)
- }
-
- // TODO(mattmoor): Don't enable this until we start signing or it
- // will publish empty signatures!
- // if err := ociremote.WriteSignatures(tag.Context(), se, ociOpts...); err != nil {
- // return err
- // }
-
- // TODO(mattmoor): Are there any attestations we want to write?
- // if err := ociremote.WriteAttestations(tag.Context(), se, ociOpts...); err != nil {
- // return err
- // }
- log.Infof("Published SBOM %v", ref)
-
- return nil
- }
-}
-
 // Copt copies an image from one registry repository to another.
 func Copy(ctx context.Context, src, dst string, remoteOpts ...remote.Option) error {
 log := clog.FromContext(ctx)
diff --git a/pkg/build/oci/sbom.go b/pkg/build/oci/sbom.go
deleted file mode 100644
index 23d8fd203..000000000
--- a/pkg/build/oci/sbom.go
+++ /dev/null
@@ -1,183 +0,0 @@
-// Copyright 2022, 2023 Chainguard, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package oci
-
-import (
- "context"
- "errors"
- "fmt"
- "os"
-
- "github.com/chainguard-dev/clog"
- "github.com/google/go-containerregistry/pkg/name"
- v1 "github.com/google/go-containerregistry/pkg/v1"
- "github.com/google/go-containerregistry/pkg/v1/remote"
- ggcrtypes "github.com/google/go-containerregistry/pkg/v1/types"
- "github.com/sigstore/cosign/v2/pkg/oci"
- ocimutate "github.com/sigstore/cosign/v2/pkg/oci/mutate"
- "github.com/sigstore/cosign/v2/pkg/oci/static"
- ctypes "github.com/sigstore/cosign/v2/pkg/types"
- "go.opentelemetry.io/otel"
- "golang.org/x/sync/errgroup"
-
- "chainguard.dev/apko/pkg/build/types"
-)
-
-// PostAttachSBOMsFromIndex attaches SBOMs to an already published index and all of the referenced images
-func PostAttachSBOMsFromIndex(ctx context.Context, idx oci.SignedImageIndex, sboms []types.SBOM,
- tags []string, remoteOpts ...remote.Option) error {
- ctx, span := otel.Tracer("apko").Start(ctx, "PostAttachSBOMsFromIndex")
- defer span.End()
-
- manifest, err := idx.IndexManifest()
- if err != nil {
- return fmt.Errorf("failed to get index manifest: %w", err)
- }
- var g errgroup.Group
- for _, m := range manifest.Manifests {
- m := m
- g.Go(func() error {
- img, err := idx.SignedImage(m.Digest)
- if err != nil {
- return fmt.Errorf("failed to get image %s: %w", m.Digest, err)
- }
- if _, err := PostAttachSBOM(
- ctx, img, sboms, m.Platform, tags, remoteOpts...,
- ); err != nil {
- return fmt.Errorf("attaching sboms to %s image: %w", m.Platform.String(), err)
- }
- return nil
- })
- }
- if err := g.Wait(); err != nil {
- return err
- }
-
- if _, err := PostAttachSBOM(
- ctx, idx, sboms, nil, tags, remoteOpts...,
- ); err != nil {
- return fmt.Errorf("attaching sboms to index: %w", err)
- }
- return nil
-}
-
-// PostAttachSBOM attaches the sboms to a single already published image
-func PostAttachSBOM(ctx context.Context, si oci.SignedEntity, sboms []types.SBOM,
- platform *v1.Platform, tags []string, remoteOpts ...remote.Option) (oci.SignedEntity, error) {
- var err2 error
- if si, err2 = attachSBOM(ctx, si, sboms, platform); err2 != nil {
- return nil, err2
- }
- var g errgroup.Group
- for _, tag := range tags {
- ref, err := name.ParseReference(tag)
- if err != nil {
- return nil, fmt.Errorf("parsing reference: %w", err)
- }
- // Write any attached SBOMs/signatures.
- wp := writePeripherals(ctx, ref, remoteOpts...)
- g.Go(func() error {
- return wp(ctx, si)
- })
- }
- if err := g.Wait(); err != nil {
- return nil, err
- }
- return si, nil
-}
-
-// attachSBOM does the actual attachment of one or more SBOMs to a single image or index.
-func attachSBOM(
- ctx context.Context,
- si oci.SignedEntity, sboms []types.SBOM,
- platform *v1.Platform,
-) (oci.SignedEntity, error) {
- log := clog.FromContext(ctx)
- var mt ggcrtypes.MediaType
- var path string
-
- // get the index of the item
- var (
- h v1.Hash
- err error
- )
- platformName := "index"
- if platform != nil {
- platformName = platform.String()
- }
- if i, ok := si.(oci.SignedImage); ok {
- h, err = i.Digest()
- } else if ii, ok := si.(oci.SignedImageIndex); ok {
- h, err = ii.Digest()
- } else {
- return nil, errors.New("unable to cast signed signedentity as image or index")
- }
- if err != nil {
- return nil, fmt.Errorf("unable to get digest for signed item: %w", err)
- }
-
- // find the sbom for use
- var matched []types.SBOM
- for _, s := range sboms {
- if s.Digest != h {
- continue
- }
- if (s.Arch == "" && platform == nil) || types.ParseArchitecture(s.Arch).ToOCIPlatform().String() == platform.String() {
- matched = append(matched, s)
- }
- }
- if len(matched) == 0 {
- return nil, fmt.Errorf("unable to find sbom for digest %s and platform %s", h, platformName)
- }
-
- switch matched[0].Format {
- case "spdx":
- mt = ctypes.SPDXJSONMediaType
- case "cyclonedx":
- mt = ctypes.CycloneDXJSONMediaType
- case "idb":
- mt = "application/vnd.apko.installed-db"
- default:
- return nil, fmt.Errorf("unsupported SBOM format: %s", matched[0].Format)
- }
- if len(matched) > 1 {
- // When we have multiple formats, warn that we're picking the first.
- log.Warnf("multiple SBOM formats requested, uploading SBOM with media type: %s", mt)
- }
- path = matched[0].Path
-
- sbom, err := os.ReadFile(path)
- if err != nil {
- return nil, fmt.Errorf("reading sbom: %w", err)
- }
-
- f, err := static.NewFile(sbom, static.WithLayerMediaType(mt))
- if err != nil {
- return nil, err
- }
- var aterr error
- if i, ok := si.(oci.SignedImage); ok {
- si, aterr = ocimutate.AttachFileToImage(i, "sbom", f)
- } else if ii, ok := si.(oci.SignedImageIndex); ok {
- si, aterr = ocimutate.AttachFileToImageIndex(ii, "sbom", f)
- } else {
- return nil, errors.New("unable to cast signed entity as image or index")
- }
- if aterr != nil {
- return nil, fmt.Errorf("attaching file to image: %w", aterr)
- }
-
- return si, nil
-}
diff --git a/pkg/build/sbom.go b/pkg/build/sbom.go
index eeee0af4d..5f6805d39 100644
--- a/pkg/build/sbom.go
+++ b/pkg/build/sbom.go
@@ -34,7 +34,6 @@ import (
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
 ggcrtypes "github.com/google/go-containerregistry/pkg/v1/types"
- "github.com/sigstore/cosign/v2/pkg/oci"
 "go.opentelemetry.io/otel"
 khash "sigs.k8s.io/release-utils/hash"
 )
@@ -69,7 +68,7 @@ func newSBOM(ctx context.Context, fsys apkfs.FullFS, o options.Options, ic types
 return sopt
 }
 
-func (bc *Context) GenerateImageSBOM(ctx context.Context, arch types.Architecture, img oci.SignedImage) ([]types.SBOM, error) {
+func (bc *Context) GenerateImageSBOM(ctx context.Context, arch types.Architecture, img v1.Image) ([]types.SBOM, error) {
 log := clog.New(slog.Default().Handler()).With("arch", arch.ToAPK())
 ctx = clog.WithLogger(ctx, log)
 
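Review bot: GenerateImageSBOM is an exported method whose signature hunk -69 rewrites, yet the context lines show no doc comment above it; the same holds for GenerateIndexSBOM in hunk -147 that follows. Add `// GenerateImageSBOM produces the SBOM files for img, built for arch, and returns one types.SBOM entry per file written.` above the method, and a parallel sentence for GenerateIndexSBOM naming indexDigest and the imgs map. With cosign gone these two are now the only place an SBOM comes from, so stating that they write files and do not attach or publish anything saves the next reader from assuming the old PostAttachSBOM behaviour still exists. Both method bodies continue outside their hunks.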
@@ -147,7 +146,7 @@ func (bc *Context) GenerateImageSBOM(ctx context.Context, arch types.Architectur
 return sboms, nil
 }
 
-func GenerateIndexSBOM(ctx context.Context, o options.Options, ic types.ImageConfiguration, indexDigest name.Digest, imgs map[types.Architecture]oci.SignedImage) ([]types.SBOM, error) {
+func GenerateIndexSBOM(ctx context.Context, o options.Options, ic types.ImageConfiguration, indexDigest name.Digest, imgs map[types.Architecture]v1.Image) ([]types.SBOM, error) {
 log := clog.FromContext(ctx)
 _, span := otel.Tracer("apko").Start(ctx, "GenerateIndexSBOM")
 defer span.End()