
cosign update



All,

For anyone wondering what is holding up 'cosign', here is the latest
update and request for assistance.

Latest code as usual here:
https://salsa.debian.org/go-team/packages/cosign/

Real build pipelines churning here:
https://salsa.debian.org/jas/cosign/-/pipelines

Watch the debian/salsa-ci.yml for non-sid B-D's --
https://salsa.debian.org/go-team/packages/cosign/-/blob/debian/sid/debian/salsa-ci.yml
-- currently we are waiting for NEW handling of these packages:

golang-github-smallstep-crypto
sigstore-go
golang-github-withfig-autocomplete-tools

Let's look at the latest build output:
https://salsa.debian.org/jas/cosign/-/jobs/6622639

It fails due to these dependencies:

cannot find package "github.com/sigstore/sigstore/pkg/tuf
cannot find package "github.com/google/go-github/v55/github
cannot find package "github.com/sigstore/sigstore/pkg/fulcioroots
cannot find package "cuelang.org/go/cue/cuecontext
cannot find package "cuelang.org/go/cue/load
cannot find package "cuelang.org/go/encoding/json
cannot find package "github.com/open-policy-agent/opa/rego

Going through these:

x) github.com/sigstore/sigstore/pkg/tuf - according to upstream, TUF
support is deprecated, so we dropped this part.  However, cosign still
uses it.  There are open GitHub issues related to TUF, but help is
appreciated if anyone knows how to assist cosign upstream to drop the
github.com/sigstore/sigstore/pkg/tuf dependency, assuming that is the
right thing.

x) github.com/google/go-github/v55/github - maybe just a package version
upgrade?  Help appreciated.

x) github.com/sigstore/sigstore/pkg/fulcioroots - I haven't analyzed
this at all.

x) cuelang.org/go/ - seems like an entire eco-system on its own, can we
patch this out of cosign?  Could

x) github.com/open-policy-agent/opa/rego - I have packaged this and it
builds fine locally but seems to fail on Salsa:
https://salsa.debian.org/jas/golang-github-open-policy-agent-opa/-/pipelines/765894
However, this packaging doesn't look optimal: it is 1.5GB large and
contains a lot of vendored stuff.  Can we patch cosign to avoid OPA?

/Simon
