After adding a number of new packages to Debian, I'm now down to a single TUFv0-related build problem preventing cosign from building:

https://salsa.debian.org/jas/cosign/-/jobs/6649015

  src/github.com/sigstore/cosign/pkg/cosign/ctlog.go:24:2: cannot find package "github.com/sigstore/sigstore/pkg/tuf" in any of:
          /usr/lib/go-1.23/src/github.com/sigstore/sigstore/pkg/tuf (from $GOROOT)
          /builds/jas/cosign/debian/output/source_dir/_build/src/github.com/sigstore/sigstore/pkg/tuf (from $GOPATH)
  src/github.com/sigstore/cosign/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go:27:2: cannot find package "github.com/sigstore/sigstore/pkg/fulcioroots" in any of:
          /usr/lib/go-1.23/src/github.com/sigstore/sigstore/pkg/fulcioroots (from $GOROOT)
          /builds/jas/cosign/debian/output/source_dir/_build/src/github.com/sigstore/sigstore/pkg/fulcioroots (from $GOPATH)

The problem seems to be:

1) github.com/sigstore/sigstore has marked the TUF client as deprecated, since it uses the old TUF v0 APIs:
   https://github.com/sigstore/sigstore/releases

2) Debian's github.com/sigstore/sigstore package dropped the TUF support altogether, to allow TUF v2 to be uploaded into Debian -- TUFv2 is needed by github.com/sigstore/sigstore-go which is required by cosign.
   https://salsa.debian.org/go-team/packages/golang-github-sigstore-sigstore/-/commit/9bc3e28a51f32273ccfc9ec9bd0e6fbc7c561241
   The github.com/sigstore/sigstore/pkg/fulcioroots directory is removed, since it uses the github.com/sigstore/sigstore/pkg/tuf API.

3) Cosign still uses the github.com/sigstore/sigstore TUFv0-related APIs, so the compilation breaks as above.

It seems some Go skill is required to sort out this mess. Help?!

My naive ideas:

1) Patch github.com/sigstore/sigstore so it still exposes the tuf/fulcioroots APIs, but they are dummy functions that don't do anything.

2) Patch cosign (ctlog.go and fulcioroots.go) to avoid calling the TUFv0-related APIs from github.com/sigstore/sigstore.
I'll work on getting the >5 NEW dependencies into unstable, awaiting help from someone more experienced in reading/writing Go... TUFv0-migration seems to be discussed in some upstream cosign github issues, but it is hard for me to understand what is going on.

/Simon