Migrating to the use of in-toto/go-witness module (#331)

* added all imports

* fixing go sum

* changing go-witness back for now, makes more sense

* moved witness to using new in-toto/go-witness module

Signed-off-by: chaosinthecrd <[email protected]>

* adding change to test now following newer version of policy

* running docgen as changes found from use of new module

* pinning to v0.2.0 of archivista and go-witness

Signed-off-by: chaosinthecrd <[email protected]>

---------

Signed-off-by: chaosinthecrd <[email protected]>
Signed-off-by: Tom Meadows <[email protected]>

cmd/config.go

@@ -20,11 +20,11 @@ import (
 	"os"
 	"strings"
 
+	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/witness/options"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
-	"github.com/testifysec/go-witness/log"
 )
 
 func initConfig(rootCmd *cobra.Command, rootOptions *options.RootOptions) error {

cmd/keyloader.go

@@ -19,11 +19,11 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/log"
+	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/witness/options"
 	"github.com/spf13/pflag"
-	"github.com/testifysec/go-witness/cryptoutil"
-	"github.com/testifysec/go-witness/log"
-	"github.com/testifysec/go-witness/signer"
 )
 
 // signerProvidersFromFlags looks at all flags that were set by the user to determine which signer providers we should use

cmd/root.go

@@ -18,9 +18,9 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/witness/options"
 	"github.com/spf13/cobra"
-	"github.com/testifysec/go-witness/log"
 )
 
 var ro = &options.RootOptions{}

cmd/root_test.go

@@ -26,12 +26,12 @@ import (
 	"testing"
 	"time"
 
+	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/signer"
+	"github.com/in-toto/go-witness/signer/file"
 	"github.com/in-toto/witness/options"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/testifysec/go-witness/cryptoutil"
-	"github.com/testifysec/go-witness/signer"
-	"github.com/testifysec/go-witness/signer/file"
 )
 
 const (

cmd/run.go

@@ -20,19 +20,19 @@ import (
 	"encoding/json"
 	"fmt"
 
+	witness "github.com/in-toto/go-witness"
+	"github.com/in-toto/go-witness/archivista"
+	"github.com/in-toto/go-witness/attestation"
+	"github.com/in-toto/go-witness/attestation/commandrun"
+	"github.com/in-toto/go-witness/attestation/material"
+	"github.com/in-toto/go-witness/attestation/product"
+	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/go-witness/log"
+	"github.com/in-toto/go-witness/registry"
+	"github.com/in-toto/go-witness/timestamp"
 	"github.com/in-toto/witness/options"
 	"github.com/spf13/cobra"
-	witness "github.com/testifysec/go-witness"
-	"github.com/testifysec/go-witness/archivista"
-	"github.com/testifysec/go-witness/attestation"
-	"github.com/testifysec/go-witness/attestation/commandrun"
-	"github.com/testifysec/go-witness/attestation/material"
-	"github.com/testifysec/go-witness/attestation/product"
-	"github.com/testifysec/go-witness/cryptoutil"
-	"github.com/testifysec/go-witness/dsse"
-	"github.com/testifysec/go-witness/log"
-	"github.com/testifysec/go-witness/registry"
-	"github.com/testifysec/go-witness/timestamp"
 )
 
 func RunCmd() *cobra.Command {

cmd/run_test.go

@@ -24,13 +24,13 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/go-witness/signer"
+	"github.com/in-toto/go-witness/signer/file"
 	"github.com/in-toto/witness/options"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/testifysec/go-witness/cryptoutil"
-	"github.com/testifysec/go-witness/dsse"
-	"github.com/testifysec/go-witness/signer"
-	"github.com/testifysec/go-witness/signer/file"
 )
 
 func TestRunRSAKeyPair(t *testing.T) {

cmd/sign.go

@@ -19,12 +19,12 @@ import (
 	"fmt"
 	"os"
 
+	witness "github.com/in-toto/go-witness"
+	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/go-witness/timestamp"
 	"github.com/in-toto/witness/options"
 	"github.com/spf13/cobra"
-	witness "github.com/testifysec/go-witness"
-	"github.com/testifysec/go-witness/cryptoutil"
-	"github.com/testifysec/go-witness/dsse"
-	"github.com/testifysec/go-witness/timestamp"
 )
 
 func SignCmd() *cobra.Command {

cmd/sign_test.go

@@ -22,10 +22,10 @@ import (
 	"os"
 	"testing"
 
+	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/witness/options"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/testifysec/go-witness/cryptoutil"
 )
 
 func Test_runSignPolicyRSA(t *testing.T) {

cmd/verify.go

@@ -22,14 +22,14 @@ import (
 	"fmt"
 	"os"
 
+	witness "github.com/in-toto/go-witness"
+	"github.com/in-toto/go-witness/archivista"
+	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/go-witness/log"
+	"github.com/in-toto/go-witness/source"
 	"github.com/in-toto/witness/options"
 	"github.com/spf13/cobra"
-	witness "github.com/testifysec/go-witness"
-	"github.com/testifysec/go-witness/archivista"
-	"github.com/testifysec/go-witness/cryptoutil"
-	"github.com/testifysec/go-witness/dsse"
-	"github.com/testifysec/go-witness/log"
-	"github.com/testifysec/go-witness/source"
 )
 
 func VerifyCmd() *cobra.Command {

cmd/verify_test.go

@@ -28,15 +28,16 @@ import (
 	"testing"
 	"time"
 
+	witness "github.com/in-toto/go-witness"
+	"github.com/in-toto/go-witness/attestation/commandrun"
+	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/go-witness/policy"
+	"github.com/in-toto/go-witness/signer"
+	"github.com/in-toto/go-witness/signer/file"
 	"github.com/in-toto/witness/options"
 	"github.com/stretchr/testify/require"
-	witness "github.com/testifysec/go-witness"
-	"github.com/testifysec/go-witness/attestation/commandrun"
-	"github.com/testifysec/go-witness/cryptoutil"
-	"github.com/testifysec/go-witness/dsse"
-	"github.com/testifysec/go-witness/policy"
-	"github.com/testifysec/go-witness/signer"
-	"github.com/testifysec/go-witness/signer/file"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestRunVerifyCA(t *testing.T) {
@@ -313,7 +314,7 @@ func makepolicy(t *testing.T, functionary policy.Functionary, publicKey policy.P
 	}
 
 	p := policy.Policy{
-		Expires:    time.Now().Add(1 * time.Hour),
+		Expires:    metav1.Time{Time: time.Now().Add(1 * time.Hour)},
 		PublicKeys: map[string]policy.PublicKey{},
 		Steps:      map[string]policy.Step{},
 	}
@@ -351,14 +352,8 @@ func createTestRSAKey() (cryptoutil.Signer, cryptoutil.Verifier, []byte, []byte,
 	}
 
 	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: keyBytes})
-	if err != nil {
-		return nil, nil, nil, nil, err
-	}
 
 	privKeyBytes := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privKey)})
-	if err != nil {
-		return nil, nil, nil, nil, err
-	}
 
 	return signer, verifier, pemBytes, privKeyBytes, nil
 }

docs/witness_run.md

@@ -22,7 +22,8 @@ witness run [cmd] [flags]
   -k, --signer-file-key-path string                   Path to the file containing the private key
       --signer-fulcio-oidc-client-id string           OIDC client ID to use for authentication
       --signer-fulcio-oidc-issuer string              OIDC issuer to use for authentication
-      --signer-fulcio-token string                    Raw token to use for authentication
+      --signer-fulcio-token string                    Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path)
+      --signer-fulcio-token-path string               Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token)
       --signer-fulcio-url string                      Fulcio address to sign with
       --signer-spiffe-socket-path string              Path to the SPIFFE Workload API Socket
       --signer-vault-altnames strings                 Alt names to use for the generated certificate. All alt names must be allowed by the vault role policy

docs/witness_sign.md

@@ -22,7 +22,8 @@ witness sign [file] [flags]
   -k, --signer-file-key-path string                   Path to the file containing the private key
       --signer-fulcio-oidc-client-id string           OIDC client ID to use for authentication
       --signer-fulcio-oidc-issuer string              OIDC issuer to use for authentication
-      --signer-fulcio-token string                    Raw token to use for authentication
+      --signer-fulcio-token string                    Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path)
+      --signer-fulcio-token-path string               Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token)
       --signer-fulcio-url string                      Fulcio address to sign with
       --signer-spiffe-socket-path string              Path to the SPIFFE Workload API Socket
       --signer-vault-altnames strings                 Alt names to use for the generated certificate. All alt names must be allowed by the vault role policy

go.mod

@@ -3,12 +3,13 @@ module github.com/in-toto/witness
 go 1.19
 
 require (
+	github.com/in-toto/go-witness v0.2.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.6.1
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.15.0
 	github.com/stretchr/testify v1.8.4
-	github.com/testifysec/go-witness v0.1.17
+	k8s.io/apimachinery v0.26.11
 )
 
 require (
@@ -32,7 +33,7 @@ require (
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/aws/aws-sdk-go v1.44.334 // indirect
 	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230220124406-51331ccfc40f // indirect
 	github.com/digitorus/timestamp v0.0.0-20230220124323-d542479a2425 // indirect
@@ -44,19 +45,26 @@ require (
 	github.com/go-git/go-billy/v5 v5.4.1 // indirect
 	github.com/go-git/go-git/v5 v5.5.2 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-containerregistry v0.13.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-3 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/in-toto/archivista v0.2.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/open-policy-agent/opa v0.49.2 // indirect
 	github.com/owenrumney/go-sarif v1.1.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
@@ -73,7 +81,6 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
-	github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76 // indirect
 	github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -82,20 +89,25 @@ require (
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
 	github.com/zeebo/errs v1.3.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/mod v0.10.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/grpc v1.56.3 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.90.0 // indirect
+	k8s.io/utils v0.0.0-20230115233650-391b47cb4029 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
 
 replace github.com/sigstore/rekor => github.com/testifysec/rekor v0.4.0-dsse-intermediates-2