We, being the sigstore-go maintainers, have released a new version of sigstore-go with support for signing artifacts. We've been looking for good candidates in the ecosystem to try out sigstore-go, and I think gitsign would be a perfect choice. You're using Cosign's API currently for blob signing and not container signing, which means you should be able to migrate over to sigstore-go without any loss of functionality and a gain of fewer dependencies and a much cleaner API.
The main changes to note, beyond the API, are:
- The usage of a new TUF client that uses a trust root bundle to fetch roots of trust. This also simplifies support for private Sigstore instances, which can provide trust root material via a single file rather than needing a TUF environment or setting multiple environment variables.
- Support for the new bundle format for verification material (cert and proof) and signature.
Here is an example of how to use the API to sign - https://github.com/sigstore/sigstore-go/blob/main/examples/sigstore-go-signing/main.go - and to verify - https://github.com/sigstore/sigstore-go/blob/main/cmd/sigstore-go/main.go.
If you were to make this change, at a glance over the code, you would roughly need to:
- Fetch an identity token using Cosign's identity providers (we're talking about pulling these into a dedicated repo)
- Change initialize to initialize the new TUF client
- Provide the identity token and artifact to sigstore-go's signing API, output a bundle, and transform the bundle into the PKCS7 structure you store in the commit
- You can let the signing API handle uploading to Rekor and fetching a cert from Fulcio; the API just needs an identity token
- All verification can be replaced with sigstore-go's verification API, with the bundle as input (see 1 and 2)
You'd also need to decide if and how to support previously generated signatures/verification material. For verification, one suggestion would be to merge the "detached" verification material into a bundle that the sigstore-go API accepts, like what we're going to be doing in Cosign to output bundles - https://github.com/sigstore/cosign/pull/3752/files#diff-ed22d84833d1dbf7ab58a443e2105ce4769e2db0761f4d1c403ebc879957a3e1. I think this is no different than what you're already doing, switching between PKCS7 and Cosign structs.
If you wanna tackle this, let us know if you need any pointers!
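The "merge the detached verification material into a bundle" step described above, as an added Go example that is not gitsign's or sigstore-go's own code. It uses only the standard library, assumes a detached layout of a PEM Fulcio certificate plus a raw signature over the artifact, and fills a reduced v0.3 bundle shape; the Rekor entry (tlogEntries) and the sigstore-go verifier call itself are left out.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/pem"
	"errors"
)

// Detached is material kept outside a bundle (assumption: PEM Fulcio cert + raw artifact signature).
type Detached struct{ CertPEM, Signature, Artifact []byte }

// Bundle mirrors the JSON form of the Sigstore protobuf Bundle (v0.3), reduced to the fields
// filled here; the Rekor entry (tlogEntries) is not reconstructed in this example.
type Bundle struct {
	MediaType            string `json:"mediaType"`
	VerificationMaterial struct {
		Certificate struct {
			RawBytes string `json:"rawBytes"` // base64 DER
		} `json:"certificate"`
	} `json:"verificationMaterial"`
	MessageSignature struct {
		MessageDigest struct {
			Algorithm string `json:"algorithm"`
			Digest    string `json:"digest"` // base64 SHA-256 of the artifact
		} `json:"messageDigest"`
		Signature string `json:"signature"` // base64 raw signature
	} `json:"messageSignature"`
}

const BundleV03 = "application/vnd.dev.sigstore.bundle.v0.3+json"

// MergeToBundle folds detached material into one Bundle, rejecting malformed input.
func MergeToBundle(d Detached) (Bundle, error) {
	var b Bundle
	block, _ := pem.Decode(d.CertPEM)
	if block == nil || block.Type != "CERTIFICATE" || len(d.Signature) == 0 {
		return b, errors.New("need a PEM CERTIFICATE block and a non-empty signature")
	}
	sum := sha256.Sum256(d.Artifact) // the bundle carries the digest, not the artifact itself
	enc := base64.StdEncoding.EncodeToString
	b.MediaType = BundleV03
	b.VerificationMaterial.Certificate.RawBytes = enc(block.Bytes)
	b.MessageSignature.MessageDigest.Algorithm = "SHA2_256"
	b.MessageSignature.MessageDigest.Digest = enc(sum[:])
	b.MessageSignature.Signature = enc(d.Signature)
	return b, nil
}
```

The resulting struct marshals with encoding/json into the bundle document the verification API expects as input; existing-signature support would add the stored Rekor entry to tlogEntries before that.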