
Drop cosign dep
It's too far gone. We can't escape the dependency hell.

For our own purposes, we don't even use the SBOMs that get attached.

Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
jonjohnsonjr committed Feb 10, 2024
1 parent b29fbd6 commit 43693d5
Showing 10 changed files with 35 additions and 433 deletions.
25 changes: 1 addition & 24 deletions go.mod
Expand Up @@ -17,7 +17,6 @@ require (
github.com/jinzhu/copier v0.4.0
github.com/klauspost/pgzip v1.2.6
github.com/package-url/packageurl-go v0.1.2
github.com/sigstore/cosign/v2 v2.2.3
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
github.com/spf13/cobra v1.8.0
github.com/stretchr/testify v1.8.4
Expand All @@ -36,7 +35,6 @@ require (
github.com/MakeNowJust/heredoc/v2 v2.0.1 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
github.com/bahlo/generic-list-go v0.2.0 // indirect
github.com/buger/jsonparser v1.1.1 // indirect
Expand All @@ -59,65 +57,44 @@ require (
github.com/go-logfmt/logfmt v0.6.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.22.0 // indirect
github.com/go-openapi/errors v0.21.0 // indirect
github.com/go-openapi/jsonpointer v0.20.2 // indirect
github.com/go-openapi/jsonreference v0.20.4 // indirect
github.com/go-openapi/loads v0.21.5 // indirect
github.com/go-openapi/runtime v0.27.1 // indirect
github.com/go-openapi/spec v0.20.13 // indirect
github.com/go-openapi/strfmt v0.22.0 // indirect
github.com/go-openapi/swag v0.22.9 // indirect
github.com/go-openapi/validate v0.22.4 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-hclog v0.9.2 // indirect
github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/compress v1.17.4 // indirect
github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.15 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/muesli/reflow v0.3.0 // indirect
github.com/muesli/termenv v0.15.2 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/psanford/memfs v0.0.0-20230130182539-4dbf7e3e865e // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
github.com/sergi/go-diff v1.3.1 // indirect
github.com/sigstore/rekor v1.3.4 // indirect
github.com/sigstore/sigstore v1.8.1 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/skeema/knownhosts v1.2.1 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/vbatts/tar-split v0.11.5 // indirect
github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
go.lsp.dev/uri v0.3.0 // indirect
go.mongodb.org/mongo-driver v1.13.1 // indirect
go.opentelemetry.io/otel/metric v1.22.0 // indirect
go.opentelemetry.io/otel/trace v1.22.0 // indirect
golang.org/x/crypto v0.18.0 // indirect
golang.org/x/mod v0.14.0 // indirect
golang.org/x/net v0.20.0 // indirect
golang.org/x/term v0.16.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.15.0 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gotest.tools/v3 v3.5.1 // indirect
84 changes: 2 additions & 82 deletions go.sum

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions internal/cli/build.go
Expand Up @@ -25,8 +25,8 @@ import (
"sync"

"github.com/chainguard-dev/clog"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/layout"
coci "github.com/sigstore/cosign/v2/pkg/oci"
"github.com/spf13/cobra"
"go.opentelemetry.io/otel"
"golang.org/x/exp/slices"
Expand Down Expand Up @@ -162,7 +162,7 @@ func BuildCmd(ctx context.Context, imageRef, output string, archs []types.Archit

// buildImage build all of the components of an image in a single working directory.
// Each layer is a separate file, as are config, manifests, index and sbom.
func buildImageComponents(ctx context.Context, workDir string, archs []types.Architecture, opts ...build.Option) (idx coci.SignedImageIndex, sboms []types.SBOM, err error) {
func buildImageComponents(ctx context.Context, workDir string, archs []types.Architecture, opts ...build.Option) (idx v1.ImageIndex, sboms []types.SBOM, err error) {
log := clog.FromContext(ctx)
ctx, span := otel.Tracer("apko").Start(ctx, "buildImageComponents")
defer span.End()
Expand Down Expand Up @@ -210,7 +210,7 @@ func buildImageComponents(ctx context.Context, workDir string, archs []types.Arc
return nil, nil, fmt.Errorf("unable to create working image directory %s: %w", imageDir, err)
}

imgs := map[types.Architecture]coci.SignedImage{}
imgs := map[types.Architecture]v1.Image{}
contexts := map[types.Architecture]*build.Context{}
imageTars := map[types.Architecture]string{}

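Review bot: The comment above `buildImageComponents` still begins `// buildImage build all of the components …`, so it names a function other than the one it documents, and the signature directly under it is the line this commit rewrites. I would bring it in line with the Go doc convention while touching it: `// buildImageComponents builds all of the components of an image in a single working directory.` The second sentence of the comment can stay as it is. The function body continues past the end of the hunk.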
14 changes: 0 additions & 14 deletions internal/cli/publish.go
Expand Up @@ -169,7 +169,6 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu
local = opts.local
tags = opts.tags
additionalTags []string
wantSBOM = len(sboms) > 0 // it only generates sboms if wantSbom was true
builtReferences = make([]string, 0)
)

Expand Down Expand Up @@ -232,19 +231,6 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu
return err
}

// publish each arch-specific sbom
// publish the index sbom
if wantSBOM {
// TODO: Why aren't these just attached to idx?

// all sboms will be in the same directory
if err := oci.PostAttachSBOMsFromIndex(
ctx, idx, sboms, tags, ropt...,
); err != nil {
return fmt.Errorf("attaching sboms to index: %w", err)
}
}

// copy sboms over to the sbomPath target directory
if sbomPath != "" {
for _, sbom := range sboms {
4 changes: 2 additions & 2 deletions pkg/build/build_implementation.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,13 +29,13 @@ import (
"chainguard.dev/apko/pkg/lock"
"chainguard.dev/apko/pkg/options"

v1 "github.com/google/go-containerregistry/pkg/v1"
gzip "github.com/klauspost/pgzip"
"go.opentelemetry.io/otel"

"github.com/chainguard-dev/clog"
"github.com/chainguard-dev/go-apk/pkg/apk"
"github.com/chainguard-dev/go-apk/pkg/tarball"
"github.com/sigstore/cosign/v2/pkg/oci"
)

// pgzip's default is GOMAXPROCS(0)
Expand Down Expand Up @@ -180,7 +180,7 @@ func (bc *Context) buildImage(ctx context.Context) error {
}

// WriteIndex saves the index file from the given image configuration.
func WriteIndex(ctx context.Context, o *options.Options, idx oci.SignedImageIndex) (string, error) {
func WriteIndex(ctx context.Context, o *options.Options, idx v1.ImageIndex) (string, error) {
log := clog.FromContext(ctx)
outfile := filepath.Join(o.TempDir(), "index.json")

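Review bot: The doc comment on `WriteIndex` says the index file is saved "from the given image configuration", but the function takes the index itself (`idx v1.ImageIndex` after this change) and the visible body only derives the output path from `o.TempDir()`. Something like `// WriteIndex writes idx as index.json under o.TempDir().` would match the signature. What the returned string holds should be confirmed against the rest of the body, which lies outside the hunk.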
7 changes: 2 additions & 5 deletions pkg/build/oci/image.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,13 @@ import (
v1tar "github.com/google/go-containerregistry/pkg/v1/tarball"
ggcrtypes "github.com/google/go-containerregistry/pkg/v1/types"
"github.com/google/shlex"
"github.com/sigstore/cosign/v2/pkg/oci"
"github.com/sigstore/cosign/v2/pkg/oci/signed"
"golang.org/x/exp/maps"

"chainguard.dev/apko/pkg/build/types"
"chainguard.dev/apko/pkg/options"
)

func BuildImageFromLayer(ctx context.Context, layer v1.Layer, ic types.ImageConfiguration, created time.Time, arch types.Architecture) (oci.SignedImage, error) {
func BuildImageFromLayer(ctx context.Context, layer v1.Layer, ic types.ImageConfiguration, created time.Time, arch types.Architecture) (v1.Image, error) {
log := clog.FromContext(ctx)

mediaType, err := layer.MediaType()
Expand Down Expand Up @@ -176,8 +174,7 @@ func BuildImageFromLayer(ctx context.Context, layer v1.Layer, ic types.ImageConf
return nil, fmt.Errorf("unable to update %s config file: %w", imageType, err)
}

si := signed.Image(v1Image)
return si, nil
return v1Image, nil
}

func BuildImageTarballFromLayer(ctx context.Context, imageRef string, layer v1.Layer, outputTarGZ string, ic types.ImageConfiguration, opts options.Options) error {
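Review bot: `BuildImageFromLayer` is exported and its result type narrows from `oci.SignedImage` to `v1.Image`, so a caller outside this repository that kept the result in an `oci.SignedImage` or used the cosign wrapper's methods will no longer compile, and nothing in the hunk documents that. The function also has no doc comment, so I would add one that states the new contract, e.g. `// BuildImageFromLayer builds a v1.Image for arch from layer and ic; the result is a plain image with no cosign signed-entity wrapper.` The same applies to the changed signatures of `GenerateIndex`, `GenerateDockerIndex` and `BuildIndex` in pkg/build/oci/index.go, where the `imgs` map parameter type changes as well. Most of the function body is outside the two hunks shown.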
25 changes: 10 additions & 15 deletions pkg/build/oci/index.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,6 @@ import (
"github.com/google/go-containerregistry/pkg/v1/mutate"
v1tar "github.com/google/go-containerregistry/pkg/v1/tarball"
ggcrtypes "github.com/google/go-containerregistry/pkg/v1/types"
"github.com/sigstore/cosign/v2/pkg/oci"
ocimutate "github.com/sigstore/cosign/v2/pkg/oci/mutate"
"github.com/sigstore/cosign/v2/pkg/oci/signed"
"go.opentelemetry.io/otel"

"chainguard.dev/apko/pkg/build/types"
Expand All @@ -41,7 +38,7 @@ import (
// GenerateIndex generates an OCI image index from the given imgs. The index type
// will be "application/vnd.oci.image.index.v1+json".
// The index is stored in memory.
func GenerateIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[types.Architecture]oci.SignedImage) (name.Digest, oci.SignedImageIndex, error) {
func GenerateIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[types.Architecture]v1.Image) (name.Digest, v1.ImageIndex, error) {
_, span := otel.Tracer("apko").Start(ctx, "GenerateIndex")
defer span.End()

Expand All @@ -51,13 +48,13 @@ func GenerateIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[ty
// GenerateDockerIndex generates a docker multi-arch manifest from the given imgs. The index type
// will be "application/vnd.docker.distribution.manifest.list.v2+json".
// The index is stored in memory.
func GenerateDockerIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[types.Architecture]oci.SignedImage) (name.Digest, oci.SignedImageIndex, error) {
func GenerateDockerIndex(ctx context.Context, ic types.ImageConfiguration, imgs map[types.Architecture]v1.Image) (name.Digest, v1.ImageIndex, error) {
return generateIndexWithMediaType(ggcrtypes.DockerManifestList, ic, imgs)
}

// generateIndexWithMediaType generates an index or docker manifest list from the given imgs. The index type
// is provided by the `mediaType` parameter.
func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageConfiguration, imgs map[types.Architecture]oci.SignedImage) (name.Digest, oci.SignedImageIndex, error) {
func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageConfiguration, imgs map[types.Architecture]v1.Image) (name.Digest, v1.ImageIndex, error) {
// If annotations are set and we're using the OCI mediaType, set annotations on the index.
annotations := map[string]string{}
if mediaType == ggcrtypes.OCIImageIndex {
Expand All @@ -73,11 +70,9 @@ func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageCon
}
}

idx := signed.ImageIndex(
mutate.IndexMediaType(
mutate.Annotations(empty.Index, annotations).(v1.ImageIndex),
mediaType),
)
idx := mutate.Annotations(empty.Index, annotations).(v1.ImageIndex)
idx = mutate.IndexMediaType(idx, mediaType)

archs := make([]types.Architecture, 0, len(imgs))
for arch := range imgs {
archs = append(archs, arch)
Expand All @@ -102,7 +97,7 @@ func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageCon
return name.Digest{}, nil, fmt.Errorf("failed to compute size: %w", err)
}

idx = ocimutate.AppendManifests(idx, ocimutate.IndexAddendum{
idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
Add: img,
Descriptor: v1.Descriptor{
MediaType: mt,
Expand All @@ -122,9 +117,9 @@ func generateIndexWithMediaType(mediaType ggcrtypes.MediaType, ic types.ImageCon

// BuildIndex builds a self-contained tar.gz file containing the index and its individual images for all architectures.
// Returns the digest and the path to the combined tar.gz.
func BuildIndex(outfile string, idx oci.SignedImageIndex, tags []string) (name.Digest, error) {
func BuildIndex(outfile string, idx v1.ImageIndex, tags []string) (name.Digest, error) {
tagsToImages := make(map[name.Tag]v1.Image)
var imgs = make([]oci.SignedImage, 0)
var imgs = make([]v1.Image, 0)
manifest, err := idx.IndexManifest()
if err != nil {
return name.Digest{}, fmt.Errorf("failed to get index manifest: %w", err)
Expand All @@ -140,7 +135,7 @@ func BuildIndex(outfile string, idx oci.SignedImageIndex, tags []string) (name.D
}
for _, m := range manifest.Manifests {
arch := m.Platform.Architecture
img, err := idx.SignedImage(m.Digest)
img, err := idx.Image(m.Digest)
if err != nil {
return name.Digest{}, fmt.Errorf("failed to get image for manifest %s: %w", m.Digest, err)
}
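Review bot: In `BuildIndex`, `arch := m.Platform.Architecture` dereferences `m.Platform` without a nil check, and in go-containerregistry that descriptor field is a pointer that is optional in an index manifest. Now that the parameter is any `v1.ImageIndex`, an index whose entries carry no platform would panic here instead of returning an error; whether callers can pass such an index is not visible from the hunk. A guard before that line would keep the failure in the error path: `if m.Platform == nil { return name.Digest{}, fmt.Errorf("manifest %s has no platform", m.Digest) }`. The loop body continues outside the hunk.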