bump fulcio dep to 0.5.2 (#2176)

* bump fulcio dep to 0.5.2

Signed-off-by: Kenny Leung <kleung@chainguard.dev>

* io/ioutil deprecated, fix test

Signed-off-by: Kenny Leung <kleung@chainguard.dev>

* gofmt

Signed-off-by: Kenny Leung <kleung@chainguard.dev>

* gofmt

Signed-off-by: Kenny Leung <kleung@chainguard.dev>

* gofmt

Signed-off-by: Kenny Leung <kleung@chainguard.dev>

Signed-off-by: Kenny Leung <kleung@chainguard.dev>

cmd/cosign/cli/dockerfile/verify_test.go

@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//     http://www.apache.org/licenses/LICENSE-2.0
+//	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,

cmd/cosign/cli/fulcio/fulcio.go

@@ -62,7 +62,7 @@ func (rf *realConnector) OIDConnect(url, clientID, secret, redirectURL string) (
 	return oauthflow.OIDConnect(url, clientID, secret, redirectURL, rf.flow)
 }
 
-func getCertForOauthID(priv *ecdsa.PrivateKey, fc api.Client, connector oidcConnector, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string) (*api.CertificateResponse, error) {
+func getCertForOauthID(priv *ecdsa.PrivateKey, fc api.LegacyClient, connector oidcConnector, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string) (*api.CertificateResponse, error) {
 	pubBytes, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
 	if err != nil {
 		return nil, err
@@ -92,7 +92,7 @@ func getCertForOauthID(priv *ecdsa.PrivateKey, fc api.Client, connector oidcConn
 }
 
 // GetCert returns the PEM-encoded signature of the OIDC identity returned as part of an interactive oauth2 flow plus the PEM-encoded cert chain.
-func GetCert(ctx context.Context, priv *ecdsa.PrivateKey, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.Client) (*api.CertificateResponse, error) {
+func GetCert(ctx context.Context, priv *ecdsa.PrivateKey, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.LegacyClient) (*api.CertificateResponse, error) {
 	c := &realConnector{}
 	switch flow {
 	case flowDevice:
@@ -202,7 +202,7 @@ func GetIntermediates() (*x509.CertPool, error) {
 	return fulcioroots.GetIntermediates()
 }
 
-func NewClient(fulcioURL string) (api.Client, error) {
+func NewClient(fulcioURL string) (api.LegacyClient, error) {
 	fulcioServer, err := url.Parse(fulcioURL)
 	if err != nil {
 		return nil, err

cmd/cosign/cli/fulcio/fulcio_test.go

@@ -49,7 +49,7 @@ type testClient struct {
 	err      error
 }
 
-var _ api.Client = (*testClient)(nil)
+var _ api.LegacyClient = (*testClient)(nil)
 
 func (p *testClient) SigningCert(cr api.CertificateRequest, token string) (*api.CertificateResponse, error) {
 	return &p.payload, p.err

cmd/cosign/cli/fulcio/fulcioverifier/ctutil/ctutil.go

@@ -52,26 +52,26 @@ func LeafHashB64(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp,
 //
 // This function can be used with three different types of leaf certificate:
 //   - X.509 Certificate:
-//       If using this function to calculate the leaf hash for a normal X.509
-//       certificate then it is enough to just provide the end entity
-//       certificate in chain. This case assumes that the SCT being provided is
-//       not embedded within the leaf certificate provided, i.e. the certificate
-//       is what was submitted to the Certificate Transparency Log in order to
-//       obtain the SCT.  For this case, set embedded to false.
+//     If using this function to calculate the leaf hash for a normal X.509
+//     certificate then it is enough to just provide the end entity
+//     certificate in chain. This case assumes that the SCT being provided is
+//     not embedded within the leaf certificate provided, i.e. the certificate
+//     is what was submitted to the Certificate Transparency Log in order to
+//     obtain the SCT.  For this case, set embedded to false.
 //   - Precertificate:
-//       If using this function to calculate the leaf hash for a precertificate
-//       then the issuing certificate must also be provided in chain.  The
-//       precertificate should be at chain[0], and its issuer at chain[1].  For
-//       this case, set embedded to false.
+//     If using this function to calculate the leaf hash for a precertificate
+//     then the issuing certificate must also be provided in chain.  The
+//     precertificate should be at chain[0], and its issuer at chain[1].  For
+//     this case, set embedded to false.
 //   - X.509 Certificate containing the SCT embedded within it:
-//       If using this function to calculate the leaf hash for a certificate
-//       where the SCT provided is embedded within the certificate you
-//       are providing at chain[0], set embedded to true.  LeafHash will
-//       calculate the leaf hash by building the corresponding precertificate.
-//       LeafHash will return an error if the provided SCT cannot be found
-//       embedded within chain[0].  As with the precertificate case, the issuing
-//       certificate must also be provided in chain.  The certificate containing
-//       the embedded SCT should be at chain[0], and its issuer at chain[1].
+//     If using this function to calculate the leaf hash for a certificate
+//     where the SCT provided is embedded within the certificate you
+//     are providing at chain[0], set embedded to true.  LeafHash will
+//     calculate the leaf hash by building the corresponding precertificate.
+//     LeafHash will return an error if the provided SCT cannot be found
+//     embedded within chain[0].  As with the precertificate case, the issuing
+//     certificate must also be provided in chain.  The certificate containing
+//     the embedded SCT should be at chain[0], and its issuer at chain[1].
 //
 // Note: LeafHash doesn't check that the provided SCT verifies for the given
 // chain.  It simply calculates what the leaf hash would be for the given
@@ -91,25 +91,25 @@ func LeafHash(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, emb
 //
 // This function can be used with three different types of leaf certificate:
 //   - X.509 Certificate:
-//       If using this function to verify an SCT for a normal X.509 certificate
-//       then it is enough to just provide the end entity certificate in chain.
-//       This case assumes that the SCT being provided is not embedded within
-//       the leaf certificate provided, i.e. the certificate is what was
-//       submitted to the Certificate Transparency Log in order to obtain the
-//       SCT.  For this case, set embedded to false.
+//     If using this function to verify an SCT for a normal X.509 certificate
+//     then it is enough to just provide the end entity certificate in chain.
+//     This case assumes that the SCT being provided is not embedded within
+//     the leaf certificate provided, i.e. the certificate is what was
+//     submitted to the Certificate Transparency Log in order to obtain the
+//     SCT.  For this case, set embedded to false.
 //   - Precertificate:
-//       If using this function to verify an SCT for a precertificate then the
-//       issuing certificate must also be provided in chain.  The precertificate
-//       should be at chain[0], and its issuer at chain[1].  For this case, set
-//       embedded to false.
+//     If using this function to verify an SCT for a precertificate then the
+//     issuing certificate must also be provided in chain.  The precertificate
+//     should be at chain[0], and its issuer at chain[1].  For this case, set
+//     embedded to false.
 //   - X.509 Certificate containing the SCT embedded within it:
-//       If the SCT you wish to verify is embedded within the certificate you
-//       are providing at chain[0], set embedded to true.  VerifySCT will
-//       verify the provided SCT by building the corresponding precertificate.
-//       VerifySCT will return an error if the provided SCT cannot be found
-//       embedded within chain[0].  As with the precertificate case, the issuing
-//       certificate must also be provided in chain.  The certificate containing
-//       the embedded SCT should be at chain[0], and its issuer at chain[1].
+//     If the SCT you wish to verify is embedded within the certificate you
+//     are providing at chain[0], set embedded to true.  VerifySCT will
+//     verify the provided SCT by building the corresponding precertificate.
+//     VerifySCT will return an error if the provided SCT cannot be found
+//     embedded within chain[0].  As with the precertificate case, the issuing
+//     certificate must also be provided in chain.  The certificate containing
+//     the embedded SCT should be at chain[0], and its issuer at chain[1].
 func VerifySCT(pubKey crypto.PublicKey, chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) error {
 	s, err := ct.NewSignatureVerifier(pubKey)
 	if err != nil {
@@ -126,25 +126,25 @@ func VerifySCT(pubKey crypto.PublicKey, chain []*x509.Certificate, sct *ct.Signe
 //
 // This function can be used with three different types of leaf certificate:
 //   - X.509 Certificate:
-//       If using this function to verify an SCT for a normal X.509 certificate
-//       then it is enough to just provide the end entity certificate in chain.
-//       This case assumes that the SCT being provided is not embedded within
-//       the leaf certificate provided, i.e. the certificate is what was
-//       submitted to the Certificate Transparency Log in order to obtain the
-//       SCT.  For this case, set embedded to false.
+//     If using this function to verify an SCT for a normal X.509 certificate
+//     then it is enough to just provide the end entity certificate in chain.
+//     This case assumes that the SCT being provided is not embedded within
+//     the leaf certificate provided, i.e. the certificate is what was
+//     submitted to the Certificate Transparency Log in order to obtain the
+//     SCT.  For this case, set embedded to false.
 //   - Precertificate:
-//       If using this function to verify an SCT for a precertificate then the
-//       issuing certificate must also be provided in chain.  The precertificate
-//       should be at chain[0], and its issuer at chain[1].  For this case, set
-//       embedded to false.
+//     If using this function to verify an SCT for a precertificate then the
+//     issuing certificate must also be provided in chain.  The precertificate
+//     should be at chain[0], and its issuer at chain[1].  For this case, set
+//     embedded to false.
 //   - X.509 Certificate containing the SCT embedded within it:
-//       If the SCT you wish to verify is embedded within the certificate you
-//       are providing at chain[0], set embedded to true.  VerifySCT will
-//       verify the provided SCT by building the corresponding precertificate.
-//       VerifySCT will return an error if the provided SCT cannot be found
-//       embedded within chain[0].  As with the precertificate case, the issuing
-//       certificate must also be provided in chain.  The certificate containing
-//       the embedded SCT should be at chain[0], and its issuer at chain[1].
+//     If the SCT you wish to verify is embedded within the certificate you
+//     are providing at chain[0], set embedded to true.  VerifySCT will
+//     verify the provided SCT by building the corresponding precertificate.
+//     VerifySCT will return an error if the provided SCT cannot be found
+//     embedded within chain[0].  As with the precertificate case, the issuing
+//     certificate must also be provided in chain.  The certificate containing
+//     the embedded SCT should be at chain[0], and its issuer at chain[1].
 func VerifySCTWithVerifier(sv *ct.SignatureVerifier, chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) error {
 	if sv == nil {
 		return errors.New("ct.SignatureVerifier is nil")

cmd/cosign/cli/options/registry.go

@@ -17,7 +17,7 @@ package options
 import (
 	"context"
 	"crypto/tls"
-	"io/ioutil"
+	"io"
 	"net/http"
 
 	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
@@ -83,7 +83,7 @@ func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Op
 		kc := authn.NewMultiKeychain(
 			authn.DefaultKeychain,
 			google.Keychain,
-			authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(ioutil.Discard))),
+			authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))),
 			authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
 			github.Keychain,
 		)

cmd/cosign/cli/verify/verify_blob_test.go

@@ -17,7 +17,7 @@ package verify
 import (
 	"encoding/base64"
 	"encoding/json"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"testing"
 
@@ -80,7 +80,7 @@ func TestSignaturesBundle(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err := ioutil.WriteFile(fp, contents, 0644); err != nil {
+	if err := os.WriteFile(fp, contents, 0644); err != nil {
 		t.Fatal(err)
 	}
 

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/miekg/pkcs11 v1.1.1
 	github.com/open-policy-agent/opa v0.43.0
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0
-	github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7
+	github.com/sigstore/fulcio v0.5.2
 	github.com/sigstore/rekor v0.11.0
 	github.com/sigstore/sigstore v1.4.0
 	github.com/spf13/cobra v1.5.0
@@ -66,8 +66,6 @@ require (
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/PaesslerAG/gval v1.0.0 // indirect
-	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
 	github.com/agnivade/levenshtein v1.0.1 // indirect
 	github.com/armon/go-metrics v0.4.0 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
@@ -152,7 +150,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v1.2.2 // indirect
@@ -269,7 +267,7 @@ require (
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 // indirect
 	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	golang.org/x/tools v0.1.11 // indirect
 	google.golang.org/appengine v1.6.7 // indirect