WIP: split OIDC providers into separate Go modules

.github/workflows/kind-e2e-insecure-registry.yaml

@@ -59,7 +59,7 @@ jobs:
 
     - name: Install Cosign
       run: |
-        go install ./cmd/cosign
+        go install -C ./cmd/cosign
 
     - name: Setup mirror
       uses: chainguard-dev/actions/setup-mirror@main

.goreleaser.yml

@@ -27,7 +27,8 @@ builds:
   - id: linux
     binary: cosign-linux-{{ .Arch }}
     no_unique_dist_dir: true
-    main: ./cmd/cosign
+    main: .
+    dir: ./cmd/cosign
     flags:
       - -trimpath
     mod_timestamp: '{{ .CommitTimestamp }}'
@@ -50,7 +51,8 @@ builds:
   - id: linux-pivkey-pkcs11key-amd64
     binary: cosign-linux-pivkey-pkcs11key-amd64
     no_unique_dist_dir: true
-    main: ./cmd/cosign
+    main: .
+    dir: ./cmd/cosign
     flags:
       - -trimpath
     mod_timestamp: '{{ .CommitTimestamp }}'
@@ -73,7 +75,8 @@ builds:
   - id: linux-pivkey-pkcs11key-arm64
     binary: cosign-linux-pivkey-pkcs11key-arm64
     no_unique_dist_dir: true
-    main: ./cmd/cosign
+    main: .
+    dir: ./cmd/cosign
     flags:
       - -trimpath
     mod_timestamp: '{{ .CommitTimestamp }}'
@@ -101,7 +104,8 @@ builds:
     env:
       - CC=o64-clang
       - CXX=o64-clang++
-    main: ./cmd/cosign
+    main: .
+    dir: ./cmd/cosign
     flags:
       - -trimpath
     mod_timestamp: '{{ .CommitTimestamp }}'
@@ -121,7 +125,8 @@ builds:
     env:
       - CC=aarch64-apple-darwin21.4-clang
       - CXX=aarch64-apple-darwin21.4-clang++
-    main: ./cmd/cosign
+    main: .
+    dir: ./cmd/cosign
     flags:
       - -trimpath
     goos:
@@ -140,7 +145,8 @@ builds:
     env:
       - CC=x86_64-w64-mingw32-gcc
       - CXX=x86_64-w64-mingw32-g++
-    main: ./cmd/cosign
+    main: .
+    dir: ./cmd/cosign
     mod_timestamp: '{{ .CommitTimestamp }}'
     flags:
       - -trimpath

Makefile

@@ -79,10 +79,10 @@ log-%:
 			}'
 
 cosign: $(SRCS)
-	CGO_ENABLED=0 $(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/cosign
+	CGO_ENABLED=0 $(GOEXE) build -C ./cmd/cosign -trimpath -ldflags "$(LDFLAGS)" -o ./../../$@
 
 cosign-pivkey-pkcs11key: $(SRCS)
-	CGO_ENABLED=1 $(GOEXE) build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign
+	CGO_ENABLED=1 $(GOEXE) build -C ./cmd/cosign -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o ../../cosign
 
 .PHONY: cross
 cross:

README.md

@@ -40,7 +40,7 @@ If you have Go 1.19+, you can setup a development environment:
 ```shell
 $ git clone https://github.com/sigstore/cosign
 $ cd cosign
-$ go install ./cmd/cosign
+$ go install -C ./cmd/cosign
 $ $(go env GOPATH)/bin/cosign
 ```
 
@@ -747,6 +747,6 @@ process](https://github.com/sigstore/.github/blob/main/SECURITY.md)
 
 ## PEM files in GitHub Release Assets
 
-The GitHub release assets for cosign contain a PEM file produced by [GoReleaser](https://github.com/sigstore/cosign/blob/ac999344eb381ae91455b0a9c5c267e747608d76/.goreleaser.yml#L166) while signing the cosign blob that is used to verify the integrity of the release binaries. This file is not used by cosign itself, but is provided for users who wish to verify the integrity of the release binaries. 
+The GitHub release assets for cosign contain a PEM file produced by [GoReleaser](https://github.com/sigstore/cosign/blob/ac999344eb381ae91455b0a9c5c267e747608d76/.goreleaser.yml#L166) while signing the cosign blob that is used to verify the integrity of the release binaries. This file is not used by cosign itself, but is provided for users who wish to verify the integrity of the release binaries.
 
 By default, cosign output these PEM files in [base64 encoded format](https://github.com/sigstore/cosign/blob/main/doc/cosign_sign-blob.md#options), this approach might be good for air-gapped environments where the PEM file is stored in a file system. So, you should decode these PEM files before using them to verify the blobs.

cmd/cosign/cli/attest/attest_blob_test.go

@@ -34,7 +34,7 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/test"
+	"github.com/sigstore/cosign/v2/pkg/cosign/test"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
 	"github.com/theupdateframework/go-tuf/encrypted"

cmd/cosign/cli/fulcio/fulcio_test.go

@@ -30,7 +30,7 @@ import (
 
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/test"
+	"github.com/sigstore/cosign/v2/pkg/cosign/test"
 	"github.com/sigstore/fulcio/pkg/api"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/oauthflow"

cmd/cosign/cli/options/predicate.go

@@ -19,34 +19,31 @@ import (
 	"fmt"
 	"net/url"
 
-	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
-
-	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/spf13/cobra"
 
-	"github.com/sigstore/cosign/v2/pkg/cosign/attestation"
+	"github.com/sigstore/cosign/v2/pkg/policy"
 )
 
 const (
-	PredicateCustom    = "custom"
-	PredicateSLSA      = "slsaprovenance"
-	PredicateSPDX      = "spdx"
-	PredicateSPDXJSON  = "spdxjson"
-	PredicateCycloneDX = "cyclonedx"
-	PredicateLink      = "link"
-	PredicateVuln      = "vuln"
+	// Deprecated: Use pkg/cosign/policy.PredicateCustom instead.
+	PredicateCustom = policy.PredicateCustom
+	// Deprecated: Use pkg/cosign/policy.PredicateSLSA instead.
+	PredicateSLSA = policy.PredicateSLSA
+	// Deprecated: Use pkg/cosign/policy.PredicateSPDX instead.
+	PredicateSPDX = policy.PredicateSPDX
+	// Deprecated: Use pkg/cosign/policy.PredicateSPDXJSON instead.
+	PredicateSPDXJSON = policy.PredicateSPDXJSON
+	// Deprecated: Use pkg/cosign/policy.PredicateCycloneDX instead.
+	PredicateCycloneDX = policy.PredicateCycloneDX
+	// Deprecated: Use pkg/cosign/policy.PredicateLink instead.
+	PredicateLink = policy.PredicateLink
+	// Deprecated: Use pkg/cosign/policy.PredicateVuln instead.
+	PredicateVuln = policy.PredicateVuln
 )
 
 // PredicateTypeMap is the mapping between the predicate `type` option to predicate URI.
-var PredicateTypeMap = map[string]string{
-	PredicateCustom:    attestation.CosignCustomProvenanceV01,
-	PredicateSLSA:      slsa.PredicateSLSAProvenance,
-	PredicateSPDX:      in_toto.PredicateSPDX,
-	PredicateSPDXJSON:  in_toto.PredicateSPDX,
-	PredicateCycloneDX: in_toto.PredicateCycloneDX,
-	PredicateLink:      in_toto.PredicateLinkV1,
-	PredicateVuln:      attestation.CosignVulnProvenanceV01,
-}
+// Deprecated: Use pkg/cosign/policy.PredicateTypeMap instead.
+var PredicateTypeMap = policy.PredicateTypeMap
 
 // PredicateOptions is the wrapper for predicate related options.
 type PredicateOptions struct {

cmd/cosign/cli/sign/sign.go

@@ -57,8 +57,16 @@ import (
 	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 	sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
 
-	// Loads OIDC providers
-	_ "github.com/sigstore/cosign/v2/pkg/providers/all"
+	//
+	_ "github.com/sigstore/cosign/v2/pkg/providers/github"
+
+	//
+	_ "github.com/sigstore/cosign/v2/pkg/providers"
+	_ "github.com/sigstore/cosign/v2/pkg/providers/buildkite"
+	_ "github.com/sigstore/cosign/v2/pkg/providers/envvar"
+	_ "github.com/sigstore/cosign/v2/pkg/providers/filesystem"
+	_ "github.com/sigstore/cosign/v2/pkg/providers/google"
+	_ "github.com/sigstore/cosign/v2/pkg/providers/spiffe"
 )
 
 func ShouldUploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Reference, tlogUpload bool) (bool, error) {

cmd/cosign/cli/sign/sign_test.go

@@ -32,7 +32,7 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/test"
+	"github.com/sigstore/cosign/v2/pkg/cosign/test"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/theupdateframework/go-tuf/encrypted"
 )

cmd/cosign/cli/verify/verify_blob_test.go

@@ -42,9 +42,9 @@ import (
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/mock"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
+	"github.com/sigstore/cosign/v2/pkg/cosign/test"
 	sigs "github.com/sigstore/cosign/v2/pkg/signature"
 	ctypes "github.com/sigstore/cosign/v2/pkg/types"
-	"github.com/sigstore/cosign/v2/test"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/pki"
 	"github.com/sigstore/rekor/pkg/types"

cmd/cosign/cli/verify/verify_test.go

@@ -36,9 +36,9 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/internal/ui"
+	"github.com/sigstore/cosign/v2/pkg/cosign/test"
 	"github.com/sigstore/cosign/v2/pkg/oci"
 	"github.com/sigstore/cosign/v2/pkg/oci/static"
-	"github.com/sigstore/cosign/v2/test"
 	"github.com/sigstore/sigstore/pkg/signature/payload"
 	"github.com/stretchr/testify/assert"
 )