From db8c5d63dc33b42bad8e030563e89d73fd62a537 Mon Sep 17 00:00:00 2001
From: Christian Rebischke
Date: Sat, 29 Mar 2025 15:17:44 +0100
Subject: [PATCH] Deprecate all packages in in-toto-golang

This commit deprecates all packages within in-toto-golang and the most important methods.

Signed-off-by: Christian Rebischke
---
 in_toto/keylib.go | 14 +++++++++-
 in_toto/model.go | 14 ++++++++++
 in_toto/runlib.go | 14 ++++++++++
 in_toto/runlib_test.go | 2 +-
 in_toto/slsa_provenance/common/common.go | 1 +
 in_toto/slsa_provenance/v0.1/provenance.go | 1 +
 in_toto/slsa_provenance/v0.2/provenance.go | 1 +
 in_toto/slsa_provenance/v1/provenance.go | 1 +
 in_toto/verifylib.go | 30 ++++++++++++++++++++++
 in_toto/verifylib_test.go | 6 ++---
 internal/spiffe/spiffe.go | 1 +
 11 files changed, 80 insertions(+), 5 deletions(-)

diff --git a/in_toto/keylib.go b/in_toto/keylib.go
index a3994c84..a7d2d102 100644
--- a/in_toto/keylib.go
+++ b/in_toto/keylib.go
@@ -285,6 +285,8 @@ On success it will return nil. The following errors can happen: - no valid PKCS8/PKCS1 private key or PKIX public key - errors while marshalling - unsupported key types
+
+Deprecated: This method has been deprecated.
 */
 func (k *Key) LoadKey(path string, scheme string, KeyIDHashAlgorithms []string) error {
 pemFile, err := os.Open(path)
@@ -301,6 +303,9 @@ func (k *Key) LoadKey(path string, scheme string, KeyIDHashAlgorithms []string)
 return pemFile.Close()
 }
+// LoadKeyDefaults has been deprecated.
+//
+// Deprecated: This method has been deprecated.
 func (k *Key) LoadKeyDefaults(path string) error {
 pemFile, err := os.Open(path)
 if err != nil {
@@ -317,6 +322,8 @@ func (k *Key) LoadKeyDefaults(path string) error {
 }
 // LoadKeyReader loads the key from a supplied reader. The logic matches LoadKey otherwise.
+//
+// Deprecated: This method has been deprecated.
 func (k *Key) LoadKeyReader(r io.Reader, scheme string, KeyIDHashAlgorithms []string) error {
 if r == nil {
 return ErrNoPEMBlock
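Review bot: The `Deprecated:` paragraph added to LoadKey names no replacement, so every caller now gets a staticcheck SA1019 warning with nowhere to migrate, while the package-level notice this same patch adds to verifylib.go at least points at go-witness. Give the method notice the same pointer, e.g. `Deprecated: the in_toto package is deprecated in favor of https://github.com/in-toto/go-witness.`, and only add "use its key loading helpers instead" if go-witness really offers an equivalent — I cannot confirm that from this patch. LoadKey's body continues outside the hunk.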
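Review bot: The new first sentence `// LoadKeyDefaults has been deprecated.` takes the place of a description of the method, so `go doc` now says nothing about what LoadKeyDefaults does. Keep the Deprecated paragraph but lead with behavior, presumably `// LoadKeyDefaults loads the PEM-encoded key at path using the default scheme and key ID hash algorithms; it otherwise matches LoadKey.` — only `os.Open(path)` is visible in the hunk, so confirm the wording against the call the body makes. The `// LoadKeyReaderDefaults has been deprecated.` comment in the next hunk has the same problem.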
@@ -336,6 +343,9 @@ func (k *Key) LoadKeyReader(r io.Reader, scheme string, KeyIDHashAlgorithms []st
 return k.loadKey(key, pemData, scheme, KeyIDHashAlgorithms)
 }
+// LoadKeyReaderDefaults has been deprecated.
+//
+// Deprecated: This method has been deprecated.
 func (k *Key) LoadKeyReaderDefaults(r io.Reader) error {
 if r == nil {
 return ErrNoPEMBlock
@@ -447,7 +457,9 @@ func (k *Key) loadKey(keyObj interface{}, pemData *pem.Block, scheme string, key
 /*
 VerifyCertificateTrust verifies that the certificate has a chain of trust to a root in rootCertPool, possibly using any intermediates in
-intermediateCertPool
+intermediateCertPool.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyCertificateTrust(cert *x509.Certificate, rootCertPool, intermediateCertPool *x509.CertPool) ([][]*x509.Certificate, error) {
 verifyOptions := x509.VerifyOptions{
diff --git a/in_toto/model.go b/in_toto/model.go
index 40815356..4298995f 100644
--- a/in_toto/model.go
+++ b/in_toto/model.go
@@ -816,6 +816,8 @@ a valid JSON formatted Metablock that contains a Link or Layout.
 Deprecated: Use LoadMetadata for a signature wrapper agnostic way to load an envelope.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) Load(path string) error {
 // Read entire file
@@ -858,6 +860,8 @@ func (mb *Metablock) Load(path string) error {
 /*
 Dump JSON serializes and writes the Metablock on which it was called to the passed path. It returns an error if JSON serialization or writing fails.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) Dump(path string) error {
 // JSON encode Metablock formatted with newlines and indentation
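Review bot: Deprecating VerifyCertificateTrust with a bare `Deprecated: This method has been deprecated.` leaves the layout-CA path without a named successor — LoadLayoutCertificates and VerifyLinkSignatureThesholds later in this patch still build and pass the root and intermediate pools it consumes — and a lint warning on a trust-chain check is the kind that tends to get suppressed or deleted rather than migrated. Say where chain verification should move, or, if that is the intent, that this remains the required check for certificate-signed links until callers move off the package, e.g. `Deprecated: the in_toto package is deprecated in favor of https://github.com/in-toto/go-witness; callers still on this package must keep using this check for certificate-signed links.` The `x509.VerifyOptions` body is outside the hunk.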
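Review bot: This hunk leaves Metablock.Load with two `Deprecated:` paragraphs — the existing `Deprecated: Use LoadMetadata for a signature wrapper agnostic way to load an envelope.` and the new, less informative `Deprecated: This method has been deprecated.` Tools that parse the marker expect a single such paragraph, so the addition is redundant at best and hides the useful pointer at worst. Drop the two added lines here, or fold the package pointer into the existing paragraph: `Deprecated: Use LoadMetadata for a signature wrapper agnostic way to load an envelope; the whole in_toto package is deprecated in favor of https://github.com/in-toto/go-witness.`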
@@ -880,6 +884,8 @@ func (mb *Metablock) Dump(path string) error {
 GetSignableRepresentation returns the canonical JSON representation of the Signed field of the Metablock on which it was called. If canonicalization fails the first return value is nil and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) GetSignableRepresentation() ([]byte, error) {
 return cjson.EncodeCanonical(mb.Signed)
@@ -899,6 +905,8 @@ that it finds in the Signatures field of the Metablock on which it was called. It returns an error if Signatures does not contain a Signature corresponding to the passed Key, the object in Signed cannot be canonicalized, or the Signature is invalid.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) VerifySignature(key Key) error {
 sig, err := mb.GetSignatureForKeyID(key.KeyID)
@@ -930,6 +938,8 @@ func (mb *Metablock) VerifySignature(key Key) error {
 }
 // GetSignatureForKeyID returns the signature that was created by the provided keyID, if it exists.
+//
+// Deprecated: This method has been deprecated.
 func (mb *Metablock) GetSignatureForKeyID(keyID string) (Signature, error) {
 for _, s := range mb.Signatures {
 if s.KeyID == keyID {
@@ -943,6 +953,8 @@ func (mb *Metablock) GetSignatureForKeyID(keyID string) (Signature, error) {
 /*
 ValidateMetablock ensures that a passed Metablock object is valid. It indirectly validates the Link or Layout that the Metablock object contains.
+
+Deprecated: This method has been deprecated.
 */
 func ValidateMetablock(mb Metablock) error {
 switch mbSignedType := mb.Signed.(type) {
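Review bot: Marking Metablock.VerifySignature deprecated at method level, on top of the package-level notice, means the package's own call sites — InTotoRecordStop's `prelimLinkEnv.VerifySignature(key)` is visible later in this patch — may now trip SA1019 depending on how the repo's linter treats same-module uses; check that the lint job still passes, or keep the deprecation at package level only for functions the package itself calls. If the method notice stays, it should name the intended successor for signature verification (the DSSE envelope path selected by `useDSSE` elsewhere in this patch, or go-witness) rather than restating that it is deprecated. The signature-check body is outside the hunk.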
@@ -971,6 +983,8 @@ Sign creates a signature over the signed portion of the metablock using the Key object provided. It then appends the resulting signature to the signatures field as provided. It returns an error if the Signed object cannot be canonicalized, or if the key is invalid or not supported.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) Sign(key Key) error {
 signer, err := getSignerVerifierFromKey(key)
diff --git a/in_toto/runlib.go b/in_toto/runlib.go
index 4cc03216..2a481d9f 100644
--- a/in_toto/runlib.go
+++ b/in_toto/runlib.go
@@ -40,6 +40,8 @@ If reading the file fails, the first return value is nil and the second return value is the error. NOTE: For cross-platform consistency Windows-style line separators (CRLF) are normalized to Unix-style line separators (LF) before hashing file contents.
+
+Deprecated: This method has been deprecated.
 */
 func RecordArtifact(path string, hashAlgorithms []string, lineNormalization bool) (HashObj, error) {
 supportedHashMappings := getHashMapping()
@@ -91,6 +93,8 @@ the following format: If recording an artifact fails the first return value is nil and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func RecordArtifacts(paths []string, hashAlgorithms []string, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool) (evalArtifacts map[string]HashObj, err error) {
 // Make sure to initialize a fresh hashset for every RecordArtifacts call
@@ -273,6 +277,8 @@ If the command cannot be executed or no pipes for stdout or stderr can be created the first return value is nil and the second return value is the error. NOTE: Since stdout and stderr are captured, they cannot be seen during the command execution.
+
+Deprecated: This method has been deprecated.
 */
 func RunCommand(cmdArgs []string, runDir string) (map[string]interface{}, error) {
 if len(cmdArgs) == 0 {
@@ -318,6 +324,8 @@ metadata. Link metadata contains recorded products at the passed productPaths and materials at the passed materialPaths. The returned link is wrapped in a Metablock object. If command execution or artifact recording fails the first return value is an empty Metablock and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoRun(name string, runDir string, materialPaths []string, productPaths []string, cmdArgs []string, key Key, hashAlgorithms []string, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool, useDSSE bool) (Metadata, error) {
 materials, err := RecordArtifacts(materialPaths, hashAlgorithms, gitignorePatterns, lStripPaths, lineNormalization, followSymlinkDirs)
@@ -379,6 +387,8 @@ InTotoRecordStart begins the creation of a link metablock file in two steps, in order to provide evidence for supply chain steps that cannot be carries out by a single command. InTotoRecordStart collects the hashes of the materials before any commands are run, signs the unfinished link, and returns the link.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoRecordStart(name string, materialPaths []string, key Key, hashAlgorithms, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool, useDSSE bool) (Metadata, error) {
 materials, err := RecordArtifacts(materialPaths, hashAlgorithms, gitignorePatterns, lStripPaths, lineNormalization, followSymlinkDirs)
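Review bot: The InTotoRecordStart doc comment this hunk extends still reads `cannot be carries out by a single command`; since the comment is being edited anyway, change it to `cannot be carried out by a single command`. It would also help a migrating caller to state, next to the new Deprecated paragraph, that the unfinished link returned here is signed with the key that InTotoRecordStop later checks via `prelimLinkEnv.VerifySignature(key)` (visible in the next file section), because that pairing is the contract a replacement has to preserve. InTotoRecordStart's body continues outside the hunk.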
@@ -428,6 +438,8 @@ InTotoRecordStart. InTotoRecordStop takes in a signed unfinished link metablock created by InTotoRecordStart and records the hashes of any products created by commands run between InTotoRecordStart and InTotoRecordStop. The resultant finished link metablock is then signed by the provided key and returned.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoRecordStop(prelimLinkEnv Metadata, productPaths []string, key Key, hashAlgorithms, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool, useDSSE bool) (Metadata, error) {
 if err := prelimLinkEnv.VerifySignature(key); err != nil {
@@ -475,6 +487,8 @@ func InTotoRecordStop(prelimLinkEnv Metadata, productPaths []string, key Key, ha
 InTotoMatchProducts checks if local artifacts match products in passed link. NOTE: Does not check integrity or authenticity of passed link!
+
+Deprecated: This method has been deprecated.
 */
 func InTotoMatchProducts(link *Link, paths []string, hashAlgorithms []string, excludePatterns []string, lstripPaths []string) ([]string, []string, []string, error) {
 if len(paths) == 0 {
diff --git a/in_toto/runlib_test.go b/in_toto/runlib_test.go
index 6036f52f..f38e0a68 100644
--- a/in_toto/runlib_test.go
+++ b/in_toto/runlib_test.go
@@ -450,7 +450,7 @@ func TestInTotoRun(t *testing.T) {
 },
 },
 Products: map[string]HashObj{
- "foo.tar.gz": HashObj{
+ "foo.tar.gz": {
 "sha256": "52947cb78b91ad01fe81cd6aef42d1f6817e92b9e6936c1e5aabb7c98514f355",
 },
 },
diff --git a/in_toto/slsa_provenance/common/common.go b/in_toto/slsa_provenance/common/common.go
index a45a4546..6ac60030 100644
--- a/in_toto/slsa_provenance/common/common.go
+++ b/in_toto/slsa_provenance/common/common.go
@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package common
 // DigestSet contains a set of digests. It is represented as a map from
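Review bot: The new package comment on common.go is only the Deprecated line, so `go doc` shows no description of what package common provides; open with `// Package common holds the SLSA provenance types shared by the versioned provenance packages, such as DigestSet.`, then a blank `//` line, then the Deprecated paragraph (the DigestSet comment is the next visible line). If another file in this package already carries a package comment, which I cannot see here, go/doc merges the two, so keep only one. Separately, if go-witness itself still imports these slsa_provenance types — not something this patch shows either way — sending consumers there for the provenance structs is circular, and the notice should name the concrete replacement package instead.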
diff --git a/in_toto/slsa_provenance/v0.1/provenance.go b/in_toto/slsa_provenance/v0.1/provenance.go
index 5978e922..ef0fd51c 100644
--- a/in_toto/slsa_provenance/v0.1/provenance.go
+++ b/in_toto/slsa_provenance/v0.1/provenance.go
@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package v01
 import (
diff --git a/in_toto/slsa_provenance/v0.2/provenance.go b/in_toto/slsa_provenance/v0.2/provenance.go
index 40416e29..555e724b 100644
--- a/in_toto/slsa_provenance/v0.2/provenance.go
+++ b/in_toto/slsa_provenance/v0.2/provenance.go
@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package v02
 import (
diff --git a/in_toto/slsa_provenance/v1/provenance.go b/in_toto/slsa_provenance/v1/provenance.go
index 5a26445c..e33b7458 100644
--- a/in_toto/slsa_provenance/v1/provenance.go
+++ b/in_toto/slsa_provenance/v1/provenance.go
@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package v1
 import (
diff --git a/in_toto/verifylib.go b/in_toto/verifylib.go
index de9dfa7e..1e614a59 100644
--- a/in_toto/verifylib.go
+++ b/in_toto/verifylib.go
@@ -2,6 +2,8 @@
 Package in_toto implements types and routines to verify a software supply chain according to the in-toto specification. See https://github.com/in-toto/docs/blob/master/in-toto-spec.md
+
+Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 */
 package in_toto
@@ -41,6 +43,8 @@ returned. The format is: If executing the inspection command fails, or if the executed command has a non-zero exit code, the first return value is an empty Metablock map and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func RunInspections(layout Layout, runDir string, lineNormalization bool, useDSSE bool) (map[string]Metadata, error) {
 inspectionMetadata := make(map[string]Metadata)
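Review bot: Once this package-level `Deprecated:` paragraph is on `package in_toto`, every import of the package is flagged by staticcheck regardless of the per-method notices this patch also adds, so the repeated `Deprecated: This method has been deprecated.` lines contribute no tooling signal and will only drift out of sync; either drop them or give them content the package notice lacks. The package notice itself would serve consumers better if it said what they can expect — whether layouts and links produced here can be verified by go-witness, and whether security fixes still land in this repository — rather than only the URL. I cannot tell either from this patch, so state whichever is true, e.g. `Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness. Only security fixes will be accepted here.` if that is the policy.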
@@ -189,6 +193,8 @@ All rules except for DISALLOW consume queued artifacts on success, and leave the queue unchanged on failure. Hence, it is left to a terminal DISALLOW rule to fail overall verification, if artifacts are left in the queue that should have been consumed by preceding rules.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyArtifacts(items []interface{}, itemsMetadata map[string]Metadata) error {
@@ -384,6 +390,8 @@ step. The function returns a map with one Metablock (link) per step: If links corresponding to the same step report different Materials or different Products, the first return value is an empty Metablock map and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func ReduceStepsMetadata(layout Layout, stepsMetadata map[string]map[string]Metadata) (map[string]Metadata,
@@ -447,6 +455,8 @@ VerifyStepCommandAlignment (soft) verifies that for each step of the passed layout the command executed, as per the passed link, matches the expected command, as per the layout. Soft verification means that, in case a command does not align, a warning is issued.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyStepCommandAlignment(layout Layout, stepsMetadata map[string]map[string]Metadata) {
@@ -482,6 +492,8 @@ LoadLayoutCertificates loads the root and intermediate CAs from the layout if in This will be used to check signatures that were used to sign links but not configured in the PubKeys section of the step. No configured CAs means we don't want to allow this. Returned CertPools will be empty in this case.
+
+Deprecated: This method has been deprecated.
 */
 func LoadLayoutCertificates(layout Layout, intermediatePems [][]byte) (*x509.CertPool, *x509.CertPool, error) {
 rootPool := x509.NewCertPool()
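Review bot: The context line `rootPool := x509.NewCertPool()` carries the security property the LoadLayoutCertificates doc describes (`No configured CAs means we don't want to allow this`): crypto/x509 treats a non-nil empty Roots pool as "trust nothing", whereas a nil Roots makes Verify fall back to the system root store, so a later refactor to `var rootPool *x509.CertPool` would silently widen trust. Since this doc comment is being edited, record that next to the returned-pools sentence, e.g. `Returned CertPools are empty but non-nil on purpose; a nil root pool would make crypto/x509 fall back to the system roots.` The rest of the function body is outside the hunk.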
@@ -533,6 +545,8 @@ links with valid signatures from distinct functionaries and has the format: If for any step of the layout there are not enough links available, the first return value is an empty map of Metablock maps and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyLinkSignatureThesholds(layout Layout, stepsMetadata map[string]map[string]Metadata, rootCertPool, intermediateCertPool *x509.CertPool) (
@@ -646,6 +660,8 @@ If a link cannot be loaded at a constructed link name or is invalid, it is ignored. Only a preliminary threshold check is performed, that is, if there aren't at least Threshold links for any given step, the first return value is an empty map of Metablock maps and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func LoadLinksForLayout(layout Layout, linkDir string) (map[string]map[string]Metadata, error) {
 stepsMetadata := make(map[string]map[string]Metadata)
@@ -690,6 +706,8 @@ func LoadLinksForLayout(layout Layout, linkDir string) (map[string]map[string]Me
 /*
 VerifyLayoutExpiration verifies that the passed Layout has not expired. It returns an error if the (zulu) date in the Expires field is in the past.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyLayoutExpiration(layout Layout) error {
 expires, err := time.Parse(ISO8601DateSchema, layout.Expires)
@@ -709,6 +727,8 @@ corresponding signature of the Layout in the passed Metablock's Signed field. Signatures and keys are associated by key id. If the key map is empty, or the Metablock's Signature field does not have a signature for one or more of the passed keys, or a matching signature is invalid, an error is returned.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyLayoutSignatures(layoutEnv Metadata, layoutKeys map[string]Key) error {
@@ -732,6 +752,8 @@ chain. NOTE: The assumption is that the steps mentioned in the layout are to be performed sequentially. So, the first step mentioned in the layout denotes what comes into the supply chain and the last step denotes what goes out.
+
+Deprecated: This method has been deprecated.
 */
 func GetSummaryLink(layout Layout, stepsMetadataReduced map[string]Metadata, stepName string, useDSSE bool) (Metadata, error) {
@@ -776,6 +798,8 @@ func GetSummaryLink(layout Layout, stepsMetadataReduced map[string]Metadata,
 VerifySublayouts checks if any step in the supply chain is a sublayout, and if so, recursively resolves it and replaces it with a summary link summarizing the steps carried out in the sublayout.
+
+Deprecated: This method has been deprecated.
 */
 func VerifySublayouts(layout Layout, stepsMetadataVerified map[string]map[string]Metadata,
@@ -832,6 +856,8 @@ in the following fields: The substitution marker is '{}' and the keyword within the braces is replaced by a value found in the substitution map passed, parameterDictionary. The layout with parameters substituted is returned to the calling function.
+
+Deprecated: This method has been deprecated.
 */
 func SubstituteParameters(layout Layout, parameterDictionary map[string]string) (Layout, error) {
@@ -907,6 +933,8 @@ Metablock object. NOTE: Artifact rules of type "create", "modify" and "delete" are currently not supported.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoVerify(layoutEnv Metadata, layoutKeys map[string]Key, linkDir string, stepName string, parameterDictionary map[string]string, intermediatePems [][]byte, lineNormalization bool) (
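Review bot: The SubstituteParameters doc says the keyword inside `{}` is replaced by whatever parameterDictionary holds, but not that the substituted values are then treated as part of the signed layout; InTotoVerify takes parameterDictionary alongside layoutKeys and RunInspections executes inspection commands (both visible in this patch), so if inspection command fields are among the substituted ones, a dictionary value from an untrusted source becomes a command argument. While this comment is being touched, add a sentence such as `parameterDictionary values are inserted verbatim and are not covered by the layout signature, so they must come from a source the verifier trusts.` The list of substituted fields (`in the following fields:`) and the function body are both outside the hunk, so confirm which fields are affected before wording it more strongly.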
@@ -1010,6 +1038,8 @@ func InTotoVerify(layoutEnv Metadata, layoutKeys map[string]Key,
 /*
 InTotoVerifyWithDirectory provides the same functionality as InTotoVerify, but adds the possibility to select a local directory from where the inspections are run.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoVerifyWithDirectory(layoutEnv Metadata, layoutKeys map[string]Key, linkDir string, runDir string, stepName string, parameterDictionary map[string]string, intermediatePems [][]byte, lineNormalization bool) (
diff --git a/in_toto/verifylib_test.go b/in_toto/verifylib_test.go
index cb8d3acd..a74a87cc 100644
--- a/in_toto/verifylib_test.go
+++ b/in_toto/verifylib_test.go
@@ -579,7 +579,7 @@ func TestVerifyArtifact(t *testing.T) {
 {
 name: "Consuming filename material in inspection",
 item: []interface{}{Inspection{SupplyChainItem: SupplyChainItem{Name: "foo", ExpectedMaterials: [][]string{{"ALLOW", "foo.py"}, {"DISALLOW", "*"}}}}},
- metadata: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"./bar/..//foo.py": HashObj{"sha265": "abc"}}}}},
+ metadata: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"./bar/..//foo.py": {"sha265": "abc"}}}}},
 expectErr: "",
 },
 {
@@ -636,14 +636,14 @@ func TestVerifyMatchRule(t *testing.T) {
 name: "Match material foo.py with foo.d/foo.py",
 rule: map[string]string{"pattern": "*", "dstName": "foo", "dstType": "materials", "dstPrefix": "foo.d"},
 srcArtifact: map[string]HashObj{"foo.py": {"sha265": "abc"}},
- item: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.d/foo.py": HashObj{"sha265": "abc"}}}}},
+ item: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.d/foo.py": {"sha265": "abc"}}}}},
 expectSet: NewSet("foo.py"),
 },
 {
 name: "Match material foo.d/foo.py with foo.py",
 rule: map[string]string{"pattern": "*", "dstName": "foo", "dstType": "materials", "srcPrefix": "foo.d"},
 srcArtifact: map[string]HashObj{"foo.d/foo.py": {"sha265": "abc"}},
- item: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.py": HashObj{"sha265": "abc"}}}}},
+ item: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.py": {"sha265": "abc"}}}}},
 expectSet: NewSet("foo.d/foo.py"),
 },
 {
diff --git a/internal/spiffe/spiffe.go b/internal/spiffe/spiffe.go
index d23f0863..694de963 100644
--- a/internal/spiffe/spiffe.go
+++ b/internal/spiffe/spiffe.go
@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package spiffe
 import (
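Review bot: internal/spiffe cannot be imported from outside this module, so the package-level Deprecated notice added here reaches no external consumer; its only effect is that the module's own imports of the package may now be flagged by the repo's linter. If that is intended it is harmless, but the comment should still open with a `// Package spiffe ...` sentence describing what the package does before the Deprecated paragraph, since the `import (` block is the only other thing visible and `go doc` would otherwise show just the deprecation.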