├── CODEOWNERS ├── .github ├── dependabot.yml └── workflows │ ├── build.yaml │ ├── scorecard.yml │ ├── release.yml │ └── codeql-analysis.yml ├── .gitignore ├── COPYRIGHT.txt ├── oci.go ├── .goreleaser.yaml ├── fetch.go ├── ROADMAP.md ├── go.mod ├── CODE_OF_CONDUCT.md ├── trust.go ├── README.md ├── main.go ├── sign.go ├── LICENSE └── go.sum /CODEOWNERS: -------------------------------------------------------------------------------- 1 | @sigstore/sget-codeowners 2 | 3 | # The CODEOWNERS are managed via a GitHub team, but the current list is (in alphabetical order): 4 | 5 | # dlorenc 6 | # imjasonh 7 | # luhring 8 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: gomod 4 | directory: "/" 5 | schedule: 6 | interval: weekly 7 | open-pull-requests-limit: 10 8 | - package-ecosystem: "github-actions" 9 | directory: "/" 10 | schedule: 11 | interval: weekly 12 | open-pull-requests-limit: 10 13 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | .DS_STORE 3 | *.exe 4 | *.exe~ 5 | *.dll 6 | *.so 7 | *.dylib 8 | 9 | # Test binary, built with `go test -c` 10 | *.test 11 | 12 | # Output of the go coverage tool, specifically when used with LiteIDE 13 | *.out 14 | 15 | # Dependency directories (remove the comment below to include it) 16 | # vendor/ 17 | 18 | # IDEs 19 | .vscode 20 | .idea 21 | 22 | # fuzzing artifacts 23 | *.libfuzzer 24 | *fuzz.a 25 | 26 | bin* 27 | dist/ 28 | 29 | sget 30 | -------------------------------------------------------------------------------- /COPYRIGHT.txt: -------------------------------------------------------------------------------- 1 | 2 | Copyright 2021 The Sigstore Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | -------------------------------------------------------------------------------- /oci.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "io" 6 | "os" 7 | 8 | "github.com/google/go-containerregistry/pkg/authn" 9 | "github.com/google/go-containerregistry/pkg/name" 10 | "github.com/google/go-containerregistry/pkg/v1/remote" 11 | ) 12 | 13 | func fetchImage(ref string) error { 14 | r, err := name.NewDigest(ref) 15 | if err != nil { 16 | return fmt.Errorf("parsing as OCI ref by digest: %w", err) 17 | } 18 | // TODO: look for a signature in Rekor? 19 | img, err := remote.Image(r, remote.WithAuthFromKeychain(authn.DefaultKeychain)) 20 | if err != nil { 21 | return fmt.Errorf("fetching image: %w", err) 22 | } 23 | ls, err := img.Layers() 24 | if err != nil { 25 | return fmt.Errorf("getting layers: %w", err) 26 | } 27 | if len(ls) != 1 { 28 | return fmt.Errorf("image had %d layers, expected one", len(ls)) 29 | } 30 | rc, err := ls[0].Compressed() 31 | if err != nil { 32 | return fmt.Errorf("getting layer data: %w", err) 33 | } 34 | defer rc.Close() 35 | if _, err := io.Copy(os.Stdout, rc); err != nil { 36 | return fmt.Errorf("reading layer data: %w", err) 37 | } 38 | return nil 39 | } 40 | -------------------------------------------------------------------------------- /.github/workflows/build.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2021 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | name: Build 17 | 18 | on: 19 | pull_request: 20 | branches: ['main'] 21 | 22 | jobs: 23 | build: 24 | name: Build 25 | runs-on: ubuntu-latest 26 | steps: 27 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c 28 | - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 29 | with: 30 | go-version: '1.19' 31 | check-latest: true 32 | cache: true 33 | 34 | - run: | 35 | go build ./... 36 | -------------------------------------------------------------------------------- /.goreleaser.yaml: -------------------------------------------------------------------------------- 1 | builds: 2 | - env: 3 | - CGO_ENABLED=0 4 | goos: 5 | - linux 6 | - darwin 7 | - freebsd 8 | - windows 9 | goarch: 10 | - amd64 11 | - arm64 12 | ldflags: 13 | - "-s -w" 14 | - "-extldflags=-zrelro" 15 | - "-extldflags=-znow" 16 | 17 | nfpms: 18 | - id: default 19 | package_name: sget 20 | vendor: Sigstore 21 | homepage: https://github.com/sigstore/sget 22 | maintainer: sget authors 23 | description: A safer `curl | sh` 24 | formats: 25 | - apk 26 | - deb 27 | - rpm 28 | 29 | archives: 30 | - id: binary 31 | format: binary 32 | 33 | gomod: 34 | proxy: true 35 | 36 | checksum: 37 | name_template: 'checksums.txt' 38 | 39 | source: 40 | enabled: true 41 | 42 | sboms: 43 | - id: binaries 44 | artifacts: binary 45 | - id: packages 46 | artifacts: package 47 | 48 | signs: 49 | - cmd: cosign 50 | env: 51 | - COSIGN_YES=1 52 | certificate: '${artifact}.pem' 53 | signature: '${artifact}.sig' 54 | args: 55 | - sign-blob 56 | - '--output-certificate=${certificate}' 57 | - '--output-signature=${signature}' 58 | - '${artifact}' 59 | artifacts: binary 60 | output: true 61 | -------------------------------------------------------------------------------- /.github/workflows/scorecard.yml: -------------------------------------------------------------------------------- 1 | name: Scorecard supply-chain security 2 | on: 3 | # (Optional) For Branch-Protection check. Only the default branch is supported. See 4 | # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection 5 | # branch_protection_rule: 6 | # To guarantee Maintained check is occasionally updated. See 7 | # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained 8 | schedule: 9 | - cron: '42 8 * * 0' 10 | push: 11 | branches: ["main"] 12 | 13 | # Declare default permissions as none. 14 | permissions: {} 15 | 16 | jobs: 17 | analysis: 18 | name: Scorecard analysis 19 | permissions: 20 | # Needed to upload the results to code-scanning dashboard. 21 | security-events: write 22 | # Needed to publish results and get a badge (see publish_results below). 23 | id-token: write 24 | uses: sigstore/community/.github/workflows/reusable-scorecard.yml@d0c95c8803672313d0bf72e1a44021be5b583c24 # main 25 | # (Optional) Disable publish results: 26 | # with: 27 | # publish_results: false 28 | 29 | # (Optional) Enable Branch-Protection check: 30 | # secrets: 31 | # scorecard_token: ${{ secrets.SCORECARD_TOKEN }} 32 | -------------------------------------------------------------------------------- /fetch.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | "crypto/sha256" 6 | "fmt" 7 | "io" 8 | "net/http" 9 | "os" 10 | ) 11 | 12 | type tempFile struct { 13 | f *os.File 14 | digest string 15 | } 16 | 17 | func (f tempFile) out() io.ReadCloser { 18 | f.f.Seek(0, 0) 19 | return f.f 20 | } 21 | 22 | func fetch(ctx context.Context, url string, discard bool) (*tempFile, error) { 23 | req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) 24 | if err != nil { 25 | return nil, err 26 | } 27 | resp, err := http.DefaultClient.Do(req) 28 | if err != nil { 29 | return nil, err 30 | } 31 | if resp.StatusCode != http.StatusOK { 32 | return nil, fmt.Errorf("GET %s: %d %s", url, resp.StatusCode, resp.Status) 33 | } 34 | defer resp.Body.Close() 35 | 36 | tf := &tempFile{} 37 | 38 | var tmp io.Writer 39 | if discard { 40 | tmp = io.Discard 41 | } else { 42 | tmp, err = os.CreateTemp("", "sget-*") 43 | if err != nil { 44 | return nil, fmt.Errorf("making temp file: %w", err) 45 | } 46 | tf.f = tmp.(*os.File) 47 | } 48 | 49 | h := sha256.New() 50 | if _, err := io.Copy(tmp, io.TeeReader(resp.Body, h)); err != nil { 51 | return nil, fmt.Errorf("reading response: %v", err) 52 | } 53 | tf.digest = fmt.Sprintf("%x", h.Sum(nil)) 54 | return tf, nil 55 | } 56 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: release 2 | 3 | # run only on tags 4 | on: 5 | push: 6 | tags: 7 | - 'v*' 8 | 9 | permissions: 10 | contents: write # needed to write releases 11 | id-token: write # needed for keyless signing 12 | 13 | jobs: 14 | release: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c 18 | with: 19 | fetch-depth: 0 # this is important, otherwise it won't checkout the full tree (i.e. no previous tags) 20 | 21 | - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 22 | with: 23 | go-version: 1.19 24 | check-latest: true 25 | 26 | - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 27 | with: 28 | path: ~/go/pkg/mod 29 | key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} 30 | restore-keys: | 31 | ${{ runner.os }}-go- 32 | 33 | - uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 34 | - uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479 35 | - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b 36 | with: 37 | version: latest 38 | args: release --rm-dist 39 | env: 40 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 41 | -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2021 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | name: CodeQL 17 | 18 | on: 19 | push: 20 | branches: [ main ] 21 | 22 | jobs: 23 | analyze: 24 | name: Analyze 25 | runs-on: ubuntu-latest 26 | 27 | permissions: 28 | security-events: write 29 | actions: read 30 | contents: read 31 | 32 | strategy: 33 | fail-fast: false 34 | matrix: 35 | language: [ 'go' ] 36 | 37 | steps: 38 | - name: Checkout repository 39 | uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c 40 | 41 | # Initializes the CodeQL tools for scanning. 42 | - name: Initialize CodeQL 43 | uses: github/codeql-action/init@16964e90ba004cdf0cd845b866b5df21038b7723 44 | with: 45 | languages: ${{ matrix.language }} 46 | # queries: ./path/to/local/query, your-org/your-repo/queries@main 47 | 48 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 49 | # If this step fails, then you should remove it and run the build manually (see below) 50 | - name: Autobuild 51 | uses: github/codeql-action/autobuild@16964e90ba004cdf0cd845b866b5df21038b7723 52 | 53 | # ℹ️ Command-line programs to run using the OS shell. 54 | # 📚 https://git.io/JvXDl 55 | 56 | # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines 57 | # and modify them (or add more) to build your code if your project 58 | # uses a compiled language 59 | #- run: | 60 | # make bootstrap 61 | # make release 62 | 63 | - name: Perform CodeQL Analysis 64 | uses: github/codeql-action/analyze@16964e90ba004cdf0cd845b866b5df21038b7723 65 | -------------------------------------------------------------------------------- /ROADMAP.md: -------------------------------------------------------------------------------- 1 | # `sget` Roadmap 2 | 3 | ### Today 4 | 5 | `sget` fetches blobs from OCI registries, using Docker API registry auth, checking content digests to ensure integrity, and verifying any `cosign` signatures that are found in the registry. 6 | 7 | `sget` currently has no functionality to fetch arbitrary URLs. 8 | 9 | ### Phase 0 10 | 11 | Add basic URL-fetching functionality to `sget`, with content digests to ensure integrity. 12 | 13 | This phase may also include a manual verification step where buffered contents are shown to the user, so they can manually inspect the contents before proceeding. 14 | 15 | ### Phase 1: "Social Proof" 16 | 17 | In the absence of a maintainer-provided policy, `sget` users can gain assurance about the safety of an artifact by relying on crowd-sourced verification and signatures. 18 | 19 | Signatures will be stored in Rekor, using certificates created by Fulcio's "keyless" OIDC capabilities. 20 | 21 | Before trusting an artifact, users should be able to: 22 | 23 | - see the total number of unique identities that have signed indicating that the artifact is safe to fetch. 24 | - see a random small subset of those identities. 25 | - see any identities with email addresses that match the URL's domain. 26 | - locally configure trusted identities, and trust those identities more than arbitrary public identities. 27 | 28 | The goal of this phase is to encourage adoption of `sget` by end users wishing to consume content more safely, without requiring any action by maintainers. 29 | 30 | Our options in this phase are necessarily limited and incomplete without some help from maintainers. 31 | 32 | #### Phase 1.5: Local Policy 33 | 34 | Building on locally configured trusted identities, `sget` should further support configuring a local policy for trusted artifacts. 35 | 36 | For example: "I trust identities A, B and C, but need to have sign-off from 2+ of those before trusting an artifact" 37 | 38 | As with **Phase 1**, this phase doesn't require any buy-in from maintainers. 39 | 40 | ### Phase 2: Maintainer Policy 41 | 42 | In this phase we'll describe how maintainers can set policies for signature requirements on released artifacts, so that consumers of the artifacts can have maximum assurance that the artifact is safe to consume according to maintainers. 43 | 44 | This phase will also include release tooling to make new releases of artifacts/policies/signatures as smooth as possible for maintainers and end users, without sacrificing availability or safety assurances. 45 | 46 | The goal of this phase is to gain adoption among maintainers wishing to make consuming their content even safer for interested users. 47 | 48 | 49 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/sigstore/sget 2 | 3 | go 1.19 4 | 5 | require ( 6 | github.com/BurntSushi/toml v1.2.1 7 | github.com/go-openapi/strfmt v0.21.3 8 | github.com/go-openapi/swag v0.22.3 9 | github.com/google/go-containerregistry v0.13.0 10 | github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf 11 | github.com/mitchellh/go-homedir v1.1.0 12 | github.com/sigstore/fulcio v1.1.0 13 | github.com/sigstore/rekor v1.0.1 14 | github.com/sigstore/sigstore v1.5.2 15 | github.com/spf13/cobra v1.6.1 16 | golang.org/x/net v0.8.0 17 | golang.org/x/term v0.6.0 18 | ) 19 | 20 | require ( 21 | github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect 22 | github.com/coreos/go-oidc/v3 v3.5.0 // indirect 23 | github.com/docker/cli v20.10.20+incompatible // indirect 24 | github.com/docker/distribution v2.8.1+incompatible // indirect 25 | github.com/docker/docker v20.10.20+incompatible // indirect 26 | github.com/docker/docker-credential-helpers v0.7.0 // indirect 27 | github.com/go-jose/go-jose/v3 v3.0.0 // indirect 28 | github.com/go-openapi/analysis v0.21.4 // indirect 29 | github.com/go-openapi/errors v0.20.3 // indirect 30 | github.com/go-openapi/jsonpointer v0.19.5 // indirect 31 | github.com/go-openapi/jsonreference v0.20.0 // indirect 32 | github.com/go-openapi/loads v0.21.2 // indirect 33 | github.com/go-openapi/runtime v0.24.1 // indirect 34 | github.com/go-openapi/spec v0.20.7 // indirect 35 | github.com/go-openapi/validate v0.22.0 // indirect 36 | github.com/golang/protobuf v1.5.2 // indirect 37 | github.com/inconshreveable/mousetrap v1.0.1 // indirect 38 | github.com/josharian/intern v1.0.0 // indirect 39 | github.com/klauspost/compress v1.15.11 // indirect 40 | github.com/kr/pretty v0.3.0 // indirect 41 | github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect 42 | github.com/mailru/easyjson v0.7.7 // indirect 43 | github.com/mitchellh/mapstructure v1.5.0 // indirect 44 | github.com/oklog/ulid v1.3.1 // indirect 45 | github.com/opencontainers/go-digest v1.0.0 // indirect 46 | github.com/opencontainers/image-spec v1.1.0-rc2 // indirect 47 | github.com/opentracing/opentracing-go v1.2.0 // indirect 48 | github.com/pkg/errors v0.9.1 // indirect 49 | github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect 50 | github.com/segmentio/ksuid v1.0.4 // indirect 51 | github.com/shibumi/go-pathspec v1.3.0 // indirect 52 | github.com/sirupsen/logrus v1.9.0 // indirect 53 | github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect 54 | github.com/spf13/pflag v1.0.5 // indirect 55 | github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 // indirect 56 | github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect 57 | go.mongodb.org/mongo-driver v1.10.0 // indirect 58 | golang.org/x/crypto v0.6.0 // indirect 59 | golang.org/x/oauth2 v0.5.0 // indirect 60 | golang.org/x/sync v0.1.0 // indirect 61 | golang.org/x/sys v0.6.0 // indirect 62 | golang.org/x/text v0.8.0 // indirect 63 | google.golang.org/appengine v1.6.7 // indirect 64 | google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc // indirect 65 | google.golang.org/grpc v1.53.0 // indirect 66 | google.golang.org/protobuf v1.28.1 // indirect 67 | gopkg.in/square/go-jose.v2 v2.6.0 // indirect 68 | gopkg.in/yaml.v2 v2.4.0 // indirect 69 | gopkg.in/yaml.v3 v3.0.1 // indirect 70 | ) 71 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | nationality, personal appearance, race, religion, or sexual identity and 10 | orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at . All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at [http://contributor-covenant.org/version/1/4][version] 72 | 73 | [homepage]: http://contributor-covenant.org 74 | [version]: http://contributor-covenant.org/version/1/4/ -------------------------------------------------------------------------------- /trust.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "fmt" 6 | "log" 7 | neturl "net/url" 8 | "os" 9 | "path/filepath" 10 | "sort" 11 | 12 | "github.com/BurntSushi/toml" 13 | "github.com/mitchellh/go-homedir" 14 | "github.com/spf13/cobra" 15 | ) 16 | 17 | func addTrust(cmd *cobra.Command) { 18 | var h string 19 | var remove bool 20 | trust := &cobra.Command{ 21 | Use: "trust IDENTITY...", 22 | Args: cobra.MinimumNArgs(1), 23 | SilenceUsage: true, 24 | SilenceErrors: true, 25 | RunE: func(cmd *cobra.Command, args []string) error { 26 | cfg, err := loadConfig() 27 | if err != nil { 28 | return fmt.Errorf("loading config file: %w", err) 29 | } 30 | 31 | ids := cfg.Identities 32 | if h != "" { 33 | u, err := neturl.Parse("scheme://" + h) 34 | if err != nil { 35 | return fmt.Errorf("parsing URL: %w", err) 36 | } 37 | h = u.Hostname() 38 | log.Println("adding trusted identities for host:", h) 39 | ids = cfg.Hosts[h].Identities 40 | } 41 | m := map[string]struct{}{} 42 | for _, i := range ids { 43 | m[i] = struct{}{} 44 | } 45 | if remove { 46 | // Remove trusted identities. 47 | for _, a := range args { 48 | if _, ok := m[a]; !ok { 49 | log.Println("trusted identity not found, will not be removed:", a) 50 | } else { 51 | log.Println("removing trusted identity:", a) 52 | delete(m, a) 53 | } 54 | } 55 | } else { 56 | // Add trusted identities. 57 | for _, a := range args { 58 | if _, ok := m[a]; ok { 59 | log.Println("already trusted identity:", a) 60 | } else { 61 | log.Println("adding trusted identity:", a) 62 | m[a] = struct{}{} 63 | } 64 | } 65 | } 66 | ids = make([]string, 0, len(m)) 67 | for i := range m { 68 | ids = append(ids, i) 69 | } 70 | sort.Strings(ids) 71 | 72 | if cfg.Hosts == nil { 73 | cfg.Hosts = map[string]host{} 74 | } 75 | if h != "" { 76 | cfg.Hosts[h] = host{Identities: ids} 77 | } else { 78 | cfg.Identities = ids 79 | } 80 | if err := writeConfig(*cfg); err != nil { 81 | return fmt.Errorf("writing config: %v", err) 82 | } 83 | return nil 84 | }, 85 | } 86 | trust.Flags().StringVar(&h, "host", "", "If set, scope trust to this host") 87 | trust.Flags().BoolVar(&remove, "rm", false, "If set, remove trusted identities") 88 | cmd.AddCommand(trust) 89 | } 90 | 91 | type config struct { 92 | Identities []string 93 | Hosts map[string]host 94 | } 95 | 96 | type host struct { 97 | Identities []string 98 | } 99 | 100 | func configPath() (string, error) { 101 | dir := os.Getenv("SGET_CONFIG") 102 | if dir == "" { 103 | home, err := homedir.Dir() 104 | if err != nil { 105 | return "", err 106 | } 107 | dir = filepath.Join(home, ".sget") 108 | } 109 | return filepath.Join(dir, "config.toml"), nil 110 | } 111 | 112 | func loadConfig() (*config, error) { 113 | p, err := configPath() 114 | if err != nil { 115 | return nil, err 116 | } 117 | f, err := os.ReadFile(p) 118 | if os.IsNotExist(err) { 119 | return &config{}, nil 120 | } else if err != nil { 121 | return nil, fmt.Errorf("reading config file: %w", err) 122 | } 123 | var config config 124 | if err := toml.Unmarshal(f, &config); err != nil { 125 | return nil, err 126 | } 127 | return &config, nil 128 | } 129 | 130 | func writeConfig(c config) error { 131 | p, err := configPath() 132 | if err != nil { 133 | return err 134 | } 135 | if err := os.MkdirAll(filepath.Dir(p), 0755); err != nil { 136 | return err 137 | } 138 | var buf bytes.Buffer 139 | if err := toml.NewEncoder(&buf).Encode(c); err != nil { 140 | return err 141 | } 142 | return os.WriteFile(p, buf.Bytes(), 0755) 143 | } 144 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # `sget` 2 | 3 | ### 🚨 `sget` is not ready for non-testing use at this time 🚨 4 | 5 | `sget` is currently an experiment, and as such is not guaranteed to be safe or reliable. 6 | 7 | Its config formats and flags may change in breaking ways at any time. 8 | Its security properties may change, including in ways that make it _less_ secure than it previously was, or even less secure than _not_ using `sget`. 9 | 10 | Please see the [roadmap](./ROADMAP.md) to get an idea where we're heading. 11 | 12 | Join `#sget` on the [Sigstore Slack](https://sigstore.slack.com) ([invite link](https://sigstore.slack.com/join/shared_invite/zt-mhs55zh0-XmY3bcfWn4XEyMqUUutbUQ#/shared-invite/email)) to get involved, ask questions, propose ideas, etc. 13 | Also feel free to [file an issue](https://github.com/sigstore/sget/issuues/new) to ask a question or report a bug. 14 | 15 | With that out of the way... 16 | 17 | # What is `sget`? 18 | 19 | `sget` is command for safer, automatic verification of signatures and integration with Sigstore's binary transparency log, [Rekor](https://github.com/sigstore/rekor). 20 | 21 | It aims to provide a safer alternative to `curl` when fetching artifacts from the internet, and especially when piping those contents to a shell, for example the dreaded and often (correctly!) maligned `curl | sh`. 22 | 23 | `curl | sh` isn't a great idea, but `sget | sh` is less-bad. 24 | 25 | ### Installation 26 | 27 | To install `sget`, if you have Go 1.16+, you can directly run: 28 | 29 | ``` 30 | go install github.com/sigstore/sget@main 31 | ``` 32 | 33 | and the resulting binary will be placed at `$GOPATH/bin/sget` (or `$GOBIN/sget`, if set). 34 | 35 | ### `sget ` 36 | 37 | This will fetch an HTTPS URL and look for any signatures for the contents' digest in the Rekor transparency log. 38 | 39 | If any signatures are found matching your trusted identities (see below), the contents will be piped to stdout. 40 | 41 | ``` 42 | sget https://example.com/archive.zip > archive.zip 43 | ``` 44 | 45 | or 46 | 47 | ``` 48 | sget https://example.com/install.sh | sh 49 | ``` 50 | 51 | ### `sget sign ` 52 | 53 | This will prompt you to go through the Fulcio OIDC flow to generate a signature for the URL, tied to your identity. 54 | This record will be appended to the Rekor transparency log so that other users can see it. 55 | 56 | If other users configure your identity as a trusted identity, you signature will be accepted when they attempt to fetch the URL using `sget`. 57 | 58 | ### `sget trust ...` 59 | 60 | This adds the specified identities to your list of trusted identities. 61 | 62 | When fetching content using `sget `, if any of these identities have signatures for the URL in Rekor, the content will be considered to be trusted. 63 | 64 | Trusted identities can be removed with the `--rm` flag: 65 | 66 | ``` 67 | sget trust --rm alice@example.com 68 | ``` 69 | 70 | Trusted identities can be scoped only to certain URL hostnames with the `--host` flag: 71 | 72 | ``` 73 | sget trust --host=example.com alice@example.com 74 | ``` 75 | 76 | In this case, signatures for `alice@example.com` will only be trusted if the URL is being fetched from `example.com`. 77 | 78 | ### `sget ` 79 | 80 | `sget` began its life as a tool to fetch contents stored in an OCI registry, and this functionality remains today. 81 | 82 | The main benefit of relying on an OCI registry in this case is that OCI provides a standard and broadly-supported API for fetching content by its digest, i.e., content-addressed storage. 83 | This means that if someone shares a reference to an object in an OCI registry that includes the digests of its contents, the registry will verify this digest matches before accepting it, and clients (including `sget`) will verify it again before fetching it. 84 | 85 | This makes `sget` resistant to attacks where the contents fetched today by one person may differ unexpectedly when fetched tomorrow by someone else. 86 | 87 | `sget ` only supports references by digest at this time, and will not currently check for any signatures from trusted identities. 88 | 89 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | "crypto/x509" 6 | "encoding/base64" 7 | "encoding/json" 8 | "encoding/pem" 9 | "fmt" 10 | "io" 11 | "log" 12 | neturl "net/url" 13 | "os" 14 | "os/signal" 15 | "strings" 16 | 17 | fapi "github.com/sigstore/fulcio/pkg/api" 18 | rekor "github.com/sigstore/rekor/pkg/generated/client" 19 | rentries "github.com/sigstore/rekor/pkg/generated/client/entries" 20 | rindex "github.com/sigstore/rekor/pkg/generated/client/index" 21 | rmodels "github.com/sigstore/rekor/pkg/generated/models" 22 | "github.com/spf13/cobra" 23 | "golang.org/x/net/idna" 24 | ) 25 | 26 | func main() { 27 | var flags rootFlags 28 | root := &cobra.Command{ 29 | Use: "sget URL", 30 | Args: cobra.ExactArgs(1), 31 | SilenceUsage: true, 32 | SilenceErrors: true, 33 | RunE: func(cmd *cobra.Command, args []string) error { 34 | ctx := cmd.Context() 35 | 36 | url := args[0] 37 | u, err := neturl.Parse(url) 38 | if err != nil { 39 | return fmt.Errorf("parsing URL: %w", err) 40 | } 41 | if u.Scheme != "https" { 42 | log.Println("URL is not HTTPS, assuming it's an OCI image reference by digest") 43 | return fetchImage(url) 44 | } 45 | if pu, err := idna.Punycode.ToASCII(u.Hostname()); err != nil { 46 | return fmt.Errorf("failed to parse URL: %w", err) 47 | } else if strings.HasPrefix(pu, "xn--") { 48 | return fmt.Errorf("refusing to fetch Punycode URL %q", pu) 49 | } 50 | 51 | // Validate digest if specified. 52 | tmp, err := fetch(ctx, url, false) 53 | if err != nil { 54 | return fmt.Errorf("error getting digest for %q: %w", url, err) 55 | } 56 | defer os.Remove(tmp.f.Name()) 57 | gotDigest := tmp.digest 58 | if flags.wantDigest != "" && flags.wantDigest != gotDigest { 59 | return fmt.Errorf("digest mismatch; got %q, want %q", gotDigest, flags.wantDigest) 60 | } 61 | 62 | // Get Fulcio root cert. 63 | fulcioServer, err := neturl.Parse(flags.fulcioURL) 64 | if err != nil { 65 | return fmt.Errorf("creating Fulcio client: %w", err) 66 | } 67 | fclient := fapi.NewClient(fulcioServer, fapi.WithTimeout(flags.fulcioTimeout)) 68 | fresp, err := fclient.RootCert() 69 | if err != nil { 70 | return fmt.Errorf("getting signing cert: %w", err) 71 | } 72 | fulcioRoot := x509.NewCertPool() 73 | if !fulcioRoot.AppendCertsFromPEM(fresp.ChainPEM) { 74 | return fmt.Errorf("failed appending Fulcio root cert") 75 | } 76 | 77 | // Find entries for url + digest 78 | rclient := rekor.NewHTTPClient(nil) 79 | iparams := rindex.NewSearchIndexParams() 80 | iparams.SetTimeout(flags.rekorTimeout) 81 | iparams.SetQuery(&rmodels.SearchIndex{Hash: "sha256:" + tmp.digest}) 82 | iresp, err := rclient.Index.SearchIndex(iparams) 83 | if err != nil { 84 | return fmt.Errorf("querying Rekor entries: %w", err) 85 | } 86 | if len(iresp.Payload) == 0 { 87 | return fmt.Errorf("found no Rekor entries for URL: %s", url) 88 | } 89 | identities := set{} 90 | for _, e := range iresp.Payload { 91 | gparams := rentries.NewGetLogEntryByUUIDParams() 92 | gparams.SetTimeout(flags.rekorTimeout) 93 | gparams.SetEntryUUID(e) 94 | gresp, err := rclient.Entries.GetLogEntryByUUID(gparams) 95 | if err != nil { 96 | return fmt.Errorf("getting Rekor entry %q: %w", e, err) 97 | } 98 | le := gresp.Payload[e] 99 | leb, err := base64.StdEncoding.DecodeString(le.Body.(string)) 100 | if err != nil { 101 | return fmt.Errorf("decoding Rekor LogEntry body: %w", err) 102 | } 103 | var ent struct { 104 | Spec struct { 105 | PublicKey []byte 106 | } 107 | } 108 | if err := json.Unmarshal(leb, &ent); err != nil { 109 | return fmt.Errorf("unmarshaling Rekor LogEntry body: %w", err) 110 | } 111 | 112 | // TODO: Check that the URL matches, not just the digest. 113 | 114 | if len(ent.Spec.PublicKey) == 0 { 115 | continue 116 | } 117 | block, _ := pem.Decode(ent.Spec.PublicKey) 118 | if block == nil { 119 | return fmt.Errorf("parsing certificate PEM; block is nil") 120 | } 121 | cert, err := x509.ParseCertificate(block.Bytes) 122 | if err != nil { 123 | return fmt.Errorf("parsing certificat: %w", err) 124 | } 125 | 126 | // Verify cert is from Fulcio. 127 | if _, err := cert.Verify(x509.VerifyOptions{ 128 | // THIS IS IMPORTANT: WE DO NOT CHECK TIMES HERE 129 | // THE CERTIFICATE IS TREATED AS TRUSTED FOREVER 130 | // WE CHECK THAT THE SIGNATURES WERE CREATED DURING THIS WINDOW 131 | CurrentTime: cert.NotBefore, 132 | Roots: fulcioRoot, 133 | KeyUsages: []x509.ExtKeyUsage{ 134 | x509.ExtKeyUsageCodeSigning, 135 | }, 136 | }); err != nil { 137 | return fmt.Errorf("checking cert against Fulcio root: %w", err) 138 | } 139 | 140 | if len(cert.EmailAddresses) != 1 { 141 | log.Printf("saw unexpected number of identities for %q: %s", e, cert.EmailAddresses) 142 | } 143 | for _, email := range cert.EmailAddresses { 144 | identities.add(email) 145 | } 146 | } 147 | 148 | // Collect trusted identities. 149 | cfg, err := loadConfig() 150 | if err != nil { 151 | return fmt.Errorf("loading config file: %w", err) 152 | } 153 | trust := set{} 154 | for _, i := range cfg.Identities { 155 | trust.add(i) 156 | } 157 | if h, ok := cfg.Hosts[u.Host]; ok { 158 | for _, i := range h.Identities { 159 | trust.add(i) 160 | } 161 | } 162 | 163 | log.Printf("Found %d identities who have signed for %s", len(identities), url) 164 | log.Println("Signing identities:", identities) // TODO: remove 165 | match := trust.intersect(identities) 166 | if len(match) == 0 { 167 | return fmt.Errorf("found no trusted identities for %s", url) 168 | } 169 | 170 | log.Println("Found trusted identities:", match) 171 | 172 | var outw io.WriteCloser 173 | switch flags.out { 174 | case "-": 175 | outw = os.Stdout 176 | default: 177 | outw, err = os.Create(flags.out) 178 | if err != nil { 179 | return fmt.Errorf("creating %q: %w", flags.out, err) 180 | } 181 | } 182 | defer outw.Close() 183 | 184 | // Write the contents of the temp file to stdout. 185 | _, err = io.Copy(outw, tmp.out()) 186 | return err 187 | }, 188 | } 189 | flags.addFlags(root) 190 | 191 | addSign(root) 192 | addTrust(root) 193 | 194 | ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt) 195 | defer cancel() 196 | if err := root.ExecuteContext(ctx); err != nil { 197 | log.Fatal(err) 198 | } 199 | } 200 | 201 | type set map[string]struct{} 202 | 203 | func (s set) add(n string) { s[n] = struct{}{} } 204 | 205 | func (s set) intersect(o set) set { 206 | out := set{} 207 | for k := range s { 208 | if _, ok := o[k]; ok { 209 | out[k] = struct{}{} 210 | } 211 | } 212 | return out 213 | } 214 | 215 | func (s set) String() string { 216 | var sb strings.Builder 217 | first := true 218 | for k := range s { 219 | if !first { 220 | sb.WriteRune(' ') 221 | } 222 | sb.WriteString(k) 223 | first = false 224 | } 225 | return sb.String() 226 | } 227 | 228 | type rootFlags struct { 229 | rekorFlags 230 | fulcioFlags 231 | wantDigest string 232 | out string 233 | } 234 | 235 | func (f *rootFlags) addFlags(cmd *cobra.Command) { 236 | f.rekorFlags.addFlags(cmd) 237 | f.fulcioFlags.addFlags(cmd) 238 | cmd.Flags().StringVar(&f.wantDigest, "digest", "", "If set, URL must have the given digest") 239 | cmd.Flags().StringVarP(&f.out, "out", "o", "-", `File path to write to (for stdout pass "-")`) 240 | } 241 | -------------------------------------------------------------------------------- /sign.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "crypto" 6 | "crypto/ecdsa" 7 | "crypto/elliptic" 8 | "crypto/rand" 9 | "crypto/sha256" 10 | "crypto/x509" 11 | "encoding/base64" 12 | "encoding/json" 13 | "fmt" 14 | "log" 15 | neturl "net/url" 16 | "os" 17 | "time" 18 | 19 | "github.com/go-openapi/strfmt" 20 | "github.com/go-openapi/swag" 21 | "github.com/in-toto/in-toto-golang/in_toto" 22 | fapi "github.com/sigstore/fulcio/pkg/api" 23 | rekor "github.com/sigstore/rekor/pkg/generated/client" 24 | rentries "github.com/sigstore/rekor/pkg/generated/client/entries" 25 | rmodels "github.com/sigstore/rekor/pkg/generated/models" 26 | "github.com/sigstore/sigstore/pkg/oauthflow" 27 | "github.com/sigstore/sigstore/pkg/signature" 28 | "github.com/sigstore/sigstore/pkg/signature/dsse" 29 | "github.com/spf13/cobra" 30 | "golang.org/x/term" 31 | ) 32 | 33 | func addSign(cmd *cobra.Command) { 34 | var flags signFlags 35 | sign := &cobra.Command{ 36 | Use: "sign URL", 37 | Args: cobra.ExactArgs(1), 38 | SilenceUsage: true, 39 | SilenceErrors: true, 40 | RunE: func(cmd *cobra.Command, args []string) error { 41 | ctx := cmd.Context() 42 | 43 | url := args[0] 44 | u, err := neturl.Parse(url) 45 | if err != nil { 46 | return fmt.Errorf("parsing URL: %w", err) 47 | } 48 | if u.Scheme != "https" { 49 | return fmt.Errorf("URL must be HTTPS") 50 | } 51 | 52 | // Validate digest if specified. 53 | tmp, err := fetch(ctx, url, true) 54 | if err != nil { 55 | return fmt.Errorf("error getting digest for %q: %w", url, err) 56 | } 57 | gotDigest := tmp.digest 58 | if flags.wantDigest != "" && flags.wantDigest != gotDigest { 59 | return fmt.Errorf("digest mismatch; got %q, want %q", gotDigest, flags.wantDigest) 60 | } 61 | log.Println("Fetched URL with digest:", gotDigest) 62 | 63 | // Do the OAuth dance and get an ID token. 64 | var flow oauthflow.TokenGetter 65 | switch { 66 | case flags.idtoken != "": 67 | flow = &oauthflow.StaticTokenGetter{RawToken: flags.idtoken} 68 | case !term.IsTerminal(0): 69 | fmt.Fprintln(os.Stderr, "Non-interactive mode detected, using device flow.") 70 | flow = oauthflow.NewDeviceFlowTokenGetter( 71 | flags.oidcIssuer, oauthflow.SigstoreDeviceURL, oauthflow.SigstoreTokenURL) 72 | default: 73 | flow = oauthflow.DefaultIDTokenGetter 74 | } 75 | idt, err := oauthflow.OIDConnect(flags.oidcIssuer, flags.oidcClientID, flags.oidcClientSecret, flags.oidcRedirectURL, flow) 76 | if err != nil { 77 | return fmt.Errorf("getting ID token: %w", err) 78 | } 79 | idtoken := idt.RawString 80 | log.Println("Got ID token! Signing as", idt.Subject) 81 | 82 | // Get signing cert from ephemeral private key and idtoken. 83 | priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 84 | if err != nil { 85 | return fmt.Errorf("generating ephemeral private key: %w", err) 86 | } 87 | pubBytes, err := x509.MarshalPKIXPublicKey(&priv.PublicKey) 88 | if err != nil { 89 | return err 90 | } 91 | h := sha256.Sum256([]byte(idt.Subject)) 92 | proof, err := ecdsa.SignASN1(rand.Reader, priv, h[:]) 93 | if err != nil { 94 | return err 95 | } 96 | fulcioServer, err := neturl.Parse(flags.fulcioURL) 97 | if err != nil { 98 | return fmt.Errorf("creating Fulcio client: %w", err) 99 | } 100 | fclient := fapi.NewClient(fulcioServer) 101 | fresp, err := fclient.SigningCert(fapi.CertificateRequest{ 102 | PublicKey: fapi.Key{ 103 | Algorithm: "ecdsa", 104 | Content: pubBytes, 105 | }, 106 | SignedEmailAddress: proof, 107 | }, idtoken) 108 | if err != nil { 109 | return fmt.Errorf("getting signing cert: %w", err) 110 | } 111 | // TODO: Verify SCT. Do something with chain? 112 | log.Println("Got signing cert!") 113 | 114 | // Sign the message. 115 | s, err := signature.LoadECDSASigner(priv, crypto.SHA256) 116 | if err != nil { 117 | return fmt.Errorf("loading signer: %w", err) 118 | } 119 | ds := dsse.WrapSigner(s, "application/vnd.in-toto+json") 120 | msg, err := json.Marshal(in_toto.Statement{ 121 | StatementHeader: in_toto.StatementHeader{ 122 | Type: "sget-fetched", 123 | Subject: []in_toto.Subject{{ 124 | Name: url, 125 | Digest: map[string]string{"sha256": gotDigest}, 126 | }}, 127 | }, 128 | }) 129 | if err != nil { 130 | return fmt.Errorf("encoding message: %w", err) 131 | } 132 | signed, err := ds.SignMessage(bytes.NewReader(msg)) 133 | if err != nil { 134 | return fmt.Errorf("signing: %w", err) 135 | } 136 | 137 | // Record url + digest. 138 | certPEMBase64 := strfmt.Base64(fresp.CertPEM) 139 | params := rentries.NewCreateLogEntryParams() 140 | params.SetTimeout(flags.fulcioTimeout) 141 | params.SetProposedEntry(&rmodels.Intoto{ 142 | APIVersion: swag.String("0.0.1"), 143 | Spec: rmodels.IntotoV001Schema{ 144 | Content: &rmodels.IntotoV001SchemaContent{ 145 | Envelope: string(signed), 146 | }, 147 | PublicKey: &certPEMBase64, 148 | }, 149 | }) 150 | created, err := rekor.NewHTTPClient(nil).Entries.CreateLogEntry(params) 151 | if err != nil { 152 | return fmt.Errorf("adding Rekor entry: %w", err) 153 | } 154 | log.Println("Rekor entry created!") 155 | 156 | le := created.Payload[created.ETag] 157 | log.Println("UUID:", created.ETag) 158 | log.Println("Integrated Time:", time.Unix(*le.IntegratedTime, 0).Format(time.RFC3339)) 159 | log.Println("Log Index:", *le.LogIndex) 160 | leb, err := base64.StdEncoding.DecodeString(le.Body.(string)) 161 | if err != nil { 162 | return fmt.Errorf("decoding Rekor LogEntry body: %w", err) 163 | } 164 | log.Println("Entry:", string(leb)) 165 | return nil 166 | }, 167 | } 168 | flags.addFlags(sign) 169 | 170 | cmd.AddCommand(sign) 171 | } 172 | 173 | type rekorFlags struct { 174 | rekorURL string 175 | rekorTimeout time.Duration 176 | } 177 | 178 | func (f *rekorFlags) addFlags(cmd *cobra.Command) { 179 | cmd.Flags().StringVar(&f.rekorURL, "rekor-url", "https://rekor.sigstore.dev", "URL of the Rekor transparency log") 180 | cmd.Flags().DurationVar(&f.rekorTimeout, "rekor-timeout", 30*time.Second, "Timeout for requests to Rekor") 181 | } 182 | 183 | type fulcioFlags struct { 184 | fulcioURL string 185 | fulcioTimeout time.Duration 186 | } 187 | 188 | func (f *fulcioFlags) addFlags(cmd *cobra.Command) { 189 | cmd.Flags().StringVar(&f.fulcioURL, "fulcio-url", "https://fulcio.sigstore.dev", "URL of the Fulcio CA") 190 | cmd.Flags().DurationVar(&f.fulcioTimeout, "fulcio-timeout", 30*time.Second, "Timeout for requests to Fulcio") 191 | } 192 | 193 | type oidcFlags struct { 194 | oidcIssuer string 195 | oidcClientID string 196 | oidcClientSecret string 197 | oidcRedirectURL string 198 | } 199 | 200 | func (f *oidcFlags) addFlags(cmd *cobra.Command) { 201 | cmd.Flags().StringVar(&f.oidcIssuer, "oidc-issuer", "https://oauth2.sigstore.dev/auth", "OIDC issuer") 202 | cmd.Flags().StringVar(&f.oidcClientID, "oidc-client-id", "sigstore", "OIDC client ID") 203 | cmd.Flags().StringVar(&f.oidcClientSecret, "oidc-client-secret", "", "OIDC client secret") 204 | cmd.Flags().StringVar(&f.oidcRedirectURL, "oidc-redirect-url", "localhost:0/auth/callback", "OIDC redirect URL") 205 | 206 | } 207 | 208 | type signFlags struct { 209 | rekorFlags 210 | fulcioFlags 211 | oidcFlags 212 | wantDigest, idtoken string 213 | } 214 | 215 | func (f *signFlags) addFlags(cmd *cobra.Command) { 216 | f.rekorFlags.addFlags(cmd) 217 | f.fulcioFlags.addFlags(cmd) 218 | f.oidcFlags.addFlags(cmd) 219 | cmd.Flags().StringVar(&f.wantDigest, "digest", "", "If set, URL must have the given digest") 220 | cmd.Flags().StringVar(&f.idtoken, "idtoken", "", "If set, skip OIDC flow and use this ID token") 221 | } 222 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= 2 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 3 | github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= 4 | github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= 5 | github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= 6 | github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= 7 | github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= 8 | github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ= 9 | github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= 10 | github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 11 | github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= 12 | github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= 13 | github.com/containerd/stargz-snapshotter/estargz v0.12.1 h1:+7nYmHJb0tEkcRaAW+MHqoKaJYZmkikupxCqVtmPuY0= 14 | github.com/coreos/go-oidc/v3 v3.5.0 h1:VxKtbccHZxs8juq7RdJntSqtXFtde9YpNpGn0yqgEHw= 15 | github.com/coreos/go-oidc/v3 v3.5.0/go.mod h1:ecXRtV4romGPeO6ieExAsUK9cb/3fp9hXNz1tlv8PIM= 16 | github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 17 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 18 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 19 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 20 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 21 | github.com/docker/cli v20.10.20+incompatible h1:lWQbHSHUFs7KraSN2jOJK7zbMS2jNCHI4mt4xUFUVQ4= 22 | github.com/docker/cli v20.10.20+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= 23 | github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= 24 | github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= 25 | github.com/docker/docker v20.10.20+incompatible h1:kH9tx6XO+359d+iAkumyKDc5Q1kOwPuAUaeri48nD6E= 26 | github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= 27 | github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= 28 | github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= 29 | github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= 30 | github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw= 31 | github.com/facebookgo/limitgroup v0.0.0-20150612190941-6abd8d71ec01 h1:IeaD1VDVBPlx3viJT9Md8if8IxxJnO+x0JCGb054heg= 32 | github.com/facebookgo/muster v0.0.0-20150708232844-fd3d7953fd52 h1:a4DFiKFJiDRGFD1qIcqGLX/WlUMD9dyLSLDt+9QZgt8= 33 | github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= 34 | github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= 35 | github.com/go-openapi/analysis v0.21.2/go.mod h1:HZwRk4RRisyG8vx2Oe6aqeSQcoxRp47Xkp3+K6q+LdY= 36 | github.com/go-openapi/analysis v0.21.4 h1:ZDFLvSNxpDaomuCueM0BlSXxpANBlFYiBvr+GXrvIHc= 37 | github.com/go-openapi/analysis v0.21.4/go.mod h1:4zQ35W4neeZTqh3ol0rv/O8JBbka9QyAgQRPp9y3pfo= 38 | github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= 39 | github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= 40 | github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= 41 | github.com/go-openapi/errors v0.20.3 h1:rz6kiC84sqNQoqrtulzaL/VERgkoCyB6WdEkc2ujzUc= 42 | github.com/go-openapi/errors v0.20.3/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk= 43 | github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= 44 | github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= 45 | github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= 46 | github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns= 47 | github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= 48 | github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= 49 | github.com/go-openapi/loads v0.21.1/go.mod h1:/DtAMXXneXFjbQMGEtbamCZb+4x7eGwkvZCvBmwUG+g= 50 | github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro= 51 | github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw= 52 | github.com/go-openapi/runtime v0.24.1 h1:Sml5cgQKGYQHF+M7yYSHaH1eOjvTykrddTE/KtQVjqo= 53 | github.com/go-openapi/runtime v0.24.1/go.mod h1:AKurw9fNre+h3ELZfk6ILsfvPN+bvvlaU/M9q/r9hpk= 54 | github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I= 55 | github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= 56 | github.com/go-openapi/spec v0.20.7 h1:1Rlu/ZrOCCob0n+JKKJAWhNWMPW8bOZRg8FJaY+0SKI= 57 | github.com/go-openapi/spec v0.20.7/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= 58 | github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg= 59 | github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= 60 | github.com/go-openapi/strfmt v0.21.2/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= 61 | github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o= 62 | github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg= 63 | github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= 64 | github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= 65 | github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= 66 | github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= 67 | github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= 68 | github.com/go-openapi/validate v0.21.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= 69 | github.com/go-openapi/validate v0.22.0 h1:b0QecH6VslW/TxtpKgzpO1SNG7GU2FsaqKdP1E2T50Y= 70 | github.com/go-openapi/validate v0.22.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= 71 | github.com/go-rod/rod v0.112.6 h1:zMirUmhsBeshMWyf285BD0UGtGq54HfThLDGSjcP3lU= 72 | github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= 73 | github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4= 74 | github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= 75 | github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= 76 | github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= 77 | github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= 78 | github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= 79 | github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= 80 | github.com/gobuffalo/flect v0.1.0/go.mod h1:d2ehjJqGOH/Kjqcoz+F7jHTBbmDb38yXA598Hb50EGs= 81 | github.com/gobuffalo/flect v0.1.1/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= 82 | github.com/gobuffalo/flect v0.1.3/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= 83 | github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk= 84 | github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28= 85 | github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo= 86 | github.com/gobuffalo/genny v0.1.1/go.mod h1:5TExbEyY48pfunL4QSXxlDOmdsD44RRq4mVZ0Ex28Xk= 87 | github.com/gobuffalo/gitgen v0.0.0-20190315122116-cc086187d211/go.mod h1:vEHJk/E9DmhejeLeNt7UVvlSGv3ziL+djtTr3yyzcOw= 88 | github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxsgKNZs6L2IYiGR8datgMhB577vzTDqypH360= 89 | github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg= 90 | github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE= 91 | github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8= 92 | github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= 93 | github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= 94 | github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= 95 | github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= 96 | github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ= 97 | github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0= 98 | github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= 99 | github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 100 | github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 101 | github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= 102 | github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 103 | github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 104 | github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 105 | github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 106 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 107 | github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 108 | github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= 109 | github.com/google/go-containerregistry v0.13.0 h1:y1C7Z3e149OJbOPDBxLYR8ITPz8dTKqQwjErKVHJC8k= 110 | github.com/google/go-containerregistry v0.13.0/go.mod h1:J9FQ+eSS4a1aC2GNZxvNpbWhgp0487v+cgiilB4FqDo= 111 | github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 112 | github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= 113 | github.com/honeycombio/beeline-go v1.10.0 h1:cUDe555oqvw8oD76BQJ8alk7FP0JZ/M/zXpNvOEDLDc= 114 | github.com/honeycombio/libhoney-go v1.16.0 h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvznI6M3KdHc= 115 | github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf h1:FU8tuL4IWx/Hq55AO4+13AZn3Kd6uk3Z44OCIZ9coTw= 116 | github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf/go.mod h1:twl9XmClqj6/h/HANQQYaJZVKPPW/Mz53bd2t6UXGQA= 117 | github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= 118 | github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= 119 | github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= 120 | github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548 h1:dYTbLf4m0a5u0KLmPfB6mgxbcV7588bOCx79hxa5Sr4= 121 | github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= 122 | github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 123 | github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= 124 | github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= 125 | github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= 126 | github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= 127 | github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c= 128 | github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= 129 | github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 130 | github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 131 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 132 | github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= 133 | github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= 134 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 135 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 136 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 137 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 138 | github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf h1:ndns1qx/5dL43g16EQkPV/i8+b3l5bYQwLeoSBe7tS8= 139 | github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf/go.mod h1:aGkAgvWY/IUcVFfuly53REpfv5edu25oij+qHRFaraA= 140 | github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 141 | github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 142 | github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= 143 | github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= 144 | github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= 145 | github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= 146 | github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= 147 | github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= 148 | github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= 149 | github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= 150 | github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= 151 | github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= 152 | github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= 153 | github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= 154 | github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= 155 | github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= 156 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= 157 | github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= 158 | github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= 159 | github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 160 | github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= 161 | github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034= 162 | github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= 163 | github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= 164 | github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= 165 | github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= 166 | github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 167 | github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 168 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 169 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 170 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 171 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 172 | github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= 173 | github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= 174 | github.com/prometheus/common v0.39.0 h1:oOyhkDq05hPZKItWVBkJ6g6AtGxi+fy7F4JvUV8uhsI= 175 | github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= 176 | github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 177 | github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 178 | github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 179 | github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k= 180 | github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= 181 | github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 182 | github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE= 183 | github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICsxWQW1msNf49F0Pf2Op5Htayx335Qbs= 184 | github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= 185 | github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= 186 | github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= 187 | github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= 188 | github.com/sigstore/fulcio v1.1.0 h1:mzzJ05Ccu8Y2inyioklNvc8MpzlGHxu8YqNeTm0dHfU= 189 | github.com/sigstore/fulcio v1.1.0/go.mod h1:zv1ZQTXZbUwQdRwajlQksc34pRas+2aZYpIZoQBNev8= 190 | github.com/sigstore/rekor v1.0.1 h1:rcESXSNkAPRWFYZel9rarspdvneET60F2ngNkadi89c= 191 | github.com/sigstore/rekor v1.0.1/go.mod h1:ecTKdZWGWqE1pl3U1m1JebQJLU/hSjD9vYHOmHQ7w4g= 192 | github.com/sigstore/sigstore v1.5.2 h1:rvZSPJDH2ysoc8kjW9v4nv1UX3XwSA8y4x6Dk7hA0D4= 193 | github.com/sigstore/sigstore v1.5.2/go.mod h1:wxhp9KoaOpeb1VLKILruD283KJqPSqX+3TuBByVDZ6E= 194 | github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= 195 | github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= 196 | github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= 197 | github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= 198 | github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 199 | github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= 200 | github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= 201 | github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= 202 | github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= 203 | github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= 204 | github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= 205 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 206 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 207 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 208 | github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 209 | github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 210 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 211 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 212 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 213 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 214 | github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 215 | github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 216 | github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= 217 | github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 h1:1i/Afw3rmaR1gF3sfVkG2X6ldkikQwA9zY380LrR5YI= 218 | github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4/go.mod h1:vAqWV3zEs89byeFsAYoh/Q14vJTgJkHwnnRCWBBBINY= 219 | github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= 220 | github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= 221 | github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= 222 | github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= 223 | github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlIME= 224 | github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU= 225 | github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g= 226 | github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= 227 | github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= 228 | github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= 229 | github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= 230 | github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= 231 | github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= 232 | github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= 233 | github.com/ysmood/gson v0.7.3 h1:QFkWbTH8MxyUTKPkVWAENJhxqdBa4lYTQWqZCiLG6kE= 234 | github.com/ysmood/leakless v0.8.0 h1:BzLrVoiwxikpgEQR0Lk8NyBN5Cit2b1z+u0mgL4ZJak= 235 | github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= 236 | go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg= 237 | go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng= 238 | go.mongodb.org/mongo-driver v1.8.3/go.mod h1:0sQWfOeY63QTntERDJJ/0SuKK0T1uVSgKCuAROlKEPY= 239 | go.mongodb.org/mongo-driver v1.10.0 h1:UtV6N5k14upNp4LTduX0QCufG124fSu25Wz9tu94GLg= 240 | go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8= 241 | golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 242 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 243 | golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= 244 | golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 245 | golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 246 | golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= 247 | golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 248 | golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= 249 | golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc= 250 | golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= 251 | golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 252 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 253 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 254 | golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= 255 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 256 | golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 257 | golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= 258 | golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 259 | golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 260 | golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 261 | golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= 262 | golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= 263 | golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= 264 | golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= 265 | golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= 266 | golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= 267 | golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= 268 | golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 269 | golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 270 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 271 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 272 | golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 273 | golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 274 | golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= 275 | golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 276 | golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 277 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 278 | golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 279 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 280 | golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 281 | golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 282 | golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 283 | golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 284 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 285 | golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 286 | golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 287 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 288 | golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 289 | golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 290 | golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 291 | golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 292 | golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 293 | golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= 294 | golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 295 | golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= 296 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 297 | golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 298 | golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= 299 | golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw= 300 | golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= 301 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 302 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 303 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 304 | golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 305 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 306 | golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 307 | golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 308 | golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= 309 | golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 310 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 311 | golang.org/x/tools v0.0.0-20190329151228-23e29df326fe/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 312 | golang.org/x/tools v0.0.0-20190416151739-9c9e1878f421/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 313 | golang.org/x/tools v0.0.0-20190420181800-aa740d480789/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 314 | golang.org/x/tools v0.0.0-20190531172133-b3315ee88b7d/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 315 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 316 | golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 317 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 318 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 319 | google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 320 | google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 321 | google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc h1:ijGwO+0vL2hJt5gaygqP2j6PfflOBrRot0IczKbmtio= 322 | google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= 323 | google.golang.org/grpc v1.53.0 h1:LAv2ds7cmFV/XTS3XG1NneeENYrXGmorPxsBbptIjNc= 324 | google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= 325 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= 326 | google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= 327 | google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= 328 | google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= 329 | google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= 330 | gopkg.in/alexcesaro/statsd.v2 v2.0.0 h1:FXkZSCZIH17vLCO5sO2UucTHsH9pc+17F6pl3JVCwMc= 331 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 332 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 333 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 334 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 335 | gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= 336 | gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= 337 | gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= 338 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 339 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 340 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 341 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 342 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 343 | gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 344 | gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 345 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 346 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 347 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 348 | gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= 349 | --------------------------------------------------------------------------------