Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps.

pkg/cosign/kubernetes/webhook/validation.go

@@ -87,12 +87,16 @@ func validSignatures(ctx context.Context, ref name.Reference, verifier signature
 // validSignaturesWithFulcio expects a Fulcio Cert to verify against. An
 // optional rekorClient can also be given, if nil passed, default is assumed.
 func validSignaturesWithFulcio(ctx context.Context, ref name.Reference, fulcioRoots *x509.CertPool, rekorClient *client.Rekor, identities []v1alpha1.Identity, opts ...ociremote.Option) ([]oci.Signature, error) {
+	ids := make([]cosign.Identity, len(identities))
+	for i, id := range identities {
+		ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject}
+	}
 	sigs, _, err := cosignVerifySignatures(ctx, ref, &cosign.CheckOpts{
 		RegistryClientOpts: opts,
 		RootCerts:          fulcioRoots,
 		RekorClient:        rekorClient,
 		ClaimVerifier:      cosign.SimpleClaimVerifier,
-		Identities:         identities,
+		Identities:         ids,
 	})
 	return sigs, err
 }

pkg/cosign/verify.go

@@ -32,7 +32,6 @@ import (
 	"time"
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl"
-	"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
 	cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
 	"github.com/sigstore/cosign/pkg/cosign/tuf"
 
@@ -58,6 +57,13 @@ import (
 	sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
 )
 
+// Identity specifies an issuer/subject to verify a signature against.
+// Both Issuer/Subject support regexp.
+type Identity struct {
+	Issuer  string
+	Subject string
+}
+
 // CheckOpts are the options for checking signatures.
 type CheckOpts struct {
 	// RegistryClientOpts are the options for interacting with the container registry.
@@ -94,7 +100,7 @@ type CheckOpts struct {
 	// Identities is an array of Identity (Subject, Issuer) matchers that have
 	// to be met for the signature to ve valid.
 	// Supercedes CertEmail / CertOidcIssuer
-	Identities []v1alpha1.Identity
+	Identities []Identity
 }
 
 func getSignedEntity(signedImgRef name.Reference, regClientOpts []ociremote.Option) (oci.SignedEntity, v1.Hash, error) {
@@ -189,7 +195,6 @@ func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Ver
 		for _, identity := range co.Identities {
 			issuerMatches := false
 			// Check the issuer first
-			fmt.Fprintf(os.Stderr, "Checking identity: %+v", identity)
 			if identity.Issuer != "" {
 				issuer := getIssuer(cert)
 				if regex, err := regexp.Compile(identity.Issuer); err != nil {

pkg/cosign/verify_test.go

@@ -40,7 +40,6 @@ import (
 	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/pkg/errors"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
-	"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
 	"github.com/sigstore/cosign/pkg/cosign/bundle"
 	ctuf "github.com/sigstore/cosign/pkg/cosign/tuf"
 	"github.com/sigstore/cosign/pkg/oci/static"
@@ -558,56 +557,56 @@ func TestValidateAndUnpackCertWithIdentities(t *testing.T) {
 	oidcIssuer := "https://accounts.google.com"
 
 	tests := []struct {
-		identities       []v1alpha1.Identity
+		identities       []Identity
 		wantErrSubstring string
 		dnsNames         []string
 		emailAddresses   []string
 		ipAddresses      []net.IP
 		uris             []*url.URL
 	}{
 		{identities: nil /* No matches required, checks out */},
-		{identities: []v1alpha1.Identity{ // Strict match on both
+		{identities: []Identity{ // Strict match on both
 			{Subject: emailSubject, Issuer: oidcIssuer}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: ""},
-		{identities: []v1alpha1.Identity{ // just issuer
+		{identities: []Identity{ // just issuer
 			{Issuer: oidcIssuer}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: ""},
-		{identities: []v1alpha1.Identity{ // just subject
+		{identities: []Identity{ // just subject
 			{Subject: emailSubject}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: ""},
-		{identities: []v1alpha1.Identity{ // mis-match
+		{identities: []Identity{ // mis-match
 			{Subject: "wrongsubject", Issuer: oidcIssuer},
 			{Subject: emailSubject, Issuer: "wrongissuer"}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: "none of the expected identities matched"},
-		{identities: []v1alpha1.Identity{ // one good identity, other does not match
+		{identities: []Identity{ // one good identity, other does not match
 			{Subject: "wrongsubject", Issuer: "wrongissuer"},
 			{Subject: emailSubject, Issuer: oidcIssuer}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: ""},
-		{identities: []v1alpha1.Identity{ // illegal regex for subject
+		{identities: []Identity{ // illegal regex for subject
 			{Subject: "****", Issuer: oidcIssuer}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: "malformed subject in identity"},
-		{identities: []v1alpha1.Identity{ // illegal regex for issuer
+		{identities: []Identity{ // illegal regex for issuer
 			{Subject: emailSubject, Issuer: "****"}},
 			wantErrSubstring: "malformed issuer in identity"},
-		{identities: []v1alpha1.Identity{ // regex matches
+		{identities: []Identity{ // regex matches
 			{Subject: ".*example.com", Issuer: ".*accounts.google.*"}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: ""},
-		{identities: []v1alpha1.Identity{ // regex matches dnsNames
+		{identities: []Identity{ // regex matches dnsNames
 			{Subject: ".*ubject.example.com", Issuer: ".*accounts.google.*"}},
 			dnsNames:         dnsSubjects,
 			wantErrSubstring: ""},
-		{identities: []v1alpha1.Identity{ // regex matches ip
+		{identities: []Identity{ // regex matches ip
 			{Subject: "1.2.3.*", Issuer: ".*accounts.google.*"}},
 			ipAddresses:      ipSubjects,
 			wantErrSubstring: ""},
-		{identities: []v1alpha1.Identity{ // regex matches urls
+		{identities: []Identity{ // regex matches urls
 			{Subject: ".*url.examp.*", Issuer: ".*accounts.google.*"}},
 			uris:             uriSubjects,
 			wantErrSubstring: ""},