Add Metadata interface for signature wrappers

This change introduces the signature wrapper agnostic Metadata interface
and support for DSSE.

Signed-off-by: Aditya Sirish <aditya@saky.in>

cmd/record.go

@@ -126,6 +126,13 @@ operating systems. It is done by replacing all line separators
 with a new line character.`,
 	)
 
+	recordCmd.PersistentFlags().BoolVar(
+		&useDSSE,
+		"use-dsse",
+		false,
+		"Create metadata using DSSE instead of the legacy signature wrapper.",
+	)
+
 	recordCmd.PersistentFlags().BoolVar(
 		&followSymlinkDirs,
 		"follow-symlink-dirs",
@@ -165,7 +172,7 @@ command is executed. Symlinks are followed.`,
 }
 
 func recordStart(cmd *cobra.Command, args []string) error {
-	block, err := intoto.InTotoRecordStart(recordStepName, recordMaterialsPaths, key, []string{"sha256"}, exclude, lStripPaths, lineNormalization, followSymlinkDirs)
+	block, err := intoto.InTotoRecordStart(recordStepName, recordMaterialsPaths, key, []string{"sha256"}, exclude, lStripPaths, lineNormalization, followSymlinkDirs, useDSSE)
 	if err != nil {
 		return fmt.Errorf("failed to create start link file: %w", err)
 	}
@@ -181,14 +188,14 @@ func recordStart(cmd *cobra.Command, args []string) error {
 }
 
 func recordStop(cmd *cobra.Command, args []string) error {
-	var prelimLinkMb intoto.Metablock
 	prelimLinkName := fmt.Sprintf(intoto.PreliminaryLinkNameFormat, recordStepName, key.KeyID)
 	prelimLinkPath := filepath.Join(outDir, prelimLinkName)
-	if err := prelimLinkMb.Load(prelimLinkPath); err != nil {
+	prelimLinkMb, err := intoto.LoadMetadata(prelimLinkPath)
+	if err != nil {
 		return fmt.Errorf("failed to load start link file at %s: %w", prelimLinkName, err)
 	}
 
-	linkMb, err := intoto.InTotoRecordStop(prelimLinkMb, recordProductsPaths, key, []string{"sha256"}, exclude, lStripPaths, lineNormalization, followSymlinkDirs)
+	linkMb, err := intoto.InTotoRecordStop(prelimLinkMb, recordProductsPaths, key, []string{"sha256"}, exclude, lStripPaths, lineNormalization, followSymlinkDirs, useDSSE)
 	if err != nil {
 		return fmt.Errorf("failed to create stop link file: %w", err)
 	}

cmd/root.go

@@ -24,6 +24,7 @@ var (
 	outDir            string
 	lineNormalization bool
 	followSymlinkDirs bool
+	useDSSE           bool
 )
 
 var rootCmd = &cobra.Command{

cmd/run.go

@@ -149,6 +149,13 @@ toggles following linked directories only, linked files are always
 recorded independently of this parameter.`,
 	)
 
+	runCmd.PersistentFlags().BoolVar(
+		&useDSSE,
+		"use-dsse",
+		false,
+		"Create metadata using DSSE instead of the legacy signature wrapper.",
+	)
+
 	runCmd.Flags().StringVar(
 		&spiffeUDS,
 		"spiffe-workload-api-path",
@@ -167,15 +174,15 @@ func run(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("no command arguments passed, please specify or use --no-command option")
 	}
 
-	block, err := intoto.InTotoRun(stepName, runDir, materialsPaths, productsPaths, args, key, []string{"sha256"}, exclude, lStripPaths, lineNormalization, followSymlinkDirs)
+	metadata, err := intoto.InTotoRun(stepName, runDir, materialsPaths, productsPaths, args, key, []string{"sha256"}, exclude, lStripPaths, lineNormalization, followSymlinkDirs, useDSSE)
 	if err != nil {
 		return fmt.Errorf("failed to create link metadata: %w", err)
 	}
 
-	linkName := fmt.Sprintf(intoto.LinkNameFormat, block.Signed.(intoto.Link).Name, key.KeyID)
+	linkName := fmt.Sprintf(intoto.LinkNameFormat, metadata.GetPayload().(intoto.Link).Name, key.KeyID)
 
 	linkPath := filepath.Join(outDir, linkName)
-	err = block.Dump(linkPath)
+	err = metadata.Dump(linkPath)
 	if err != nil {
 		return fmt.Errorf("failed to write link metadata to %s: %w", linkPath, err)
 	}

cmd/sign.go

@@ -60,9 +60,8 @@ root layout's signature(s). Passing exactly one key using
 }
 
 func sign(cmd *cobra.Command, args []string) error {
-	var layoutMb intoto.Metablock
-
-	if err := layoutMb.Load(layoutPath); err != nil {
+	layoutEnv, err := intoto.LoadMetadata(layoutPath)
+	if err != nil {
 		return fmt.Errorf("failed to load layout at %s: %w", layoutPath, err)
 	}
 
@@ -72,7 +71,7 @@ func sign(cmd *cobra.Command, args []string) error {
 	}
 
 	if verifyFile {
-		if err := layoutMb.VerifySignature(key); err != nil {
+		if err := layoutEnv.VerifySignature(key); err != nil {
 			return fmt.Errorf("signature verification failed: %w", err)
 		}
 		return nil
@@ -81,8 +80,9 @@ func sign(cmd *cobra.Command, args []string) error {
 	if len(outputPath) == 0 {
 		outputPath = layoutPath
 	}
-	layoutMb.Sign(key)
-	layoutMb.Dump(outputPath)
 
-	return nil
+	if err := layoutEnv.Sign(key); err != nil {
+		return err
+	}
+	return layoutEnv.Dump(outputPath)
 }

cmd/verify.go

@@ -81,9 +81,8 @@ with a new line character.`,
 }
 
 func verify(cmd *cobra.Command, args []string) error {
-	var layoutMb intoto.Metablock
-
-	if err := layoutMb.Load(layoutPath); err != nil {
+	layoutMb, err := intoto.LoadMetadata(layoutPath)
+	if err != nil {
 		return fmt.Errorf("failed to load layout at %s: %w", layoutPath, err)
 	}
 
@@ -109,7 +108,7 @@ func verify(cmd *cobra.Command, args []string) error {
 		intermediatePems = append(intermediatePems, pemBytes)
 	}
 
-	_, err := intoto.InTotoVerify(layoutMb, layoutKeys, linkDir, "", make(map[string]string), intermediatePems, lineNormalization)
+	_, err = intoto.InTotoVerify(layoutMb, layoutKeys, linkDir, "", make(map[string]string), intermediatePems, lineNormalization)
 	if err != nil {
 		return fmt.Errorf("inspection failed: %w", err)
 	}

doc/in-toto_record.md

@@ -40,6 +40,7 @@ failure and zero otherwise.
                                           operating systems. It is done by replacing all line separators
                                           with a new line character.
       --spiffe-workload-api-path string   UDS path for SPIFFE workload API
+      --use-dsse                          Create metadata using DSSE instead of the legacy signature wrapper.
 ```
 
 ### SEE ALSO

doc/in-toto_record_start.md

@@ -51,6 +51,7 @@ in-toto record start [flags]
                                           operating systems. It is done by replacing all line separators
                                           with a new line character.
       --spiffe-workload-api-path string   UDS path for SPIFFE workload API
+      --use-dsse                          Create metadata using DSSE instead of the legacy signature wrapper.
 ```
 
 ### SEE ALSO

doc/in-toto_record_stop.md

@@ -52,6 +52,7 @@ in-toto record stop [flags]
                                           operating systems. It is done by replacing all line separators
                                           with a new line character.
       --spiffe-workload-api-path string   UDS path for SPIFFE workload API
+      --use-dsse                          Create metadata using DSSE instead of the legacy signature wrapper.
 ```
 
 ### SEE ALSO

doc/in-toto_run.md

@@ -52,6 +52,7 @@ in-toto run [flags]
                                           calling process's current directory. The runDir directory must
                                           exist, be writable, and not be a symlink.
       --spiffe-workload-api-path string   UDS path for SPIFFE workload API
+      --use-dsse                          Create metadata using DSSE instead of the legacy signature wrapper.
 ```
 
 ### SEE ALSO

go.mod

@@ -1,10 +1,10 @@
 module github.com/in-toto/in-toto-golang
 
-go 1.17
+go 1.20
 
 require (
 	github.com/google/go-cmp v0.5.9
-	github.com/secure-systems-lab/go-securesystemslib v0.5.0
+	github.com/secure-systems-lab/go-securesystemslib v0.5.1-0.20230502174335-9ebc3aa8b367
 	github.com/shibumi/go-pathspec v1.3.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spiffe/go-spiffe/v2 v2.1.3
@@ -25,10 +25,10 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/zeebo/errs v1.3.0 // indirect
-	golang.org/x/crypto v0.6.0 // indirect
+	golang.org/x/crypto v0.8.0 // indirect
 	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/net v0.8.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/net v0.9.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/genproto v0.0.0-20230223222841-637eb2293923 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect