cliplugin: convert module to package only (#1956)

* create bridge signerverifier.SignerVerifier

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* confirm the plugin program exists

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* convert cliplugin from module to package

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* fix update localkms go.mod

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* remove cliplugin references from ci

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* cleanup

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* deprecate noteice for ProviderNotFoundError

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* typo

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* fix copyright year

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* shortcut returns

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* copy, instead of embed

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* no deprecation, wrap the ProviderNotFoundError, add tests

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* lint

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* typo

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

---------

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

.github/dependabot.yml

@@ -4,7 +4,6 @@ updates:
   - package-ecosystem: gomod
     directories:
       - "/"
-      - "./pkg/signature/kms/cliplugin"
       - "./pkg/signature/kms/aws"
       - "./pkg/signature/kms/azure"
       - "./pkg/signature/kms/gcp"

.github/workflows/sync-module-tags.yaml

@@ -24,7 +24,6 @@ jobs:
     strategy:
       matrix:
         module:
-          - pkg/signature/kms/cliplugin
           - pkg/signature/kms/aws
           - pkg/signature/kms/azure
           - pkg/signature/kms/gcp

.github/workflows/test.yml

@@ -59,7 +59,6 @@ jobs:
       - run: |
           for submodule in \
             . \
-            pkg/signature/kms/cliplugin \
             pkg/signature/kms/aws \
             pkg/signature/kms/azure \
             pkg/signature/kms/gcp \

.github/workflows/verify.yml

@@ -63,7 +63,6 @@ jobs:
           - ./
           - pkg/signature/kms/aws
           - pkg/signature/kms/azure
-          - pkg/signature/kms/cliplugin
           - pkg/signature/kms/gcp
           - pkg/signature/kms/hashivault
 

Makefile

@@ -34,7 +34,7 @@ CLI_PLUGIN_DIR := ./pkg/signature/kms/cliplugin
 
 LDFLAGS ?=
 
-GO_MOD_DIRS = . ./pkg/signature/kms/aws ./pkg/signature/kms/azure ./pkg/signature/kms/gcp ./pkg/signature/kms/hashivault ./pkg/signature/kms/cliplugin
+GO_MOD_DIRS = . ./pkg/signature/kms/aws ./pkg/signature/kms/azure ./pkg/signature/kms/gcp ./pkg/signature/kms/hashivault
 
 lint:
 	for dir in $(GO_MOD_DIRS) ; do \

pkg/signature/kms/cliplugin/client.go

@@ -21,12 +21,13 @@ import (
 	"crypto"
 	"errors"
 	"fmt"
+	"os/exec"
 	"strings"
 
 	"github.com/sigstore/sigstore/pkg/signature"
-	"github.com/sigstore/sigstore/pkg/signature/kms"
 	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/common"
 	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/encoding"
+	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/internal/signerverifier"
 )
 
 const (
@@ -37,21 +38,19 @@ const (
 // ErrorInputKeyResourceID indicates a problem parsing the key resource id.
 var ErrorInputKeyResourceID = errors.New("parsing input key resource id")
 
-// init registers the plugin system as a provider. It does not search for plugin programs.
-// Users must import this package, e.g.,  `import _ "github.com/sigstore/sigstore/pkg/signature/kms/cliplugin"`
-func init() {
-	kms.AddProvider(kms.CLIPluginProviderKey, LoadSignerVerifier)
-}
-
 // LoadSignerVerifier creates a PluginClient with these InitOptions.
-func LoadSignerVerifier(ctx context.Context, inputKeyResourceID string, hashFunc crypto.Hash, opts ...signature.RPCOption) (kms.SignerVerifier, error) {
+// If the plugin executable does not exist, then it returns exec.ErrNotFound.
+func LoadSignerVerifier(ctx context.Context, inputKeyResourceID string, hashFunc crypto.Hash, opts ...signature.RPCOption) (signerverifier.SignerVerifier, error) {
 	if err := ctx.Err(); err != nil {
 		return nil, err
 	}
 	executable, keyResourceID, err := getPluginExecutableAndKeyResourceID(inputKeyResourceID)
 	if err != nil {
 		return nil, err
 	}
+	if _, err := exec.LookPath(executable); err != nil {
+		return nil, err
+	}
 	initOptions := &common.InitOptions{
 		ProtocolVersion: common.ProtocolVersion,
 		KeyResourceID:   keyResourceID,

pkg/signature/kms/cliplugin/handler/dispatch.go

@@ -24,8 +24,8 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/sigstore/sigstore/pkg/signature/kms"
 	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/common"
+	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/internal/signerverifier"
 )
 
 var (
@@ -68,7 +68,7 @@ func WriteErrorResponse(stdout io.Writer, err error) error {
 
 // Dispatch routes to handler functions based on the PluginArgs.
 // If there is an error to be returned, it will also call WriteResponse with the error.
-func Dispatch(stdout io.Writer, stdin io.Reader, pluginArgs *common.PluginArgs, impl kms.SignerVerifier) (*common.PluginResp, error) {
+func Dispatch(stdout io.Writer, stdin io.Reader, pluginArgs *common.PluginArgs, impl signerverifier.SignerVerifier) (*common.PluginResp, error) {
 	var resp common.PluginResp
 	var err error
 	switch pluginArgs.MethodName {

pkg/signature/kms/cliplugin/handler/methods.go

@@ -24,13 +24,13 @@ import (
 	"io"
 
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
-	"github.com/sigstore/sigstore/pkg/signature/kms"
 	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/common"
 	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/encoding"
+	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin/internal/signerverifier"
 )
 
 // DefaultAlgorithm parses arguments and return values to and from the impl.
-func DefaultAlgorithm(_ io.Reader, _ *common.DefaultAlgorithmArgs, impl kms.SignerVerifier) (*common.DefaultAlgorithmResp, error) {
+func DefaultAlgorithm(_ io.Reader, _ *common.DefaultAlgorithmArgs, impl signerverifier.SignerVerifier) (*common.DefaultAlgorithmResp, error) {
 	defaultAlgorithm := impl.DefaultAlgorithm()
 	resp := &common.DefaultAlgorithmResp{
 		DefaultAlgorithm: defaultAlgorithm,
@@ -39,7 +39,7 @@ func DefaultAlgorithm(_ io.Reader, _ *common.DefaultAlgorithmArgs, impl kms.Sign
 }
 
 // SupportedAlgorithms parses arguments and return values to and from the impl.
-func SupportedAlgorithms(_ io.Reader, _ *common.SupportedAlgorithmsArgs, impl kms.SignerVerifier) (*common.SupportedAlgorithmsResp, error) {
+func SupportedAlgorithms(_ io.Reader, _ *common.SupportedAlgorithmsArgs, impl signerverifier.SignerVerifier) (*common.SupportedAlgorithmsResp, error) {
 	supportedAlgorithms := impl.SupportedAlgorithms()
 	resp := &common.SupportedAlgorithmsResp{
 		SupportedAlgorithms: supportedAlgorithms,
@@ -48,7 +48,7 @@ func SupportedAlgorithms(_ io.Reader, _ *common.SupportedAlgorithmsArgs, impl km
 }
 
 // CreateKey parses arguments and return values to and from the impl.
-func CreateKey(_ io.Reader, args *common.CreateKeyArgs, impl kms.SignerVerifier) (*common.CreateKeyResp, error) {
+func CreateKey(_ io.Reader, args *common.CreateKeyArgs, impl signerverifier.SignerVerifier) (*common.CreateKeyResp, error) {
 	ctx := context.Background()
 	if args.CtxDeadline != nil {
 		var cancel context.CancelFunc
@@ -70,7 +70,7 @@ func CreateKey(_ io.Reader, args *common.CreateKeyArgs, impl kms.SignerVerifier)
 }
 
 // PublicKey parses arguments and return values to and from the impl.
-func PublicKey(_ io.Reader, args *common.PublicKeyArgs, impl kms.SignerVerifier) (*common.PublicKeyResp, error) {
+func PublicKey(_ io.Reader, args *common.PublicKeyArgs, impl signerverifier.SignerVerifier) (*common.PublicKeyResp, error) {
 	opts := encoding.UnpackPublicKeyOptions(args.PublicKeyOptions)
 	publicKey, err := impl.PublicKey(opts...)
 	if err != nil {
@@ -87,7 +87,7 @@ func PublicKey(_ io.Reader, args *common.PublicKeyArgs, impl kms.SignerVerifier)
 }
 
 // SignMessage parses arguments and return values to and from the impl.
-func SignMessage(message io.Reader, args *common.SignMessageArgs, impl kms.SignerVerifier) (*common.SignMessageResp, error) {
+func SignMessage(message io.Reader, args *common.SignMessageArgs, impl signerverifier.SignerVerifier) (*common.SignMessageResp, error) {
 	opts := encoding.UnpackSignOptions(args.SignOptions)
 	signature, err := impl.SignMessage(message, opts...)
 	if err != nil {
@@ -100,7 +100,7 @@ func SignMessage(message io.Reader, args *common.SignMessageArgs, impl kms.Signe
 }
 
 // VerifySignature parses arguments and return values to and from the impl.
-func VerifySignature(message io.Reader, args *common.VerifySignatureArgs, impl kms.SignerVerifier) (*common.VerifySignatureResp, error) {
+func VerifySignature(message io.Reader, args *common.VerifySignatureArgs, impl signerverifier.SignerVerifier) (*common.VerifySignatureResp, error) {
 	opts := encoding.UnpackVerifyOptions(args.VerifyOptions)
 	err := impl.VerifySignature(bytes.NewReader(args.Signature), message, opts...)
 	if err != nil {

pkg/signature/kms/cliplugin/internal/signerverifier/interface.go

@@ -0,0 +1,35 @@
+//
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package signerverifier contains interface for to be implemented by KMSs.
+package signerverifier
+
+import (
+	"context"
+	"crypto"
+
+	"github.com/sigstore/sigstore/pkg/signature"
+)
+
+// SignerVerifier creates and verifies digital signatures over a message using a KMS service
+// The contents must be kept in sync with kms.SignerVerifier, to continue satisfying that interface.
+// We don't directly embed kms.SignerVerfifier because then we would have an import cycle.
+type SignerVerifier interface {
+	signature.SignerVerifier
+	CreateKey(ctx context.Context, algorithm string) (crypto.PublicKey, error)
+	CryptoSigner(ctx context.Context, errFunc func(error)) (crypto.Signer, crypto.SignerOpts, error)
+	SupportedAlgorithms() []string
+	DefaultAlgorithm() string
+}

pkg/signature/kms/cliplugin/signer.go

@@ -43,7 +43,7 @@ var (
 	ErrorPluginReturnError = errors.New("plugin returned error")
 )
 
-// PluginClient implements kms.SignerVerifier with calls to our plugin program.
+// PluginClient implements signerverifier.SignerVerifier with calls to our plugin program.
 type PluginClient struct {
 	executable  string
 	initOptions common.InitOptions

pkg/signature/kms/kms.go

@@ -19,16 +19,13 @@ package kms
 import (
 	"context"
 	"crypto"
+	"errors"
 	"fmt"
+	"os/exec"
 	"strings"
 
 	"github.com/sigstore/sigstore/pkg/signature"
-)
-
-const (
-	// CLIPluginProviderKey is a placeholder used to register the cliplugin as a provider in AddProvider().
-	// Its value should not conflict with any potential callers of AddProvider().
-	CLIPluginProviderKey = "cliplugin"
+	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin"
 )
 
 // ProviderNotFoundError indicates that no matching KMS provider was found
@@ -54,11 +51,10 @@ func AddProvider(keyResourceID string, init ProviderInit) {
 var providersMap = map[string]ProviderInit{}
 
 // Get returns a KMS SignerVerifier for the given resource string and hash function.
-// If no matching provider is found, Get returns a ProviderNotFoundError. It
-// also returns an error if initializing the SignerVerifier fails.
-// If keyResourceID doesn't match any of our hard-coded providers' schemas,
-// it will try to use the plugin system as a provider. If the caller did not import cliplugin
-// to allow it to run its init(), then it returns ProviderNotFoundError.
+// If no matching built-in provider is found, it will try to use the plugin system as a provider.
+// If keyResourceID doesn't match any of our hard-coded providers' schemas, or the plugin program
+// can't be found, then it returns ProviderNotFoundError.
+// It also returns an error if initializing the SignerVerifier fails.
 func Get(ctx context.Context, keyResourceID string, hashFunc crypto.Hash, opts ...signature.RPCOption) (SignerVerifier, error) {
 	for ref, pi := range providersMap {
 		if strings.HasPrefix(keyResourceID, ref) {
@@ -69,14 +65,11 @@ func Get(ctx context.Context, keyResourceID string, hashFunc crypto.Hash, opts .
 			return sv, nil
 		}
 	}
-	if pi, ok := providersMap[CLIPluginProviderKey]; ok {
-		sv, err := pi(ctx, keyResourceID, hashFunc, opts...)
-		if err != nil {
-			return nil, err
-		}
-		return sv, nil
+	sv, err := cliplugin.LoadSignerVerifier(ctx, keyResourceID, hashFunc, opts...)
+	if errors.Is(err, exec.ErrNotFound) {
+		return nil, fmt.Errorf("%w: %w", &ProviderNotFoundError{ref: keyResourceID}, err)
 	}
-	return nil, &ProviderNotFoundError{ref: keyResourceID}
+	return sv, err
 }
 
 // SupportedProviders returns list of initialized providers