Deprecate all packages in in-toto-golang

in_toto/keylib.go

@@ -285,6 +285,8 @@ On success it will return nil. The following errors can happen:
   - no valid PKCS8/PKCS1 private key or PKIX public key
   - errors while marshalling
   - unsupported key types
+
+Deprecated: This method has been deprecated.
 */
 func (k *Key) LoadKey(path string, scheme string, KeyIDHashAlgorithms []string) error {
 	pemFile, err := os.Open(path)
@@ -301,6 +303,9 @@ func (k *Key) LoadKey(path string, scheme string, KeyIDHashAlgorithms []string)
 	return pemFile.Close()
 }
 
+// LoadKeyDefaults has been deprecated.
+//
+// Deprecated: This method has been deprecated.
 func (k *Key) LoadKeyDefaults(path string) error {
 	pemFile, err := os.Open(path)
 	if err != nil {
@@ -317,6 +322,8 @@ func (k *Key) LoadKeyDefaults(path string) error {
 }
 
 // LoadKeyReader loads the key from a supplied reader. The logic matches LoadKey otherwise.
+//
+// Deprecated: This method has been deprecated.
 func (k *Key) LoadKeyReader(r io.Reader, scheme string, KeyIDHashAlgorithms []string) error {
 	if r == nil {
 		return ErrNoPEMBlock
@@ -336,6 +343,9 @@ func (k *Key) LoadKeyReader(r io.Reader, scheme string, KeyIDHashAlgorithms []st
 	return k.loadKey(key, pemData, scheme, KeyIDHashAlgorithms)
 }
 
+// LoadKeyReaderDefaults has been deprecated.
+//
+// Deprecated: This method has been deprecated.
 func (k *Key) LoadKeyReaderDefaults(r io.Reader) error {
 	if r == nil {
 		return ErrNoPEMBlock
@@ -447,7 +457,9 @@ func (k *Key) loadKey(keyObj interface{}, pemData *pem.Block, scheme string, key
 /*
 VerifyCertificateTrust verifies that the certificate has a chain of trust
 to a root in rootCertPool, possibly using any intermediates in
-intermediateCertPool
+intermediateCertPool.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyCertificateTrust(cert *x509.Certificate, rootCertPool, intermediateCertPool *x509.CertPool) ([][]*x509.Certificate, error) {
 	verifyOptions := x509.VerifyOptions{

in_toto/model.go

@@ -816,6 +816,8 @@ a valid JSON formatted Metablock that contains a Link or Layout.
 
 Deprecated: Use LoadMetadata for a signature wrapper agnostic way to load an
 envelope.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) Load(path string) error {
 	// Read entire file
@@ -858,6 +860,8 @@ func (mb *Metablock) Load(path string) error {
 /*
 Dump JSON serializes and writes the Metablock on which it was called to the
 passed path.  It returns an error if JSON serialization or writing fails.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) Dump(path string) error {
 	// JSON encode Metablock formatted with newlines and indentation
@@ -880,6 +884,8 @@ func (mb *Metablock) Dump(path string) error {
 GetSignableRepresentation returns the canonical JSON representation of the
 Signed field of the Metablock on which it was called.  If canonicalization
 fails the first return value is nil and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) GetSignableRepresentation() ([]byte, error) {
 	return cjson.EncodeCanonical(mb.Signed)
@@ -899,6 +905,8 @@ that it finds in the Signatures field of the Metablock on which it was called.
 It returns an error if Signatures does not contain a Signature corresponding to
 the passed Key, the object in Signed cannot be canonicalized, or the Signature
 is invalid.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) VerifySignature(key Key) error {
 	sig, err := mb.GetSignatureForKeyID(key.KeyID)
@@ -930,6 +938,8 @@ func (mb *Metablock) VerifySignature(key Key) error {
 }
 
 // GetSignatureForKeyID returns the signature that was created by the provided keyID, if it exists.
+//
+// Deprecated: This method has been deprecated.
 func (mb *Metablock) GetSignatureForKeyID(keyID string) (Signature, error) {
 	for _, s := range mb.Signatures {
 		if s.KeyID == keyID {
@@ -943,6 +953,8 @@ func (mb *Metablock) GetSignatureForKeyID(keyID string) (Signature, error) {
 /*
 ValidateMetablock ensures that a passed Metablock object is valid. It indirectly
 validates the Link or Layout that the Metablock object contains.
+
+Deprecated: This method has been deprecated.
 */
 func ValidateMetablock(mb Metablock) error {
 	switch mbSignedType := mb.Signed.(type) {
@@ -971,6 +983,8 @@ Sign creates a signature over the signed portion of the metablock using the Key
 object provided. It then appends the resulting signature to the signatures
 field as provided. It returns an error if the Signed object cannot be
 canonicalized, or if the key is invalid or not supported.
+
+Deprecated: This method has been deprecated.
 */
 func (mb *Metablock) Sign(key Key) error {
 	signer, err := getSignerVerifierFromKey(key)

in_toto/runlib.go

@@ -40,6 +40,8 @@ If reading the file fails, the first return value is nil and the second return
 value is the error.
 NOTE: For cross-platform consistency Windows-style line separators (CRLF) are
 normalized to Unix-style line separators (LF) before hashing file contents.
+
+Deprecated: This method has been deprecated.
 */
 func RecordArtifact(path string, hashAlgorithms []string, lineNormalization bool) (HashObj, error) {
 	supportedHashMappings := getHashMapping()
@@ -91,6 +93,8 @@ the following format:
 
 If recording an artifact fails the first return value is nil and the second
 return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func RecordArtifacts(paths []string, hashAlgorithms []string, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool) (evalArtifacts map[string]HashObj, err error) {
 	// Make sure to initialize a fresh hashset for every RecordArtifacts call
@@ -273,6 +277,8 @@ If the command cannot be executed or no pipes for stdout or stderr can be
 created the first return value is nil and the second return value is the error.
 NOTE: Since stdout and stderr are captured, they cannot be seen during the
 command execution.
+
+Deprecated: This method has been deprecated.
 */
 func RunCommand(cmdArgs []string, runDir string) (map[string]interface{}, error) {
 	if len(cmdArgs) == 0 {
@@ -318,6 +324,8 @@ metadata.  Link metadata contains recorded products at the passed productPaths
 and materials at the passed materialPaths.  The returned link is wrapped in a
 Metablock object.  If command execution or artifact recording fails the first
 return value is an empty Metablock and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoRun(name string, runDir string, materialPaths []string, productPaths []string, cmdArgs []string, key Key, hashAlgorithms []string, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool, useDSSE bool) (Metadata, error) {
 	materials, err := RecordArtifacts(materialPaths, hashAlgorithms, gitignorePatterns, lStripPaths, lineNormalization, followSymlinkDirs)
@@ -379,6 +387,8 @@ InTotoRecordStart begins the creation of a link metablock file in two steps,
 in order to provide evidence for supply chain steps that cannot be carries out
 by a single command.  InTotoRecordStart collects the hashes of the materials
 before any commands are run, signs the unfinished link, and returns the link.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoRecordStart(name string, materialPaths []string, key Key, hashAlgorithms, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool, useDSSE bool) (Metadata, error) {
 	materials, err := RecordArtifacts(materialPaths, hashAlgorithms, gitignorePatterns, lStripPaths, lineNormalization, followSymlinkDirs)
@@ -428,6 +438,8 @@ InTotoRecordStart. InTotoRecordStop takes in a signed unfinished link metablock
 created by InTotoRecordStart and records the hashes of any products created by
 commands run between InTotoRecordStart and InTotoRecordStop.  The resultant
 finished link metablock is then signed by the provided key and returned.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoRecordStop(prelimLinkEnv Metadata, productPaths []string, key Key, hashAlgorithms, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool, useDSSE bool) (Metadata, error) {
 	if err := prelimLinkEnv.VerifySignature(key); err != nil {
@@ -475,6 +487,8 @@ func InTotoRecordStop(prelimLinkEnv Metadata, productPaths []string, key Key, ha
 InTotoMatchProducts checks if local artifacts match products in passed link.
 
 NOTE: Does not check integrity or authenticity of passed link!
+
+Deprecated: This method has been deprecated.
 */
 func InTotoMatchProducts(link *Link, paths []string, hashAlgorithms []string, excludePatterns []string, lstripPaths []string) ([]string, []string, []string, error) {
 	if len(paths) == 0 {

in_toto/runlib_test.go

@@ -450,7 +450,7 @@ func TestInTotoRun(t *testing.T) {
 					},
 				},
 				Products: map[string]HashObj{
-					"foo.tar.gz": HashObj{
+					"foo.tar.gz": {
 						"sha256": "52947cb78b91ad01fe81cd6aef42d1f6817e92b9e6936c1e5aabb7c98514f355",
 					},
 				},

in_toto/slsa_provenance/common/common.go

@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package common
 
 // DigestSet contains a set of digests. It is represented as a map from

in_toto/slsa_provenance/v0.1/provenance.go

@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package v01
 
 import (

in_toto/slsa_provenance/v0.2/provenance.go

@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package v02
 
 import (

in_toto/slsa_provenance/v1/provenance.go

@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package v1
 
 import (

in_toto/verifylib.go

@@ -2,6 +2,8 @@
 Package in_toto implements types and routines to verify a software supply chain
 according to the in-toto specification.
 See https://github.com/in-toto/docs/blob/master/in-toto-spec.md
+
+Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 */
 package in_toto
 
@@ -41,6 +43,8 @@ returned.  The format is:
 If executing the inspection command fails, or if the executed command has a
 non-zero exit code, the first return value is an empty Metablock map and the
 second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func RunInspections(layout Layout, runDir string, lineNormalization bool, useDSSE bool) (map[string]Metadata, error) {
 	inspectionMetadata := make(map[string]Metadata)
@@ -189,6 +193,8 @@ All rules except for DISALLOW consume queued artifacts on success, and
 leave the queue unchanged on failure.  Hence, it is left to a terminal
 DISALLOW rule to fail overall verification, if artifacts are left in the queue
 that should have been consumed by preceding rules.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyArtifacts(items []interface{},
 	itemsMetadata map[string]Metadata) error {
@@ -384,6 +390,8 @@ step.  The function returns a map with one Metablock (link) per step:
 If links corresponding to the same step report different Materials or different
 Products, the first return value is an empty Metablock map and the second
 return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func ReduceStepsMetadata(layout Layout,
 	stepsMetadata map[string]map[string]Metadata) (map[string]Metadata,
@@ -447,6 +455,8 @@ VerifyStepCommandAlignment (soft) verifies that for each step of the passed
 layout the command executed, as per the passed link, matches the expected
 command, as per the layout.  Soft verification means that, in case a command
 does not align, a warning is issued.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyStepCommandAlignment(layout Layout,
 	stepsMetadata map[string]map[string]Metadata) {
@@ -482,6 +492,8 @@ LoadLayoutCertificates loads the root and intermediate CAs from the layout if in
 This will be used to check signatures that were used to sign links but not configured
 in the PubKeys section of the step.  No configured CAs means we don't want to allow this.
 Returned CertPools will be empty in this case.
+
+Deprecated: This method has been deprecated.
 */
 func LoadLayoutCertificates(layout Layout, intermediatePems [][]byte) (*x509.CertPool, *x509.CertPool, error) {
 	rootPool := x509.NewCertPool()
@@ -533,6 +545,8 @@ links with valid signatures from distinct functionaries and has the format:
 If for any step of the layout there are not enough links available, the first
 return value is an empty map of Metablock maps and the second return value is
 the error.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyLinkSignatureThesholds(layout Layout,
 	stepsMetadata map[string]map[string]Metadata, rootCertPool, intermediateCertPool *x509.CertPool) (
@@ -646,6 +660,8 @@ If a link cannot be loaded at a constructed link name or is invalid, it is
 ignored. Only a preliminary threshold check is performed, that is, if there
 aren't at least Threshold links for any given step, the first return value
 is an empty map of Metablock maps and the second return value is the error.
+
+Deprecated: This method has been deprecated.
 */
 func LoadLinksForLayout(layout Layout, linkDir string) (map[string]map[string]Metadata, error) {
 	stepsMetadata := make(map[string]map[string]Metadata)
@@ -690,6 +706,8 @@ func LoadLinksForLayout(layout Layout, linkDir string) (map[string]map[string]Me
 /*
 VerifyLayoutExpiration verifies that the passed Layout has not expired.  It
 returns an error if the (zulu) date in the Expires field is in the past.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyLayoutExpiration(layout Layout) error {
 	expires, err := time.Parse(ISO8601DateSchema, layout.Expires)
@@ -709,6 +727,8 @@ corresponding signature of the Layout in the passed Metablock's Signed field.
 Signatures and keys are associated by key id.  If the key map is empty, or the
 Metablock's Signature field does not have a signature for one or more of the
 passed keys, or a matching signature is invalid, an error is returned.
+
+Deprecated: This method has been deprecated.
 */
 func VerifyLayoutSignatures(layoutEnv Metadata,
 	layoutKeys map[string]Key) error {
@@ -732,6 +752,8 @@ chain.
 NOTE: The assumption is that the steps mentioned in the layout are to be
 performed sequentially. So, the first step mentioned in the layout denotes what
 comes into the supply chain and the last step denotes what goes out.
+
+Deprecated: This method has been deprecated.
 */
 func GetSummaryLink(layout Layout, stepsMetadataReduced map[string]Metadata,
 	stepName string, useDSSE bool) (Metadata, error) {
@@ -776,6 +798,8 @@ func GetSummaryLink(layout Layout, stepsMetadataReduced map[string]Metadata,
 VerifySublayouts checks if any step in the supply chain is a sublayout, and if
 so, recursively resolves it and replaces it with a summary link summarizing the
 steps carried out in the sublayout.
+
+Deprecated: This method has been deprecated.
 */
 func VerifySublayouts(layout Layout,
 	stepsMetadataVerified map[string]map[string]Metadata,
@@ -832,6 +856,8 @@ in the following fields:
 The substitution marker is '{}' and the keyword within the braces is replaced
 by a value found in the substitution map passed, parameterDictionary. The
 layout with parameters substituted is returned to the calling function.
+
+Deprecated: This method has been deprecated.
 */
 func SubstituteParameters(layout Layout,
 	parameterDictionary map[string]string) (Layout, error) {
@@ -907,6 +933,8 @@ Metablock object.
 
 NOTE: Artifact rules of type "create", "modify"
 and "delete" are currently not supported.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoVerify(layoutEnv Metadata, layoutKeys map[string]Key,
 	linkDir string, stepName string, parameterDictionary map[string]string, intermediatePems [][]byte, lineNormalization bool) (
@@ -1010,6 +1038,8 @@ func InTotoVerify(layoutEnv Metadata, layoutKeys map[string]Key,
 /*
 InTotoVerifyWithDirectory provides the same functionality as InTotoVerify, but
 adds the possibility to select a local directory from where the inspections are run.
+
+Deprecated: This method has been deprecated.
 */
 func InTotoVerifyWithDirectory(layoutEnv Metadata, layoutKeys map[string]Key,
 	linkDir string, runDir string, stepName string, parameterDictionary map[string]string, intermediatePems [][]byte, lineNormalization bool) (

in_toto/verifylib_test.go

@@ -579,7 +579,7 @@ func TestVerifyArtifact(t *testing.T) {
 		{
 			name:      "Consuming filename material in inspection",
 			item:      []interface{}{Inspection{SupplyChainItem: SupplyChainItem{Name: "foo", ExpectedMaterials: [][]string{{"ALLOW", "foo.py"}, {"DISALLOW", "*"}}}}},
-			metadata:  map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"./bar/..//foo.py": HashObj{"sha265": "abc"}}}}},
+			metadata:  map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"./bar/..//foo.py": {"sha265": "abc"}}}}},
 			expectErr: "",
 		},
 		{
@@ -636,14 +636,14 @@ func TestVerifyMatchRule(t *testing.T) {
 			name:        "Match material foo.py with foo.d/foo.py",
 			rule:        map[string]string{"pattern": "*", "dstName": "foo", "dstType": "materials", "dstPrefix": "foo.d"},
 			srcArtifact: map[string]HashObj{"foo.py": {"sha265": "abc"}},
-			item:        map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.d/foo.py": HashObj{"sha265": "abc"}}}}},
+			item:        map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.d/foo.py": {"sha265": "abc"}}}}},
 			expectSet:   NewSet("foo.py"),
 		},
 		{
 			name:        "Match material foo.d/foo.py with foo.py",
 			rule:        map[string]string{"pattern": "*", "dstName": "foo", "dstType": "materials", "srcPrefix": "foo.d"},
 			srcArtifact: map[string]HashObj{"foo.d/foo.py": {"sha265": "abc"}},
-			item:        map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.py": HashObj{"sha265": "abc"}}}}},
+			item:        map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.py": {"sha265": "abc"}}}}},
 			expectSet:   NewSet("foo.d/foo.py"),
 		},
 		{

internal/spiffe/spiffe.go

@@ -1,3 +1,4 @@
+// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
 package spiffe
 
 import (