Use the slsa-verifier tool as a Go dependencies instead of building the binary separately #16

Closed
tromai opened this issue Jan 4, 2023 · 4 comments
Labels: dependencies (Pull requests that update a dependency file)

Comments

tromai (Member) commented Jan 4, 2023

Description/Requirements
At the moment, Macaron is using slsa-verifier to verify the content of SLSA provenances. We use it directly out of the box; therefore, it is built from source to generate a binary which is then invoked by Macaron. For example, this is the step where we prepare the slsa-verifier binary in the Makefile.

This works fine; however, we are doing an extra step to generate the binary from source (as compared to using Go to build the whole Go module automatically), and the version of slsa-verifier is hard-coded rather than declared in the conventional go.mod. This would make it very difficult to maintain and update automatically with Dependabot.

Solution
We could address the above issue by writing a simple wrapper using slsa-verifier as a third-party dependency Go library.
In terms of licensing, we won't have any issue as slsa-verifier has been approved prior to open-sourcing.

@tromai tromai added the dependencies Pull requests that update a dependency file label Jan 4, 2023
@tromai tromai self-assigned this Jan 4, 2023
tromai (Member, Author) commented Jan 4, 2023

@behnazh-w Please let me know if this sounds good to you.

@tromai tromai closed this as completed Jan 4, 2023
@tromai tromai reopened this Jan 4, 2023
behnazh-w (Member) commented Jan 4, 2023

> @behnazh-w Please let me know if this sounds good to you.

Thanks, sounds good to me.

tromai (Member, Author) commented Jan 4, 2023

After having a closer look at this issue, I noticed that we could not write a wrapper to directly use the slsa-verifier CLI program because it is a program (specified by main.go), not an importable Go package. We could not import main.go directly (https://stackoverflow.com/questions/44420826/access-main-package-from-other-package).

To do it properly, our wrapper would need to extend the package here with our own implementation of how to handle the parameters. However, it does not make sense, as we are not extending the CLI tool or the slsa-verifier package. In addition, we might want to switch to using their remote API in the future. It won't give us any significant benefit atm. I will leave this issue open to revisit in the future.

tromai (Member, Author) commented Mar 22, 2023

I will close this issue because it won't be fixed, and we have a different design in #3.

@tromai tromai closed this as completed Mar 22, 2023