From 6089e42ac8dad2c09c6ec4125b8ee3d50e4cc09d Mon Sep 17 00:00:00 2001
From: Matt Moore <mattmoor@chainguard.dev>
Date: Fri, 19 Nov 2021 11:06:10 -0800
Subject: [PATCH 1/2] Drop `strfmt.Base64` from `pkg/oci`.

I noticed that vendoring `pkg/oci` was pulling in stuff from `mongodb`, and pulling the thread it seems to come from this line.

`Base64` is an alias of `[]byte`, so this should have a relatively low migration cost.

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
---
 pkg/oci/signatures.go          | 3 +--
 pkg/oci/static/options_test.go | 5 +++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/oci/signatures.go b/pkg/oci/signatures.go
index 2d645276080..82e473d56ea 100644
--- a/pkg/oci/signatures.go
+++ b/pkg/oci/signatures.go
@@ -18,7 +18,6 @@ package oci
 import (
 	"crypto/x509"
 
-	"github.com/go-openapi/strfmt"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 )
 
@@ -64,7 +63,7 @@ type Signature interface {
 // Bundle holds metadata about recording a Signature's ephemeral key to
 // a Rekor transparency log.
 type Bundle struct {
-	SignedEntryTimestamp strfmt.Base64
+	SignedEntryTimestamp []byte
 	Payload              BundlePayload
 }
 
diff --git a/pkg/oci/static/options_test.go b/pkg/oci/static/options_test.go
index 5994c980c09..5a9ca66be6a 100644
--- a/pkg/oci/static/options_test.go
+++ b/pkg/oci/static/options_test.go
@@ -19,6 +19,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/sigstore/cosign/pkg/oci"
 	ctypes "github.com/sigstore/cosign/pkg/types"
@@ -86,7 +87,7 @@ func TestOptions(t *testing.T) {
 			LayerMediaType:  ctypes.SimpleSigningMediaType,
 			ConfigMediaType: types.OCIConfigJSON,
 			Annotations: map[string]string{
-				BundleAnnotationKey: "{\"SignedEntryTimestamp\":\"\",\"Payload\":{\"body\":null,\"integratedTime\":0,\"logIndex\":0,\"logID\":\"\"}}",
+				BundleAnnotationKey: "{\"SignedEntryTimestamp\":null,\"Payload\":{\"body\":null,\"integratedTime\":0,\"logIndex\":0,\"logID\":\"\"}}",
 			},
 			Bundle: bundle,
 		},
@@ -100,7 +101,7 @@ func TestOptions(t *testing.T) {
 			}
 
 			if !reflect.DeepEqual(got, test.want) {
-				t.Errorf("makeOptions() = %#v, wanted %#v", got, test.want)
+				t.Errorf("makeOptions() = %s", cmp.Diff(got, test.want))
 			}
 		})
 	}

From 11fae2260623366a711ebe3e129172035a5f22ec Mon Sep 17 00:00:00 2001
From: Matt Moore <mattmoor@chainguard.dev>
Date: Fri, 19 Nov 2021 11:18:02 -0800
Subject: [PATCH 2/2] Remove upconvert

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
---
 pkg/cosign/verify.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index 23428b6b1e8..408331dd375 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -403,7 +403,7 @@ func VerifyBundle(sig oci.Signature) (bool, error) {
 		return false, errors.Wrap(err, "pem to ecdsa")
 	}
 
-	if err := VerifySET(bundle.Payload, []byte(bundle.SignedEntryTimestamp), rekorPubKey); err != nil {
+	if err := VerifySET(bundle.Payload, bundle.SignedEntryTimestamp, rekorPubKey); err != nil {
 		return false, err
 	}