Request to move away from github.com/chrismellard/docker-credential-acr-env
#3913
Labels: bug
Description
Cosign currently uses github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 in go.mod.

This package (https://github.com/chrismellard/docker-credential-acr-env) is inactive and has received no new commits since March 2023. The version v0.0.0-20230304212654-82a0ddb27589 used in cosign has also not been updated since March 2023.

This package brings in some End of Life packages for Azure Authentication, specifically https://pkg.go.dev/github.com/Azure/go-autorest/autorest/adal and https://pkg.go.dev/github.com/Azure/go-autorest/autorest/azure/auth which reached End of Life on 31 March 2023. This means cosign brings in these end of life modules as indirect dependencies: https://github.com/sigstore/cosign/blob/main/go.mod#L86-L87
Running a go mod why shows:

Suggested Remediation
I recommend that you remove the use of github.com/chrismellard/docker-credential-acr-env as it does not appear to be actively maintained and introduces end of life packages into cosign, and instead use the azure packages directly.
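A check of the kind this issue describes, as an added example that is not part of the original issue or of cosign's code: it scans go.mod text for the two End of Life module paths named above and reports whether each is pulled in indirectly. The function name `FindEOL`, the sample go.mod and the `v0.0.0` go-autorest versions are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// eolModules are the module paths the issue names as End of Life.
var eolModules = []string{
	"github.com/Azure/go-autorest/autorest/adal",
	"github.com/Azure/go-autorest/autorest/azure/auth",
}

// Finding is a go.mod require entry whose path matches an EOL module.
type Finding struct{ Path, Version string; Indirect bool }

// FindEOL (hypothetical helper) scans go.mod text, handling both single-line
// and block require directives, and ignoring exclude/replace/retract blocks.
func FindEOL(gomod string) []Finding {
	var out []Finding
	block := "" // directive of the parenthesised block being read, if any
	for _, raw := range strings.Split(gomod, "\n") {
		line, comment, _ := strings.Cut(raw, "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 3 && f[0] == "require":
			f = f[1:] // single-line form: drop the directive keyword
			fallthrough
		case len(f) == 2 && block == "require":
			for _, eol := range eolModules {
				// Match the module itself or a sub-path, never a sibling prefix.
				if f[0] == eol || strings.HasPrefix(f[0], eol+"/") {
					out = append(out, Finding{f[0], f[1], strings.HasPrefix(strings.TrimSpace(comment), "indirect")})
				}
			}
		}
	}
	return out
}

// sampleGoMod is constructed; the go-autorest versions are placeholders.
const sampleGoMod = `require github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
require (
	github.com/Azure/go-autorest/autorest/adal v0.0.0 // indirect
	github.com/Azure/go-autorest/autorest/azure/auth v0.0.0 // indirect
)`

func main() { fmt.Printf("%+v\n", FindEOL(sampleGoMod)) }
```

A check like this only reports that a listed module is present; `go mod why -m <module>` on the real module is still what identifies which direct dependency pulls it in.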