From 0dca9313bf7ae2eea96fa195eb3ce7ea8f14bea5 Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov
Date: Mon, 10 Nov 2025 09:53:18 +0300
Subject: [PATCH] chore: remove commons-codec dependency from sigstore-java
commons-codec might still be used as a transitive, however, the base code should not rely on commons.
Signed-off-by: Vladimir Sitnikov
---
 sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java | 5 +++--
 sigstore-java/build.gradle.kts | 5 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java b/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
index 779bd056..d7e29b51 100644
--- a/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
+++ b/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
@@ -18,6 +18,7 @@
 import static com.google.common.io.Files.asByteSource;
 import com.google.common.hash.Hashing;
+import com.google.common.io.BaseEncoding;
 import dev.sigstore.KeylessVerifier;
 import dev.sigstore.TrustedRootProvider;
 import dev.sigstore.VerificationOptions;
@@ -30,7 +31,6 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
 import java.util.concurrent.Callable;
-import org.apache.commons.codec.binary.Hex;
 import picocli.CommandLine.ArgGroup;
 import picocli.CommandLine.Command;
 import picocli.CommandLine.Option;
@@ -117,7 +117,8 @@ static class Policy {
 public Integer call() throws Exception {
 byte[] digest;
 if (artifact.startsWith(SHA256_PREFIX)) {
- digest = Hex.decodeHex(artifact.substring(SHA256_PREFIX.length()));
+ digest =
+ BaseEncoding.base16().ignoreCase().decode(artifact.substring(SHA256_PREFIX.length()));
 } else {
 if (workingDirectory != null) {
 artifact = workingDirectory.resolve(artifact).toString();
diff --git a/sigstore-java/build.gradle.kts b/sigstore-java/build.gradle.kts
index e9ae5fb6..3b9ab25e 100644
--- a/sigstore-java/build.gradle.kts
+++ b/sigstore-java/build.gradle.kts
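Review bot: The `sha256:` branch still accepts a digest of any length — `BaseEncoding.base16().ignoreCase().decode(...)` rejects odd-length and non-hex input (with an `IllegalArgumentException` where commons-codec threw `DecoderException`, which `throws Exception` on `call()` still propagates), but neither the removed nor the added line checks that the decoded value is 32 bytes, so an operator typo such as `sha256:abcd` is handed to the verifier as a 2-byte digest. Add the check directly after the decode: `if (digest.length != 32) { throw new IllegalArgumentException("expected a 32-byte sha256 digest after '" + SHA256_PREFIX + "', got " + digest.length + " bytes"); }`. Presumably a wrong-length digest just fails to match the bundle's digest further down, but the early check turns a confusing verification failure into a clear input error at the point where the untrusted string is parsed. `call()` continues past the end of this hunk.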
@@ -11,6 +11,10 @@ plugins {
 description = "A Java client for signing and verifying using Sigstore"
 dependencies {
+ constraints {
+ // Just in case third-party dependencies use it
+ implementation("commons-codec:commons-codec:1.20.0")
+ }
 compileOnly("org.immutables:gson:2.10.1")
 compileOnly("org.immutables:value-annotations:2.10.1")
 annotationProcessor("org.immutables:value:2.10.1")
@@ -34,7 +38,6 @@ dependencies {
 runtimeOnly("io.grpc:grpc-netty-shaded")
 compileOnly("org.apache.tomcat:annotations-api:6.0.53") // java 9+ only
- implementation("commons-codec:commons-codec:1.18.0")
 implementation("com.google.code.gson:gson:2.13.2")
 implementation("org.bouncycastle:bcutil-jdk18on:1.82")
 implementation("org.bouncycastle:bcpkix-jdk18on:1.82")
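Review bot: The comment on the new constraint, `// Just in case third-party dependencies use it`, omits the two facts the next maintainer needs: which transitive (if any) still pulls commons-codec onto the classpath, and why the floor is 1.20.0 when the direct dependency removed in the following hunk was 1.18.0. A constraint declared on `implementation` is silently inert when nothing on the compile/runtime classpaths depends on the module, and it does not reach configurations that do not extend `implementation` (for example `annotationProcessor`), so without that context it can rot unnoticed. I would replace the comment with `// Not used by sigstore-java itself; only raises the floor for any transitive commons-codec` / `// (previously a direct 1.18.0 dependency). Check './gradlew :sigstore-java:dependencies' before removing.`. If the intent is also to protect downstream consumers, keep in mind that Gradle publishes constraints into its module metadata but Maven-only consumers presumably will not honour them, so a note in the release changelog may be the safer channel.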