Description
Describe the solution you'd like:
Witness' initial integration with things like sigstore Fulcio happened before there was a robust sigstore Go client library like sigstore-go. The sigstore-go signing and verifying APIs are almost at v1.0, and there are multiple projects (like cosign and the GitHub CLI) that rely on it. I'll detail the benefits under User value.
User value:
- You would get some features "for free", like getting verification material more securely via TUF instead of directly from Fulcio. This would simplify the verification process and make it more secure.
- sigstore-go has a substantial number of verification checks.
- sigstore-go is already integrated with sigstore conformance testing to ensure it's interoperable with other sigstore tooling.
Expected behavior:
Of these, the most pressing need would be to automatically get sigstore verification information via TUF instead of directly from the server. Admittedly, this could be done without using sigstore-go! But it would also be nice if witness-signed content was compatible with other sigstore tooling.
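The User value and Expected behavior sections above both rest on one point: verification material obtained through TUF is only trusted after a threshold of offline root keys has signed it, whereas material fetched directly from the service is trusted as-is. The following is an added illustration of that difference, written for this page. It is not Witness code and does not use the sigstore-go API; the TrustedRoot shape, the key-ID scheme, the threshold value and the placeholder CA bytes are all assumptions chosen to keep the example self-contained, and the real sigstore trusted root and TUF metadata formats are richer than what is shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TrustedRoot is a simplified stand-in (an assumption for this example) for the
// sigstore trusted root: CA chain, transparency-log key and a validity window.
type TrustedRoot struct {
	Version  int       `json:"version"`
	Expires  time.Time `json:"expires"`
	FulcioCA []byte    `json:"fulcio_ca"` // placeholder for the Fulcio CA chain
	RekorKey []byte    `json:"rekor_key"` // placeholder for the Rekor public key
}

// SignedRoot carries the serialized root plus detached signatures keyed by key ID,
// mirroring the TUF pattern of a signed envelope checked against pinned root keys.
type SignedRoot struct {
	Signed     []byte            `json:"signed"`
	Signatures map[string]string `json:"signatures"` // keyID -> hex(ed25519 signature)
}

// KeyID derives a short identifier from a public key (assumed scheme for the example).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// NewRootKeys generates n offline root keys and returns them indexed by key ID.
func NewRootKeys(n int) (map[string]ed25519.PrivateKey, map[string]ed25519.PublicKey, error) {
	privs := map[string]ed25519.PrivateKey{}
	pubs := map[string]ed25519.PublicKey{}
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		privs[KeyID(pub)] = priv
		pubs[KeyID(pub)] = pub
	}
	return privs, pubs, nil
}

// SignRoot serializes the root and signs those exact bytes with every given signer.
func SignRoot(root TrustedRoot, signers map[string]ed25519.PrivateKey) (SignedRoot, error) {
	signed, err := json.Marshal(root)
	if err != nil {
		return SignedRoot{}, err
	}
	sigs := map[string]string{}
	for id, priv := range signers {
		sigs[id] = hex.EncodeToString(ed25519.Sign(priv, signed))
	}
	return SignedRoot{Signed: signed, Signatures: sigs}, nil
}

// LoadRootDirect models "fetch from the server and trust it": whatever the
// transport returned becomes the verification material, with no independent check.
func LoadRootDirect(sr SignedRoot) (*TrustedRoot, error) {
	var root TrustedRoot
	if err := json.Unmarshal(sr.Signed, &root); err != nil {
		return nil, err
	}
	return &root, nil
}

// VerifyRoot models the TUF-style check: the root is used only if at least
// `threshold` distinct pinned keys signed these exact bytes and it has not expired.
// Unknown or malformed signatures are ignored rather than counted.
func VerifyRoot(sr SignedRoot, trusted map[string]ed25519.PublicKey, threshold int, now time.Time) (*TrustedRoot, error) {
	if threshold < 1 || threshold > len(trusted) {
		return nil, errors.New("threshold must be between 1 and the number of trusted keys")
	}
	valid := 0
	for id, hexSig := range sr.Signatures { // map keys are unique, so each key counts once
		pub, ok := trusted[id]
		if !ok {
			continue // signer not in the pinned root key set
		}
		sig, err := hex.DecodeString(hexSig)
		if err != nil {
			continue
		}
		if ed25519.Verify(pub, sr.Signed, sig) {
			valid++
		}
	}
	if valid < threshold {
		return nil, fmt.Errorf("only %d of %d required root signatures verified", valid, threshold)
	}
	var root TrustedRoot
	if err := json.Unmarshal(sr.Signed, &root); err != nil {
		return nil, err
	}
	if !now.Before(root.Expires) {
		return nil, fmt.Errorf("trusted root expired at %s", root.Expires.Format(time.RFC3339))
	}
	return &root, nil
}

func main() {
	privs, pubs, err := NewRootKeys(3)
	if err != nil {
		panic(err)
	}
	root := TrustedRoot{Version: 1, Expires: time.Now().Add(24 * time.Hour),
		FulcioCA: []byte("constructed placeholder CA"), RekorKey: []byte("constructed placeholder key")}
	sr, _ := SignRoot(root, privs)
	if _, err := VerifyRoot(sr, pubs, 2, time.Now()); err == nil {
		fmt.Println("genuine root accepted by 2-of-3 threshold check")
	}
	// A party controlling the transport or the server swaps the CA; the old signatures no longer match.
	forged := root
	forged.FulcioCA = []byte("attacker CA")
	tampered := sr
	tampered.Signed, _ = json.Marshal(forged)
	if r, err := LoadRootDirect(tampered); err == nil {
		fmt.Printf("direct fetch accepted: %s\n", r.FulcioCA)
	}
	if _, err := VerifyRoot(tampered, pubs, 2, time.Now()); err != nil {
		fmt.Println("TUF-style check rejected tampered root:", err)
	}
}
```

The point of the contrast is the second scenario: the direct path returns the attacker's CA without complaint, while the threshold path fails because no pinned key signed the modified bytes. A real client also has to handle root rotation, snapshot and timestamp roles and rollback protection, which sigstore-go's TUF support covers and this example deliberately does not.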
Proposed solution:
Use sigstore-go for witness' sigstore keyless signing and verifying
Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
Testing changes required:
[List possible testing changes required, if none please explain, if unsure assignee will assist]
Documentation changes required:
[List possible documentation changes required, if none please explain, if unsure assignee will assist]