Implement cosign verifier #21

Open
binbin-li opened this issue Jan 15, 2025 · 3 comments · May be fixed by ratify-project/ratify-verifier-go#10
Labels: enhancement (New feature or request)

Comments

binbin-li (Contributor) opened this issue:
Is your feature request related to a problem?

n/a

What solution do you propose?

n/a

What alternatives have you considered?

n/a

Any additional context?

No response

@binbin-li binbin-li added the enhancement New feature or request label Jan 15, 2025
junczhu (Contributor) commented Feb 6, 2025

Please assign this to me

junczhu (Contributor) commented Feb 11, 2025

Here is a summary of the verifier functionality provided by the sigstore/cosign package; the struck-through items are for legacy version support:

  1. Creating Cosign Options: The cosign.CheckOpts struct is used to configure the verification options.

  2. Loading Public Key: The cosign.PemToECDSAKey function is used to load a public key from a PEM-encoded file.

  3. Getting Rekor and CT Log Public Keys: The cosign.GetRekorPubs and cosign.GetCTLogPubs functions are used to fetch the Rekor and Certificate Transparency Log public keys.

  4. Creating Static Signature: The static.NewSignature function is used to create a static signature from the blob content.

  (5. Processing AKV Signature: The processAKVSignature function uses the static.NewSignature function to create a static signature after processing the Azure Key Vault signature.)

  6. Loading Verifier: The signature.LoadVerifier function is used to load the appropriate verifier based on the public key type and bytes.

  7. Verifying Image Signature: The cosign.VerifyImageSignature function is used to verify the signature of an image.

junczhu linked a pull request Feb 13, 2025 that will close this issue
junczhu (Contributor) commented Feb 16, 2025

Key verification involves using a public key to verify the signatures. This method ensures that the signatures match the provided public key. Key verification typically includes the following steps:

  • Load Public Key: The public key is loaded from a specified reference (KeyRef).
  • Rekor Client: A Rekor client is used to fetch and verify the transparency log entries.
  • CT Log Public Keys: Certificate Transparency (CT) log public keys are fetched for verifying Signed Certificate Timestamps (SCTs).
  • TSA Certificates: If using signed timestamps, TSA certificates are loaded.
  • Signature Verifier: The public key is used as the signature verifier.

Keyless verification involves using certificates and certificate chains to verify the signatures. This method relies on trusted certificate authorities (CAs) and transparency logs. Keyless verification typically includes the following steps:

  • Load Certificates: Certificates are loaded from specified references (CertRef, CertChain, CARoots, CAIntermediates).
  • Fulcio Roots: If no certificates are provided, Fulcio root certificates are fetched.
  • Rekor Client: A Rekor client is used to fetch and verify the transparency log entries.
  • CT Log Public Keys: Certificate Transparency (CT) log public keys are fetched for verifying Signed Certificate Timestamps (SCTs).
  • Certificate Extensions: Various certificate extensions (e.g., GitHub workflow details) are verified.
  • Signature Verifier: The certificate is used as the signature verifier.
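As an added example (not code from this issue, from ratify-verifier-go, or from sigstore/cosign), the key-verification path from the steps above written against the Go standard library only, standing in for cosign.PemToECDSAKey, signature.LoadVerifier and cosign.VerifyImageSignature. It loads a PEM public key, checks the ASN.1 DER ECDSA-P256 signature over SHA-256 of the raw payload, and then checks that the payload commits to the manifest digest of the image being admitted. The payload layout follows cosign's simple-signing JSON; the image reference, digest and helper names are constructed for the example. Keyless verification (Fulcio chain, Rekor, SCTs) is not exercised here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// SimpleSigning mirrors the "simple signing" JSON that cosign stores in an
// image signature layer and signs.
type SimpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// LoadECDSAPublicKey stands in for cosign.PemToECDSAKey: decode one PEM block
// and accept only an ECDSA public key (the "Load Public Key" step).
func LoadECDSAPublicKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found in key material")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse public key: %w", err)
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unsupported key type %T, want *ecdsa.PublicKey", pub)
	}
	return ecPub, nil
}

// VerifyImageSignature is the key-path check: an ASN.1 DER ECDSA signature
// over SHA-256 of the raw payload, plus a check that the payload commits to
// the manifest digest being admitted. Without the second check a signature
// made for image A would pass for image B.
func VerifyImageSignature(pub *ecdsa.PublicKey, payload []byte, sigB64, wantDigest string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("decode signature: %w", err)
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify against the supplied public key")
	}
	var ss SimpleSigning
	if err := json.Unmarshal(payload, &ss); err != nil {
		return fmt.Errorf("parse payload: %w", err)
	}
	if got := ss.Critical.Image.DockerManifestDigest; got != wantDigest {
		return fmt.Errorf("payload digest %q does not match expected %q", got, wantDigest)
	}
	return nil
}

// signPayload plays the signer so the example runs offline; it produces the
// base64(DER ECDSA-P256) form cosign stores in the signature annotation.
func signPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Demo signs a constructed payload and returns the verifier's verdict for the
// good case, a payload altered after signing, and a different image digest.
func Demo() (validErr, tamperedErr, mismatchErr error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})

	var ss SimpleSigning // constructed sample, not a real image
	ss.Critical.Identity.DockerReference = "registry.example/team/app"
	ss.Critical.Image.DockerManifestDigest = fmt.Sprintf("sha256:%x", sha256.Sum256([]byte("manifest A")))
	ss.Critical.Type = "cosign container image signature"
	payload, _ := json.Marshal(ss)
	sigB64, _ := signPayload(priv, payload)

	pub, err := LoadECDSAPublicKey(pemKey)
	if err != nil {
		return err, err, err
	}
	want := ss.Critical.Image.DockerManifestDigest
	validErr = VerifyImageSignature(pub, payload, sigB64, want)
	tampered := bytes.Replace(payload, []byte("team/app"), []byte("team/evil"), 1)
	tamperedErr = VerifyImageSignature(pub, tampered, sigB64, want)
	other := fmt.Sprintf("sha256:%x", sha256.Sum256([]byte("manifest B")))
	mismatchErr = VerifyImageSignature(pub, payload, sigB64, other)
	return validErr, tamperedErr, mismatchErr
}

func main() {
	v, t, m := Demo()
	fmt.Printf("valid: %v\ntampered: %v\nmismatch: %v\n", v, t, m)
}
```

The digest comparison is the part easiest to forget when wiring cosign's verifier into a policy engine: cosign.VerifyImageSignature does it for you because it is handed the image digest, but a verifier that only calls the raw signature.Verifier on the payload bytes has checked who signed, not what was signed.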
