feat: cosign verifier

[junczhu]

What this PR does / why we need it:

Added design document

Implement cosign verifier

• verify cosign signature including both with key and keyless verification
• truststore mapping, including keys, certificates, and certchains for verification
• using VerfierOptions, is for verifier creatation and VerifyOption and VerifyContext for verification

Which issue(s) this PR resolves

Resolves #39

Please check the following list:

• Does the affected code have corresponding tests, e.g. unit test?
• Does this introduce breaking changes that would require an announcement or bumping the major version?
• Do all new files have an appropriate license header?

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 38.24701% with 155 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
cosign/verifier.go	29.03%	145 Missing and 9 partials ⚠️
...osign/verifycontextoptions/verifycontextoptions.go	90.00%	1 Missing ⚠️

❌ Your patch status has failed because the patch coverage (38.24%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.
❌ Your project status has failed because the head coverage (48.53%) is below the target coverage (80.00%). You can increase the head coverage or adjust the target coverage.

Files with missing lines	Coverage Δ
cosign/truststore/truststore.go	100.00% <100.00%> (ø)
...osign/verifycontextoptions/verifycontextoptions.go	90.00% <90.00%> (ø)
cosign/verifier.go	29.03% <29.03%> (ø)

[binbin-li]

NewTrustStore?

[binbin-li]

does opts get used?

[junczhu]

A1: Shall we rename or create a new package for this structure?
A2: I would read input from opts

[junczhu]

use NewTrustStore

[junczhu]

Updated

[binbin-li]

should we return err if it's not existing.

[junczhu]

skip

[junczhu]

Gonna update the remote branch to apply those newly merged changes.

[binbin-li]

could you briefly explain how to support distinguish cert/keys for different repos/registries.

[binbin-li]

the map seems mapping a digested reference to a context, which means users need to configure the context for each artifact that will be validated. It would be a huge work for users. Does all options in this VerifyContext vary for each artifact?

[junczhu]

Would it be better to have a mapping function

[binbin-li]

seems it's an experimental feature for cosign, probably we still need to support the main user scenario. cc: @shizhMSFT

[binbin-li]

we should either expose it or have a constructor to create it with values.

[binbin-li]

we could remove some options if they are not required in this PR

[junczhu]

Those ones are filtered and indeed used in this PR.
I would keep an eye on the changes based on the change of PR

[shizhMSFT]

I would request a markdown of the design. Otherwise, it is too difficult to understand. Please provide an outline first, and then fill in the details.

[junczhu]

need to remove

[junczhu]

resolved

[junczhu]

rename Imp

[junczhu]

resolved

[junczhu]

use NewTrustStore

[junczhu]

skip

[junczhu]

Would it be better to have a mapping function

[junczhu]

You are right, We should also consider cases that fail to verify but no error.

[junczhu]

Convert to draft as a PoC