Add support for new bundle specification for attesting/verifying OCI image attestations

[codysoyland]

Summary

This PR adds support for the new Cosign Bundle Specification in cosign attest and cosign verify-attestation.

Related: #3139

To test, run the following (replacing MY_IDENTITY, MY_ISSUER, MY_TRUSTED_ROOT and MY_IMAGE as needed -- trusted root is optional). Note that the new OCI support requires passing --new-bundle-format into both commands.

go run ./cmd/cosign attest --predicate my-predicate.json --new-bundle-format MY_IMAGE
go run ./cmd/cosign verify-attestation --certificate-identity MY_IDENTITY --certificate-oidc-issuer MY_ISSUER --new-bundle-format --trusted-root=MY_TRUSTED_ROOT MY_IMAGE

Full example (using crane, but can instead use docker tag/docker push):

make cosign
docker run -d -p 5050:5000 ghcr.io/project-zot/zot-linux-arm64:latest
crane copy busybox:latest localhost:5050/busybox
echo '{"foo": "bar"}' > predicate.json
./cosign attest --predicate predicate.json --new-bundle-format localhost:5050/busybox:latest
# Dex workflow, assuming GitHub as provider
./cosign verify-attestation --certificate-identity=yourname@example.com --certificate-oidc-issuer=https://github.com/login/oauth --new-bundle-format localhost:5050/busybox:latest

To show that it uses the OCI 1.1 referrers API, you can use oras:

oras discover localhost:5050/busybox:latest
Discovered 1 artifact referencing latest
Digest: sha256:db142d433cdde11f10ae479dbf92f3b13d693fd1c91053da9979728cceb1dc68

Artifact Type                                   Digest
application/vnd.dev.sigstore.bundle.v0.3+json   sha256:3fb46d845fe437667a6b3ed45d2b11dea11c43f8fbe76dd642eb71de2a9b8b77

Release Note

Documentation

[codecov]

Codecov Report

Attention: Patch coverage is 10.29412% with 366 lines in your changes missing coverage. Please review.

Project coverage is 35.81%. Comparing base (2ef6022) to head (2c27fc5).
Report is 258 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cosign/verify.go	19.27%	126 Missing and 8 partials ⚠️
pkg/oci/remote/write.go	0.00%	92 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go	0.00%	35 Missing ⚠️
cmd/cosign/cli/attest/attest.go	0.00%	32 Missing ⚠️
pkg/oci/remote/signatures.go	0.00%	31 Missing ⚠️
cmd/cosign/cli/attest/common.go	0.00%	10 Missing ⚠️
cmd/cosign/cli/verify/verify.go	0.00%	8 Missing ⚠️
cmd/cosign/cli/attest/attest_blob.go	14.28%	6 Missing ⚠️
cmd/cosign/cli/verify.go	0.00%	6 Missing ⚠️
pkg/cosign/verify_bundle.go	40.00%	4 Missing and 2 partials ⚠️
... and 4 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3889      +/-   ##
==========================================
- Coverage   40.10%   35.81%   -4.29%     
==========================================
  Files         155      210      +55     
  Lines       10044    13666    +3622     
==========================================
+ Hits         4028     4895     +867     
- Misses       5530     8142    +2612     
- Partials      486      629     +143     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cmurphy]

If they haven't set --trusted-root then they could be using other flags or relying on the TUF v1 setup which might be pointed to something other than the public good instance. I understand that this is only meant to be called when --new-bundle-format is set but I'm worried that this would be surprising behavior if the PGI trusted root is used while the cached TUF metadata is pointed somewhere else.

[cmurphy]

Could you clarify why it's okay for only one bundle to be verified?

[cmurphy]

Is there not a more specific artifact type we can filter by when getting attestations?

[codysoyland]

The artifactType for bundles is something like application/vnd.dev.sigstore.bundle.v0.3+json. Since the version number is baked into the type, we can't use the filter feature here. Therefore, getBundles uses an empty string as the artifactType in the call to Referrers.

[cmurphy]

Maybe out of scope for this PR but a note for the future, this is setting NewBundleFormat without setting TrustedRootPath, which means the TrustedMaterial will default to using PGI. We're trying to avoid making external network calls to live services. The only reason that isn't a problem here is because this test is using a local key pair and is not uploading to Rekor, so it doesn't matter what verification material is used. But a useful test in the future might be to have this use ephemeral keys from Fulcio (localhost:5555) and upload the entry to Rekor (localhost:3000) so that the full verification path with a locally generated trust root could be tested.

[cmurphy]

Is this potentially something that could be split out into its own PR, so that each PR has a clear singular focus?

[codysoyland]

That's a good idea for something we can split out... I think this is needed because the existing timestamp verification in cosign doesn't work with TUF/PGI, and is only enforced if you provide a timestamp cert chain to the verification subcommands.

[codysoyland]

Consider splitting this into separate PR and refactoring existing verifyNewBundle.