Offline verification: verify content checksum

[wlynch]

Description

For offline verification, we are taking the checksum from the signature - we should really be re-computing the checksum ourselves and verifying it matches the signature checksum.

Cut a v0.7.0 release a little too quickly here, so going to retract it.

Version

v0.7.0

[wlynch]

Looking at this more closely - we are doing the right thing, but it's very easy for a consumer of the API to do the wrong thing without realizing.

In typical gitsign usage we're verifying the cert, then using VerifyOffline really as the Rekor inclusion check:

gitsign/pkg/git/verify.go

Lines 68 to 83 in 8a76ba2

	func Verify(ctx context.Context, git Verifier, rekor rekor.Verifier, data, sig []byte, detached bool) (*VerificationSummary, error) {
	claims := []Claim{}
	cert, err := git.Verify(ctx, data, sig, detached)
	if err != nil {
	return nil, err
	}
	claims = append(claims, NewClaim(ClaimValidatedSignature, true))
	if tlog, err := rekor.VerifyOffline(ctx, sig); err == nil {
	return &VerificationSummary{
	Cert: cert,
	LogEntry: tlog,
	Claims: claims,
	}, nil
	}

But if you look at just rekor.OfflineVerify, it's not obvious that it's only doing the inclusion check, rather than the complete verification.

I'm going to refactor things a bit to make it harder to hold wrong.