Add support for new bundle specification for attesting/verifying OCI image attestations

[codysoyland]

Summary

This PR adds support for the new Cosign Bundle Specification in cosign attest and cosign verify-attestation.

Related: #3139

To test, run the following (replacing MY_IDENTITY, MY_ISSUER, MY_TRUSTED_ROOT and MY_IMAGE as needed -- trusted root is optional). Note that the new OCI support requires passing --new-bundle-format into both commands.

go run ./cmd/cosign attest --predicate my-predicate.json --new-bundle-format MY_IMAGE
go run ./cmd/cosign verify-attestation --certificate-identity MY_IDENTITY --certificate-oidc-issuer MY_ISSUER --new-bundle-format --trusted-root=MY_TRUSTED_ROOT MY_IMAGE

Full example (using crane, but can instead use docker tag/docker push):

make cosign
docker run -d -p 5050:5000 ghcr.io/project-zot/zot-linux-arm64:latest
crane copy busybox:latest localhost:5050/busybox
echo '{"foo": "bar"}' > predicate.json
./cosign attest --predicate predicate.json --new-bundle-format localhost:5050/busybox:latest
# Dex workflow, assuming GitHub as provider
./cosign verify-attestation [email protected] --certificate-oidc-issuer=https://github.com/login/oauth --new-bundle-format localhost:5050/busybox:latest

To show that it uses the OCI 1.1 referrers API, you can use oras:

oras discover localhost:5050/busybox:latest
Discovered 1 artifact referencing latest
Digest: sha256:db142d433cdde11f10ae479dbf92f3b13d693fd1c91053da9979728cceb1dc68

Artifact Type                                   Digest
application/vnd.dev.sigstore.bundle.v0.3+json   sha256:3fb46d845fe437667a6b3ed45d2b11dea11c43f8fbe76dd642eb71de2a9b8b77

Release Note

Documentation

[codecov]

Codecov Report

Attention: Patch coverage is 9.95025% with 362 lines in your changes missing coverage. Please review.

Project coverage is 35.86%. Comparing base (2ef6022) to head (1602cc1).
Report is 278 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cosign/verify.go	19.27%	126 Missing and 8 partials ⚠️
pkg/oci/remote/write.go	0.00%	92 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go	0.00%	34 Missing ⚠️
cmd/cosign/cli/attest/attest.go	0.00%	32 Missing ⚠️
pkg/oci/remote/signatures.go	0.00%	31 Missing ⚠️
cmd/cosign/cli/attest/common.go	0.00%	10 Missing ⚠️
cmd/cosign/cli/verify/verify.go	0.00%	7 Missing ⚠️
cmd/cosign/cli/attest/attest_blob.go	14.28%	6 Missing ⚠️
pkg/cosign/verify_bundle.go	40.00%	4 Missing and 2 partials ⚠️
cmd/cosign/cli/verify.go	0.00%	4 Missing ⚠️
... and 4 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3889      +/-   ##
==========================================
- Coverage   40.10%   35.86%   -4.24%     
==========================================
  Files         155      210      +55     
  Lines       10044    13695    +3651     
==========================================
+ Hits         4028     4912     +884     
- Misses       5530     8152    +2622     
- Partials      486      631     +145     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cmurphy]

If they haven't set --trusted-root then they could be using other flags or relying on the TUF v1 setup which might be pointed to something other than the public good instance. I understand that this is only meant to be called when --new-bundle-format is set but I'm worried that this would be surprising behavior if the PGI trusted root is used while the cached TUF metadata is pointed somewhere else.

[cmurphy]

Could you clarify why it's okay for only one bundle to be verified?

[cmurphy]

Is there not a more specific artifact type we can filter by when getting attestations?

[codysoyland]

The artifactType for bundles is something like application/vnd.dev.sigstore.bundle.v0.3+json. Since the version number is baked into the type, we can't use the filter feature here. Therefore, getBundles uses an empty string as the artifactType in the call to Referrers.

[cmurphy]

Maybe out of scope for this PR but a note for the future, this is setting NewBundleFormat without setting TrustedRootPath, which means the TrustedMaterial will default to using PGI. We're trying to avoid making external network calls to live services. The only reason that isn't a problem here is because this test is using a local key pair and is not uploading to Rekor, so it doesn't matter what verification material is used. But a useful test in the future might be to have this use ephemeral keys from Fulcio (localhost:5555) and upload the entry to Rekor (localhost:3000) so that the full verification path with a locally generated trust root could be tested.

[codysoyland]

I rebased and squashed all commits into one as there have been a couple of items refactored into separate PRs (#4006 and #4013) and this ongoing PR was getting a bit messy.

I still need to finish #4013 and rebase this one again, at which point I will be ready for another review pass.

Thanks everyone who has been patiently reviewing and helping me iterate on this!