Extracting CLI signing functionality to be more configurable as a library function

[DennyHoang]

Description
While using cosign as a library, I found that the cli.SignCmd does all the logic that I would require for signing myself, however, it is designed for CLI usage with particular assumptions. One such assumption is that it uses the default keychain. I would like to be able to change the keychain used without having to duplicate the whole function in my own codebase with that one line change and having to maintain it whenever the function changes in the upstream.

I was wondering if there was a design decision made regarding this current implementation or would it be valid to extract this logic out of the CLI portion to be more generic and/or configurable as a library function?

[mattmoor]

It also pulls in a LOT of dependencies 😅

[imjasonh]

Is this a duplicate of #666? Now that #666 is closed (after a bunch of work), is there anything else that needs to be done to close this one?

The specific issue of being able to specify a keychain should be resolved with ociremote.WithRemoteOptions(remote.WithAuthFromKeychain(myKeychain)).

[mattmoor]

I think the next level of stuff is going to be pushing some of the signing (and verification) stuff into different packages, which compose nicely with the pkg/oci stuff.

[DennyHoang]

Stale/outdated issue, closing.