feat: support keyless verification for verify-blob-attestation

[asraa]

Signed-off-by: Asra Ali asraa@google.com

• feat: supports keyless verification for verify-blob-attestation. this includes loading from a bundle & cert verification options
• cleanup: removes DSSE support from verify-blob

Summary

Release Note

Documentation

[codecov-commenter]

Codecov Report

Merging #2525 (914bc31) into main (0081e1a) will decrease coverage by 0.04%.
The diff coverage is 27.16%.

@@            Coverage Diff             @@
##             main    #2525      +/-   ##
==========================================
- Coverage   30.09%   30.05%   -0.05%     
==========================================
  Files         146      146              
  Lines        9113     9245     +132     
==========================================
+ Hits         2743     2779      +36     
- Misses       5961     6040      +79     
- Partials      409      426      +17     

Impacted Files	Coverage Δ
cmd/cosign/cli/options/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify.go	0.00% <0.00%> (ø)
pkg/cosign/verify.go	39.50% <0.00%> (+0.09%)	⬆️
cmd/cosign/cli/verify/verify_blob_attestation.go	33.64% <31.81%> (+6.27%)	⬆️
cmd/cosign/cli/verify/verify_blob.go	49.33% <50.00%> (-0.26%)	⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[asraa]

IDK what's up with windows regression

[haydentherapper]

    testing.go:1097: TempDir RemoveAll cleanup: remove C:\Users\RUNNER~1\AppData\Local\Temp\TestVerifyBlobCmdWithBundle3198511928\001\attestation.txt: The process cannot access the file because it is being used by another process.

A file not being closed?

[asraa]

A file not being closed?

Yeah, but everything is using temp Mkdir, which should cleanup after every test run

[dlorenc]

Yeah, but everything is using temp Mkdir, which should cleanup after every test run

I think we've seen bugs with this on Windows...

[asraa]

I think we've seen bugs with this on Windows...

Ah got it, I'll add in manual removals then and see if that'll work ok

[asraa]

Nope it was my fault, I found a missing file close.

[haydentherapper]

To reduce duplication, should we refactor verify_blob.go to provide an internal function that does everything but calling cosign.VerifyBlob? Then Exec could call that to do all of the setup, then call cosign.VerifyBlobAttestation and whatever else after. Is there anything else that differs between blob and blob attestation verification?

[asraa]

There's subject claim setting and validating the predicate type. There's not that much I can do here that wouldn't degrade clarity (for simple stuff I think it's better to not obscure behind helpers that work slightly different), except for simplifying some options we can clean up generally across all 4 verification funcs. Stuff like:

• SetFulcioCheckOpts
• SetRekorCheckOpts

over full black-box helpers

[haydentherapper]

I'm fine to punt this refactor to another time, it doesn't seem like it'll add much now

[haydentherapper]

Looks great! Just a failing e2e test