Add experimental TLOG model to cosign

[priyawadhwa]

We turn on sending logs to the tlog by appending TLOG=1 to cosign sign and cosign verify.
I also had to add a --public-key flag to cosign sign to get this to work.

In practice this looks like:

$ TLOG=1 ./cosign sign -key cosign.key --public-key cosign.pub -a signedBy=priya2 gcr.io/priya-wadhwa/test
Enter password for private key: 
Pushing signature to: gcr.io/priya-wadhwa/test:sha256-1d7b639619bdca2d008eca2d5293e3c43ff84cbee597ff76de3b7a7de3e84956.cosign
Sucessfully appended to transparency log

$ TLOG=1 ./cosign verify -key cosign.pub -a signedBy=priya2 gcr.io/priya-wadhwa/test
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"1d7b639619bdca2d008eca2d5293e3c43ff84cbee597ff76de3b7a7de3e84956"},"Type":"cosign container signature"},"Optional":{"signedBy":"priya2"}}
Verified signature, payload and public key exist in transparency log

Copied most of the code for verify from rekor's verify.go

Starts to fix #34, still need to:

• integration test
• Add TLOG info to README
• add in state.json feature

[dlorenc]

Amazing! I'll take a more detailed look tomorrow :)

[priyawadhwa]

Yah I'm not totally sure about it 😅 & I think it probably still needs an integration test!

[dlorenc]

Yah I'm not totally sure about it 😅 & I think it probably still needs an integration test!

Yeah I was thinking about this - it should be straightforward to stand up a local rekor using the compose setup from over here: https://github.com/sigstore/rekor/blob/main/docker-compose.yml

Seems like you'd need an actual that grabs the rekor repo and starts up the local rekor with compose. We have a script here: https://github.com/sigstore/rekor/blob/main/tests/e2e-test.sh and here: https://github.com/sigstore/rekor/blob/main/.github/workflows/main.yml

[priyawadhwa]

Cool, the docker-compose file seems to have worked!

[dlorenc]

So cool! I'm gonna merge and play with it :)