Add cosign init to initialize the SigStore root metadata

[asraa]

• A command cosign init that initializes the local trusted SigStore root and pulls the trusted targets into .sigstore/root
• The initial root keys are added to .sigstore/keys.json. Clients need this to verify the root they pull
• The targets are used for the Fulcio cert and rekor public key, falling back for now to the previous embedded string in case init hasn't been run

Details:

• I implemented a "TUF remote store" located on a GCS bucket (for now it's a testing bucket I set up with the root metadata)
• We only download new metadata/targets from the remote location:
  • initially
  • if, when we retrieve a target, the local metadata no longer verifies
  • the local target does not match hash/size of the signed targets

Fixes
#389

In practice, you can see if you run cosign without init'ing, you get log warnings asking "did you run cosign init?" otherwise, it's silent, we're using the local metadata.

asraa@asraa-glaptop:~/git/cosign$ COSIGN_EXPERIMENTAL=1 ./cosign verify gcr.io/asra-ali/base-builder-new
using embedded fulcio certificate. did you run `cosign init`? error retrieving target:  missing target metadata: tuf: no root keys found in local meta store
using embedded rekor public key. did you run `cosign init`? error retrieving target:  missing target metadata: tuf: no root keys found in local meta store

Verification for gcr.io/asra-ali/base-builder-new --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
Certificate subject:  [asraa@google.com]
{"critical":{"identity":{"docker-reference":"gcr.io/asra-ali/base-builder-new"},"image":{"docker-manifest-digest":"sha256:291750a9758506b9b3cace9c43e29b1a0f81172f43e9df1d293cb486a5d90abc"},"type":"cosign container image signature"},"optional":null}
asraa@asraa-glaptop:~/git/cosign$ ./cosign init
asraa@asraa-glaptop:~/git/cosign$ COSIGN_EXPERIMENTAL=1 ./cosign verify gcr.io/asra-ali/base-builder-new

Verification for gcr.io/asra-ali/base-builder-new --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
Certificate subject:  [asraa@google.com]
{"critical":{"identity":{"docker-reference":"gcr.io/asra-ali/base-builder-new"},"image":{"docker-manifest-digest":"sha256:291750a9758506b9b3cace9c43e29b1a0f81172f43e9df1d293cb486a5d90abc"},"type":"cosign container image signature"},"optional":null}

WIP because of tests and some defaults/globals I want to get rid of

[trishankatdatadog]

Hihi, would you need a review? Happy to help! 🙂

[asraa]

I have to do a bit of refactoring, but would love to get a review on the TUF code! I'll ping you

[dekkagaijin]

IMHO we should put this somewhere under cli/ in order to keep logging and cosign binary-specific out of package

[asraa]

Ohhh hmmmm you mean keeping fmt.Println out? It's used elsewhere in this file as well

[dekkagaijin]

hrm yeah

[dekkagaijin]

Suggested change

	fmt.Println("using embedded rekor public key. did you run `cosign init`? error retrieving target: ", err)
	fmt.Fprintln(os.Stderr, "using embedded rekor public key. did you run `cosign init`? error retrieving target: ", err)

[dekkagaijin]

I'm fine with this for now, can always move packages around as we integrate more tuf stuff

[dekkagaijin]

@asraa squashing your local go.sum from upstream/main and running go mod tidy again should fix the conflict

[asraa]

All set, a local test added, and the path to the remote repository is in production.
@trishankatdatadog want to take a quick look at the TUF code? should be pretty simple.
Only question I had was: should we be making a tuf.db file? it works fine without one, except for in the test.