Enable signing and verifying image without registry access

[bkabrda]

Summary

Fixes #3832.
This PR essentially enables:

• Signing an image with the --upload=false flag even if the image registry is (temporarily) unavailable.
• Properly verifying and image offline with certificate, payload and signature
  • There was previously a bug doing this, as the tlog function would attempt to search tlog by public key, when instead it needs to submit the certificate (see Improve clarity that the publicKey field accepts an X509 certificate rekor#809).

I tried my best to test all the code paths that go through this function, but to be honest there are so many that I'm not 100 % everything is still correct - a thorough review would be appreciated.

Release Note

• It is now possible to sign an image when the image registry is unreachable when using --upload=false.
• The TLog search now works properly when verifying image using disconnected certificate, payload and signature.

Documentation

I don't believe this PR requires documentation change.

[codecov]

Codecov Report

Attention: Patch coverage is 18.51852% with 22 lines in your changes missing coverage. Please review.

Project coverage is 36.44%. Comparing base (2ef6022) to head (4535d70).
Report is 278 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cosign/verify.go	20.00%	18 Missing and 2 partials ⚠️
cmd/cosign/cli/sign/sign.go	0.00%	1 Missing ⚠️
cmd/cosign/cli/verify/verify.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4014      +/-   ##
==========================================
- Coverage   40.10%   36.44%   -3.66%     
==========================================
  Files         155      209      +54     
  Lines       10044    13371    +3327     
==========================================
+ Hits         4028     4873     +845     
- Misses       5530     7875    +2345     
- Partials      486      623     +137     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[eiffel-fl]

Hi,

We are also interested in having images signed locally, I tested it and it works fine:

$ docker inspect my-image                       (remotes/slavek/sign-verify-image-no-registry) %
[
    {
        "Id": "sha256:85857b24b2493982a0e55f68a0e95df8a4926dea2a736cdede57a3c9eb2a784e",
        "RepoTags": [
            "my-image:latest"
        ],
        "RepoDigests": [],
...
$ ./cosign sign --key cosign.key --yes --tlog-upload=false --upload=false my-image@sha256:85857b24b2493982a0e55f68a0e95df8a4926dea2a736cdede57a3c9eb2a784e --output-signature my-image.sig --output-payload my-image.pld --output-certificate my-image.cert
Enter password for private key: 
Certificate wrote in the file my-image.cert
$ ./cosign verify --insecure-ignore-tlog=true --key cosign.pub my-image@sha256:85857b24b2493982a0e55f68a0e95df8a4926dea2a736cdede57a3c9eb2a784e --signature my-image.sig --payload my-image.pld --certificate my-image.cert
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.

Verification for index.docker.io/library/my-image@sha256:85857b24b2493982a0e55f68a0e95df8a4926dea2a736cdede57a3c9eb2a784e --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"index.docker.io/library/my-image"},"image":{"docker-manifest-digest":"sha256:85857b24b2493982a0e55f68a0e95df8a4926dea2a736cdede57a3c9eb2a784e"},"type":"cosign container image signature"},"optional":null}]

I am wondering if this would make sense to have the offline signing in a separate commit or even a separate PR as it seems easier than offline verifying?

@codysoyland what do you think about this?

Best regards,