Remove SHA256 assumption in sign-blob/verify-blob

[ret2libc]

Summary

See #3271 .

Release Note

• Use sigstore/sigstore signature.LoadSignerVerifierFromPrivateKey to load default verifiers given a private key.

Documentation

[ret2libc]

cc @haydentherapper

[codecov]

Codecov Report

Attention: Patch coverage is 40.93567% with 101 lines in your changes missing coverage. Please review.

Project coverage is 36.56%. Comparing base (2ef6022) to head (1bc2269).
Report is 341 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cosign/keys.go	35.71%	33 Missing and 3 partials ⚠️
cmd/cosign/cli/sign/sign_blob.go	43.75%	21 Missing and 6 partials ⚠️
cmd/cosign/cli/sign/sign.go	14.28%	18 Missing ⚠️
pkg/cosign/tlog.go	46.15%	14 Missing ⚠️
...cosign/cli/fulcio/fulcioverifier/fulcioverifier.go	0.00%	3 Missing ⚠️
pkg/signature/keys.go	71.42%	2 Missing ⚠️
internal/pkg/cosign/common.go	83.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4050      +/-   ##
==========================================
- Coverage   40.10%   36.56%   -3.54%     
==========================================
  Files         155      210      +55     
  Lines       10044    13557    +3513     
==========================================
+ Hits         4028     4957     +929     
- Misses       5530     7975    +2445     
- Partials      486      625     +139     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ret2libc]

I'm going to add a few tests to this.

[haydentherapper]

What do you think about limiting this to code under the --new-bundle-format flag, where VerifyBundle is called? Then most changes only need to occur in sigstore-go, we won't have to be concerned about unexpectedly breakages for current users, and we know the code will carry on to cosign 3.x.

[ret2libc]

What do you think about limiting this to code under the --new-bundle-format flag, where VerifyBundle is called? Then most changes only need to occur in sigstore-go, we won't have to be concerned about unexpectedly breakages for current users, and we know the code will carry on to cosign 3.x.

Sounds good, but we still want to modify the "sign"/"sign-blob" flow, don't we? At least to test the signing process through cosign and then the verification process in the new bundle format, correct?

[haydentherapper]

The sign-blob flow, yes, where we also use the new-bundle-format flag. We don’t have to include sign at the moment since we don’t yet support the new bundle format.

[haydentherapper]

Reviewed this for the Fulcio PR. This LGTM and I realize my comment about sign-blob isn't immediately relevant as we need to make all these changes first.

cosign/pkg/cosign/tlog.go

Line 240 in 8dd9e9b

Algorithm: swag.String(models.HashedrekordV001SchemaDataHashAlgorithmSha256),

needs to be updated as well.

[haydentherapper]

If we do the Fulcio change to accept ecdsa-p384-sha-384 and ecdsa-p521-sha-512, I'd add an end-to-end test that verifies signing and verification with these keys. You can generate a key, import it into the Cosign key format, then sign with IssueCertificate:true.

[ret2libc]

@haydentherapper could you approve the workflows please?

[haydentherapper]

Overall LGTM