Adding protobuf bundle support to sign-blob and attest-blob

[steiza]

Summary

This pull requests addresses the first part of #3139: adding protobuf bundle support for cosign sign-blob and cosign attest-blob.

You can test this by generating the new bundles, for example signing a local file with a cosign provisioned key (requesting a signed timestamp to corroborate):

go run cmd/cosign/main.go sign-blob --bundle="test-bundle.sigstore.json" --new-bundle-format=true --key="cosign.key" --tlog-upload=false --timestamp-server-url="https://timestamp.githubapp.com/api/v1/timestamp" ../sigstore-go/examples/sigstore-go-signing/hello_world.txt

Or using Fulcio to get a signing certificate for an attestation:

go run cmd/cosign/main.go attest-blob --bundle="pgi-bundle.sigstore.json" --new-bundle-format=true --fulcio-url='https://fulcio.sigstore.dev' --rekor-url='https://rekor.sigstore.dev' --identity-token='...' --type=something --predicate="../sigstore-go/examples/sigstore-go-signing/intoto.txt" ../sigstore-go/examples/sigstore-go-signing/hello_world.txt

You can then verify the public good instance bundle using sigstore-go doing something like:

go run cmd/sigstore-go/main.go -artifact examples/sigstore-go-signing/hello_world.txt -trustedrootJSONpath public-good-trusted-root.json -expectedIssuer "https://token.actions.githubusercontent.com" -expectedSANRegex ".+" ../cosign/pgi-bundle.sigstore.json

Release Note

NONE - we probably want to finish #3139 (especially the more comprehensive conformance testing!) before we announce this as released.

Documentation

N/A - same as above

[codecov]

Codecov Report

Attention: Patch coverage is 34.44976% with 137 lines in your changes missing coverage. Please review.

Project coverage is 37.67%. Comparing base (2ef6022) to head (5892fed).
Report is 166 commits behind head on main.

Files	Patch %	Lines
cmd/cosign/cli/attest/attest_blob.go	5.68%	82 Missing and 1 partial ⚠️
cmd/cosign/cli/sign/sign_blob.go	46.75%	34 Missing and 7 partials ⚠️
cmd/cosign/cli/options/attest_blob.go	0.00%	4 Missing ⚠️
cmd/cosign/cli/options/signblob.go	0.00%	4 Missing ⚠️
pkg/cosign/bundle/protobundle.go	91.17%	2 Missing and 1 partial ⚠️
cmd/cosign/cli/attest_blob.go	0.00%	1 Missing ⚠️
cmd/cosign/cli/signblob.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3752      +/-   ##
==========================================
- Coverage   40.10%   37.67%   -2.44%     
==========================================
  Files         155      201      +46     
  Lines       10044    12436    +2392     
==========================================
+ Hits         4028     4685     +657     
- Misses       5530     7175    +1645     
- Partials      486      576      +90     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haydentherapper]

Fantastic!! Just a few tiny comments, also needs a rebase.

[haydentherapper]

Great work on this!

[haydentherapper]

@steiza can you rebase? Just to check, anything else here or any other testing, or is this good to merge?

[steiza]

Just to check, anything else here or any other testing, or is this good to merge?

I think this is good to merge!