add handling of keyless verification for all verify commands

[dmitris]

Summary

Copy the handling of non-Fulcio keys from the verify to all the other verify commands (verify-attestation,
verify-blob, verify-blob-attestations).

Fix #3759.

Release Note

• add keyless verification and --ca-roots / --ca-intermediates parameters to the
  verify-attestation, verify-blob, and verify-blob-attestations commands (in addition
  to verify)

Documentation

TODO - create a corresponding https://github.com/sigstore/docs PR, in particular in https://docs.sigstore.dev/verifying/verify/#local-verifications need to mention:

Verify image with local certificate and local CA roots and optional CA intermediate certificates file(s):

$ cosign verify --certificate cosign.crt --ca-roots ca-roots.crt [--ca-intermediates=ca-intermediates.crt] --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] user/demo

The command-line help as in cosign verify-blob --help already mentions the new parameter even though they don't yet properly work until this change is merged and released.

[codecov]

Codecov Report

Attention: Patch coverage is 30.76923% with 18 lines in your changes missing coverage. Please review.

Project coverage is 37.06%. Comparing base (2ef6022) to head (88881c9).
Report is 153 commits behind head on main.

Files	Patch %	Lines
cmd/cosign/cli/verify.go	40.00%	9 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go	0.00%	3 Missing ⚠️
cmd/cosign/cli/verify/verify_blob.go	40.00%	2 Missing and 1 partial ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go	0.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3761      +/-   ##
==========================================
- Coverage   40.10%   37.06%   -3.04%     
==========================================
  Files         155      200      +45     
  Lines       10044    12280    +2236     
==========================================
+ Hits         4028     4552     +524     
- Misses       5530     7180    +1650     
- Partials      486      548      +62     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dmitris]

Verification: the script https://github.com/dmitris/cosign-keyless/blob/main/verify-blob.sh fails with the trunk's version of cosign:

$ ./verify-blob.sh
Wrote signature to file README.md.sig
cosign verify-blob (with --certificate-chain):
Verified OK
cosign verify-blob (with --ca-roots):
Error: cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE
main.go:74: error during command execution: cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE

but works with the version build in this PR's branch:

$ COSIGN=$HOME/gh/sigstore/cosign/cosign ./verify-blob.sh
Wrote signature to file README.md.sig
/Users/dsavints/gh/sigstore/cosign/cosign verify-blob (with --certificate-chain):
Verified OK
/Users/dsavints/gh/sigstore/cosign/cosign verify-blob (with --ca-roots):
Verified OK

Similarly with cosign verify-blob --bundle - https://github.com/dmitris/cosign-keyless/blob/main/verify-blob-bundle.sh.

[cpanato]

looks good so far, as you mention to me, i would like to have some tests for those

[haydentherapper]

Looks good, thanks!