
chainguard issuer: use the same proof of possession cosign expects #1725

Status: Closed (wanted to merge 1 commit)

Conversation

priyawadhwa (Contributor):

this should allow the chainguard issuer to work when the email verified claim is set

codecov bot commented Jul 10, 2024

Codecov Report

Attention: Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.

Project coverage is 49.61%. Comparing base (cf238ac) to head (552c5c1).
Report is 136 commits behind head on main.

Files Patch % Lines
pkg/identity/chainguard/principal.go 50.00% 1 Missing and 1 partial ⚠️
@@            Coverage Diff             @@
##             main    #1725      +/-   ##
==========================================
- Coverage   57.93%   49.61%   -8.32%     
==========================================
  Files          50       71      +21     
  Lines        3119     4184    +1065     
==========================================
+ Hits         1807     2076     +269     
- Misses       1154     1879     +725     
- Partials      158      229      +71     


return &workflowPrincipal{
issuer: token.Issuer,
subject: token.Subject,
subject: subject,
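Review bot: Overwriting `subject: token.Subject` with `subject: subject` changes the subject stored on the principal for every consumer, while the stated goal of the PR is only to make the proof-of-possession challenge match what cosign signs; keep `subject: token.Subject` as the principal's identity and derive the PoP value separately (for example in `Name()`, the value the challenge check actually consumes), so nothing else keyed off the subject is silently changed.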
Member (review comment on the diff above):
We want our subject to be our subject. It's the challenge that's wrong.

Member:

I don't know what else keys off of the principal.Name but I could see us changing that.

I think that Fulcio and cosign using different functions to extract the information being signed for PoP is incredibly fragile because in cases like this the different pieces of logic will disagree even though nothing is actually incorrect (they are just extracting things inconsistently).

Member:

It looks like this is challenging to call directly the way the principal interface is set up, and the only call site of Name() is for the PoP so I can stage a change to do this with some test cases.

Contributor:

I would create another field, popSubject, set equal to oauthflow.SubjectFromToken, and update Name() to return token.popSubject.
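The popSubject split suggested above, together with the fragility described earlier in the thread (Fulcio and cosign extracting the proof-of-possession subject with different functions), as an added Go example that is not Fulcio's or cosign's code. The `claims` struct, `subjectForPoP`, `newPrincipal`, `popAgrees` and the token values are assumptions made for the example; the "email if email_verified, else sub" rule is restated from this discussion, not copied from `oauthflow.SubjectFromToken`. The example signs the cosign-side subject with a fresh ECDSA key and checks it against what the principal's `Name()` returns, first with `Name()` returning the raw subject and then with it returning `popSubject`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// claims is a constructed stand-in for the parsed ID token (an assumption;
// Fulcio's principal code works on a parsed OIDC token type, not this struct).
type claims struct {
	Issuer        string
	Subject       string
	Email         string
	EmailVerified bool
}

// subjectForPoP restates the rule this thread attributes to cosign's
// oauthflow.SubjectFromToken: use the email claim when email_verified is
// true, otherwise fall back to the token subject. Restated, not copied.
func subjectForPoP(c claims) string {
	if c.EmailVerified && c.Email != "" {
		return c.Email
	}
	return c.Subject
}

// workflowPrincipal models the hypothetical split: keep the real subject for
// every other consumer and carry a separate popSubject that Name() returns.
type workflowPrincipal struct {
	issuer     string
	subject    string
	popSubject string
}

func newPrincipal(c claims) *workflowPrincipal {
	return &workflowPrincipal{
		issuer:     c.Issuer,
		subject:    c.Subject,
		popSubject: subjectForPoP(c),
	}
}

// Name is the value the PoP check consumes (per the thread, its only caller).
func (p *workflowPrincipal) Name() string { return p.popSubject }

// Subject is the identity everything else should keep using.
func (p *workflowPrincipal) Subject() string { return p.subject }

// signChallenge is the client side: sign the subject string cosign derived.
func signChallenge(key *ecdsa.PrivateKey, subject string) ([]byte, error) {
	h := sha256.Sum256([]byte(subject))
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyChallenge is the server side: verify the signature over the name the
// principal reports. If that string differs from what cosign signed, the
// check fails even though both the key and the token are valid.
func verifyChallenge(pub *ecdsa.PublicKey, name string, sig []byte) bool {
	h := sha256.Sum256([]byte(name))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// popAgrees runs both sides over one token and reports whether the server
// check accepts the signature the cosign-side rule would produce. nameFn
// selects which principal accessor the server uses as the challenge.
func popAgrees(c claims, nameFn func(*workflowPrincipal) string) (bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	sig, err := signChallenge(key, subjectForPoP(c))
	if err != nil {
		return false, err
	}
	return verifyChallenge(&key.PublicKey, nameFn(newPrincipal(c)), sig), nil
}

func main() {
	// Constructed token: an opaque workflow subject plus a verified email,
	// which is the case the PR description is about.
	tok := claims{
		Issuer:        "https://issuer.example",
		Subject:       "workflow-id-123",
		Email:         "ci@example.com",
		EmailVerified: true,
	}
	before, _ := popAgrees(tok, (*workflowPrincipal).Subject) // challenge = raw subject
	after, _ := popAgrees(tok, (*workflowPrincipal).Name)     // challenge = popSubject
	fmt.Printf("PoP accepted when the challenge is the raw subject: %v\n", before)
	fmt.Printf("PoP accepted when the challenge is popSubject:      %v\n", after)
}
```

The point of the two runs is that nothing is cryptographically wrong in the failing case; the client and server simply hash different strings. Whatever rule the server uses, it has to be the same rule the client applies, which is why the thread prefers one shared extraction function over two that happen to agree most of the time.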

Member:

I sent: #1726, which I think threads the needle.

I don't love this because Name() could start getting used elsewhere assuming it's subject and it would only break us, but anything more requires more significant surgery.

Member:

@haydentherapper I just saw your comment, that's what my PR does essentially.

Contributor:

PR LGTM

haydentherapper (Contributor):

Closing in favor of the other
