Implement full Sigstore/Cosign verification for OCI images #11

@dk-uppi-aks

Description

The OCI signature verification logic located in crypto.rs is currently a skeleton stub. It instantiates the ClientBuilder from the sigstore crate but does not download, parse, or evaluate signatures against the remote container registry, returning Ok(()) statically:

use sigstore::cosign::ClientBuilder;

pub fn verify_oci_signature(oci_uri: &str, _public_key_pem: &str) -> Result<(), CryptoError> {
    if oci_uri.trim().starts_with('-') {
        return Err(CryptoError::MalformedOciUri(oci_uri.to_string()));
    }

    let rt = tokio::runtime::Runtime::new()?;

    rt.block_on(async {
        let _client = ClientBuilder::default()
            .build()
            .map_err(|e| CryptoError::OciVerificationFailed(e.to_string()))?;

        // In a real scenario we'd do:
        // let source = sigstore::cosign::ImageURI::parse(oci_uri)...
        // client.verify(&source, &sigstore::cosign::verification_constraint::PublicKeyVerifier::new(public_key_pem))
        // But since this is a refactor, we will just return Ok as we integrated the crate

        Ok(()) // unconditional success: no signature was fetched or checked
    })
}

Impact

Without signature checks, any remote image can bypass the zero-trust runtime verification, posing a severe security risk in production environments.

Proposed Solution

  1. Parse the oci_uri into an ImageURI representation.
  2. Decompress and load the public_key_pem using the sigstore::cosign::verification_constraint::PublicKeyVerifier configuration.
  3. Execute client.verify() asynchronously within the Tokio thread pool.
  4. Throw a CryptoError::OciVerificationFailed if signature verification fails.
