fix: Updating policy.json to properly verify images

[gmpinder]

We need to look into some workflow to handle properly verifying images before rebasing on a signed keyless image.

• https://www.mankier.com/5/containers-policy.json#Examples
• https://github.com/bsherman/ublue-custom/blob/main/.github/workflows/build.yml#L181-L191
• https://github.com/sigstore/root-signing/blob/main/repository/repository/root.json
• https://github.com/sigstore/sigstore/tree/main/pkg/tuf/repository/targets

[xynydev]

https://www.mankier.com/5/containers-policy.json#Policy_Requirements-sigstoreSigned

[gmpinder]

After conversations in the ublue discord, we found the following bits of information:

• https://github.com/containers/image/blob/afda0f0452d6b3fe41c99890ddfcff7b91aba123/signature/fulcio_cert.go#L180

    // FIXME: Match more subject types? Cosign does:
    // - .DNSNames (can’t be issued by Fulcio)
    // - .IPAddresses (can’t be issued by Fulcio)
    // - .URIs (CAN be issued by Fulcio)
    // - OtherName values in SAN (CAN be issued by Fulcio)
    // - Various values about GitHub workflows (CAN be issued by Fulcio)
    // What does it… mean to get an OAuth2 identity for an IP address?
    // FIXME: How far into Turing-completeness for the issuer/subject do we need to get? Simultaneously accepted alternatives, for
    // issuers and/or subjects and/or combinations? Regexps? More?

• Functionality for verifying GitHub OIDC isn't implemented
  • Would require some way to verify with email instead
• Request for Sigstore signature verification enhancement and flexibility in cosign verify. containers/image#2027 issue already exists for supporting the args that we would use

Further development could go into a workflow in blue-build to update the user's policy.json to allow keypair signed images and to also download the pub file ahead of time so that a user could easily rebase to a signed image.

[gmpinder]

@gerblesh just posted this in the Ublue discord. Something to follow

containers/image#2235

[gmpinder]

Another related issue coreos/rpm-ostree#4272

[jmpolom]

We need to look into some workflow to handle properly verifying images before rebasing on a signed keyless image.

What you're after appears to be completely broken/unsupported by the underlying libraries used. Until Red Hat improves them (or you choose to do so and donate your work to Red Hat -- assuming their maintainers agree to merge your changes) your only option is to use static key files which in my opinion adds so little security as to be not worth the effort.