[v4.2.0-rhel] podman image trust overhaul, incl. sigstore

[mtrmac]

This is a copy of #15533 = #15466 to v4.2.0-rhel, which seems to be necessary.

git cherry-pick 754ec89a8a185d308ca5ed08afaf34d6cbda08da...68ebf13d48be39b3509601527395f8ec2d56a329

Does this PR introduce a user-facing change?

- BREAKING CHANGE: `podman image trust show` may now show multiple entries for the same scope, to better represent separate requirements. GPG IDs on a single row now always represent alternative keys, only one of which is required; if multiple sets of keys are required, each is represented by a single line.
- Fixed `podman image trust set` not to silently discard unknown fields.
- Added support for `sigstoreSigned` to `podman image trust set`
- Added support for `sigstoreSigned` to `podman image trust show`
- Updated `podman image trust show` to recognize new `lookaside` field names
- Updated `podman image trust show` to recognize `keyPaths` in `signedBy` entries
- Fixed `podman image trust show` to potentially show signature enforcement configuration for the default scope
- Fixed `podman image trust show` to not silently ignore multiple kinds of requirements in a single scope

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtrmac

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mtrmac]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[TomSweeneyRedHat]

The aarch test is breaking in the build testing, I'm not sure why given the changes.....

[+1080s] not ok 270 bud --pull=false --arch test
[+1080s] # (from function `assert' in file tests/helpers.bash, line 467,
[+1080s] #  from function `expect_output' in file tests/helpers.bash, line 494,
[+1080s] #  in test file tests/bud.bats, line 3986)
[+1080s] #   `expect_output --substring arm64' failed
[+1080s] # /var/tmp/go/src/github.com/containers/podman/test-buildah-v1.27.1/tests /var/tmp/go/src/github.com/containers/podman/test-buildah-v1.27.1
[+1080s] # $ podman build --force-rm=false --layers=false -f Containerfile --pull=false -q --arch=amd64 -t image-amd --signature-policy /var/tmp/go/src/github.com/containers/podman/test-buildah-v1.27.1/tests/policy.json /var/tmp/buildah_tests.16a0as/my-dir
[+1080s] # b06aacb2c1abad5048c2ff7431567bc7eec863734aaa12e8e510a4dca1031bbb
[+1080s] # $ buildah inspect --format {{ index .Docker.Config.Labels "architecture" }} image-amd
[+1080s] # x86_64
[+1080s] # $ buildah tag image-amd localhost/ubi8-minimal
[+1080s] # $ podman build --force-rm=false --layers=false -f Containerfile --pull=false -q --arch=arm64 -t image-arm --signature-policy /var/tmp/go/src/github.com/containers/podman/test-buildah-v1.27.1/tests/policy.json /var/tmp/buildah_tests.16a0as/my-dir
[+1080s] # 7b878a1f3e2d8f299b4271c3b7e8680507d7a742aaf48a9612c4ee28f8181e46
[+1080s] # $ buildah inspect --format {{ index .Docker.Config.Labels "architecture" }} image-arm
[+1080s] # aarch64
[+1080s] # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
[+1080s] # #|     FAIL: buildah inspect --format {{ index .Docker.Config.Labels "architecture" }} image-arm
[+1080s] # #| expected: =~ 'arm64'
[+1080s] # #|   actual:    'aarch64'
[+1080s] # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[+1080s] # /var/tmp/go/src/github.com/containers/podman/test-buildah-v1.27.1

[ypu]

Hi Tom
We found the same failed case in our test. But I think this should be a test case problem. As the base image's arch is aarch64:

# buildah inspect --format '{{ index .Docker.Config.Labels "architecture"  }}' registry.access.redhat.com/ubi8-minimal

aarch64

And I test it with an old ubi8 image, it report arm64:

# cat Containerfile 
FROM registry.access.redhat.com/ubi8-minimal:8.6-902
# buildah bud -f Containerfile  --pull=false -q --arch=arm64 -t image-arm-1  .
bd3f49f6af897d34cc4dc5fe2d95a4c2c0213f698dd4b2e9cccb0798b964eccb
# buildah inspect --format '{{ index .Docker.Config.Labels "architecture" }}'  registry.access.redhat.com/ubi8-minimal:8.6-902
arm64
#  buildah inspect --format '{{ index .Docker.Config.Labels "architecture" }}' image-arm-1
arm64

So I think this should caused by the recently change of ubi8-minimal image. We can just ignore it.

[TomSweeneyRedHat]

@edsantiago any issues with pushing this one through? Looks to be a known issue in the ubi8 image that's not related to these changes.

LGTM, and FWIW, due to timing, we need to get this one decided upon quickly as our window to merge and get into the ZeroDay is closing quickly

[edsantiago]

Yes, feel free to force-merge. bud-test breakage is unrelated and will take a long, long time (days, well into next week) to fix.

[TomSweeneyRedHat]

@baude can you take a look and merge if it LGTY please?

[baude]

merging manually ....

[TomSweeneyRedHat]

This addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2125645