Signature Check: Check Expected Identity in Certificate

[puerco]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR improves the promoter's signature check code to open the image signatures and look for the expected identity. When verifying signatures, kpromo will now open the signature layer and inspect the certificate, matching it against the expected identity.

The default identity is the kubernetes signer service account (krel-trust@k8s-releng-prod.iam.gserviceaccount.com) and the expected OIDC identity issuer is https://accounts.google.com. These can however be modified by defining two new flags: --certificate-identity and --certificate-oidc-issuer.

The PR also introduces two quality of life features: The capability to specify date ranges of images to chack and limit the number of images to verify. Here's what the sigcheck subcommand help looks like now:

kpromo sigcheck --help


sigcheck - Check signature consistency across the K8s mirrors
    
This subcommand checks the signature consistency across promoted images
to ensure copies in all mirrors have their signatures attached.

By default, kpromo sigcheck will look at all images promoted during the last
 days. You can change the default using --from-days and determine a range
using --to-days. For example, to verify all images promoted in an interval
between 10 and 5 days ago run:

   kpromo sigcheck --from-days=10 --to-days=5

To debug the signature checker, you can limit the number of images kpromo
verifies using --limit. When no limit is specified, kpromo will check the
signatures of all images in the specified date range. As an example, to limit
kpromo to the first three images it finds run:

   kpromo sigcheck --limit=3

Which issue(s) this PR fixes:

NONE

Special notes for your reviewer:

👉 Here are some tests that can be done using this branch:

To check an unsigned image:

kpromo sigcheck registry.k8s.io/kube-controller-manager:v1.25.7

To check a signed image:

kpromo sigcheck registry.k8s.io/conformance:v1.23.17

To check an image signed with the wrong identity:

kpromo sigcheck --log-level=debug k8s.gcr.io/kube-apiserver:v1.26.0-alpha.3

/cc @cpanato

Does this PR introduce a user-facing change?

- `kpromo sigcheck` now checks the certificate of the signatures and compares it against an expected identity. If an image is signed by a different service account or user, the promoter will now detect it. Both the expected identity and OIDC issuer default to the Kubernetes signer service account and they can be overridden using `--certificate-identity` and `--certificate-oidc-issuer`. 
- `kpromo sigcheck` can now act on ranges of days by specifying `--from-days=n --to-days=m` still defaults to checking all images from 5 days ago to today. For debugging purposes, the number of checked images can now be limited used --limit .

[puerco]

/retest

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: puerco, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [puerco,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment