feat: support OCI Image

[akashsinghal]

Description

What this PR does / why we need it:

Most verifiers rely on the Blobs field to enumerate the content of each artifact. This field is populated directly from the manifest byte marshalling. In the case of an OCI Image referrer, this marshalling will not populate Blobs causing all other verifiers to prematurely finish before any content is verified. This PR:

• Updates ReferenceManifest to use Blobs and adds logic in ORAS store to marshal Layers/Blobs to the Blobs field depending on the referrer media type.
• Updates Notaryv2 verifier to check for 0 length blob array and fail if no signatures found
• Updates Cosign verifier to use Blobs field

TODO: Add e2e test with OCI Image and OCI Artifact as referrer manifest type

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

• Test A
• Test B

Checklist:

• Does the affected code have corresponding tests?
• Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
• Does this introduce breaking changes that would require an announcement or bumping the major version?
• Do all new files have appropriate license header?

[codecov]

Codecov Report

Patch coverage: 40.00% and project coverage change: +0.01 🎉

Comparison is base (3eb708c) 44.57% compared to head (0bb6552) 44.59%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #683      +/-   ##
==========================================
+ Coverage   44.57%   44.59%   +0.01%     
==========================================
  Files          56       56              
  Lines        3244     3301      +57     
==========================================
+ Hits         1446     1472      +26     
- Misses       1651     1682      +31     
  Partials      147      147              

Impacted Files	Coverage Δ
pkg/referrerstore/oras/oras.go	0.63% <0.00%> (-0.08%)	⬇️
pkg/verifier/notaryv2/notaryv2.go	84.67% <50.00%> (+3.36%)	⬆️
pkg/referrerstore/oras/utils.go	29.62% <100.00%> (+29.62%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[susanshi]

LGTM. Left some questions that can be addressed later if needed.

[susanshi]

we can move the image spec version to a variable it can be easily updated.

[susanshi]

we should also add doc to state we support both format incase customer have questions

[binbin-li]

Left one minor comment, lgtm.

[akashsinghal]

we should also add doc to state we support both format incase customer have questions

Yes agreed. I'm struggling to figure out where to put though since we don't have an ORAS store specific doc.

[susanshi]

we should also add doc to state we support both format incase customer have questions

Yes agreed. I'm struggling to figure out where to put though since we don't have an ORAS store specific doc.

We can add a new section under conCecpt -> store , and add a link from store CRDs. https://github.com/deislabs/ratify/blob/main/docs/developer/store.md
https://github.com/deislabs/ratify/blob/main/docs/reference/crds/stores.md

This will be similar to section for Notary at https://github.com/deislabs/ratify/blob/main/docs/developer/verifier.md#section-6-built-in-verifiers