feat: improve the verification message

[developer-guy]

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com

Fixes #2216

Summary

Release Note

feat: print the names of custom extensions (like "GitHub Workflow Trigger") rather than OIDs (like 1.3.6.1.4.1.57264.1.2) in the human-readable output of cosign verify{,-attestation}, and use field names (githubWorkflowTrigger) in keys of the JSON output of these commands (the old OID keys are kept for backwards compatibility, but they are deprecated and their use is discouraged).

thx to @znewman01

Documentation

/cc @znewman01

[codecov-commenter]

Codecov Report

Merging #2268 (1707d00) into main (0baa044) will not change coverage.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##             main    #2268   +/-   ##
=======================================
  Coverage   28.57%   28.57%           
=======================================
  Files         131      131           
  Lines        7866     7866           
=======================================
  Hits         2248     2248           
  Misses       5311     5311           
  Partials      307      307           

Impacted Files	Coverage Δ
cmd/cosign/cli/verify/verify.go	5.97% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[znewman01]

This looks great!

Three points:

1. It's technically a backwards-incompatible change. If you were relying on the output of Cosign, which should stay relatively stable, using jq or similar and looking for the OIDs, this will break that.

   I think we should do both: set ss.Optional[cosign.CertExtensionGitHubWorkflowTrigger] and ss.Optional[cosign.CertExtensionMap[...]].

2. Is there a good way to test this? I know there's no verify_test.go right now. Can you make a (very simple!) one for the JSON output?

3. cosign verify-blob doesn't use PrintVerification like cosign verify and cosign verify-attestation! It may or may not make sense to use PrintVerification there, but we should at least improve the output. You don't need to fix this, but it'd be great if you could file a bug.

[znewman01]

Oh, and can you make the release note a little more detailed? Something like:

feat: print the names of custom extensions (like "GitHub Workflow Trigger") rather than OIDs (like 1.3.6.1.4.1.57264.1.2) in the human-readable output of cosign verify{,-attestation}, and use field names (githubWorkflowTrigger) in keys of the JSON output of these commands (the old OID keys are kept for backwards compatibility, but they are deprecated and their use is discouraged).

[developer-guy]

It's technically a backwards-incompatible change. If you were relying on the output of Cosign, which should stay relatively stable, using jq or similar and looking for the OIDs, this will break that.

Done 🕺🏻

Is there a good way to test this? I know there's no verify_test.go right now. Can you make a (very simple!) one for the JSON output?

Done 🥳

Thx for the really valuable comments and feedbacks ! 🫶

[znewman01]

Can you add a comment about how we want both the OIDs and the cleaned up names for backwards compatibility?

[znewman01]

If you really want, you can add a test for the text-style output (not JSON). But that's totally optional for this PR

[developer-guy]

maybe we can do this later, wdyt?

[hectorj2f]

lgtm