
[W.I.P] feat(verify-list): traverse all image tags to verify all of them #491

Closed
wants to merge 1 commit into from

Conversation

@Dentrax (Member) commented Jul 27, 2021

We (I and @developer-guy) implemented a new command called verify-list.

Fixes #434

Here is an animated image that shows what success will look like:

(animated image omitted: render1627415513371)

TODOs

  • verify-list (must)
  • passing multi-images
  • e2e tests
  • sign-list? (necessary?)
  • concurrency for multi-images?

Caveats

  • no concurrency since we used c.VerifyCommand.Exec (I think we need to duplicate cosign.Verify or we should implement some goroutine support here)
  • see the Risks & Mitigations section in the issue for further concerns

Signed-off-by: Furkan <furkan.turkal@trendyol.com>

Fixes sigstore#434

Signed-off-by: Furkan <furkan.turkal@trendyol.com>
@dekkagaijin (Member) commented Jul 28, 2021

IMHO this isn't different enough from verify with a list of images to want to support in perpetuity. There's value in being able to omit the signature images from verification, but I do think that that is the value of this command.

@Dentrax (Member, Author) commented Sep 2, 2021

Should I move this feature into verify command as a new flag called --list?

@dekkagaijin (Member) commented Sep 2, 2021

Should I move this feature into verify command as a new flag called --list?

ehhhh

The registry API kinda (really) sucks for listing images. It's actually not possible to list untagged images by default.

IMHO we should have code samples which show how to compose utilities to achieve this without accepting responsibility for maintaining the feature and foot-gunny UX. I think we'll end up regretting the addition of verify-foo surfaces as more values of foo come up, and should probably move to split image discovery from image signature verification.
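
One way to compose existing utilities along the lines suggested above, keeping tag discovery separate from verification (an added example, not code from this PR or from cosign itself): list tags with `crane ls`, drop cosign's own `sha256-<digest>.sig` / `.att` / `.sbom` tags, and run `cosign verify` on what remains. It assumes `crane` and `cosign` are on PATH and that the second argument is a public key file; the repository name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the PR or from cosign: keep image discovery
# (crane ls) separate from signature verification (cosign verify).
# Assumes `crane` and `cosign` are on PATH and that $2 is a public key file.
# Only tagged images are found; untagged digests are not visible through
# tag listing, which is the registry API limitation noted in the review.

# True when a tag is one of cosign's own artifact tags, which point at
# signatures/attestations/SBOMs (sha256-<digest>.sig / .att / .sbom) rather
# than at an image that should itself be verified.
is_cosign_artifact_tag() {
  case "$1" in
    sha256-[0-9a-f]*.sig|sha256-[0-9a-f]*.att|sha256-[0-9a-f]*.sbom) return 0 ;;
    *) return 1 ;;
  esac
}

# Read one tag per line on stdin; print only the tags worth verifying.
filter_image_tags() {
  while IFS= read -r tag; do
    [ -n "$tag" ] || continue
    is_cosign_artifact_tag "$tag" && continue
    printf '%s\n' "$tag"
  done
}

# Verify every remaining tag of a repository. Prints one status line per tag
# and returns non-zero if any tag failed, so the result is usable in CI.
verify_all_tags() {
  repo="$1"; key="$2"; failed=0
  # OCI tags cannot contain whitespace, so word-splitting the list is safe.
  for tag in $(crane ls "$repo" | filter_image_tags); do
    if cosign verify --key "$key" "$repo:$tag" >/dev/null 2>&1; then
      printf 'OK   %s:%s\n' "$repo" "$tag"
    else
      printf 'FAIL %s:%s\n' "$repo" "$tag" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Usage (placeholder repository): ./verify-all-tags.sh ghcr.io/example/app cosign.pub
if [ "$#" -eq 2 ]; then
  verify_all_tags "$1" "$2"
fi
```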

@github-actions

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions

This PR was closed because it has been stalled for 10 days with no activity.

@github-actions github-actions bot closed this Sep 28, 2022
Development

Successfully merging this pull request may close these issues.

verify-dockerfile: does not recognize default parameter substitution