feature: add TSA support when verifying authorities

[hectorj2f]

Signed-off-by: Hector Fernandez hector@chainguard.dev

Summary

We are adding support to verify images using timestamp authorities. To test it, we use scaffolding and a working branch to install cosign v2.0.0-rc so we can use TSA verifications (sigstore/cosign-installer#105).

Release Note

Add support to verify images using timeStamp authorities.

Documentation

[codecov-commenter]

Codecov Report

Merging #468 (b5766e5) into main (9d7bafc) will decrease coverage by 0.92%.
The diff coverage is 15.17%.

@@            Coverage Diff             @@
##             main     #468      +/-   ##
==========================================
- Coverage   55.66%   54.73%   -0.93%     
==========================================
  Files          38       38              
  Lines        3992     4129     +137     
==========================================
+ Hits         2222     2260      +38     
- Misses       1598     1688      +90     
- Partials      172      181       +9     

Impacted Files	Coverage Δ
pkg/apis/config/sigstore_keys.go	29.31% <ø> (ø)
...g/apis/policy/v1alpha1/clusterimagepolicy_types.go	0.00% <ø> (ø)
pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go	12.65% <0.00%> (-0.40%)	⬇️
...kg/apis/policy/v1beta1/clusterimagepolicy_types.go	0.00% <ø> (ø)
pkg/apis/policy/v1beta1/zz_generated.deepcopy.go	19.93% <0.00%> (-1.02%)	⬇️
pkg/webhook/validator.go	61.91% <0.00%> (-3.56%)	⬇️
...s/policy/v1alpha1/clusterimagepolicy_validation.go	92.24% <57.14%> (-1.06%)	⬇️
...is/policy/v1beta1/clusterimagepolicy_validation.go	94.18% <62.50%> (-1.09%)	⬇️
...s/policy/v1alpha1/clusterimagepolicy_conversion.go	76.72% <100.00%> (+0.83%)	⬆️
pkg/apis/policy/v1alpha1/trustroot_validation.go	43.35% <0.00%> (+12.72%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[vaikas]

  The TrustRoot "my-sigstore-keys" is invalid: spec.sigstoreKeys.certificateAuthorities: Invalid value: "null": spec.sigstoreKeys.certificateAuthorities in body must be of type array: "null"
  Error: Process completed with exit code 1.

Don't we still need the signing CA added? It's currently listed as 'required', so if this is a bad assumption we need to relax it in the trustroot API.

[hectorj2f]

I am still working on this ... thanks for looking at it. I am adding a WIP.

[hectorj2f]

I'll complete the tests.

[vaikas]

Oh no worries, was just thinking through my assumptions on how things work :) My thinking has been that there always has to be a CA, but maybe that's wrong.

[hectorj2f]

Don't we still need the signing CA added? It's currently listed as 'required', so if this is a bad assumption we need to relax it in the trustroot API.

You can sign using the TSA as verification and a raw key without anything else.

[hectorj2f]

We should relax the validation.

[hectorj2f]

Done

[hectorj2f]

I am waiting for a decision so we can install cosign v2 and RC versions via sigstore/cosign-installer#105

[hectorj2f]

I created #478 to track this change.

[mattmoor]

Can you open tracking issues for updating the installer/tsa/cosign deps once they are released with the changes we need?

[hectorj2f]

@mattmoor Yes, I'll create one issue. I am working myself on the change too sigstore/cosign-installer#105.