
Add support for new bundle specification for attesting/verifying OCI image attestations #3889

Open
wants to merge 23 commits into base: main

Conversation

codysoyland
Member

@codysoyland codysoyland commented Sep 25, 2024

Summary

This PR adds support for the new Cosign Bundle Specification in cosign attest and cosign verify-attestation.

Related: #3139

To test, run the following (replacing MY_IDENTITY, MY_ISSUER, MY_TRUSTED_ROOT and MY_IMAGE as needed -- trusted root is optional). Note that the new OCI support requires passing --new-bundle-format into both commands.

go run ./cmd/cosign attest --predicate my-predicate.json --new-bundle-format MY_IMAGE
go run ./cmd/cosign verify-attestation --certificate-identity MY_IDENTITY --certificate-oidc-issuer MY_ISSUER --new-bundle-format --trusted-root=MY_TRUSTED_ROOT MY_IMAGE

Full example (using crane, but can instead use docker tag/docker push):

make cosign
docker run -d -p 5050:5000 ghcr.io/project-zot/zot-linux-arm64:latest
crane copy busybox:latest localhost:5050/busybox
echo '{"foo": "bar"}' > predicate.json
./cosign attest --predicate predicate.json --new-bundle-format localhost:5050/busybox:latest
# Dex workflow, assuming GitHub as provider
./cosign verify-attestation [email protected] --certificate-oidc-issuer=https://github.com/login/oauth --new-bundle-format localhost:5050/busybox:latest

To show that it uses the OCI 1.1 referrers API, you can use oras:

oras discover localhost:5050/busybox:latest
Discovered 1 artifact referencing latest
Digest: sha256:db142d433cdde11f10ae479dbf92f3b13d693fd1c91053da9979728cceb1dc68

Artifact Type                                   Digest
application/vnd.dev.sigstore.bundle.v0.3+json   sha256:3fb46d845fe437667a6b3ed45d2b11dea11c43f8fbe76dd642eb71de2a9b8b77

Release Note

Documentation
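As an added example (not part of this PR or the cosign code base): a Python check of the shape of the v0.3 bundle that `cosign attest --new-bundle-format` attaches through the referrers API, using the media type and image digest shown in the `oras discover` output above. It assumes the bundle carries a DSSE envelope with an in-toto statement, checks only that the statement's subject is bound to the image digest, and computes the DSSE pre-authentication encoding that a signature covers; signature, certificate and transparency-log verification are left to `cosign verify-attestation`. The sample bundle, its statement fields and its placeholder signature are constructed.

```python
import base64
import json

# Media type `oras discover` reports for the attached bundle, and the image digest it refers to.
BUNDLE_MEDIA_TYPE = "application/vnd.dev.sigstore.bundle.v0.3+json"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
IMAGE_DIGEST = "sha256:db142d433cdde11f10ae479dbf92f3b13d693fd1c91053da9979728cceb1dc68"


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the exact bytes a DSSE signature is computed over."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def extract_statement(bundle: dict, expected_subject_digest: str) -> dict:
    """Return the in-toto statement from a v0.3 bundle, but only if the bundle media type,
    the envelope payload type and the statement subject all match the image being checked.
    A bundle attached to one image but attesting a different digest is rejected here."""
    if bundle.get("mediaType") != BUNDLE_MEDIA_TYPE:
        raise ValueError(f"unexpected bundle media type: {bundle.get('mediaType')}")
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payload type: {env.get('payloadType')}")
    if not env.get("signatures"):
        raise ValueError("envelope carries no signatures")
    statement = json.loads(base64.b64decode(env["payload"]))
    algo, _, hexdigest = expected_subject_digest.partition(":")
    if not any(s.get("digest", {}).get(algo) == hexdigest for s in statement.get("subject", [])):
        raise ValueError("attestation subject does not match the image digest")
    return statement


def sample_bundle(subject_digest: str) -> dict:
    """Constructed sample in the shape of the attached bundle, carrying the page's predicate.
    Statement type and predicate type are assumptions; the signature is a placeholder."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://cosign.sigstore.dev/attestation/v1",
        "subject": [{"name": "localhost:5050/busybox", "digest": {"sha256": subject_digest.split(":")[1]}}],
        "predicate": {"foo": "bar"},
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "mediaType": BUNDLE_MEDIA_TYPE,
        "verificationMaterial": {},  # certificate and tlog entries omitted in this constructed sample
        "dsseEnvelope": {
            "payloadType": INTOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "", "sig": base64.b64encode(b"placeholder-not-a-real-signature").decode()}],
        },
    }
```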


codecov bot commented Nov 6, 2024

Codecov Report

Attention: Patch coverage is 10.21898% with 369 lines in your changes missing coverage. Please review.

Project coverage is 35.73%. Comparing base (2ef6022) to head (77be5a8).
Report is 241 commits behind head on main.

Files with missing lines Patch % Lines
pkg/cosign/verify.go 18.93% 129 Missing and 8 partials ⚠️
pkg/oci/remote/write.go 0.00% 92 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go 0.00% 36 Missing ⚠️
cmd/cosign/cli/attest/attest.go 0.00% 32 Missing ⚠️
pkg/oci/remote/signatures.go 0.00% 31 Missing ⚠️
cmd/cosign/cli/attest/common.go 0.00% 10 Missing ⚠️
cmd/cosign/cli/verify/verify.go 0.00% 8 Missing ⚠️
cmd/cosign/cli/attest/attest_blob.go 14.28% 6 Missing ⚠️
pkg/cosign/verify_bundle.go 40.00% 4 Missing and 2 partials ⚠️
cmd/cosign/cli/verify.go 0.00% 5 Missing ⚠️
... and 4 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3889      +/-   ##
==========================================
- Coverage   40.10%   35.73%   -4.38%     
==========================================
  Files         155      210      +55     
  Lines       10044    13741    +3697     
==========================================
+ Hits         4028     4910     +882     
- Misses       5530     8196    +2666     
- Partials      486      635     +149     


@codysoyland codysoyland mentioned this pull request Nov 8, 2024
2 tasks
@codysoyland codysoyland marked this pull request as ready for review November 22, 2024 19:55
@codysoyland codysoyland changed the title Add support for new bundle specification in cosign verify-attestation Add support for new bundle specification for attesting/verifying OCI image attestations Nov 22, 2024