Sigstore technical debt

[mtrmac]

Captured from PRs

• Writes to quay.io currently (Oct 13 2022) fail with HTTP status 500
• Unit tests for Add support for reading and writing Cosign attachments to c/image/docker #1595 , at least the config file handling
• Unit tests for Cosign sign #1597
• Unit tests for Add support for Rekor (“transparency log”) uploads to sigstore signing #1784
• Unit tests for Fulcio signing implementation #1785
• Unit tests for Add a sigstore signing parameter file format, and CLI utility #1787
• Check if we can reduce the binary size
  • Split sagoodkey.NewKeyPolicy from goodkey.NewKeyPolicy letsencrypt/boulder#6651 + Update letsencrypt/boulder after https://github.com/letsencrypt/boulder/pull/6651 #1849
  • UNTESTED: Replace sigstore/rekor/pkg/client with a manually-created client #1845
  • Migrate from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3 sigstore/sigstore#969
  • Migrate from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3 ocicrypt#82
• Only fetch the attachment config if we actually have a new signature to add (and if we continue to update the DiffID list).
• Only upload an updated attachment config and manifest if we added at least one new signature.
• Use private.UnparsedImage.UntrustedSignatures, not types.UnparsedImage.Signatures, throughout c/image/signature so that non-simple signatures are not silently ignored on some code paths, and the code at least logs that they were not considered.
• Consider accepting any of a set of public keys: Add keyPaths, keyDatas to prSigstoreSigned #2524
• Consider allowing remapIdentity to do repo-only matching.
• Pass the copy.Image report writer and/or progress bar objects to transports, use that for reporting attachment reads/writes
• Do we actually need to add layers to the attachment config’s DiffIDs array?
• Possibly test isManifestUnknown from Add support for reading and writing Cosign attachments to c/image/docker #1595 against various registries?
• Possibly consider accepting an image with a signed manifest list but not the individual images (i.e. cosign sign without --recursive)

[mtrmac]

I have moved the Skopeo-specific items to containers/skopeo#1704 .

[mtrmac]

letsencrypt/boulder#6651 decreases Skopeo binary size on macOS by 295 kB.