Define interfaces for reasoning about signed images.

This starts to layout our augmented interfaces for reasoning about signed images and indices.  The next step will be to try and shoe-horn some of the implementation of these that we currently use into a new `internal/oci/remote` package.

A couple (seemingly) superficial things about how this is set up:
1. The layout of this reflects the layout of GGCR.  The interfaces there are in `pkg/v1`, and implementations of them in `pkg/v1/<name>`.
2. By embedding `v1.Image` instead of *just* surfacing the higher-level things, we enable folks to `remote.Write` and `tarball.Write` the signatures, which feels useful.

None of this stuff is carved in stone, so we'll see how far off we are as we start to use this first-stab for realz.

Related: sigstore#666
Signed-off-by: Matt Moore <mattomata@gmail.com>

internal/oci/attestations.go

@@ -0,0 +1,28 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oci
+
+import v1 "github.com/google/go-containerregistry/pkg/v1"
+
+// Attestations represents a set of attestations that are associated with a particular
+// v1.Image.
+type Attestations interface {
+	v1.Image // The low-level representation of the attestations
+
+	// TODO(mattmoor): Accessors that build on `v1.Image` to provide
+	// higher-level accessors for the attestation data that is embedded in the
+	// wrapped `v1.Image`
+}

internal/oci/image.go

@@ -0,0 +1,32 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oci
+
+import v1 "github.com/google/go-containerregistry/pkg/v1"
+
+// SignedImage represents an OCI Image, complemented with accessors
+// for retrieving signed metadata associated with that image.
+type SignedImage interface {
+	v1.Image
+
+	// Signatures returns the set of signatures currently associated with this
+	// image, or the empty equivalent if none are found.
+	Signatures() (Signatures, error)
+
+	// Attestations returns the set of attestations currently associated with this
+	// image, or the empty equivalent if none are found.
+	Attestations() (Attestations, error)
+}

internal/oci/index.go

@@ -0,0 +1,40 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oci
+
+import v1 "github.com/google/go-containerregistry/pkg/v1"
+
+// SignedIndex represents an OCI ImageIndex, complemented with accessors
+// for retrieving signed metadata associated with that ImageIndex.
+type SignedImageIndex interface {
+	v1.ImageIndex
+
+	// SignedImage is the same as Image, but provides accessors for the nested
+	// image's signed metadata.
+	SignedImage(v1.Hash) (SignedImage, error)
+
+	// SignedImageIndex is the same as ImageIndex, but provides accessors for
+	// the nested image index's signed metadata.
+	SignedImageIndex(v1.Hash) (SignedImageIndex, error)
+
+	// Signatures returns the set of signatures currently associated with this
+	// image, or the empty equivalent if none are found.
+	Signatures() (Signatures, error)
+
+	// Attestations returns the set of attestations currently associated with this
+	// image, or the empty equivalent if none are found.
+	Attestations() (Attestations, error)
+}

internal/oci/signatures.go

@@ -0,0 +1,28 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oci
+
+import v1 "github.com/google/go-containerregistry/pkg/v1"
+
+// Signatures represents a set of signatures that are associated with a particular
+// v1.Image.
+type Signatures interface {
+	v1.Image // The low-level representation of the signatures
+
+	// TODO(mattmoor): Accessors that build on `v1.Image` to provide
+	// higher-level accessors for the signature data that is embedded
+	// in the wrapped `v1.Image`
+}