move verify-blob function to "pkg/cosign" to be consistent with verify

[hirokuni-kitahara]

Signed-off-by: Hirokuni-Kitahara1 hirokuni.kitahara1@ibm.com

Summary

This PR solves the issue #2222 by moving the core function of verify-blob from "cmd/cosign/cli/verify" package to "pkg/cosign" package.
The new function VerifyBlobSignature() is based on basically the same design as VerifyImageSignature(), which is the core function of verify command.
Also the arguments of VerifyBlobSignature() are all non-filepath information such as []byte, so it is easy for developers to invoke this function even on some read-only environment.

Release Note

Documentation

[codecov-commenter]

Codecov Report

Merging #2223 (6e14724) into main (9d3101b) will increase coverage by 0.01%.
The diff coverage is 2.44%.

@@            Coverage Diff             @@
##             main    #2223      +/-   ##
==========================================
+ Coverage   26.62%   26.64%   +0.01%     
==========================================
  Files         131      132       +1     
  Lines        7680     7676       -4     
==========================================
  Hits         2045     2045              
+ Misses       5376     5372       -4     
  Partials      259      259              

Impacted Files	Coverage Δ
cmd/cosign/cli/options/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify_blob.go	14.05% <0.00%> (+4.32%)	⬆️
pkg/cosign/verify_blob.go	4.65% <4.65%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[asraa]

Hi! Do you think we could hold off on this for a day or two?

[asraa]

What happens to intoto attestations?

[hirokuni-kitahara]

Thank you for your reviewing! The intoto DSSE verifier will only be available in keyless verification mode with my current codes, and this is simply a mistake.
I will fix this.

[asraa]

How come the TLOG entry time will only be checked if a valid sig does not exist? verifyOCISignature does not check cert expiry time.

[hirokuni-kitahara]

Thank you for the information, I think we should have VerifyBundle() after verifyOCISignature() as VerifyImageSignature does. I will fix this.

[haydentherapper]

We should hold off on moving this code until a) the refactor we are working on is done b) there are most tests so we have confidence in moving code.

[haydentherapper]

Another meta comment, seems like there are functional changes mixed into this. A refactor should be as minimal as possible, so if we did want to move this, it should be clear that we are just moving the functions, not making any changes in them.

[hirokuni-kitahara]

@asraa Thank you for your reviewing and your comments, I will update the changes to fix some problems you mentioned in the comments.

@haydentherapper Thank you for your comment, I totally agree with that we should not mix a refactor and functional changes in 1 PR. I will remove functional changes from this PR and will create another PR for it when the timing is good.
About the refactoring you are working on, could you share some timeline like when the verify-blob codes would be ready for moving if possible?

[haydentherapper]

We'll hopefully have the refactor in by either end of this week or next week.

[hirokuni-kitahara]

That's great! Thank you very much @haydentherapper

[github-actions]

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

[github-actions]

This PR was closed because it has been stalled for 10 days with no activity.