Describe the feature
Multiple customers would like to use connaisseur in their environment with signing certificates issued from their own custom organizational CA (e.g., an internal PKI that does not make use of Fulcio). This requires them to be able to perform certificate chain validation.
Cosign has just recently added the ability to achieve this by combining both the --cert and the new --cert-chain flags. However, connaisseur currently only supports verifying signatures using a public key, which means it does not support this new feature.
Could you please include the ability to verify signatures using both --cert and --cert-chain?
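What "verifying with --cert and --cert-chain" has to do on the admission-controller side is: take the signer's leaf certificate, chain it through the supplied intermediates to a root the operator trusts, check that the leaf is allowed to sign code, and only then check the signature under the leaf's public key. The following is an added example written for this thread, not code from connaisseur or cosign, showing that flow with Go's standard `crypto/x509` verifier. It builds a constructed three-level PKI (root CA, division CA, signer), an unrelated root CA, and a constructed stand-in payload; the key type (ECDSA P-256), the certificate names and the payload are all assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// genKey returns a fresh P-256 key; generation only fails on a broken RNG.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template describes either a CA certificate (cert-sign usage) or a code-signing leaf.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// issue signs tmpl with the issuer's key (self-signed when parent is nil) and returns the parsed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// VerifyWithChain models the requested check: the leaf (--cert) must chain through the supplied
// intermediates (--cert-chain) to a trusted root, must carry the code-signing EKU, and its key must
// verify the signature over the payload. Any failure rejects the signature.
func VerifyWithChain(leaf *x509.Certificate, chain []*x509.Certificate, roots *x509.CertPool, payload, sig []byte) error {
	inter := x509.NewCertPool()
	for _, c := range chain {
		inter.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return fmt.Errorf("certificate chain validation failed: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("leaf certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under the leaf certificate's key")
	}
	return nil
}

// Scenarios builds the constructed org PKI (root -> division CA -> signer) plus an unrelated root and
// returns three outcomes: genuine signature against the org root (should pass), the same signature
// against the unrelated root (should fail), and the genuine signature over a tampered payload (should fail).
func Scenarios() (valid, wrongRoot, tampered error) {
	rootKey, interKey, signerKey, otherKey := genKey(), genKey(), genKey(), genKey()
	root := issue(template("Example Org Root CA", 1, true), nil, &rootKey.PublicKey, rootKey)
	inter := issue(template("Example Org Division CA", 2, true), root, &interKey.PublicKey, rootKey)
	signer := issue(template("image-signer@example.org", 3, false), inter, &signerKey.PublicKey, interKey)
	other := issue(template("Unrelated Org Root CA", 4, true), nil, &otherKey.PublicKey, otherKey)

	// Constructed stand-in for the signed payload; the real payload is whatever the signer produced.
	payload := []byte(`{"critical":{"identity":{"docker-reference":"registry.example.org/app"}}}`)
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, signerKey, digest[:])
	if err != nil {
		panic(err)
	}
	orgRoots, otherRoots := x509.NewCertPool(), x509.NewCertPool()
	orgRoots.AddCert(root)
	otherRoots.AddCert(other)

	chain := []*x509.Certificate{inter}
	valid = VerifyWithChain(signer, chain, orgRoots, payload, sig)
	wrongRoot = VerifyWithChain(signer, chain, otherRoots, payload, sig)
	tampered = VerifyWithChain(signer, chain, orgRoots, append([]byte("x"), payload...), sig)
	return
}

func main() {
	valid, wrongRoot, tampered := Scenarios()
	fmt.Println("org root, genuine payload:", valid)
	fmt.Println("unrelated root:", wrongRoot)
	fmt.Println("tampered payload:", tampered)
}
```

The second scenario is the one that matters for the multi-division case described in this thread: which roots go into the pool is what decides whether one division's signatures are accepted by another, so that pool is the policy knob, while the intermediates supplied alongside the signature are untrusted input that only help build the path.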
@garantir-km I like that request, as using signing certificates offers very strong security guarantees and a cert chain would add revocation.
The key interface is currently re-worked (#540), which will make adding more and different key types much easier. Besides keyless and RSA keys, cert validation should definitely be added.
I have an idea as to why organizations may want to use signing certificates, but would you mind sharing your reasoning for preferring certificates?
@xopham Our reason is purely to support our larger customers that are made up of multiple divisions that each sign their images with different signing certificates. In some cases the different divisions want to trust each other, and in other cases they may not. By supporting configurable certificate chains, these customers have the flexibility to deploy a trust model that meets their specific requirements.