Description
Currently, for sign, sign-blob, attest, and attest-blob, we fork the code on whether or not a user provides a signing config, e.g. in sign-blob. When the user provides a signing config, we route signing to the sigstore-go library. Otherwise, we use the Cosign signing code. This choice introduced some unexpected issues with Cosign v3, with missing functionality.
This proposes restructuring the signing code so that it does not have two divergent signing paths. Roughly, the signing code should be structured like so:
1. Setup: Retrieve service URLs, trust root, initialize any configuration
2. Sign: Sign a container/attestation/blob
3. Return: Construct required outputs, e.g. bundle or detached verification material
For (1), we can retrieve service URLs either from the environment or flags (like with Cosign v2.5-) or from a signing config.
For (2), this will require more design, but our goal should be to use sigstore-go to sign content in all commands. We may need to build an abstraction layer that transforms a container image into a byte stream to pass to sigstore-go (right now, Cosign's sign library does the opposite, taking in an OCI representation of a container, blob or attestation). I'd suggest we start refactoring sign-blob and attest-blob first.
For (3), again we should use the flags to determine what output the user requests. If we support both bundles and detached verification material concurrently, we can easily mark the latter deprecated without maintaining separate codepaths.
We have a common library for sign-related functionality already - https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/signcommon/common.go - which we can continue to expand.
This work will enable future refactoring: sharing flags between sign commands, converging the sign and attest implementations, deprecating v2 flags, and ultimately having a single signing implementation from sigstore-go while providing container signing as a well-formed library.
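A sketch of the three-phase shape described above, added here as an illustration and not code from Cosign or sigstore-go: the Go standard library stands in for sigstore-go, and the `Content` interface, the `Setup`/`Sign`/`Output` functions, the map used as a parsed signing config, the payload shape for images and the bundle fields are all hypothetical. The point it shows is that blob and image inputs converge on one `Sign` call, that service-URL resolution (flags/env versus signing config) is isolated in phase 1, and that bundle versus detached output is a phase-3 choice made from the same `SignResult` rather than a second signing path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Content is the abstraction layer: each input type turns itself into the
// byte stream that is actually signed, so a single signing path serves all commands.
type Content interface {
	PayloadToSign() []byte
}

// BlobContent is what sign-blob / attest-blob would hand in: the raw bytes.
type BlobContent struct{ Data []byte }

func (b BlobContent) PayloadToSign() []byte { return b.Data }

// ImageContent stands in for a container: the signed payload names the manifest
// digest rather than the image bytes. The payload shape here is hypothetical.
type ImageContent struct{ Digest string }

func (c ImageContent) PayloadToSign() []byte {
	p, _ := json.Marshal(map[string]string{"manifestDigest": c.Digest})
	return p
}

// SigningSetup is the result of phase 1: resolved service URLs plus the key.
type SigningSetup struct {
	FulcioURL string
	RekorURL  string
	Key       *ecdsa.PrivateKey
}

// Setup resolves URLs from the signing config when one is supplied and from
// flags/environment otherwise, then initialises an ephemeral signing key.
// signingConfig is a hypothetical stand-in for a parsed signing config file.
func Setup(fulcioFlag, rekorFlag string, signingConfig map[string]string) (*SigningSetup, error) {
	s := &SigningSetup{FulcioURL: fulcioFlag, RekorURL: rekorFlag}
	if signingConfig != nil {
		s.FulcioURL, s.RekorURL = signingConfig["fulcio"], signingConfig["rekor"]
	}
	if s.FulcioURL == "" || s.RekorURL == "" {
		return nil, errors.New("setup: fulcio and rekor URLs must be resolved before signing")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.Key = key
	return s, nil
}

// SignResult is the phase 2 output, independent of how the caller wants it returned.
type SignResult struct {
	Digest    []byte // SHA-256 of the payload
	Signature []byte // ASN.1 DER ECDSA signature over Digest
	PublicKey []byte // PKIX DER public key
}

// Sign is the single signing path: hash the payload, sign the digest.
func Sign(s *SigningSetup, c Content) (*SignResult, error) {
	digest := sha256.Sum256(c.PayloadToSign())
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	if err != nil {
		return nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&s.Key.PublicKey)
	if err != nil {
		return nil, err
	}
	return &SignResult{Digest: digest[:], Signature: sig, PublicKey: pub}, nil
}

// Bundle is a hypothetical phase 3 shape; the detached form is just the signature.
type Bundle struct {
	Digest    string `json:"digest"`
	Signature string `json:"signature"`
	PublicKey string `json:"publicKey"`
}

// Output builds the requested representation from one SignResult without re-signing.
func Output(r *SignResult, wantBundle bool) ([]byte, error) {
	if wantBundle {
		return json.Marshal(Bundle{
			Digest:    hex.EncodeToString(r.Digest),
			Signature: base64.StdEncoding.EncodeToString(r.Signature),
			PublicKey: base64.StdEncoding.EncodeToString(r.PublicKey),
		})
	}
	return []byte(base64.StdEncoding.EncodeToString(r.Signature)), nil
}

// Verify checks a SignResult against its own public key (used to exercise the flow).
func Verify(pubDER, digest, sig []byte) bool {
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return false
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(ec, digest, sig)
}

func main() {
	s, err := Setup("https://fulcio.example", "https://rekor.example", nil) // constructed URLs
	if err != nil {
		panic(err)
	}
	r, err := Sign(s, BlobContent{Data: []byte("constructed sample blob")})
	if err != nil {
		panic(err)
	}
	out, _ := Output(r, true)
	fmt.Println(string(out))
}
```

Both `BlobContent` and `ImageContent` go through the same `Sign`; adding a third input kind means adding a `Content` implementation, not a new signing branch, and deprecating the detached form later means removing one branch inside `Output` only.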