feat(sign): support for keyless signing and offline verification

[brandtkeller]

Description

Note - Breaking Changes

• The cosign functionality under src/pkg/utils has been moved to `src/pkg/signing
• The embedded structs in signing.Sign|VerifyBlobOptions have been updated to align with cosign.

This PR enables the use of connected keyless signing workflows and offline-compatible verification for a keyless signed package via an embedded trusted root.

This uses the previously implemented zarf tools trusted-root create command to refresh the embedded trusted root. Think of this as a mechanism to streamline the UX of enabling offline verification of keyless-signed packages so that users are not required to bring additional verification material by default - but of which they can overwrite as required.

Additionally this PR enables the bundlesignature feature by default. Note that the VersionRequirement for a package with a bundle signature is v0.71.0 which is the version that introduced the ability to load packages with the bundle file. The feature flag gates are retained such that users who cannot use the bundle still have an opportunity to opt-out until we fully remove.

One early improvement is the UX of retrieving the keyless-signed identity and issuer. These are retrieved on package sign so that we can log the entries that package creators need to provide to those who want to verify - but additionally I believe we could add a zarf package inspect signature <package> command to make this discoverable. We can't place it directly in the build data because it is only accessible post-signing - whereby the zarf definition can no longer be modified without invalidating the signature.

Best practices documentation to follow.

Try it Yourself

# Build the CLI
make build

# Pull a package for signing
zarf tools download-init

# Sign the package (this will conduct browser auth)
./build/zarf package sign zarf-init-arm64-v0.75.0.tar.zst --keyless

# (optional) turn off wifi

# Verify the package
./build/zarf package verify zarf-init-arm64-v0.75.0.tar.zst --certificate-identity brandt.keller@defenseunicorns.com --certificate-oidc-issuer https://github.com/login/oauth

Related Issue

Fixes #2805
Fixes #4571

Relates to #

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[codecov]

Codecov Report

❌ Patch coverage is 40.37855% with 189 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/cmd/package.go	19.62%	86 Missing ⚠️
src/pkg/utils/oci_artifacts.go	0.00%	39 Missing ⚠️
src/pkg/packager/layout/package.go	70.00%	16 Missing and 5 partials ⚠️
src/pkg/signing/cosign.go	5.00%	19 Missing ⚠️
src/pkg/signing/trustedroot.go	30.76%	6 Missing and 3 partials ⚠️
src/pkg/packager/publish.go	0.00%	4 Missing and 3 partials ⚠️
src/pkg/signing/bundle.go	88.88%	4 Missing and 1 partial ⚠️
src/cmd/tools_trustedroot.go	0.00%	1 Missing ⚠️
src/pkg/packager/load.go	0.00%	1 Missing ⚠️
src/pkg/packager/pull.go	0.00%	1 Missing ⚠️

Files with missing lines	Coverage Δ
src/cmd/viper.go	60.19% <100.00%> (+4.28%)	⬆️
src/pkg/feature/feature.go	91.12% <100.00%> (ø)
src/pkg/packager/layout/assemble.go	43.17% <100.00%> (ø)
src/cmd/tools_trustedroot.go	75.64% <0.00%> (ø)
src/pkg/packager/load.go	62.89% <0.00%> (ø)
src/pkg/packager/pull.go	50.00% <0.00%> (ø)
src/pkg/signing/bundle.go	88.88% <88.88%> (ø)
src/pkg/packager/publish.go	63.10% <0.00%> (-3.21%)	⬇️
src/pkg/signing/trustedroot.go	30.76% <30.76%> (ø)
src/pkg/signing/cosign.go	1.01% <5.00%> (ø)
... and 3 more

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[netlify]

✅ Deploy Preview for zarf-docs canceled.

Name	Link
🔨 Latest commit	3f63c37
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/6a0549920bad3d00087a05f0

[brandtkeller]

Making a mental note to schedule daily checks and notify the zarf channel using this process. A lag in releasing new trusted roots won't be critical but should be nice to have.

[AustinAbro321]

Excited how signing is taking shape, no doubt this will improve the UX

[brandtkeller]

I kept this function in utils - it is not soo much a signing function as it is a helper for signature/attestation retrieval.

[AustinAbro321]

nit: can we make this an enum

[AustinAbro321]

nit: I think it makes more sense to error if the feature is not enabled and keyless is true. Probably doesn't matter much now that we're enabled by default, but that's the preferred pattern for the codebase imo

[AustinAbro321]

This function is not used

[AustinAbro321]

I believe we can replace this function with github.com/sigstore/sigstore-go/pkg/fulcio/certificate.SummarizeCertificate

[AustinAbro321]

Is the current plan to support tsa using the same enable flag if keyless method? Cosign does use tsa by default and our default trusted root has the timestampAuthorities field