Added support for attaching Time stamp authority Response in attach command

[Mukuls77]

Summary

The PR provide the support to attach Timestamp authority response for signed signature time stamp in attach command.
using this functionality now we can attach a TSR response for the generated signature and attach that along with the associated certificates and certificate chain. This PR will help specifically in private CA cases where now Private CA can issue short lived certificates and attach the Time stamp of the signature. This will help in checking the validity of the associated certificates using the signature time stamp

Release Note

Following files have been modified for the PR.
cmd/cosign/cli/attach.go
cmd/cosign/cli/attach/sig.go
cmd/cosign/cli/options/attach.go
doc/cosign_attach_signature.md
test/e2e_test.go
test/e2e_test_attach.sh
test/testdata/test_attach_freetsacacert.pem
Add a release note for each of the following conditions:

Documentation

This PR introduce a new parameter that can be used in the Attach command to pass the path of the Time stamp Authority response.
The updated command help is as below

$ ./cosign attach signature --help
Attach signatures to the supplied container image

Usage:
cosign attach signature [flags]

Examples:
cosign attach signature

Flags:
--allow-http-registry whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing
--allow-insecure-registry whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing
--attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
--certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
--certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
-h, --help help for signature
--k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
--payload string path to the payload covered by the signature
--signature string path to the signature, or {-} for stdin
--timeStampedSignatureResponse string path to the Time Stamped Signature Response from RFC3161 compliant TSA

Global Flags:
--output-file string log output to a file
-t, --timeout duration timeout for commands (default 3m0s)
-d, --verbose log debug output

Testing

Make , lint , Docgen test were done. also e2e test related to attach command were done. attached are the logs
Build_Lint_Docgen_test_logs.txt

e2e_attach_test_logs.txt

[codecov]

Codecov Report

Merging #3001 (2b4c9b3) into main (f21081a) will increase coverage by 0.70%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #3001      +/-   ##
==========================================
+ Coverage   30.25%   30.95%   +0.70%     
==========================================
  Files         151      153       +2     
  Lines        9473     9678     +205     
==========================================
+ Hits         2866     2996     +130     
- Misses       6162     6224      +62     
- Partials      445      458      +13     

Impacted Files	Coverage Δ
cmd/cosign/cli/attach.go	0.00% <0.00%> (ø)
cmd/cosign/cli/options/attach.go	0.00% <0.00%> (ø)

... and 11 files with indirect coverage changes

[haydentherapper]

LGTM on the feature, just a comment on flag name and testing.

[haydentherapper]

Can we use the libraries in the sigstore/timestamp-authority repo to generate a timestamp (see unit tests, there should be some examples), or stand up an instance of the tsa for an e2e test (also there should be examples of such). We shouldn’t call out to a third party service as part of our tests.

[Mukuls77]

I tried to check the instance in the existing e2e test cases where we have used a separate instance of the tsa, but was not able to find any example. In the unit test i could see there are many instance of test cases covering the TSA testing and verification. so i think adding a new unit test case for attach case will not add up much functionality as in unit test case we directly modify the signature structure to include cert, cert-chain and tsa.
If it is ok with you i can remove the changes i did to introduce TSA functionality in attach test case, as it is already covered in unit test of sign and verify.

[haydentherapper]

This test has an example of spinning up a local server - https://github.com/sigstore/cosign/blob/main/test/e2e_test.go#L724

[Mukuls77]

Hi Hayden i have created a new test cases for using TSR in attach command in e2e_test.go file also i have reverted the changes in e2e_test_attach.sh file which were using freetsa for getting TSR. kindly review the changes,

[haydentherapper]

Can we use an acronym “—tsr” for the flag name instead?

[Mukuls77]

Agree i will change the flag name from --timeStampedSignatureResponse to --tsr

[malancas]

This LGTM now that the test uses sigstore/timestamp-authority libraries but I'll wait for @haydentherapper to give this another look as well.

[Mukuls77]

Thanks @malancas for the review @haydentherapper can you pls also review the PR changes

[haydentherapper]

Can you delete this cert?

[haydentherapper]

nit: Can you just inline the concatenation of these two, string(append(pemSub, pemRoot...)) and remove appendSlices given it's not used elsewhere?

[haydentherapper]

Looks great! Just two small comments, thanks for updating the tests.

[Mukuls77]

Thanks @haydentherapper for the review i have done the required changes pls check