Document bundle verification

[kommendorkapten]

Description

There is currently no real documentation on how to verify a bundle. There are some drafts like this: https://github.com/kommendorkapten/cosign/blob/bundle_verification/specs/dotsigstore_bundle/verify.md

Also the bundle format alone leaves some things underspecified. Such as hash and signature algorithm used by the transparency log, that has to be documented. This is now captured in the bundle verification interface, and also called out in this issue: #7, but should be properly documented.

During SigstoreCon there was a lot of discussion on this, the general idea was a layered approach:

• The process has a global trust root
• During artifact verification a few steps happen
  1. Based on artifact/policy a subset/filtered of the trust root is selected
  2. The real verification function is executed with the filtered trust root and artifact as input

The primary reason for first filtering the trust root and then running the verification logic is that code with this layout is easier to write and test, as each stage has specific purpose. The verification code should be as simple as possible, with minimal dependencies and possible choices.

Where should the such documentation live? In this repository, the architecture-docs? Separate document or part of the client spec?

cc @znewman01 @asraa @joshuagl @vaikas who was present during the discussions.

[znewman01]

I prefer putting this in the Spec: Sigstore Client doc (join sigstore-dev@googlegroups.com for access).