Closed seb-bah closed 3 years ago
@radu-matei This is good to go. After we push this through I can create Issue tickets for the TODO items that I mentioned in the readme.
One more thing, @scottbuckel, while you are online - could you please rebase and only keep the useful commits here? I wouldn't want to squash all of them into a single commit.
And thanks a lot for your patience with this PR.
@radu-matei If the issue is that there are too many commits then I don't have an issue with a squash merge. Are there particular commits that you would like me to remove? I think they're all technically 'useful'.
This pull request adds functionality to pull/push Docker image SHA256 digests alongside in-toto metadata to TUF. When I found signy, it was the only way to associate bundles or images with in-toto metadata. Unfortunately, that required using porter to create a bundle, even if you didn't need the full functionality of a bundle. This PR combines the features of docker push and docker pull with signy sign and signy verify. While not part of the CNAB Security Spec, this will help users such as me who were searching for similar functionality.
Usage:
```
signy --tlscacert root-ca.crt image push -i [image]
```
This command is nearly identical to the docker CLI command docker push when the environment variables DOCKER_CONTENT_TRUST=1 and DOCKER_CONTENT_TRUST_SERVER=[server:4443] are set. In addition to signing the digest, we also push the in-toto metadata to the trust server, just like signy sign does.
To pull an image and verify its digest SHA:
```
signy --tlscacert root-ca.crt image pull -i [image]
```
This will pull the image from the registry, verify its digest against what is stored in notary, and verify its in-toto metadata that was pulled down from TUF.
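The digest check that `image pull` performs before any in-toto metadata is trusted, as an added illustration that is not signy's code: `TrustedTarget`, `VerifyPulledManifest` and the sample manifest are hypothetical stand-ins for the target entry the trust server returns and for a registry manifest.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustedTarget models one signed target entry for an image tag as it would
// come back from the trust server (Notary/TUF). Hypothetical type, not signy's.
type TrustedTarget struct {
	Digest string // hex-encoded sha256 of the image manifest
	Length int    // manifest size in bytes, also part of the signed target
}

var (
	ErrUntrustedTag   = errors.New("no signed target for this tag")
	ErrDigestMismatch = errors.New("manifest digest does not match signed target")
)

// VerifyPulledManifest hashes the manifest the registry returned and compares it
// against the signed target for the tag. Only on success should the caller go on
// to verify the in-toto metadata fetched from TUF.
func VerifyPulledManifest(tag string, manifest []byte, targets map[string]TrustedTarget) (string, error) {
	target, ok := targets[tag]
	if !ok {
		return "", ErrUntrustedTag
	}
	sum := sha256.Sum256(manifest)
	got := hex.EncodeToString(sum[:])
	// Length and digest must both match; compare digests in constant time.
	if len(manifest) != target.Length || subtle.ConstantTimeCompare([]byte(got), []byte(target.Digest)) != 1 {
		return "", ErrDigestMismatch
	}
	return "sha256:" + got, nil
}

// Constructed sample manifest, standing in for a real registry manifest.
var sampleManifest = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json"}`)

// SampleTargets builds a constructed trust-server response keyed by tag.
func SampleTargets() map[string]TrustedTarget {
	sum := sha256.Sum256(sampleManifest)
	return map[string]TrustedTarget{"v1": {Digest: hex.EncodeToString(sum[:]), Length: len(sampleManifest)}}
}

func main() {
	digest, err := VerifyPulledManifest("v1", sampleManifest, SampleTargets())
	fmt.Println(digest, err)
}
```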