cnrancher / hangar

Multi-platform container image command-line utility.
https://hangar.cnrancher.com
Apache License 2.0

[Feature][1.8] Container image sign & verify functionalities by sigstore #35

Closed STARRY-S closed 1 month ago

STARRY-S commented 4 months ago

Is your feature request related to a problem?

Original Issue: https://github.com/cnrancher/hangar/issues/15

Split the container image sign & verify functionality into this separate issue.

Describe the solution you'd like

Add container image signing functions (signed by sigstore private key) and validate the signed container image functions (sigstore public key).

The container image sign & verify functionality will be based on the containers/image library; no other third-party dependencies were introduced.

STARRY-S commented 4 months ago

Changes

STARRY-S commented 1 month ago

Available to test on v1.8.0-rc3. Docs: https://hangar.cnrancher.com/docs/v1.8/sign/

rootwuj commented 1 month ago

When harbor is used as the image repository, the container image fails to be signed.

ip-172-31-33-62:/hangar # hangar generate-sigstore-key --prefix="sigstore"
Enter the passphrase for key "sigstore.key":
Enter the passphrase again:
[03:15:40] [INFO] Write sigstore key-pair to "sigstore.pub", "sigstore.key"
ip-172-31-33-62:/hangar # hangar sign \
>     --file="aaa.txt" \
>     --sigstore-key="sigstore.key" \
>     --arch amd64 \
>     --os linux \
>     --registry="harbor.wujing.fun" \
>     --jobs=1
Enter the passphrase for key "sigstore.key":
[03:15:57] [INFO] Arch List: [amd64]
[03:15:57] [INFO] OS List: [linux]
[03:15:57] [INFO] Signing images in "aaa.txt" with sigstore priv-key "sigstore.key".
[03:15:58] [INFO] [IMG:1] Signing [harbor.wujing.fun/cnrancher/hangar:latest]
[03:15:58] [WARN] Failed, retrying in 100µs ... (1/3). Error: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in harbor.wujing.fun/cnrancher/hangar: unknown: artifact cnrancher/hangar:sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig not found
[03:15:58] [WARN] Failed, retrying in 100µs ... (2/3). Error: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in harbor.wujing.fun/cnrancher/hangar: unknown: artifact cnrancher/hangar:sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig not found
[03:15:58] [WARN] Failed, retrying in 100µs ... (3/3). Error: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in harbor.wujing.fun/cnrancher/hangar: unknown: artifact cnrancher/hangar:sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig not found
[03:15:59] [ERRO] error occurred when sign [harbor.wujing.fun/cnrancher/hangar:latest]: failed to sign [docker://harbor.wujing.fun/cnrancher/hangar:latest]: error occurred when sign image [docker://harbor.wujing.fun/cnrancher/hangar:latest]: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in harbor.wujing.fun/cnrancher/hangar: unknown: artifact cnrancher/hangar:sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig not found
[03:15:59] [ERRO] Sign failed image list:
cnrancher/hangar:latest
[03:15:59] [INFO] Failed image list exported to "sign-failed.txt"
[03:15:59] [FATA] some images failed to sign
ip-172-31-33-62:/hangar #

rootwuj commented 1 month ago

Version: v1.8.0-rc3

This problem exists when the registry is harbor. The following test uses registry:2 for verification. After the problem is fixed, use harbor for testing.

Verification passed, the test content is as follows:

Test Case: Generate sigstore key
Command: hangar generate-sigstore-key
Steps:
1. Set up the registry server.
2. Run Hangar v1.8.0-rc3:
   docker run -it -v $(pwd):/hangar --network=host cnrancher/hangar:v1.8.0-rc3
3. Run the generate-sigstore-key command to generate a sigstore key-pair:
   hangar generate-sigstore-key --prefix="sigstore"
Expected Results: The generated sigstore key-pair is sigstore.pub and sigstore.key
Result: PASS

Test Case: Sign images with sigstore key-pair
Command: hangar sign
Steps:
1. Use the mirror command to copy container images to the private registry.
2. Sign container images with the sigstore private key.
3. Use the inspect command to view the signed sigstore signature.
Expected Results: Sigstore signature is correct
Result: PASS

Test Case: Validate the signed image signature
Command: hangar sign validate
Steps:
4. Use the hangar sign validate command to validate the signed image sigstore signature.
Expected Results: The verification is successful and the result is PASS.
Result: PASS

Test Case: Validate the mirrored image signature
Command: --exact-repository
Steps: Verify according to documentation instructions: validate the copied image signature with --exact-repository.
Expected Results: It can be verified and the result returned is PASS.
Result: PASS

Test Case: Use cosign to verify the signed image signature
Command: cosign verify
Steps: Verify according to documentation instructions: use cosign verify to verify the Hangar-signed image.
Expected Results: Can be verified successfully
Result: PASS

Test Case: Do not copy image signatures when mirroring images
Command: mirror --remove-signature
Steps:
1. Use the --remove-signatures option of the mirror command to disable signature copy.
2. Use hangar inspect to confirm that the image is not signed.
3. Use the sign command to re-sign the container images with your own sigstore signature.
4. Use hangar inspect to confirm that the image has been signed.
Expected Results: --remove-signatures parameter takes effect
Result: PASS
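As an added example (not hangar's own code, and not the containers/image implementation it builds on), the stand-alone Go program below shows what a cosign-style sigstore key signature actually binds, which is what the sign, sign validate, --exact-repository and cosign verify rows of the test table above exercise. It assumes cosign's "simple signing" payload layout (manifest digest plus the docker-reference the image was signed under, signed with an ECDSA P-256 key, the same key type `hangar generate-sigstore-key` produces), derives the `sha256-<digest>.sig` tag that appears in the Harbor log above, and enforces the strict identity rule that the signed reference must equal the reference being verified, which is the behaviour the --exact-repository case relies on after a mirror copy (assumed mapping to hangar's flag). The mirrored registry hostname is constructed for the example; no registry is contacted and no files are written.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// payload follows the cosign "simple signing" JSON: the manifest digest and
// the reference under which the image was signed are the signed content.
type payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

const payloadType = "cosign container image signature"

// NewPayload builds the blob that gets signed for ref@digest.
func NewPayload(ref, digest string) ([]byte, error) {
	var p payload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = payloadType
	return json.Marshal(p)
}

// SignatureTag maps a manifest digest to the tag the signature is stored under
// in the same repository: "sha256:<hex>" becomes "sha256-<hex>.sig".
func SignatureTag(digest string) string {
	return strings.Replace(digest, ":", "-", 1) + ".sig"
}

// GenerateKey stands in for `hangar generate-sigstore-key`: ECDSA P-256, no passphrase here.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign returns the base64 ASN.1 ECDSA signature over SHA-256(payload).
func Sign(priv *ecdsa.PrivateKey, payloadBytes []byte) (string, error) {
	h := sha256.Sum256(payloadBytes)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks the signature with the public key and then pins the signed
// identity: the payload must name exactly wantRef and wantDigest. A mirrored
// copy keeps the digest but not the reference, so it fails the identity check
// unless the verifier is told the original repository (the --exact-repository
// case; assumed semantics for this example).
func Verify(pub *ecdsa.PublicKey, payloadBytes []byte, b64sig, wantRef, wantDigest string) error {
	sig, err := base64.StdEncoding.DecodeString(b64sig)
	if err != nil {
		return err
	}
	h := sha256.Sum256(payloadBytes)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	var p payload
	if err := json.Unmarshal(payloadBytes, &p); err != nil {
		return err
	}
	if p.Critical.Type != payloadType {
		return fmt.Errorf("unexpected payload type %q", p.Critical.Type)
	}
	if p.Critical.Image.DockerManifestDigest != wantDigest {
		return fmt.Errorf("digest mismatch: signed %s, want %s", p.Critical.Image.DockerManifestDigest, wantDigest)
	}
	if p.Critical.Identity.DockerReference != wantRef {
		return fmt.Errorf("identity mismatch: signed %q, want %q", p.Critical.Identity.DockerReference, wantRef)
	}
	return nil
}

func main() {
	// Digest and reference taken from the Harbor log above; mirror target is constructed.
	const digest = "sha256:984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1"
	const signedRef = "harbor.wujing.fun/cnrancher/hangar:latest"
	const mirroredRef = "registry.example.test/cnrancher/hangar:latest"

	priv, _ := GenerateKey()
	pl, _ := NewPayload(signedRef, digest)
	sig, _ := Sign(priv, pl)
	fmt.Println("signature tag:", SignatureTag(digest))
	fmt.Println("verify at signed ref:", Verify(&priv.PublicKey, pl, sig, signedRef, digest))
	fmt.Println("verify at mirrored ref:", Verify(&priv.PublicKey, pl, sig, mirroredRef, digest))
}
```

The mirrored-reference failure is the reason the --remove-signatures row matters: a copied signature still verifies cryptographically, but it names the source repository, so after mirroring you either re-sign under the new reference or tell the verifier which repository the signature was made for.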