sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

support image lists for verify-attestation #2356

Open msmeissn opened 1 year ago

msmeissn commented 1 year ago

Description

Currently the verify-attestation command does not handle image lists well.

The SUSE BCI images are multi-architecture, and so accessing registry.suse.com/bci/golang:latest gives you an image list, not a single image.

See the blog post https://codeengineered.com/blog/2022/bci-slsa-attestation/ from Matt Farina.

I know verify-blob-attestation or explicit sha256 blob tagging could work, but it is far from user-friendly.

The verify-attestation command should probably be enhanced to select the architecture, or check all of them?

bailey-coding commented 1 year ago

Thanks for sharing the blog posts! It definitely helps look at some cosign vs crane calls and how they're implemented.

I started digging into enabling this, by checking all of them, but we might want to support both.

We'll still need to do the ImageIndex call for a specific platform, but at least we can make fewer calls if we only care about a subset of them.

bailey-coding commented 1 year ago

I have some work in progress on my branch, but I'm not sure it even does the right thing and I am concerned the performance will be worse than the existing code.

https://github.com/sigstore/cosign/compare/main...justbaileym:cosign:b/support-image-lists

bailey-coding commented 1 year ago

For images, it should be possible to not degrade performance at all, if I properly understand how the manifests work.

For ImageIndex refs, the performance will be affected, since it requires an extra request, but if we support both all platforms and specific platforms, at least that'll enable folks to have an option with better performance too.
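The step the thread keeps circling back to is resolving an image list to the concrete image manifest each platform points at, so that an attestation can be verified against an immutable digest instead of a tag. As an added example (not cosign's code, and not using its go-containerregistry dependency), this stdlib-only Go function parses an OCI image index and returns one `repo@sha256:...` reference per `os/arch[/variant]`; it also accepts the Docker manifest-list media type, skips index entries that carry no platform, and rejects a plain single-image manifest rather than guessing. The sample index, its digests and the `PlatformRefs` name are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Minimal view of an OCI image index / Docker manifest list; encoding/json
// matches the lower-case "os"/"architecture"/"variant" keys to the untagged fields.
type imageIndex struct {
	MediaType string `json:"mediaType"`
	Manifests []struct {
		Digest   string                                     `json:"digest"`
		Platform struct{ OS, Architecture, Variant string } `json:"platform"`
	} `json:"manifests"`
}

// Constructed sample index; the digests are placeholders, not real BCI values.
// The last entry has no platform, as some indexes carry for non-image artifacts.
const sampleIndex = `{"mediaType": "application/vnd.oci.image.index.v1+json", "manifests": [
 {"digest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "platform": {"os": "linux", "architecture": "amd64"}},
 {"digest": "sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210", "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
 {"digest": "sha256:1111222233334444111122223333444411112222333344441111222233334444", "platform": {"os": "linux", "architecture": "s390x"}},
 {"digest": "sha256:abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd", "mediaType": "application/vnd.oci.image.manifest.v1+json"}]}`

// PlatformRefs maps "os/arch[/variant]" to an immutable "repo@digest" reference for
// every platform in the index. Entries without a platform are skipped.
func PlatformRefs(repo string, raw []byte) (map[string]string, error) {
	var idx imageIndex
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, err
	}
	if idx.MediaType != "application/vnd.oci.image.index.v1+json" && idx.MediaType != "application/vnd.docker.distribution.manifest.list.v2+json" {
		return nil, fmt.Errorf("%q is not an image index: verify that single image directly", idx.MediaType)
	}
	refs := make(map[string]string, len(idx.Manifests))
	for _, m := range idx.Manifests {
		if m.Platform.OS == "" || m.Platform.Architecture == "" {
			continue // non-image entry, nothing to verify per platform
		}
		key := m.Platform.OS + "/" + m.Platform.Architecture
		if m.Platform.Variant != "" {
			key += "/" + m.Platform.Variant
		}
		refs[key] = repo + "@" + m.Digest
	}
	return refs, nil
}

func main() {
	refs, err := PlatformRefs("registry.suse.com/bci/golang", []byte(sampleIndex))
	fmt.Println(refs, err) // each value is the per-platform ref to hand to verify-attestation
}
```

Fetching the index itself still costs the extra registry request the thread mentions; what this saves is any further tag resolution, since every returned reference is pinned by digest.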