feat(ISV-6377): let cosign use HashedRekord for TLOG verification of attestations

[BorekZnovustvoritel]

Assisted-by: claude-4.5-sonnet (Cursor)
Signed-off-by: Marek Szymutko mszymutk@redhat.com

Addresses the verification part of #3599

Summary

Without this feature, the hashedRekords cannot be used as TLOG entries for attestations because the cosign verify-attestation would fail. The problem is described in #3599 but the brief summary is:

• cosign attest uses DSSE or in-toto payloads, sends the whole payload to the Rekor server
• In case of SBOMs, the attestations can be too large to be processed by Rekor, disallowing the usage of Rekor for attesting SBOMs
• This change only addresses the verification part. With this change, the command cosign verify-attestation now also supports HashedRekord TLOG entries, which makes sure that a digest is sufficient payload to be uploaded to Rekor.
• Additional changes are required for the full functionality, cosign attest doesn't support uploading the HashedRekord entries. A workaround must be used as of now, the workaround is described in this write-up (with the only difference that when using the version of Cosign built from this PR, the verification succeeds)

Release Note

• New feature: Support for HashedRekords TLOG entries was added to cosign verify-attestation

Documentation

No user-facing API was changed in this PR, I believe comments in code are a sufficient change.

[arewm]

@steiza, fya as I mentioned this to you on a call a couple weeks back.

[Hayden-IO]

Hey y'all, sorry to leave this PR hanging. I will get back to it in a week or so. The approach seems reasonable, but I need to dedicate a bit of time to think through this and if there's any unintended consequences.

[BorekZnovustvoritel]

(I'm just heartbeating so this doesn't become stale or it doesn't auto-close or something) 😄