Add hashedrekord support to attest-blob and attest#4622

Closed
steiza wants to merge 5 commits into sigstore:main from steiza:attest_hashedrekord

Conversation

@steiza
Member

@steiza steiza commented Jan 9, 2026

Summary

For #3599, as an alternative to #4490

There are cases where people want to have large attestations (like SBOMs) which introduce a couple of issues:

  • Rekor won't accept large dsse / intoto entries
  • the resulting bundle is quite large (as it contains the large attestation)

attest-blob already has --rekor-entry-type, although previously it only supported dsse and intoto. This change adds hashedrekord support, and the resulting bundle has a messageSignature instead of a large dsseEnvelope.

Of course, you need a way to verify the resulting bundle. With this change you can do so with verify-blob (instead of verify-blob-attestation), where the blob you verify is the DSSE PAE.

We probably wouldn't land this as-is, due to two issues:

  • currently the PAE is printed out for convenience, although for large attestations this is not very desirable. We could either have the command save the PAE to disk for you, or we could print out the hash and add hash support to verify-blob (verify-blob-attestation already has hash support).

  • this only works when you are using signing config, although #4570 (Restructuring signing code for shared implementation) and #4618 (Sign exclusively via sigstore-go) are working on unifying codepaths so that in the future this would also work without signing config.

You can test this with something like:

$ go run cmd/cosign/main.go attest-blob --key=cosign.key --bundle=attest.sigstore.json --rekor-entry-type=hashedrekord --type=something --predicate=../sigstore-go/examples/sigstore-go-signing/intoto.txt ../sigstore-go/examples/sigstore-go-signing/hello_world.txt
$ echo -n "..." > pae.txt
$ go run cmd/cosign/main.go verify-blob --key=cosign.pub --bundle=attest.sigstore.json pae.txt

Release Note

  • Added --rekor-entry-type=hashedrekord support to attest and attest-blob when signing config is used

Documentation

N/A

Signed-off-by: Zach Steindler <steiza@github.com>
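The description above says the bundle ends up with a messageSignature over the DSSE PAE, and that verify-blob must therefore be given the PAE rather than the predicate. The following is an added, stand-alone Go example (not code from cosign or sigstore-go) that makes this concrete: it builds the DSSE Pre-Authentication Encoding, hashes it the way a hashedrekord entry would, and shows that an ECDSA signature over the PAE verifies against the PAE bytes but not against the bare payload. The payload type and statement body are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// PAE builds the DSSE Pre-Authentication Encoding:
//
//	"DSSEv1" SP LEN(payloadType) SP payloadType SP LEN(payload) SP payload
//
// LEN is the decimal byte length. A DSSE signer signs exactly these bytes,
// so when the signature is recorded as a hashedrekord messageSignature
// instead of a dsseEnvelope, this byte string is the "blob" verify-blob checks.
func PAE(payloadType string, payload []byte) []byte {
	header := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " "
	return append([]byte(header), payload...)
}

// PAEDigest returns the hex SHA-256 of the PAE. A hashedrekord entry stores a
// digest like this rather than the attestation itself, which is what keeps the
// log entry small regardless of how large the predicate (e.g. an SBOM) is.
func PAEDigest(payloadType string, payload []byte) string {
	sum := sha256.Sum256(PAE(payloadType, payload))
	return hex.EncodeToString(sum[:])
}

// SignPAE produces an ECDSA signature over SHA-256(PAE), the same signature a
// DSSE envelope for this payload would carry.
func SignPAE(priv *ecdsa.PrivateKey, payloadType string, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(PAE(payloadType, payload))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyBlob checks sig over an arbitrary blob, as a blob verifier does. It
// succeeds only when blob is the PAE bytes, not the bare predicate.
func VerifyBlob(pub *ecdsa.PublicKey, blob, sig []byte) bool {
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed sample in-toto statement; not a real attestation.
	payloadType := "application/vnd.in-toto+json"
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://example.com/constructed/v1"}`)

	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sig, err := SignPAE(priv, payloadType, payload)
	if err != nil {
		panic(err)
	}

	// The PAE verifies; the raw predicate does not. This is why the PAE (or
	// its hash) is what has to be handed to verify-blob.
	fmt.Printf("PAE:        %s\n", PAE(payloadType, payload))
	fmt.Printf("PAE digest: %s\n", PAEDigest(payloadType, payload))
	fmt.Println("verify(PAE):        ", VerifyBlob(&priv.PublicKey, PAE(payloadType, payload), sig))
	fmt.Println("verify(raw payload):", VerifyBlob(&priv.PublicKey, payload, sig))
}
```

The digest printed by PAEDigest is the value that would stand in for the attestation in a hashedrekord entry, which is also the "print out the hash and add hash support to verify-blob" option the description floats.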
@codecov

codecov bot commented Jan 9, 2026

Codecov Report

❌ Patch coverage is 5.55556% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 36.08%. Comparing base (2ef6022) to head (ad31a5c).
⚠️ Report is 650 commits behind head on main.

Files with missing lines               Patch %   Lines
cmd/cosign/cli/signcommon/common.go    0.00%     14 Missing ⚠️
cmd/cosign/cli/attest/attest.go        0.00%     1 Missing ⚠️
cmd/cosign/cli/attest/attest_blob.go   50.00%    1 Missing ⚠️
cmd/cosign/cli/sign/sign.go            0.00%     1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4622      +/-   ##
==========================================
- Coverage   40.10%   36.08%   -4.02%     
==========================================
  Files         155      220      +65     
  Lines       10044    12429    +2385     
==========================================
+ Hits         4028     4485     +457     
- Misses       5530     7250    +1720     
- Partials      486      694     +208     


steiza added 4 commits January 9, 2026 16:12
Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Zach Steindler <steiza@github.com>
@steiza
Member Author

steiza commented Jan 28, 2026

After exploring this approach, I don't think this is a good idea. We should instead encourage people not to create large bundles that are 100s of MBs.

@steiza steiza closed this Jan 28, 2026