add SignVSA function and unit tests for VSA signing

Introduce the SignVSA function, which signs a Verification Summary Attestation (VSA)
JSON file using a cosign-compatible private key. The function writes a detached,
base64-encoded signature alongside the VSA and returns the absolute path to the
signature file. It handles key loading, passphrase support, payload reading,
signing, and signature persistence with robust error handling.

Add unit tests for SignVSA, covering:
- Successful signing with a valid cosign private key
- Error handling for missing key files
- Error handling for missing VSA files

https://issues.redhat.com/browse/EC-1308

Author: joejstuart

cmd/validate/image.go

@@ -458,11 +458,31 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 			}
 
 			if data.vsaEnabled {
+				generator := vsa.NewGenerator(report)
+				writer := vsa.NewWriter()
 				for _, comp := range components {
-					if err := processVSA(cmd.Context(), report, comp); err != nil {
-						log.Errorf("[VSA] Error processing VSA for image %s: %v", comp.ContainerImage, err)
+					writtenPath, err := generateAndWrite(cmd.Context(), generator, writer, comp)
+					if err != nil {
+						log.Error(err)
 						continue
 					}
+
+					signer, err := vsa.NewSigner(data.vsaSigningKey, utils.FS(cmd.Context()))
+					if err != nil {
+						log.Error(err)
+						continue
+					}
+					attestor, err := vsa.NewAttestOptions(writtenPath, comp.Source.GitSource.URL, comp.ContainerImage, signer)
+					if err != nil {
+						log.Error(err)
+						continue
+					}
+					envelope, err := attestVSA(cmd.Context(), attestor, comp)
+					if err != nil {
+						log.Error(err)
+						continue
+					}
+					log.Infof("[VSA] VSA attested and envelope written to %s", envelope)
 				}
 			}
 			if data.strict && !report.Success {
@@ -581,50 +601,42 @@ func containsOutput(data []string, value string) bool {
 	return false
 }
 
-// PredicateGenerator defines the interface for generating VSA predicates
-type PredicateGenerator interface {
-	GeneratePredicate(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component) (*vsa.Predicate, error)
+// Create interfaces for the VSA components for easier testing
+type Generator interface {
+	GeneratePredicate(ctx context.Context, comp applicationsnapshot.Component) (*vsa.Predicate, error)
+}
+
+type Writer interface {
+	WriteVSA(pred *vsa.Predicate) (string, error)
 }
 
-// VSAWriter defines the interface for writing VSA files
-type VSAWriter interface {
-	WriteVSA(predicate *vsa.Predicate) (string, error)
+type Attestor interface {
+	AttestPredicate(ctx context.Context) ([]byte, error)
+	WriteEnvelope(data []byte) (string, error)
 }
 
-// generateAndWriteVSA generates a VSA predicate and writes it to a file
-func generateAndWriteVSA(
-	ctx context.Context,
-	report applicationsnapshot.Report,
-	comp applicationsnapshot.Component,
-	generator PredicateGenerator,
-	writer VSAWriter,
-) (string, error) {
-	log.Debugf("[VSA] Generating predicate for image: %s", comp.ContainerImage)
-	pred, err := generator.GeneratePredicate(ctx, report, comp)
+// attestVSA handles VSA attestation and envelope writing for a single component.
+func attestVSA(ctx context.Context, attestor Attestor, comp applicationsnapshot.Component) (string, error) {
+	env, err := attestor.AttestPredicate(ctx)
 	if err != nil {
-		return "", fmt.Errorf("failed to generate predicate for image %s: %w", comp.ContainerImage, err)
+		return "", fmt.Errorf("[VSA] Error attesting VSA for image %s: %w", comp.ContainerImage, err)
 	}
-	log.Debugf("[VSA] Predicate generated for image: %s", comp.ContainerImage)
-
-	log.Debugf("[VSA] Writing VSA for image: %s", comp.ContainerImage)
-	writtenPath, err := writer.WriteVSA(pred)
+	envelopePath, err := attestor.WriteEnvelope(env)
 	if err != nil {
-		return "", fmt.Errorf("failed to write VSA for image %s: %w", comp.ContainerImage, err)
+		return "", fmt.Errorf("[VSA] Error writing envelope for image %s: %w", comp.ContainerImage, err)
 	}
-	log.Debugf("[VSA] VSA written to %s", writtenPath)
-
-	return writtenPath, nil
+	return envelopePath, nil
 }
 
-// processVSA handles the complete VSA generation, signing and upload process for a component
-func processVSA(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component) error {
-	generator := vsa.NewGenerator()
-	writer := vsa.NewWriter()
-
-	vsaPath, err := generateAndWriteVSA(ctx, report, comp, generator, writer)
-	log.Infof("[VSA] VSA written to %s", vsaPath)
+// generateAndWrite generates a VSA predicate and writes it to a file, returning the written path.
+func generateAndWrite(ctx context.Context, generator Generator, writer Writer, comp applicationsnapshot.Component) (string, error) {
+	pred, err := generator.GeneratePredicate(ctx, comp)
 	if err != nil {
-		return err
+		return "", err
 	}
-	return nil
+	writtenPath, err := writer.WriteVSA(pred)
+	if err != nil {
+		return "", err
+	}
+	return writtenPath, nil
 }

cmd/validate/image_test.go

@@ -44,6 +44,7 @@ import (
 	"github.com/conforma/cli/internal/utils"
 	"github.com/conforma/cli/internal/utils/oci"
 	"github.com/conforma/cli/internal/utils/oci/fake"
+	"github.com/conforma/cli/internal/validate/vsa"
 )
 
 type data struct {
@@ -1362,3 +1363,165 @@ func TestContainsAttestation(t *testing.T) {
 		assert.Equal(t, test.expected, result, test.name)
 	}
 }
+
+// --- Mocks and tests for processVSAForComponent ---
+
+type mockGenerator struct {
+	GeneratePredicateFunc func(ctx context.Context, comp applicationsnapshot.Component) (*vsa.Predicate, error)
+}
+
+func (m *mockGenerator) GeneratePredicate(ctx context.Context, comp applicationsnapshot.Component) (*vsa.Predicate, error) {
+	return m.GeneratePredicateFunc(ctx, comp)
+}
+
+type mockWriter struct {
+	WriteVSAFunc func(pred *vsa.Predicate) (string, error)
+}
+
+func (m *mockWriter) WriteVSA(pred *vsa.Predicate) (string, error) {
+	return m.WriteVSAFunc(pred)
+}
+
+type mockAttestor struct {
+	AttestPredicateFunc func(ctx context.Context) ([]byte, error)
+	WriteEnvelopeFunc   func(data []byte) (string, error)
+}
+
+func (m *mockAttestor) AttestPredicate(ctx context.Context) ([]byte, error) {
+	return m.AttestPredicateFunc(ctx)
+}
+
+func (m *mockAttestor) WriteEnvelope(data []byte) (string, error) {
+	return m.WriteEnvelopeFunc(data)
+}
+
+func Test_attestVSA_success(t *testing.T) {
+	ctx := context.Background()
+	comp := applicationsnapshot.Component{
+		SnapshotComponent: app.SnapshotComponent{
+			ContainerImage: "test-image",
+		},
+	}
+
+	attestor := &mockAttestor{
+		AttestPredicateFunc: func(ctx context.Context) ([]byte, error) {
+			return []byte("envelope"), nil
+		},
+		WriteEnvelopeFunc: func(data []byte) (string, error) {
+			if string(data) != "envelope" {
+				t.Errorf("unexpected data passed to WriteEnvelope")
+			}
+			return "/tmp/envelope.json", nil
+		},
+	}
+
+	path, err := attestVSA(ctx, attestor, comp)
+	assert.NoError(t, err)
+	assert.Equal(t, "/tmp/envelope.json", path)
+}
+
+func Test_attestVSA_errors(t *testing.T) {
+	ctx := context.Background()
+	comp := applicationsnapshot.Component{
+		SnapshotComponent: app.SnapshotComponent{
+			ContainerImage: "test-image",
+		},
+	}
+
+	t.Run("attest predicate fails", func(t *testing.T) {
+		attestor := &mockAttestor{
+			AttestPredicateFunc: func(ctx context.Context) ([]byte, error) {
+				return nil, errors.New("attest error")
+			},
+		}
+		path, err := attestVSA(ctx, attestor, comp)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "Error attesting VSA")
+		assert.Empty(t, path)
+	})
+
+	t.Run("write envelope fails", func(t *testing.T) {
+		attestor := &mockAttestor{
+			AttestPredicateFunc: func(ctx context.Context) ([]byte, error) {
+				return []byte("envelope"), nil
+			},
+			WriteEnvelopeFunc: func(data []byte) (string, error) {
+				return "", errors.New("envelope error")
+			},
+		}
+		path, err := attestVSA(ctx, attestor, comp)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "Error writing envelope")
+		assert.Empty(t, path)
+	})
+}
+
+func Test_generateAndWrite_success(t *testing.T) {
+	ctx := context.Background()
+	comp := applicationsnapshot.Component{
+		SnapshotComponent: app.SnapshotComponent{
+			ContainerImage: "test-image",
+		},
+	}
+	pred := &vsa.Predicate{ImageRef: "test-image"}
+
+	gen := &mockGenerator{
+		GeneratePredicateFunc: func(ctx context.Context, c applicationsnapshot.Component) (*vsa.Predicate, error) {
+			return pred, nil
+		},
+	}
+	writer := &mockWriter{
+		WriteVSAFunc: func(p *vsa.Predicate) (string, error) {
+			if p != pred {
+				t.Errorf("unexpected predicate passed to WriteVSA")
+			}
+			return "/tmp/vsa.json", nil
+		},
+	}
+
+	path, err := generateAndWrite(ctx, gen, writer, comp)
+	assert.NoError(t, err)
+	assert.Equal(t, "/tmp/vsa.json", path)
+}
+
+func Test_generateAndWrite_errors(t *testing.T) {
+	ctx := context.Background()
+	comp := applicationsnapshot.Component{
+		SnapshotComponent: app.SnapshotComponent{
+			ContainerImage: "test-image",
+		},
+	}
+	pred := &vsa.Predicate{ImageRef: "test-image"}
+
+	t.Run("predicate generation fails", func(t *testing.T) {
+		gen := &mockGenerator{
+			GeneratePredicateFunc: func(ctx context.Context, c applicationsnapshot.Component) (*vsa.Predicate, error) {
+				return nil, errors.New("predicate generation error")
+			},
+		}
+		writer := &mockWriter{}
+
+		path, err := generateAndWrite(ctx, gen, writer, comp)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "predicate generation error")
+		assert.Empty(t, path)
+	})
+
+	t.Run("write VSA fails", func(t *testing.T) {
+		gen := &mockGenerator{
+			GeneratePredicateFunc: func(ctx context.Context, c applicationsnapshot.Component) (*vsa.Predicate, error) {
+				return pred, nil
+			},
+		}
+		writer := &mockWriter{
+			WriteVSAFunc: func(p *vsa.Predicate) (string, error) {
+				return "", errors.New("write VSA error")
+			},
+		}
+
+		path, err := generateAndWrite(ctx, gen, writer, comp)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "write VSA error")
+		assert.Empty(t, path)
+	})
+}