Test cleartext signature support in gpgme and sequoia backends

Currently, simple signatures are expected to be in the binary GPG
format, and that's what e.g. `podman push --sign-by` produces as well.
But the code for all backends work today with cleartext signatures.

Add a new test to cover this case. But only in the GPGME and Sequoia
backends since the OpenPGP backend does not support it and cannot easily
be supported (see also [1]).

The reason why I'm interested in this is that I'd like to make use
of it for signing Fedora CoreOS container images. The end-goal is to
move to Sigstore signing, but until that's ready, we'd like to use GPG
signing.

We use Robosignatory, the Fedora signing service, which only supports
detached signatures, and while it's theoretically possible to convert
the detached signatures we get back into inline binary signatures,
it's much less cumbersome and error-prone to convert it to cleartext
signatures.

It's worth noting that while Fedora's signing server (Sigul) does
support container image signing, Robosignatory does not surface it yet
(see https://pagure.io/robosignatory/issue/22).

Fixing that wouldn't be too hard I think, but all this is
ideally short-term anyway until we can move to Sigstore
signing + Konflux. There's work in progress on that (see e.g.
https://discussion.fedoraproject.org/t/148999).

The primary goal here is just ensuring that this keeps working until we
move off of it.

Signed-off-by: Jonathan Lebon <[email protected]>

[1]: #307 (review)

Author: jlebon

image/signature/fixtures/invalid-cleartext.signature

@@ -0,0 +1,19 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+This is not JSON
+-----BEGIN PGP SIGNATURE-----
+Comment: generated with `gpg --homedir . --output invalid-cleartext.signature -u 08CD26E446E2E95249B7A405E932F44B23E8DD43 --clear-sign <<< "This is not JSON"`
+
+iQGzBAEBCgAdFiEECM0m5Ebi6VJJt6QF6TL0SyPo3UMFAmi3YlcACgkQ6TL0SyPo
+3UMjQwv/TGivmwhYT8p9F5akuyZ0vkPhB+K4vr+M2VX1vIFGzL6edDWiiRYmysiY
+KtTdrRNnCZo6YbcOgdeL2OUpNWeoEshGhV0TqI/kstUa4vRs30NQ3kHX23+mcaf4
+iWI0RDmc05MHFXmOzMaWlb91hZBTGhHwvvPinqMg24QRNH1z1OEsuyJ2oBxdSj/Y
+dvGaSy0j8FimbfZS9mbf4+wfAUzkQi4PNBg+21l0QnEgl663VgcOQXK412WKNWcW
+vQkSXRFkpJNFF3lWjT4asiAV3T/KHUEq+QZE9rOa945wB0hoE7bZPx2hfZw4Se9/
+KH9O/ZM5WR5GyKbQV/ELNQJkJaDLcM56rBAl2l8eUV+bd8a7QrULjKP0dAffg8t8
+TKWyCSKddtiuJnuidCPV/A1iij0sZiSMzxb+Y33zgIrWThnfggpi0Oo9MYlF5hqF
+kD3b4zV1+7EW5YCEGT8sYhPpp96c1JnJbXZX2ii0KECdhLNB/iv44rSjOcl82nOY
+pa03tP/x
+=RDU4
+-----END PGP SIGNATURE-----

image/signature/mechanism_gpgme_test.go

@@ -48,3 +48,17 @@ func TestGPGMESigningMechanismSupportsSigning(t *testing.T) {
 	err = mech.SupportsSigning()
 	assert.NoError(t, err)
 }
+
+func TestGPGMESigningMechanismVerifyCleartext(t *testing.T) {
+	mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
+	require.NoError(t, err)
+	defer mech.Close()
+
+	// Successful verification of a cleartext signature
+	signature, err := os.ReadFile("./fixtures/invalid-cleartext.signature")
+	require.NoError(t, err)
+	content, signingFingerprint, err := mech.Verify(signature)
+	require.NoError(t, err)
+	assert.Equal(t, []byte("This is not JSON\n"), content)
+	assert.Equal(t, TestKeyFingerprint, signingFingerprint)
+}

image/signature/mechanism_sequoia_test.go

@@ -3,6 +3,7 @@
 package signature
 
 import (
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -34,3 +35,17 @@ func TestSequoiaSigningMechanismSign(t *testing.T) {
 	assert.Error(t, err)
 	assert.IsType(t, SigningNotSupportedError(""), err)
 }
+
+func TestSequoiaSigningMechanismVerifyCleartext(t *testing.T) {
+	mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
+	require.NoError(t, err)
+	defer mech.Close()
+
+	// Successful verification of a cleartext signature
+	signature, err := os.ReadFile("./fixtures/invalid-cleartext.signature")
+	require.NoError(t, err)
+	content, signingFingerprint, err := mech.Verify(signature)
+	require.NoError(t, err)
+	assert.Equal(t, []byte("This is not JSON\n"), content)
+	assert.Equal(t, TestKeyFingerprint, signingFingerprint)
+}