Sign exclusively via sigstore-go

[aaronlew02]

Closes #4570

Summary

This change refactors the signing path in all signing and attestation commands such that all signing events occur via sigstore-go, not just those in which a signing config is used.

In cases where a signing config is not used, all prior functionality remains. This requires the construction of a signing config using TUF- or flag-provided URLs and a Rekor version flag. When a legacy bundle is requested, a legacy bundle is constructed from the new-format bundle provided by sigstore-go.

[codecov]

Codecov Report

❌ Patch coverage is 11.88406% with 304 lines in your changes missing coverage. Please review.
✅ Project coverage is 35.96%. Comparing base (2ef6022) to head (9e0cb28).
⚠️ Report is 662 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/cosign/cli/signcommon/common.go	0.00%	135 Missing ⚠️
cmd/cosign/cli/attest/attest.go	0.00%	89 Missing ⚠️
cmd/cosign/cli/sign/sign_blob.go	42.25%	34 Missing and 7 partials ⚠️
cmd/cosign/cli/attest/attest_blob.go	29.72%	20 Missing and 6 partials ⚠️
pkg/cosign/bundle/sign.go	0.00%	5 Missing ⚠️
cmd/cosign/cli/sign/sign.go	0.00%	4 Missing ⚠️
cmd/cosign/cli/options/rekor.go	0.00%	2 Missing ⚠️
cmd/cosign/cli/attest_blob.go	0.00%	1 Missing ⚠️
cmd/cosign/cli/signblob.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4618      +/-   ##
==========================================
- Coverage   40.10%   35.96%   -4.14%     
==========================================
  Files         155      220      +65     
  Lines       10044    12764    +2720     
==========================================
+ Hits         4028     4591     +563     
- Misses       5530     7473    +1943     
- Partials      486      700     +214     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[steiza]

Awesome work! The only thing I'm not quite sure how about is how we should handle RekorVersion as a user input argument.

[steiza]

I'm a little nervous about adding this option - what should we do if people specify this and SigningConfig?

We could either make those options mutually exclusive (which is a pain) or always default to Rekor v1 when you aren't using SigningConfig and keep moving folks over to use SigningConfig sooner than later. I'm curious what @Hayden-IO thinks here as well.

[aaronlew02]

This is a good question, and I'm also interested in what @Hayden-IO thinks here.

[Hayden-IO]

Yep, I agree with Zach. What was the need for this? The reason we went with creating a configuration for signing was to avoid manually specifying API version, as that’s not a great UX.