feat(sign): support for keyless signing and offline verification

[brandtkeller]

Description

Note - Breaking Changes

• The cosign functionality under src/pkg/utils has been moved to `src/pkg/signing
• The embedded structs in signing.Sign|VerifyBlobOptions have been updated to align with cosign.

This PR enables the use of connected keyless signing workflows and offline-compatible verification for a keyless signed package via an embedded trusted root.

This uses the previously implemented zarf tools trusted-root create command to refresh the embedded trusted root. Think of this as a mechanism to streamline the UX of enabling offline verification of keyless-signed packages so that users are not required to bring additional verification material by default - but of which they can overwrite as required.

Additionally this PR enables the bundlesignature feature by default. Note that the VersionRequirement for a package with a bundle signature is v0.71.0 which is the version that introduced the ability to load packages with the bundle file. The feature flag gates are retained such that users who cannot use the bundle still have an opportunity to opt-out until we fully remove.

One early improvement is the UX of retrieving the keyless-signed identity and issuer. These are retrieved on package sign so that we can log the entries that package creators need to provide to those who want to verify - but additionally I believe we could add a zarf package inspect signature <package> command to make this discoverable. We can't place it directly in the build data because it is only accessible post-signing - whereby the zarf definition can no longer be modified without invalidating the signature.

Best practices documentation to follow.

Try it Yourself

# Build the CLI
make build

# Pull a package for signing
zarf tools download-init

# Sign the package (this will conduct browser auth)
./build/zarf package sign zarf-init-arm64-v0.75.0.tar.zst --keyless

# (optional) turn off wifi

# Verify the package
./build/zarf package verify zarf-init-arm64-v0.75.0.tar.zst --certificate-identity brandt.keller@defenseunicorns.com --certificate-oidc-issuer https://github.com/login/oauth

Related Issue

Fixes #2805
Fixes #4571

Relates to #

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[codecov]

Codecov Report

❌ Patch coverage is 33.13953% with 230 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/cmd/package.go	30.00%	70 Missing ⚠️
src/pkg/signing/cosign.go	2.04%	48 Missing ⚠️
src/pkg/packager/layout/package.go	60.78%	30 Missing and 10 partials ⚠️
src/pkg/utils/oci_artifacts.go	0.00%	39 Missing ⚠️
src/pkg/signing/trustedroot.go	29.41%	8 Missing and 4 partials ⚠️
src/pkg/signing/bundle.go	54.16%	8 Missing and 3 partials ⚠️
src/pkg/packager/publish.go	0.00%	4 Missing and 3 partials ⚠️
src/cmd/tools_trustedroot.go	0.00%	1 Missing ⚠️
src/pkg/packager/load.go	0.00%	1 Missing ⚠️
src/pkg/packager/pull.go	0.00%	1 Missing ⚠️

Files with missing lines	Coverage Δ
src/pkg/feature/feature.go	91.12% <100.00%> (ø)
src/pkg/packager/layout/assemble.go	43.17% <100.00%> (ø)
src/cmd/tools_trustedroot.go	75.64% <0.00%> (ø)
src/pkg/packager/load.go	62.89% <0.00%> (ø)
src/pkg/packager/pull.go	50.00% <0.00%> (ø)
src/pkg/packager/publish.go	63.10% <0.00%> (-3.21%)	⬇️
src/pkg/signing/bundle.go	54.16% <54.16%> (ø)
src/pkg/signing/trustedroot.go	29.41% <29.41%> (ø)
src/pkg/utils/oci_artifacts.go	0.00% <0.00%> (ø)
src/pkg/packager/layout/package.go	66.49% <60.78%> (-0.54%)	⬇️
... and 2 more

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[netlify]

✅ Deploy Preview for zarf-docs canceled.

Name	Link
🔨 Latest commit	1e118b8
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/6a0f60d96a674d00099693c1

[brandtkeller]

Making a mental note to schedule daily checks and notify the zarf channel using this process. A lag in releasing new trusted roots won't be critical but should be nice to have.

[AustinAbro321]

Is the current plan to support tsa using the same enable flag if keyless method? Cosign does use tsa by default and our default trusted root has the timestampAuthorities field

[brandtkeller]

Added the flag but not currently thinking about making it populated by default. The current flow needs one and I think the Rekor is a sane default for the "connected signing" scope. If we populate both then there are more to opt-out of versus opt-in and I think that creates more surface area for unwanted network calls.

[brandtkeller]

Removed viper configuration in favor of additional issue / PR to track a few solutions.

[AustinAbro321]

LGTM, excited to see this in