feature: support sign-blob with certificate

[nsmith5]

Summary

The verify-blob and every other signing command all allow folks to specify a custom x509 cert and chain to sign with. This work adds support for specifying the cert and CA chain for the sign-blob command as it was missing.

As specifying a certificate and cert chain is supported in all signing and verifying commands this work also refactors our options.KeyOpt struct to move the certificate details there. This makes the passing of these details to initialize a signer the same for all commands.

Fixes #2635

Release Note

• Adds support for specifying a custom certificate and certificate chain to sign-blob with the --certificate and --certificate-chain flags

Documentation

Added docs in /docs and in CLI options. Can follow up with a PR to docs.sigstore.dev if folks feel we need an example over there.

[codecov-commenter]

Codecov Report

Merging #2636 (2769376) into main (29360f6) will decrease coverage by 0.08%.
The diff coverage is 3.03%.

@@            Coverage Diff             @@
##             main    #2636      +/-   ##
==========================================
- Coverage   30.03%   29.96%   -0.08%     
==========================================
  Files         146      146              
  Lines        9283     9305      +22     
==========================================
  Hits         2788     2788              
- Misses       6065     6087      +22     
  Partials      430      430              

Impacted Files	Coverage Δ
cmd/cosign/cli/attest.go	0.00% <0.00%> (ø)
cmd/cosign/cli/attest/attest.go	0.00% <0.00%> (ø)
cmd/cosign/cli/attest_blob.go	0.00% <0.00%> (ø)
cmd/cosign/cli/options/signblob.go	0.00% <0.00%> (ø)
cmd/cosign/cli/policy_init.go	1.20% <0.00%> (-0.02%)	⬇️
cmd/cosign/cli/sign.go	0.00% <0.00%> (ø)
cmd/cosign/cli/sign/sign.go	15.66% <0.00%> (ø)
cmd/cosign/cli/sign/sign_blob.go	0.00% <0.00%> (ø)
cmd/cosign/cli/signblob.go	0.00% <0.00%> (ø)
cmd/cosign/cli/attest/attest_blob.go	29.37% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[nsmith5]

@asraa and @haydentherapper I think the small refactor here to add the Cert and CertChain to KeyOpts might be the first step towards that --certificate issue we identified in #2633. I think if we just go a step further and plumb that information into cosign.CheckOpts (

cosign/pkg/cosign/verify.go

Line 73 in e69e190

type CheckOpts struct {

) we might be able to distinguish these different cases of public key versus certificate verification

[haydentherapper]

LGTM, I'll let @asraa approve since she's mostly worked in this part of the codebase

[github-actions]

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

[github-actions]

This PR was closed because it has been stalled for 10 days with no activity.