[delegations] Create a verification script that verifies proof of posession of a key ID

[asraa]

Description

In order to verify opened PRs by delegations, a verification script needs to perform the signature verification over the key ID and the nonce. The nonce can likely be the PR number.

This script will need to be consumed in a GH workflow that the review-bot can automatically verify, as well as distributed on the CLI so users can independently verify PRs.

[kommendorkapten]

As #611 some of the work is done.
With the current tooling, we can achieve this:

$ tuf key-pop-sign -key tests/test_data/cosign.key -challenge registry.npm.js -nonce 0416b77a0ac2328021f6e04b98c7fcee55d78ad3
MEUCIBKyQhNs1o+2D6emnzpD1z1FpNmV4tbx35VIeg9KeYXoAiEA2bjZUQM9lO279bLYBGpNbtgwcePOjZIQnAuMYkhxmUk=
$ tuf key-pop-verify -challenge registry.npm.js -nonce 0416b77a0ac2328021f6e04b98c7fcee55d78ad3 -key tests/test_data/cosign.pub -sig MEUCIBKyQhNs1o+2D6emnzpD1z1FpNmV4tbx35VIeg9KeYXoAiEA2bjZUQM9lO279bLYBGpNbtgwcePOjZIQnAuMYkhxmUk=
Signature verified ok

For the missing work, I would assume a workflow that could:

1. Extract the fork point the PR (i.e the commit SHA used as nonce: git merge-base --fork-point origin/main <topic branch>
2. Extract the key from the updated targets.json
3. Run the tuf key-pop-verify and fail the job if signature does not match

Does that match your expectations @asraa

[asraa]

Yes!

If there is a deterministic title (like "feat: add-delegation for $REGISTRY") or branch name then a review cron workflow can be scheduled like this one: https://github.com/sigstore/root-signing/blob/main/.github/workflows/review-snapshot-timestamp.yml

For the verification, can we output the verified key ID to stderr?

[asraa]

@kommendorkapten can we close this? I believe this is done, with the local script tracked in #708