
Conversation

@mohammed90 (Member) commented Jul 30, 2023

TODO:

  • Figure out how to fetch UUID of tlog entry using cosign to retain the multi-perspective verification

This is how the tldr looks

[image]

Closes #312

…d add tldr

Closes TL;DR needed for Signature Verification page #312
@francislavoie (Member) commented:
I'd maybe add spaces in front of each line of the command for alignment, similar to https://caddyserver.com/docs/running#usage

@mohammed90 (Member, Author) commented:
Notes to come back to, to finish this PR:

  • The command rekor-cli search --artifact ./{artifact} --format json returns {"UUIDs":["uuid-value"]}
  • The command rekor-cli get --uuid {output-from-previous} --format json gives this output:
{
    "Attestation": "",
    "AttestationType": "",
    "Body": {
        "HashedRekordObj": {
            "data": {
                "hash": {
                    "algorithm": "sha256",
                    "value": "7807ee6fcade5e48981fa1f41d5f72ca628cd0dcdaab79cdfe0a49909f606466"
                }
            },
            "signature": {
                "content": "MEUCIFYLRP5bkLk1LurwH6lGBqaU/kOS16s0tbJW+ImlD6TNAiEAmvE6/bvmb94hbGfaA34AOIRnytct6Uj+zikxIm4GACE=",
                "publicKey": {
                    "content": "<base64-encoded certificate, elided>"
                }
            }
        }
    },
    "LogIndex": 158520902,
    "IntegratedTime": 1735665535,
    "UUID": "108e9186e8c5677a3cb05e97b8ef81ac76d9e2d7e2ac4f2c36628c71ab3b2432804b19386e2de964",
    "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}

The value of Body.signature.publicKey.content is the base64 of the certificate generated by cosign in the CI/CD pipeline.

I think this closes the verification loop and confirms the blob signature and transparency entry.
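The cross-check sketched in this comment, as an added example that is not part of this PR or of the Caddy project's code: it takes the JSON that rekor-cli search and rekor-cli get print (constructed here to match the shape quoted above; the rekor-cli invocations themselves are assumed to happen outside the script) and confirms that the log entry's digest, signature and certificate match the local artifact, the release .sig and the release .pem. The artifact, certificate and signature bytes are constructed placeholders, not real release material.

```python
import base64
import hashlib
import json

# Constructed sample data (not real release artifacts): the artifact bytes, the
# certificate cosign would have written to a .pem file, and the signature bytes
# cosign would have written base64-encoded to a .sig file.
ARTIFACT = b"constructed release tarball bytes\n"
RELEASE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
RELEASE_SIG_B64 = base64.b64encode(b"constructed-signature-bytes").decode()

# Constructed `rekor-cli search --format json` and `rekor-cli get --format json`
# outputs, shaped like the real output quoted in the PR discussion.
UUID = "108e9186e8c5677a3cb05e97b8ef81ac76d9e2d7e2ac4f2c36628c71ab3b2432804b19386e2de964"
SEARCH_JSON = json.dumps({"UUIDs": [UUID]})
ENTRY_JSON = json.dumps({
    "Body": {"HashedRekordObj": {
        "data": {"hash": {"algorithm": "sha256", "value": hashlib.sha256(ARTIFACT).hexdigest()}},
        "signature": {"content": RELEASE_SIG_B64,
                      "publicKey": {"content": base64.b64encode(RELEASE_CERT_PEM).decode()}}}},
    "LogIndex": 158520902, "IntegratedTime": 1735665535, "UUID": UUID,
    "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"})


def uuids_from_search(search_json: str) -> list:
    """UUIDs reported by `rekor-cli search --artifact <file> --format json`."""
    return list(json.loads(search_json).get("UUIDs", []))


def check_rekor_entry(entry_json: str, artifact: bytes, cert_pem: bytes, sig_b64: str) -> dict:
    """Cross-check one `rekor-cli get --uuid ... --format json` entry against the
    local artifact, the release certificate (.pem) and the release signature (.sig).
    Returns the entry's log coordinates; raises ValueError on any mismatch."""
    entry = json.loads(entry_json)
    rekord = entry["Body"]["HashedRekordObj"]
    digest = rekord["data"]["hash"]
    if digest["algorithm"] != "sha256":
        raise ValueError(f"unexpected hash algorithm: {digest['algorithm']}")
    if hashlib.sha256(artifact).hexdigest() != digest["value"]:
        raise ValueError("local artifact digest differs from the transparency log entry")
    signature = rekord["signature"]
    if base64.b64decode(signature["content"]) != base64.b64decode(sig_b64):
        raise ValueError("signature in the log entry differs from the release .sig")
    if base64.b64decode(signature["publicKey"]["content"]).strip() != cert_pem.strip():
        raise ValueError("certificate in the log entry differs from the release .pem")
    return {"uuid": entry["UUID"], "log_index": entry["LogIndex"],
            "integrated_time": entry["IntegratedTime"], "log_id": entry["LogID"]}


if __name__ == "__main__":
    for uuid in uuids_from_search(SEARCH_JSON):
        # With real tooling, ENTRY_JSON would come from `rekor-cli get --uuid {uuid} --format json`.
        print(uuid, check_rekor_entry(ENTRY_JSON, ARTIFACT, RELEASE_CERT_PEM, RELEASE_SIG_B64))
```

This complements, rather than replaces, cosign's own signature verification: it only confirms that what the log recorded is the same artifact, signature and certificate the release shipped.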

@mohammed90 (Member, Author) commented:
Note to self:
this repo can be used as reference https://github.com/goreleaser/example-secure
