feat: add support for signed user metadata in notation sign and verify cmds#507

Merged
priteshbandi merged 13 commits intonotaryproject:mainfrom
byronchien:attestations-impl
Feb 8, 2023
Conversation

@byronchien (Contributor) commented Jan 13, 2023

Adds support for signed user metadata in `notation sign` and `notation verify`. Relevant spec: notaryproject#498

This PR depends on notaryproject/notation-go#242; please review notation-go/pull/242 first.

example sign usage:

```console
chienb@a07817b52895 notation % notation sign $IMAGE --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=123
Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Resolved artifact tag `v1` to digest `sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b` before signing.
Successfully signed localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b
```

example metadata displayed on verification (without metadata flag):

```console
chienb@a07817b52895 notation % notation verify $IMAGE
Resolved artifact tag `v1` to digest `sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b` before verification.
Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
Successfully verified signature for localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b

The artifact was signed with the following user metadata.

KEY                            VALUE
io.wabbit-networks.buildTime   123
io.wabbit-networks.buildId     123
```

example verification:

```console
chienb@a07817b52895 notation % notation verify $IMAGE --user-metadata io.wabbit-networks.buildTime=123
Resolved artifact tag `v1` to digest `sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b` before verification.
Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
Successfully verified signature for localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b

The artifact was signed with the following user metadata.

KEY                            VALUE
io.wabbit-networks.buildTime   123
io.wabbit-networks.buildId     123
```

example verification failure:

```console
chienb@a07817b52895 notation % notation verify $IMAGE --user-metadata foo=bar
Resolved artifact tag `v1` to digest `sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b` before verification.
Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
Error: signature verification failed: signature verification failed
```

Not in this PR: error messaging. In the spec update, we mentioned that there should be an error message if the verification fails due to the metadata not being present, but if there are multiple verifications that fail for different reasons, is there a desired order to prioritize what the end error message displayed is?

Signed-off-by: Byron Chien <chienb@amazon.com>
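As an added illustration (not notation's or notation-go's own code, and not part of this PR), the following Go program re-implements the two pieces of logic the sign and verify runs above exercise: turning repeated `--user-metadata key=value` flags into a map, and checking every pair the verifier demands against the metadata that was actually signed. The function names `ParseUserMetadata` and `VerifyUserMetadata`, the rejection of malformed or conflicting flag values, and the per-key error text are assumptions of this example; the sample metadata mirrors the PR's own runs (`io.wabbit-networks.buildId=123`, `io.wabbit-networks.buildTime=123`, and the failing `foo=bar`). Unlike the bare `signature verification failed` shown above, the check names each missing or mismatched pair, which is the kind of message the error-messaging question in the description is asking about.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ParseUserMetadata converts repeated "--user-metadata key=value" flag values
// into a map. Illustrative re-implementation for this page, not notation's
// parser: it rejects entries without "=", empty keys, and the same key given
// twice with different values.
func ParseUserMetadata(flags []string) (map[string]string, error) {
	out := make(map[string]string, len(flags))
	for _, f := range flags {
		k, v, ok := strings.Cut(f, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("invalid user metadata %q: expected key=value", f)
		}
		if prev, dup := out[k]; dup && prev != v {
			return nil, fmt.Errorf("conflicting values for user metadata key %q: %q and %q", k, prev, v)
		}
		out[k] = v
	}
	return out, nil
}

// VerifyUserMetadata checks that every key=value pair the verifier requires is
// present, with the same value, in the metadata that was signed. It reports
// each missing or mismatched pair so an operator can tell a metadata mismatch
// apart from a bad signature.
func VerifyUserMetadata(signed, required map[string]string) error {
	var problems []string
	for k, want := range required {
		got, ok := signed[k]
		switch {
		case !ok:
			problems = append(problems, fmt.Sprintf("%s: not present in signed metadata", k))
		case got != want:
			problems = append(problems, fmt.Sprintf("%s: signed value %q does not match required %q", k, got, want))
		}
	}
	if len(problems) == 0 {
		return nil
	}
	sort.Strings(problems) // deterministic message regardless of map iteration order
	return errors.New("user metadata verification failed: " + strings.Join(problems, "; "))
}

func main() {
	// Constructed sample: the metadata the PR's sign example attaches to the image.
	signed, err := ParseUserMetadata([]string{
		"io.wabbit-networks.buildId=123",
		"io.wabbit-networks.buildTime=123",
	})
	if err != nil {
		panic(err)
	}
	for _, required := range [][]string{
		{"io.wabbit-networks.buildTime=123"}, // the PR's successful verify run
		{"foo=bar"},                           // the PR's failing verify run
		{"io.wabbit-networks.buildId=124"},    // constructed value mismatch
	} {
		req, err := ParseUserMetadata(required)
		if err != nil {
			panic(err)
		}
		if err := VerifyUserMetadata(signed, req); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Println("OK:", required)
		}
	}
}
```

The check is deliberately one-directional: extra signed metadata the verifier did not ask for is ignored, which matches the verify run above that demanded only `buildTime` against an artifact signed with both keys.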

@byronchien (Contributor, Author) commented:

related: notaryproject/notation-go#242
@priteshbandi (Contributor) left a review comment:

LGTM

@priteshbandi priteshbandi changed the title Adds additional flag and passes values to notation-go Adds support for signed user metadata in notation sign and verify cmds Feb 1, 2023
@JeyJeyGao (Contributor) commented:

The pipeline failed. Please update the code.

@priteshbandi (Contributor) commented Feb 1, 2023

> The pipeline failed. Please update the code.

This PR depends on notaryproject/notation-go#242 and that's the reason the build is failing.

@JeyJeyGao In the spirit of expediting the rc2 release, can you please review the code? We can make a small update when notaryproject/notation-go#242 is merged.

@patrickzheng200 (Contributor) left a review comment:

LGTM with one comment.

@patrickzheng200 (Contributor) left a review comment:

LGTM

byronchien and others added 5 commits February 6, 2023 16:23
byronchien and others added 2 commits February 6, 2023 16:28
Co-authored-by: Patrick Zheng <patrickzheng@microsoft.com>
@yizha1 (Contributor) commented Feb 7, 2023

@byronchien could you fix the conflict?

@byronchien (Contributor, Author) commented:

resolved conflict

@shizhMSFT shizhMSFT changed the title Adds support for signed user metadata in notation sign and verify cmds feat: add support for signed user metadata in notation sign and verify cmds Feb 8, 2023
byronchien and others added 2 commits February 8, 2023 08:27
@codecov-commenter commented Feb 8, 2023

Codecov Report

❌ Patch coverage is 5.26316% with 36 lines in your changes missing coverage. Please review.
✅ Project coverage is 36.06%. Comparing base (5c27944) to head (de7057b).
⚠️ Report is 417 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| cmd/notation/verify.go | 5.26% | 18 Missing ⚠️ |
| cmd/notation/sign.go | 5.55% | 17 Missing ⚠️ |
| cmd/notation/key.go | 0.00% | 1 Missing ⚠️ |

❌ Your project status has failed because the head coverage (36.06%) is below the target coverage (70.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

```
@@            Coverage Diff             @@
##             main     #507      +/-   ##
==========================================
+ Coverage   35.15%   36.06%   +0.90%     
==========================================
  Files          29       29              
  Lines        1502     1528      +26     
==========================================
+ Hits          528      551      +23     
- Misses        955      958       +3     
  Partials       19       19              
```

@priteshbandi priteshbandi merged commit 51951af into notaryproject:main Feb 8, 2023
7h3-3mp7y-m4n pushed a commit to 7h3-3mp7y-m4n/notation that referenced this pull request Mar 29, 2025
…y cmds (notaryproject#507)

Adds support for signed user metadata in `notation sign` and `notation verify`. [Relevant spec](notaryproject#498)

example sign usage:
chienb@a07817b52895 notation % notation sign $IMAGE --user-metadata io.wabbit-networks.buildId=123 --user-metadata io.wabbit-networks.buildTime=123
Successfully signed localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b
---------------
example verification:
chienb@a07817b52895 notation % notation verify $IMAGE --user-metadata io.wabbit-networks.buildTime=123
Resolved artifact tag `v1` to digest `sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b` before verification.
Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
Successfully verified signature for localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b

The artifact was signed with the following user metadata.
KEY                            VALUE
io.wabbit-networks.buildTime   123
io.wabbit-networks.buildId     123
-----

Signed-off-by: Byron Chien <chienb@amazon.com>
FeynmanZhou pushed a commit to FeynmanZhou/notation that referenced this pull request May 15, 2025
…y cmds (notaryproject#507)