Discover cosign v3 NewBundleFormat for verification

v2 signatures and v3 bundled signatures both function transparently.
This does require additional queries to the registry.

Signed-off-by: leigh capili <leigh@null.net>

Author: stealthybox

internal/controller/helmchart_controller_test.go

@@ -3468,7 +3468,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureCosign(t *tes
 					Timeout: timeout,
 				}
 
-				err = sign.SignCmd(ro, ko, coptions.SignOptions{
+				err = sign.SignCmd(ctx, ro, ko, coptions.SignOptions{
 					Upload:           true,
 					SkipConfirmation: true,
 					TlogUpload:       false,

internal/controller/ocirepository_controller_test.go

@@ -2211,7 +2211,7 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignatureCosign(t *testing
 				ro := &coptions.RootOptions{
 					Timeout: timeout,
 				}
-				err = sign.SignCmd(ro, ko, coptions.SignOptions{
+				err = sign.SignCmd(ctx, ro, ko, coptions.SignOptions{
 					Upload:           true,
 					SkipConfirmation: true,
 					TlogUpload:       false,

internal/oci/cosign/cosign.go

@@ -27,6 +27,7 @@ import (
 	coptions "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/v3/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/oci"
 
 	ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
@@ -81,6 +82,7 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
 	}
 
 	checkOpts := &cosign.CheckOpts{}
+	checkOpts.NewBundleFormat = true
 
 	ro := coptions.RegistryOptions{}
 	co, err := ro.ClientOpts(ctx)
@@ -147,10 +149,25 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
 }
 
 // Verify verifies the authenticity of the given ref OCI image.
+// Both cosign v2 signatures and cosign v3 bundles are supported by
+// attempting to discover bundles before verification.
+// Bundles can be located either via the OCI 1.1 referrer API or an
+// OCI 1.0 referrer tag.
 // It returns a boolean indicating if the verification was successful.
 // It returns an error if the verification fails, nil otherwise.
 func (v *CosignVerifier) Verify(ctx context.Context, ref name.Reference) (soci.VerificationResult, error) {
-	signatures, _, err := cosign.VerifyImageSignatures(ctx, ref, v.opts)
+	var signatures []oci.Signature
+	// copy options since we'll need to change them based on bundle discovery on the ref
+	opts := *v.opts
+	newBundles, _, err := cosign.GetBundles(ctx, ref, opts.RegistryClientOpts)
+	if len(newBundles) == 0 || err != nil {
+		opts.NewBundleFormat = false
+		signatures, _, err = cosign.VerifyImageSignatures(ctx, ref, &opts)
+	} else {
+		opts.NewBundleFormat = true
+		signatures, _, err = cosign.VerifyImageAttestations(ctx, ref, &opts)
+	}
+	fmt.Println(opts.NewBundleFormat, v.opts.NewBundleFormat)
 	if err != nil {
 		return soci.VerificationResultFailed, err
 	}