feat: add support for signing blob

[priteshbandi]

This PR adds support for signing blobs.

• This PR is ready for review**

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 82.85714% with 18 lines in your changes are missing coverage. Please review.

Project coverage is 75.33%. Comparing base (9ff1891) to head (2044e2b).
Report is 5 commits behind head on main.

Files	Patch %	Lines
signer/plugin.go	82.22%	5 Missing and 3 partials ⚠️
signer/signer.go	75.00%	3 Missing and 3 partials ⚠️
notation.go	88.88%	2 Missing and 2 partials ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #379      +/-   ##
==========================================
+ Coverage   73.43%   75.33%   +1.89%     
==========================================
  Files          24       24              
  Lines        2507     2019     -488     
==========================================
- Hits         1841     1521     -320     
+ Misses        526      353     -173     
- Partials      140      145       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[shizhMSFT]

Blob signing introduced by notaryproject/specifications#283 is slightly different from the OCI artifact signing. In summary, blob signing has the same signing / verification core as OCI artifact signing where the digest algorithm in the notary-project specific descriptor is restricted to the signing / verification key.

It is natural to share the same Signer interface with both OCI artifact and blob signing and add a new option IsBlob in SignerSignOptions (and VerifierVerifyOptions for Verifier) since the signing core is the notary-project specific descriptor. However, this solution is vulnerable for those existing implementations (if any) don't support blob signing / verification. Precisely, the IsBlob option may be dropped by those implementations unintentionally where a blob may be verified as an artifact although IsBlob is set to true, which produces unexpected results. Therefore, it is better to split it to two different interfaces as this PR does. In notation-go/v2, maybe we can combine the signing cores into a single one.

To elaborate a bit, we need the following new stuffs for signing

type BlobSigner interface {
    SignBlob(ctx context.Context, desc ocispec.Descriptor, opts SignerSignOptions) ([]byte, *signature.SignerInfo, error)
    BlobDigestAlgorithm(ctx context.Context) (digest.Algorithm, error)
}

type SignBlobOptions struct {
    SignerSignOptions

    ContentMediaType string
    UserMetadata map[string]string
}

func SignBlob(ctx context.Context, signer BlobSigner, reader io.Reader, signOpts SignBlobOptions) ([]byte, error)

The BlobSigner.SignBlob does not take a reader since notation-go, as a library, it should provide flexibility where the digest of a huge blob is generated by other component efficiently. The BlobSigner.SignBlob implementation can later check if the digest algorithm matches the signing key or not and reject if not.

The SignBlob is more like a utility function of BlobSigner.SignBlob where it takes a reader to compute the digest using the algorithm specified by BlobSigner.BlobDigestAlgorithm() backed by the signing key.

/cc @Two-Hearts

[priteshbandi]

As discussed over slack with Shiwei, I will be updating notation blob signing functions to following:

type SignBlobOptions struct {
	SignerSignOptions
	ContentMediaType string
	UserMetadata map[string]string
}

type BlobDescriptorGenerator func(digest.Algorithm) (ocispec.Descriptor, error)

type BlobSigner interface {
	SignBlob(ctx context.Context, genDesc BlobDescriptorGenerator, opts SignerSignOptions) ([]byte, *signature.SignerInfo, error)
}

Reasoning: This approach reduces the number of calls to the plugin's DescribeKey to just one, compared to the two calls required in the previous approach. Additionally, in earlier approach we did explore caching the DescribeKey response based on keyId, but it limits the seamless migration of signing keys behind the KeyId.

[rgnote]

LGTM

[shizhMSFT]

LGTM

[rgnote]

LGTM