
switch to uploading DSSE types to rekor instead of intoto #3113

Merged
merged 3 commits into from
Aug 15, 2023

Conversation

bobcallaway (Member)

Summary

This switches cosign from uploading intoto Rekor types when dealing with intoto attestations to using dsse Rekor types. This will result in attestations no longer being stored by Rekor, and enforces a more correct behavior in that attestations should be stored alongside the artifact in a registry and/or in a bundle file.

Release Note

  • cosign now uploads entries to Rekor instances for intoto attestations using the dsse Rekor type. This means that Rekor will no longer return the attestation content as part of an entry response. The entry response includes a digest over both the full DSSE envelope as well as the payload content for verifiers to compare against local copies of the DSSE envelope.

Signed-off-by: Bob Callaway <bcallaway@google.com>
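As an added example (not cosign's or Rekor's own code), a verifier-side check in Go for the behavior the release note describes: given a local copy of the DSSE envelope, compute the SHA-256 over the envelope bytes and over the decoded payload and compare both against the digests a Rekor dsse entry reports. The envelope is constructed inline with a placeholder signature; that the entry's digests are SHA-256 hex strings, and how they are fetched, are assumptions not taken from the PR.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)
// dsseEnvelope mirrors the DSSE envelope JSON layout: payloadType, base64 payload, signatures.
type dsseEnvelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

// EnvelopeDigests returns hex SHA-256 digests over the raw envelope bytes and over the decoded
// payload, the two values a verifier compares with a Rekor dsse entry that omits the attestation.
func EnvelopeDigests(raw []byte) (envelopeHex, payloadHex string, err error) {
	var env dsseEnvelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return "", "", fmt.Errorf("parse envelope: %w", err)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", "", fmt.Errorf("decode payload: %w", err)
	}
	e, p := sha256.Sum256(raw), sha256.Sum256(payload)
	return hex.EncodeToString(e[:]), hex.EncodeToString(p[:]), nil
}

// MatchesEntry reports whether a local envelope reproduces the digests a Rekor entry claims.
func MatchesEntry(raw []byte, entryEnvelopeHex, entryPayloadHex string) (bool, error) {
	e, p, err := EnvelopeDigests(raw)
	if err != nil {
		return false, err
	}
	return e == entryEnvelopeHex && p == entryPayloadHex, nil
}

// SampleEnvelope builds a constructed envelope around a tiny in-toto statement so the check
// runs offline; the "sig" value is a placeholder, not a real signature.
func SampleEnvelope() []byte {
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"example"}`)
	env := dsseEnvelope{PayloadType: "application/vnd.in-toto+json", Signatures: []map[string]string{{"sig": "PLACEHOLDER"}},
		Payload: base64.StdEncoding.EncodeToString(payload)}
	raw, _ := json.Marshal(env)
	return raw
}
```

A mismatch on either digest means the local envelope is not the one the log entry was made for, so verification should stop there rather than trust the entry.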

codecov bot commented Jul 16, 2023

Codecov Report

Merging #3113 (0f4ec60) into main (10a5237) will decrease coverage by 0.02%.
The diff coverage is 27.27%.

@@            Coverage Diff             @@
##             main    #3113      +/-   ##
==========================================
- Coverage   30.43%   30.42%   -0.02%     
==========================================
  Files         155      155              
  Lines        9794     9798       +4     
==========================================
  Hits         2981     2981              
- Misses       6365     6369       +4     
  Partials      448      448              
Files Changed                          Coverage   Δ
cmd/cosign/cli/attest/attest.go         0.00% <0.00%>   (ø)
cmd/cosign/cli/attest/attest_blob.go   29.11% <0.00%>   (ø)
pkg/cosign/tlog.go                     36.70% <33.33%>  (-0.43%) ⬇️

bobcallaway (Member, Author)

Rekor instance launched by scaffolding is quite old, sigstore/scaffolding#701 needs to merge and a new release cut before that will pass.

haydentherapper (Contributor) left a comment


Only question is if you think we should do a minor version bump of cosign instead of a patch. This isn’t a breaking change, unless clients are currently relying on this storage.

@bobcallaway bobcallaway merged commit b9831ca into sigstore:main Aug 15, 2023
28 checks passed
@github-actions github-actions bot added this to the v2.2.0 milestone Aug 15, 2023