[Feature] Move verify images from beta to GA

[vishal-chdhry]

Problem Statement

Verify image rules are currently in beta for sometime. Since then several features have been added and the approach have been refined. We have gotten to the point where we should consider bumping verify image rules to stable.

Solution Description

Move verify image rules to stable

Alternatives

No response

Additional Context

No response

Slack discussion

No response

Research

• I have read and followed the documentation AND the troubleshooting guide.
• I have searched other issues in this repository and mine is not recorded.

[welcome]

Thanks for opening your first issue here! Be sure to follow the issue template!

[realshuting]

@vishal-chdhry - what is required to support Image Verification GA?

We also need to upgrade to the Sigstore library, is there a tracking issue?

[vishal-chdhry]

To move verify images to GA we have to do the following:

1. Support for concurrent image verification: There is a KDP for that - feat: image verify performance enhancements KDP#58
2. Move to sigstore-go: As of now, cosign uses a custom signature bundle format which is not directly compatible with sigstore-go. A newer specification for storing Sigstore Bundles has been accepted, which utilizes the OCI 1.1 Manifest Referrers API to attach Sigstore Bundles as referring artifacts to an image. Additionally, GitHub Artifact Attestations attach Sigstore Bundles following the spec, and kyverno cannot verify these attestations.
   Things I have to work on are:
   1. Add the sigstore bundle support in sigstore/cosign.
   2. Add a signature format option in cosign verify image to support the old simplesigning format and the sigstore bundle

[realshuting]

@vishal-chdhry - can we close the issue?

[vishal-chdhry]

@realshuting yes, all the action items except concurrency in image verification has been completed and that is not a requirement for GA and is tracked by another issue