Support RSA PEM files: replace signature.LoadECDSAVerifier() with signature.LoadVerifier() #1566
Description
Throughout the codebase signature.LoadECDSAVerifier() is used when signature.LoadVerifier() is probably more appropriate. The docs suggest that RSA should be supported, but many features only support an ECDSA key currently. It appears that signature.LoadVerifier() will load the correct verifier automatically.
Currently some features crash when provided an RSA PEM file: (signed using an RSA cert on a smartcard, but that shouldn't matter)
$ cosign verify "$image" --cert cert.pem
panic: interface conversion: interface {} is *rsa.PublicKey, not *ecdsa.PublicKey
goroutine 1 [running]:
github.com/sigstore/cosign/cmd/cosign/cli/verify.(*VerifyCommand).Exec(0xc00069fc68, {0x68ed5f0, 0xc0001aa008}, {0xc000b7c990, 0x1, 0x32})
github.com/sigstore/cosign@v1.5.0/cmd/cosign/cli/verify/verify.go:142 +0xbd4
github.com/sigstore/cosign/cmd/cosign/cli.Verify.func1(0xc000b7f900, {0xc000b7c990, 0x1, 0x3})
github.com/sigstore/cosign@v1.5.0/cmd/cosign/cli/verify.go:107 +0x231
github.com/spf13/cobra.(*Command).execute(0xc000b7f900, {0xc000b7c960, 0x3, 0x3})
github.com/spf13/cobra@v1.3.0/command.go:856 +0x60e
github.com/spf13/cobra.(*Command).ExecuteC(0xc000a94780)
github.com/spf13/cobra@v1.3.0/command.go:974 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
github.com/spf13/cobra@v1.3.0/command.go:902
main.main()
github.com/sigstore/cosign@v1.5.0/cmd/cosign/main.go:45 +0x4c
It's mostly a matter of swapping out the calls, but I don't know if there are any side effects of this change. Are there any limitations that currently require ECDSA keys? Regardless, the current behavior is a go panic which is a bug.