Proof of Possession agility

[ret2libc]

Summary

Closes #1953

Release Note

• Proof of possession signatures now need to be signed with the "default" hash associated with a given public key type. The defaults comes from sigstore/sigstore (see Implement default signing algorithms based on the key type sigstore#2014)

Documentation

This is a breaking change because before all algorithms used SHA256 (except ED25519 which cannot work with it). Now, based on the public key type, a different hash algorithm might be used. In practice, only ECDSA/P384 and ECDSA/P521 are going to be affected by this change because before they were using SHA256 and with this patch they are going to use SHA384 and SHA512.

Considering ECDSA/P256 is the de-facto standard so far for sigstore clients, most users won't notice any difference. However, Cosign supports BYOK, so some users might use ECDSA/P384 (or P521) keys to request Fulcio certificates. Cosign needs to be updated to use the correct hash algorithm based on the key.

[Hayden-IO]

LGTM pending sigstore/sigstore PR being merged, and pending the discussion about ed25519 defaults.

[codecov]

Codecov Report

Attention: Patch coverage is 64.28571% with 5 lines in your changes missing coverage. Please review.

Project coverage is 43.56%. Comparing base (cf238ac) to head (43ab45d).
Report is 311 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/server/grpc_server.go	54.54%	3 Missing and 2 partials ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #1959       +/-   ##
===========================================
- Coverage   57.93%   43.56%   -14.38%     
===========================================
  Files          50       73       +23     
  Lines        3119     5723     +2604     
===========================================
+ Hits         1807     2493      +686     
- Misses       1154     2999     +1845     
- Partials      158      231       +73     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ret2libc]

TBH I'm a bit unsure what's the problem with the golangci-lint. I don't have any issue locally and those reported issues seems to be false positives to me.

[Hayden-IO]

Thanks!