Bundle inspection and generation utilities #3794

@haydentherapper

Description

Inspired by @codysoyland's https://github.com/codysoyland/sigstore-bundle-upgrade and building on the upcoming bundle support (#3139), it would be great to have utilities to work with or create bundles outside of signing and verification workflows. This could include:

cosign bundle upgrade --version 0.3 --in-place foo.sigstore.json
cosign bundle synthesize --certificate foo.crt --signature foo.sig --attestation foo.json --out foo.sigstore.json
~~cosign bundle verify --identity foo foo.sigstore.json~~
cosign bundle inspect foo.sigstore.json
cosign bundle export --format protobuf --output foo.sigstore.pb foo.sigstore.json
cosign bundle export-certificate --output foo.crt foo.sigstore.json

In order:

  • Upgrading a bundle version, resolving new requirements
  • Merging detached verification material into a bundle
  • Verifying that a bundle contains a specified identity (@codysoyland, did you have something else in mind for this? If this is effectively verify-blob without artifact verification, I'd skip this one, or at least rename)
  • Provide user-readable bundle output (machine readable should just do cat foo.sigstore.json | jq)
  • Export json bundle as protobuf (and should support proto -> json as well)
  • Decompose bundle into detached verification material

Discussion: https://sigstore.slack.com/archives/C0440BFT43H/p1721088432507969
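As an added illustration of the "upgrade" utility proposed above (this is not cosign's code nor @codysoyland's sigstore-bundle-upgrade), the transformation a v0.1/v0.2 to v0.3 upgrade has to perform on the JSON bundle: rewrite the mediaType, replace the `x509CertificateChain` with a leaf-only `certificate`, and refuse to proceed when a tlog entry lacks the inclusion proof that newer versions require. The mediaType strings and field names are taken from sigstore protobuf-specs as I understand them, and the sample bundle is constructed with placeholder bytes.

```python
import copy

# Media types from sigstore protobuf-specs (assumed here; the issue only names "0.3").
MEDIA_TYPES = {
    "application/vnd.dev.sigstore.bundle+json;version=0.1": "0.1",
    "application/vnd.dev.sigstore.bundle+json;version=0.2": "0.2",
    "application/vnd.dev.sigstore.bundle.v0.3+json": "0.3",
}
V03_MEDIA_TYPE = "application/vnd.dev.sigstore.bundle.v0.3+json"


def bundle_version(bundle):
    """Map mediaType to a version string; an unknown mediaType is an error, not a guess."""
    media_type = bundle.get("mediaType")
    if media_type not in MEDIA_TYPES:
        raise ValueError(f"unrecognised bundle mediaType: {media_type!r}")
    return MEDIA_TYPES[media_type]


def upgrade_to_v03(bundle):
    """Return a copy upgraded to v0.3: a leaf-only `certificate` replaces the chain, and
    every tlog entry must already carry an inclusionProof (required since v0.2)."""
    out = copy.deepcopy(bundle)
    version = bundle_version(out)
    vm = out["verificationMaterial"]
    for entry in vm.get("tlogEntries", []):
        if "inclusionProof" not in entry:
            # An inclusion proof cannot be synthesised offline; fetch it from Rekor first.
            raise ValueError(f"tlog entry {entry.get('logIndex')} lacks an inclusionProof")
    if version != "0.3":
        chain = vm.pop("x509CertificateChain", None)
        if chain:
            # v0.3 keeps only the leaf; intermediates are resolved from the trust root.
            vm["certificate"] = {"rawBytes": chain["certificates"][0]["rawBytes"]}
        out["mediaType"] = V03_MEDIA_TYPE
    return out


# Constructed v0.1 sample: rawBytes values are placeholders, not real DER certificates.
SAMPLE_V01 = {
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "verificationMaterial": {
        "x509CertificateChain": {
            "certificates": [{"rawBytes": "TEVBRg=="}, {"rawBytes": "SU5URVI="}],
        },
        "tlogEntries": [{"logIndex": "42", "inclusionProof": {"logIndex": "42", "hashes": []}}],
    },
    "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "AAA="}, "signature": "c2ln"},
}
```

Running `upgrade_to_v03(SAMPLE_V01)` yields a bundle with the v0.3 mediaType and only the leaf certificate; a bundle whose tlog entry has no inclusion proof is rejected rather than silently relabelled.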
