Improve GCB verification

[laurentsimon]

• Verify text provenance for GCB #242 human-readable part should match DSSE
• feat: Support for GCB verification #202 summary verification
• feat: Support for GCB verification #202 metadata verification
• feat: support for GCB v0.3 verification #248 Unit tests
• feat: CLI tests for GCB verification #251 CLI tests @laurentsimon
• feat: CLI tests for GCB verification #251 source.uri verification
• tag using -subject-name
• schedule workflows to check for changes in GCB builder keys and update them @asraa to investigate
• maybe check for key corruption (?)
• unit tests for keys of different type (e.g., RSA) invalid key format
• e2e tests building a container and verifying it @asraa to investigate
• Follow same structure as GHA e2e verification: verifier@main should verify all previous GCB provenance versions
• feat: add CLI tests for GCB verification #245 CLI main_test.go tests
• feat: add CLI tests for GCB verification #245 immutable-only images accepted @laurentsimon
• feat: add CLI tests for GCB verification #245 verify image on registry in CLI @laurentsimon
• Documentation for verification (immutable tag) @laurentsimon PRIORITY
• Update builderID from @v0.2 to v0.3 + with new recipe.type @laurentsimon will look into it. PRIORITY
• Make the builder-id flag non-experimental
• Support builder-id without the @vx.y @laurentsimon PRIORITY
  • feat: support builderID matching with or without semver for GCB #256
  • feat: support builderID matching with or without semver for GHA #257
• Support for verification of GitHub tag, branch, etc available in v0.3 @laurentsimon
• blog post on slsa.dev @ianlewis @asraa to lead

[laurentsimon]

@asraa I think you landed some of the features in the check list above, correct?

[asraa]

Just checked one more off - the remaining e2e test items that could be improved (like checking to ensure the container builds are fresh) are here: slsa-framework/example-package#149

[laurentsimon]

• Improve regression tests. I tried using us-west2-docker.pkg.dev/slsa-tooling/example-package-repo/e2e-gcb-tag-main-annotated-slsa3@sha256:87db6d5226440e72f7134b71163df45282127a3f7b0600c946683cb2f43a70a9 in function Test_runVerifyGCBArtifactImage. I used crane manifest $IMAGE but the hash calculation does not match: it outputs d8e178223968fd3f4a95826978796e6cb49ed67cb323625dc582475692ee5c7a instead of 87db6d5226440e72f7134b71163df45282127a3f7b0600c946683cb2f43a70a9.