
Add --skip-att-sig-check flag #3267

Draft
simonbaird wants to merge 1 commit into conforma:main from simonbaird:skip-att-sig-check


Conversation

@simonbaird
Member

Implement --skip-att-sig-check flag to skip attestation signature validation checks, mirroring the existing --skip-image-sig-check flag. When enabled, attestation signature verification is bypassed during image validation.

Why? Often I'm debugging/troubleshooting something and I get given an image ref to look at. We can use cosign download attestation to inspect the attestation, which is very useful, but if we want to try running Conforma against it, we must either guess, find, or ask to be provided with the public key. Sometimes that's not so difficult, but other times it may be very difficult or even impossible. (Consider for example if the image was built on an ephemeral cluster and the signing secret used is gone forever.)

Now we can use --skip-image-sig-check and --skip-att-sig-check and carry on with the debugging. Note that we added the --skip-image-sig-check recently for other reasons, see https://redhat.atlassian.net/browse/EC-1647. The --skip-att-sig-check is perhaps a little more complicated because we need to add a function that can download the attestation without verifying it.

The argument against this is that it may encourage less careful practices, but I would say it's acceptable because we're not changing the default behavior, which is always to require signature verification.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
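The workflow the description sketches, opening an attestation without verifying its signature, as an added example that is not part of this PR or of Conforma's code: a small Go program that parses the DSSE envelope `cosign download attestation` prints, decodes the in-toto statement inside it, and keeps the one check that still makes sense when signature verification is skipped, namely that the statement's subject actually carries the digest of the image being debugged. The envelope is constructed inline (placeholder signature, made-up registry name and buildType) so the program runs offline; the field names follow the DSSE and in-toto Statement formats, and the type and function names are this example's own, not the project's.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Envelope is the DSSE layout that `cosign download attestation` prints:
// a base64 in-toto Statement plus the signatures made over it.
type Envelope struct {
	PayloadType string            `json:"payloadType"`
	Payload     string            `json:"payload"`
	Signatures  []json.RawMessage `json:"signatures"`
}

// Statement is the subset of an in-toto Statement that matters when debugging.
type Statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate json.RawMessage `json:"predicate"`
}

// UnverifiedAttestation is the result of opening an envelope with signature
// checks skipped. Verified stays false so it cannot pass for a verified result.
type UnverifiedAttestation struct {
	Statement      Statement
	SignatureCount int
	Verified       bool
}

const inTotoPayloadType = "application/vnd.in-toto+json"

// OpenUnverified decodes a DSSE envelope and its statement WITHOUT checking any
// signature. imageDigest ("sha256:<hex>") is the image being debugged; the
// statement must name it as a subject, the one check kept when signatures are off.
func OpenUnverified(raw []byte, imageDigest string) (*UnverifiedAttestation, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("parse envelope: %w", err)
	}
	if env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return nil, fmt.Errorf("parse statement: %w", err)
	}
	alg, hex, ok := strings.Cut(imageDigest, ":")
	if !ok || hex == "" {
		return nil, fmt.Errorf("malformed image digest %q", imageDigest)
	}
	for _, s := range st.Subject {
		if s.Digest[alg] == hex {
			return &UnverifiedAttestation{Statement: st, SignatureCount: len(env.Signatures)}, nil
		}
	}
	return nil, fmt.Errorf("no subject carries digest %s", imageDigest)
}

// SampleDigest and SampleEnvelope are constructed data for this example, not a
// real attestation: a SLSA v0.2 provenance statement with a placeholder signature.
const SampleDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

func SampleEnvelope() []byte {
	statement := map[string]interface{}{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": "https://slsa.dev/provenance/v0.2",
		"subject": []map[string]interface{}{{
			"name":   "registry.example/app",
			"digest": map[string]string{"sha256": strings.TrimPrefix(SampleDigest, "sha256:")},
		}},
		"predicate": map[string]string{"buildType": "example.test/build@v1"},
	}
	body, _ := json.Marshal(statement)
	env := map[string]interface{}{
		"payloadType": inTotoPayloadType,
		"payload":     base64.StdEncoding.EncodeToString(body),
		"signatures":  []map[string]string{{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}},
	}
	raw, _ := json.Marshal(env)
	return raw
}

func main() {
	att, err := OpenUnverified(SampleEnvelope(), SampleDigest)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("predicateType=%s signatures=%d verified=%v predicate=%s\n",
		att.Statement.PredicateType, att.SignatureCount, att.Verified, att.Statement.Predicate)
}
```

In a real debugging session the bytes would come from `cosign download attestation <image-ref>` rather than from SampleEnvelope. The subject-digest check is deliberately kept even though signatures are not: without it, an attestation that happens to sit next to the image in the registry but describes a different artifact would be evaluated as if it were this image's provenance. The Verified field never becomes true here, so anything that consumes the result can tell a skipped check apart from a passed one.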
@coderabbitai

coderabbitai Bot commented Apr 28, 2026

Important: review skipped, draft detected.


@simonbaird
Member Author

Making it a draft because it has no Jira (yet anyway).

@codecov

codecov Bot commented Apr 28, 2026

Codecov Report

❌ Patch coverage is 19.64286% with 45 lines in your changes missing coverage. Please review.

Files with missing lines                                  Patch %   Lines
...ation_snapshot_image/application_snapshot_image.go     0.00%     42 Missing ⚠️
internal/image/validate.go                                62.50%    3 Missing ⚠️

Flag          Coverage Δ
acceptance    55.03% <19.64%> (-0.18%) ⬇️
generative    17.81% <0.00%> (-0.09%) ⬇️
integration   26.56% <5.35%> (-0.10%) ⬇️
unit          68.75% <16.07%> (-0.26%) ⬇️

Flags with carried forward coverage won't be shown.

Files with missing lines                                  Coverage Δ
cmd/validate/image.go                                     91.42% <100.00%> (+0.06%) ⬆️
internal/policy/policy.go                                 92.04% <100.00%> (+0.07%) ⬆️
internal/image/validate.go                                69.71% <62.50%> (-1.09%) ⬇️
...ation_snapshot_image/application_snapshot_image.go     69.96% <0.00%> (-12.73%) ⬇️

... and 1 file with indirect coverage changes

