Add support for creating sigstore signatures, and providing passphrases

- Allow creating sigstore signatures via --sign-by-sigstore-private-key .
  Like existing --sign-by, it does not work remote (in this case
  because we would have to copy the private key to the server).
- Allow passing a passphrase (which is mandatory for sigstore private keys)
  via --sign-passphrase-file; if it is not provided, prompt interactively.
- Also, use that passphrase for --sign-by as well, allowing non-interactive
  GPG use. (But --sign-passphrase-file can only be used with _one of_
  --sign-by and --sign-by-sigstore-private-key.)

Note that unlike the existing code, (podman build) does not yet
implement sigstore (I'm not sure why it needs to, it seems not to
push images?) because Buildah does not expose the feature yet.

Also, (podman image sign) was not extended to support sigstore.

The test for this follows existing (podman image sign) tests
and doesn't work rootless; that could be improved by exposing
a registries.d override option.

The test for push is getting large; I didn't want to
start yet another registry container, but that would be an
alternative.  In the future, Ginkgo's Ordered/BeforeAll
would allow starting a registry once and using it for two
tests.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

2 files changed, 18 insertions, 2 deletions

diff --git a/docs/source/markdown/podman-manifest-push.1.md b/docs/source/markdown/podman-manifest-push.1.md
index 22e8cae9a..66cdb8324 100644
--- a/docs/source/markdown/podman-manifest-push.1.md
+++ b/docs/source/markdown/podman-manifest-push.1.md
@@ -60,7 +60,15 @@ Delete the manifest list or image index from local storage if pushing succeeds.
 
 #### **--sign-by**=*fingerprint*
 
-Sign the pushed images using the GPG key that matches the specified fingerprint.
+Sign the pushed images with a “simple signing” signature using the specified key. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
+
+#### **--sign-by-sigstore-private-key**=*path*
+
+Sign the pushed images with a sigstore signature using a private key at the specified path. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
+
+#### **--sign-passphrase-file**=*path*
+
+If signing the image (using either **--sign-by** or **--sign-by-sigstore-private-key**), read the passphrase to use from the specified path.
 
 #### **--tls-verify**
 
diff --git a/docs/source/markdown/podman-push.1.md b/docs/source/markdown/podman-push.1.md
index 3cda982ac..a69bdce0a 100644
--- a/docs/source/markdown/podman-push.1.md
+++ b/docs/source/markdown/podman-push.1.md
@@ -99,7 +99,15 @@ Discard any pre-existing signatures in the image.
 
 #### **--sign-by**=*key*
 
-Add a signature at the destination using the specified key. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
+Add a “simple signing” signature at the destination using the specified key. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
+
+#### **--sign-by-sigstore-private-key**=*path*
+
+Add a sigstore signature at the destination using a private key at the specified path. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
+
+#### **--sign-passphrase-file**=*path*
+
+If signing the image (using either **--sign-by** or **--sign-by-sigstore-private-key**), read the passphrase to use from the specified path.
 
 #### **--tls-verify**