kwctl
Feature Request: Make `kwctl inspect` show pubkey/(issuer, subject), annotations of signatures
Is your feature request related to a problem?
Right now, `kwctl inspect` only shows the full payloads, without unwrapping the payloads to see the signature information. Hence, one only gets info on "there's a signature", but not what it entails.
Solution you'd like
Instead, have `kwctl inspect` print the list of signatures as: timestamp of signature, pubkey or (issuer, subject), annotations.
Have `kwctl inspect` open the signature body (analogous to `crane manifest $COSIGN_IMAGE | jq '.layers[0].annotations."dev.sigstore.cosign/bundle" | fromjson | .Payload.body | @base64d | fromjson'`). Then, extract the pub key or (issuer, subject), and annotations associated with that specific signature.
This should be possible using sigstore-rs functions.
See also https://github.com/sigstore/sigstore-rs/wiki/Key-based-signing-using-cosign-and-Rekor#the-signature-object.
Alternatives you've considered
No response
Anything else?
No response
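The unwrapping the request describes, as an added worked example that is not part of the issue and not kwctl or sigstore-rs code: it takes a cosign-style signature manifest plus the layer blobs it refers to, opens the `dev.sigstore.cosign/bundle` annotation the same way the `jq` pipeline above does, and reports per signature the Rekor integration time, the public key from the `hashedrekord` entry, and the `-a key=value` annotations, which live in the `optional` map of the simple-signing payload blob rather than in the manifest. It also checks that the digest recorded in the Rekor entry matches the blob actually stored under the layer digest, which is the consistency check a tool printing this summary should make. All sample data (image reference, key PEM, signature strings, timestamp) is constructed and fake; the key-based flow is shown, and for keyless layers the certificate is only flagged, since extracting the Fulcio (issuer, subject) pair needs an X.509 parser that is out of scope here.

```python
import base64
import hashlib
import json
from datetime import datetime, timezone

# Annotation keys cosign writes on each signature layer.
BUNDLE_ANNOTATION = "dev.sigstore.cosign/bundle"
SIGNATURE_ANNOTATION = "dev.cosignproject.cosign/signature"
CERT_ANNOTATION = "dev.sigstore.cosign/certificate"

# Constructed placeholder; not a real key.
FAKE_PUBKEY_PEM = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"


def _make_sample_manifest():
    """Build a constructed cosign signature manifest with consistent digests.
    The simple-signing payload blob carries the annotations in `optional`;
    the Rekor bundle carries the public key, payload hash and log time."""
    payload = {
        "critical": {
            "identity": {"docker-reference": "registry.example/app"},
            "image": {"docker-manifest-digest": "sha256:" + "11" * 32},
            "type": "cosign container image signature",
        },
        "optional": {"env": "prod", "creator": "ci-pipeline"},
    }
    payload_bytes = json.dumps(payload, separators=(",", ":")).encode()
    payload_hex = hashlib.sha256(payload_bytes).hexdigest()
    rekor_body = {  # what `.Payload.body | @base64d | fromjson` yields
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256", "value": payload_hex}},
            "signature": {
                "content": "MEUCIQD-fake-signature",
                "publicKey": {"content": base64.b64encode(FAKE_PUBKEY_PEM.encode()).decode()},
            },
        },
    }
    bundle = {
        "SignedEntryTimestamp": "MEQCIB-fake-set",
        "Payload": {
            "body": base64.b64encode(json.dumps(rekor_body).encode()).decode(),
            "integratedTime": 1700000000,  # constructed
            "logIndex": 42,
            "logID": "c0d23d6a" + "00" * 28,
        },
    }
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "layers": [{
            "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
            "size": len(payload_bytes),
            "digest": "sha256:" + payload_hex,
            "annotations": {
                SIGNATURE_ANNOTATION: "MEUCIQD-fake-signature",
                BUNDLE_ANNOTATION: json.dumps(bundle),
            },
        }],
    }
    return manifest, {"sha256:" + payload_hex: payload_bytes}


SAMPLE_MANIFEST, SAMPLE_BLOBS = _make_sample_manifest()


def summarize_signatures(manifest, blobs):
    """One summary per signature layer: when it was logged, which key signed
    it, which annotations it carries, and whether the payload hash in the
    Rekor entry matches the blob stored under the layer digest."""
    out = []
    for layer in manifest.get("layers", []):
        ann = layer.get("annotations", {})
        entry = {"digest": layer["digest"],
                 "mode": "keyless" if CERT_ANNOTATION in ann else "key"}
        bundle_raw = ann.get(BUNDLE_ANNOTATION)
        if bundle_raw is None:
            entry["error"] = "no Rekor bundle annotation"
            out.append(entry)
            continue
        bundle = json.loads(bundle_raw)
        body = json.loads(base64.b64decode(bundle["Payload"]["body"]))
        entry["timestamp"] = datetime.fromtimestamp(
            bundle["Payload"]["integratedTime"], tz=timezone.utc).isoformat()
        entry["log_index"] = bundle["Payload"]["logIndex"]
        entry["kind"] = body["kind"]
        pk = body["spec"]["signature"].get("publicKey", {}).get("content")
        entry["public_key_pem"] = base64.b64decode(pk).decode() if pk else None
        # Cross-check the registry blob against the hash Rekor logged.
        blob = blobs.get(layer["digest"])
        expected = body["spec"]["data"]["hash"]["value"]
        actual = hashlib.sha256(blob).hexdigest() if blob is not None else None
        entry["hash_consistent"] = (actual is not None and actual == expected
                                    and layer["digest"] == "sha256:" + actual)
        entry["annotations"] = json.loads(blob).get("optional", {}) if blob else {}
        out.append(entry)
    return out


if __name__ == "__main__":
    for s in summarize_signatures(SAMPLE_MANIFEST, SAMPLE_BLOBS):
        print(json.dumps(s, indent=2))
```

On a real registry the `manifest` is what `crane manifest $COSIGN_IMAGE` returns and each blob is fetched by the layer digest; the summary is only informative, since nothing here verifies the signature or the Rekor inclusion proof.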