update: Package verification refactoring

[patrickzheng200]

PR review order: This PR -> #200.

This PR refactors the verifier package. Files intended to be reviewed in this PR:

1. Files in verifier folder except verifier/trustpolicy and verifier/truststore (they should already been reviewed in feat: Added trustpolicy and truststore packages under verification #192).
2. internal/envelope
3. notation.go, this is for logic change on only returning successful signature verification outcomes.

(This PR incorporates the refactored plugin and plugin/proto into the verifier package.)

This PR removes internal/mock_origin, internal/notation.go, and internal/registry, as they've been refactored in the previous PRs. internal/plugin is there for compile reason. After the refactoring of Sign (#200 ), internal/plugin shall be removed.

This PR does not change code related to Sign, so please skip the signature package for now. (Refactoring of signature package is inside #200)

Edit:
A brief summary after our multiple rounds of discussions:

1. If verification succeeded, one and only one success outcome will be returned.
2. If verification failed,
   a. if the total number of signatures associated with the artifact is larger than the user given MaxSignatureAttempts, errExceededMaxVerificationLimit will be returned.
   b. Otherwise, ErrorVerificationFailed will be returned.

[rgnote]

Reviewed only half of the PR, but publishing comments. Will review the remaining files.

[codecov-commenter]

Codecov Report

Merging #186 (024c85c) into main (fc5044e) will decrease coverage by 3.62%.
The diff coverage is 71.61%.

@@            Coverage Diff             @@
##             main     #186      +/-   ##
==========================================
- Coverage   77.34%   73.71%   -3.63%     
==========================================
  Files          33       27       -6     
  Lines        2189     1769     -420     
==========================================
- Hits         1693     1304     -389     
+ Misses        405      375      -30     
+ Partials       91       90       -1     

Impacted Files	Coverage Δ
signature/signer.go	38.23% <ø> (ø)
notation.go	32.58% <40.00%> (-2.11%)	⬇️
verifier/helpers.go	62.92% <62.92%> (ø)
signature/plugin.go	73.43% <72.00%> (-5.82%)	⬇️
verifier/verifier.go	73.80% <73.80%> (ø)
verifier/trustpolicy/trustpolicy.go	95.06% <82.35%> (ø)
signature/envelope.go	100.00% <100.00%> (ø)
verifier/truststore/truststore.go	55.38% <100.00%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[shizhMSFT]

This PR will be split into several smaller PRs to be reviewed.

[shizhMSFT]

In verifier_helpers.go, not all receiver functions (i.e. methods associated with structs) are indeed receiver functions. We can make it a "static function".

Meanwhile, I suggest moving all receiver functions of the verifier struct to verifier.go and all others to helper.go, and cleans up verifier_helpers.go.

[rgnote]

Rest looks good to me

[patrickzheng200]

In verifier_helpers.go, not all receiver functions (i.e. methods associated with structs) are indeed receiver functions. We can make it a "static function".

Meanwhile, I suggest moving all receiver functions of the verifier struct to verifier.go and all others to helper.go, and cleans up verifier_helpers.go.

Done.

[shizhMSFT]

LGTM

[yizha1]

As per discussion during community call and aligned with Vani, this PR can be merged with two approvals from one org. The leftover issue is tracked here #201.

[JeyJeyGao]

LGTM