V1 go tuf update

[kommendorkapten]

Summary

Per the latest sigstore/root-signing#1164 in Sigstore Public Good instance, the key type is changing for the TUF keys, to keep cosign v1 continue to work I've updated to the latest go-tuf version.

This is the same PR as #3597 but against release-1.13 branch. We should probably push it to a new branch instead, but opening to get all the tests to run.

Release Note

• Updated go-tuf version to v0.7.0
• Updated sigstore/sigstore to v1.8.0

Documentation

N/A

[codecov]

Codecov Report

Attention: Patch coverage is 1.57480% with 125 lines in your changes are missing coverage. Please review.

Project coverage is 29.73%. Comparing base (ea92927) to head (be9bf89).

Files	Patch %	Lines
cmd/cosign/cli/tuf_policy.go	0.00%	117 Missing ⚠️
cmd/cosign/cli/policy_init.go	0.00%	7 Missing ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@               Coverage Diff                @@
##           release-1.13    #3598      +/-   ##
================================================
- Coverage         30.14%   29.73%   -0.42%     
================================================
  Files               136      137       +1     
  Lines              8443     8560     +117     
================================================
  Hits               2545     2545              
- Misses             5568     5685     +117     
  Partials            330      330              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haydentherapper]

@cpanato any concerns with adding this to the release-1.13 branch? and anything special we need to know about triggering a release for 1.13.2?

[cpanato]

@haydentherapper nothing, will be similar from the previous one.

but this will be the last for the branch? or how long will we maintain this?

[kommendorkapten]

I would hope this would be the last update for v1, i.e we won't continue to maintain it anymore. But of course, I'm not the authoritative person to make such a decision :)

[kommendorkapten]

Do we have any data on how many people are still downloading or using cosign v1?

[haydentherapper]

I’m still skeptical that we need this. Kyverno was the only major customer I was aware of but they’ve upgraded to v2. We could hold off on merging until after the root is upgraded and see if there’s any complaints from v1 users?

[cpanato]

Only kyverno was asking in the past.

I think we can hold this for a while

[haydentherapper]

We've had a request for it, so moving forward it this.