Signing of Porter bundles

[kichristensen]

What does this change

Sign porter bundles.
Signing is implemented as an internal plugin, allowing us to support different signing providers in the future. The current ones implemented is Cosign and Notation.

What issue does it fix

Implementation of #2902

Notes for the reviewer

Regarding documentation: I will create another PR with the documentation. That PR should be merged just around the release of the version containing the signing functionality, to avoid the documentation being published before the release.

Checklist

• Did you write tests?
• Did you write documentation?
• Did you change porter.yaml or a storage document record? Update the corresponding schema file.
• If this is your first pull request, please add your name to the bottom of our Contributors list. Thank you for making Porter better! 🙇‍♀️

[schristoff]

😶‍🌫️💖 love this already

[schristoff]

I could nit on more changes, but I first want to clarify my understanding, and I have two main questions:

• Why grpc service?
• Why close in the interface, and is there a different way we can rework this without putting it on the user to have to call close?

Also an ask: documentation on this (but I'm unsure where it would go, under plugins?)
I'm gonna keep looking at this and kicking at it though.

[kichristensen]

I could nit on more changes, but I first want to clarify my understanding, and I have two main questions:

• Why grpc service?
• Why close in the interface, and is there a different way we can rework this without putting it on the user to have to call close?

Also an ask: documentation on this (but I'm unsure where it would go, under plugins?) I'm gonna keep looking at this and kicking at it though.

The reason for the

I could nit on more changes, but I first want to clarify my understanding, and I have two main questions:

• Why grpc service?
• Why close in the interface, and is there a different way we can rework this without putting it on the user to have to call close?

Also an ask: documentation on this (but I'm unsure where it would go, under plugins?) I'm gonna keep looking at this and kicking at it though.

@schristoff
Thanks for the feedback, feel free to nit on everything, the more feedback the better 😄

Why gRPC service? This was done in order to implement the signing as a plugin in the same way as secrets, storage, etc.

Why close in the interface? Your question made me think exactly the same. It is not needed, I will remove it.

Regarding documentation, it should be created. As mentioned in the "Notes for the reviewer" section, we have to discuss how to handle this in such a way that the website is not updated with the documentation until the next release to not confuse users. I have also added that as a topic for the Community Meeting. I would like to avoid giving people the impression that it is available in the current version. Maybe it means that documentation should be added in a follow up PR, to be merged just before or right after the release? Or the way documentation is released should be changed to handle these kind of situations?

[kichristensen]

@schristoff Once this PR is approved and ready to be merged I will create a draft PR with documentation. So documentation is ready for for merge when we do the next release.

[schristoff]

👍