dlorenc/verifybash Secret

## verifybash
$ cosign sign -key cosign.key gcr.io/dlorenc-vmtest2/demo
Enter password for private key:
Pushing signature to: gcr.io/dlorenc-vmtest2/demo:sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.cosign

# Just show it all here
# get the image digest (to prevent a race condition)
$ crane digest gcr.io/dlorenc-vmtest2/demo
sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd
$ dgst=$(crane digest gcr.io/dlorenc-vmtest2/demo)

$ cosign download gcr.io/dlorenc-vmtest2/demo@$dgst
{"Base64Signature":"MEUCIQDGvHbEyNgeXFyn5A1o5yuAIwdzZIW3AisB2YzEfh5Q9AIgeOFzqV5PFX0RT+6K5S1TJUzDIsd7OSyFS+IgLSSfMNw=","Payload":"eyJjcml0aWNhbCI6eyJpZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiZ2NyLmlvL2Rsb3JlbmMtdm10ZXN0Mi9kZW1vIn0sImltYWdlIjp7ImRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiJzaGEyNTY6NDEwYTA3ZjE3MTUxZmZmZmI1MTNmOTQyYTAxNzQ4ZGZkYjkyMWRlOTE1ZWE2NDI3ZDYxZDYwYjAzNTdjMWRjZCJ9LCJ0eXBlIjoiY29zaWduIGNvbnRhaW5lciBpbWFnZSBzaWduYXR1cmUifSwib3B0aW9uYWwiOm51bGx9","Cert":null,"Chain":null}

# You could do this part in a few more lines with crane/oras, or a few more with curl
$ cosign download gcr.io/dlorenc-vmtest2/demo@dgst > sig.json

# extract parts (could be inlined too)
$ cat sig.json | jq -r .Base64Signature | base64 -D > sig
$ cat sig.json | jq -r .Base64Signature | base64 -D > payload.json

# verify!
$ openssl dgst -sha256 -verify cosign.pub -signature sig payload.json
Verified OK

# Now check the claim against the digest
if [[ $dgst == $(cat payload.json | jq -r '.critical.image["docker-manifest-digest"]') ]]; then
  echo "matched"
fi
	$ cosign sign -key cosign.key gcr.io/dlorenc-vmtest2/demo
	Enter password for private key:
	Pushing signature to: gcr.io/dlorenc-vmtest2/demo:sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.cosign

	# Just show it all here
	# get the image digest (to prevent a race condition)
	$ crane digest gcr.io/dlorenc-vmtest2/demo
	sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd
	$ dgst=$(crane digest gcr.io/dlorenc-vmtest2/demo)

	$ cosign download gcr.io/dlorenc-vmtest2/demo@$dgst
	{"Base64Signature":"MEUCIQDGvHbEyNgeXFyn5A1o5yuAIwdzZIW3AisB2YzEfh5Q9AIgeOFzqV5PFX0RT+6K5S1TJUzDIsd7OSyFS+IgLSSfMNw=","Payload":"eyJjcml0aWNhbCI6eyJpZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiZ2NyLmlvL2Rsb3JlbmMtdm10ZXN0Mi9kZW1vIn0sImltYWdlIjp7ImRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiJzaGEyNTY6NDEwYTA3ZjE3MTUxZmZmZmI1MTNmOTQyYTAxNzQ4ZGZkYjkyMWRlOTE1ZWE2NDI3ZDYxZDYwYjAzNTdjMWRjZCJ9LCJ0eXBlIjoiY29zaWduIGNvbnRhaW5lciBpbWFnZSBzaWduYXR1cmUifSwib3B0aW9uYWwiOm51bGx9","Cert":null,"Chain":null}

	# You could do this part in a few more lines with crane/oras, or a few more with curl
	$ cosign download gcr.io/dlorenc-vmtest2/demo@dgst > sig.json

	# extract parts (could be inlined too)
	$ cat sig.json \| jq -r .Base64Signature \| base64 -D > sig
	$ cat sig.json \| jq -r .Base64Signature \| base64 -D > payload.json

	# verify!
	$ openssl dgst -sha256 -verify cosign.pub -signature sig payload.json
	Verified OK

	# Now check the claim against the digest
	if [[ $dgst == $(cat payload.json \| jq -r '.critical.image["docker-manifest-digest"]') ]]; then
	echo "matched"
	fi