Command 'podman image trust set' does not set signedIdentity for type sigstoreSigned

[kilowhiskey]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Command podman image trust set does not set signedIdentity for type sigstoreSignedBy. User needs to manually update /etc/containers/policy.json and set the parameter.

Also the command should be consistent with the policy file type.
Command type: sigstoreSignedBy
Policy file type: sigstoreSigned

Steps to reproduce the issue:

1. podman image trust set --type sigstoreSignedBy --pubkeysfile <public key file path> <registry>

2. Entry in /etc/containers/policy.json created

             "registry1.abc.cde": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/home/signatures/cosign-public-key.pub"
                }
            ]

3. Manual update of /etc/containers/policy.json is necessary

             "registry1.abc.cde": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/home/signatures/cosign-public-key.pub",
                    "signedIdentity": {"type": "matchRepository"}
                }
            ]

Describe the results you received:
Content trust for registry fails unless policy file is manually updated.

Describe the results you expected:
According to https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md
sigstoreSigned images require signedIdentity to be set to matchRepository or exactRepository
The command should set one automatically or allow setting signedIdentity parameters.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Client:       Podman Engine
Version:      4.3.0
API Version:  4.3.0
Go Version:   go1.18.1
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info:

host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2:2.1.4-0ubuntu22.04+obs13.14_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.4, commit: '
  cpuUtilization:
    idlePercent: 71.55
    systemPercent: 17.35
    userPercent: 11.1

  cpus: 3
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  hostname: myvm-VirtualBox
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.15.0-52-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 5396312064
  memTotal: 8335962112
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun_1.6-0ubuntu22.04+obs46.11_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.6
      commit: 18cf2efbb8feb2b2f20e316520e0fd0b6c41ef4d
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.0.1-2_amd64
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.6.1
  swapFree: 968056832
  swapTotal: 968056832
  uptime: 0h 1m 0.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/kingubu/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/kingubu/.local/share/containers/storage
  graphRootAllocated: 20424802304
  graphRootUsed: 11093434368
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /home/kingubu/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.0
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.18.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.0

Package info (e.g. output of rpm -q podman or apt list podman or brew info podman):

(paste your output here)

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
Locally running podman installation.

[rhatdan]

@cdoern PTAL

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

@cdoern @vrothberg PTAL

[vrothberg]

I can take care of fixing but want @mtrmac's pair of eyes before on the issue.

[mtrmac]

matchRepository is required for cosign interoperability, but I think it’s a bad behavior.

IMHO matchRepository should not be added by podman image trust set, or at the very least not without an explicit opt-in. The ideal approach is to convince cosign to change the identity in signatures it creates. That’s one of the items on my list…

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

@mtrmac Reminder