Add more tests #537

Merged: mihaimaruseac merged 3 commits into sigstore:main from stefanberger:more_tests on Oct 9, 2025

Conversation

@stefanberger (Contributor) commented Oct 7, 2025

Summary

Add test cases for v1.0.1 signatures.
Also add a test that first creates key, certificate, and sigstore types of signatures with the currently active library and tests verification against several older versions of the library that are installed in a venv. This serves the purpose of ensuring backwards compatibility. Then also use the older versions of the library and the model_signing tool to verify against the key, certificate, and sigstore signatures we have in the test directory.

Checklist
  • All commits are signed-off, using DCO
  • All new code has docstrings and type annotations
  • All new code is covered by tests. Aim for at least 90% coverage. CI is configured to highlight lines not covered by tests.
  • Public facing changes are paired with documentation changes
  • Release note has been added to CHANGELOG.md if needed

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
@stefanberger stefanberger requested review from a team as code owners October 7, 2025 17:43
@stefanberger stefanberger force-pushed the more_tests branch 2 times, most recently from 6cbe799 to 2a8af3f on October 7, 2025 18:15
@stefanberger stefanberger marked this pull request as draft October 8, 2025 13:49
@stefanberger (Contributor, Author):

Putting this into draft mode while I experiment with the oidc-token from here for sigstore signing.

Create a signature with the currently active model signing library and test
it against old versions of the library installed into a venv. Use the older
versions of the library to test against the pre-created signatures located
in the test directory.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
@stefanberger stefanberger marked this pull request as ready for review October 8, 2025 15:24
@stefanberger (Contributor, Author):

It can now sign with sigstore using that test-token as well. It has problems with --use_staging, though, so I cannot use this option.

@spencerschrock (Contributor):

> It has problems with --use_staging, though, so I cannot use this option.

This is specifically for trying to verify new signatures on old versions? I believe rekor v2 is live in staging, which is why you're having this issue (verifying a rekorv2 entry with sigstore-python v3.6.5 which doesn't have support for them yet?).

I understand verifying old signatures with new versions, but do we need tests for verifying new signatures using old versions?

@stefanberger (Contributor, Author) commented Oct 8, 2025

> It has problems with --use_staging, though, so I cannot use this option.

> This is specifically for trying to verify new signatures on old versions? I believe rekor v2 is live in staging, which is why you're having this issue (verifying a rekorv2 entry with sigstore-python v3.6.5 which doesn't have support for them yet?).

I got strange errors with insufficient time sources.

> I understand verifying old signatures with new versions, but do we need tests for verifying new signatures using old versions?

  1. I think it's good to maintain backwards compatibility (for as long as we can) so that signatures created with a newer version of the library still verify with older versions of it, especially if the model-signing library was integrated into a much more complex environment where updating it could be a hassle and users may not know what to do if a signature doesn't verify. FYI, I am trying to have signature verification used by vLLM where installations of vLLM and a potential future plugin could use one version of the library while models get signed with a newer version: Add plugin registry and callbacks for AI model validation vllm-project/vllm#26309
  2. I also want to prevent PR Replace sigstore_proto_buf with sigstore_models #533 from introducing unnecessary backwards compatibility issues.
  3. For our own awareness I think it's good to know what version of the library can/cannot be used to verify a signature created by a specific version of the library. This can be deduced from the test cases.
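The matrix described in the PR summary (the current release signs, older releases installed in venvs verify, and older releases also verify the signatures checked into the test directory), together with the distinction spencerschrock and stefanberger draw between the two directions, as an added Python harness. This is example code written for this page, not the PR's own scripts/tests/test-sign-verify-allversions.sh. It goes slightly beyond the thread by classifying every failure by direction: an older signature that stops verifying with a newer release is a regression, while a newer signature that an older release cannot consume is reported as a forward-compatibility gap. The `model_signing verify key` invocation with `--signature` and `--public_key` is an assumption modelled on the tool's CLI (confirm with `--help` inside each venv), the `Runner` injection point is a constructed testing hook, and every version string other than 1.0.1 is a constructed placeholder.

```python
"""Cross-version signature compatibility harness (added example; not the
project's own scripts/tests/test-sign-verify-allversions.sh)."""
from __future__ import annotations

import subprocess
import sys
import venv
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Iterable

# Same call shape as subprocess.run, so a fake can be injected for offline tests.
Runner = Callable[..., object]


@dataclass(frozen=True)
class Outcome:
    signer: str    # model_signing release that produced the signature
    verifier: str  # model_signing release that checked it
    ok: bool
    detail: str = ""  # stderr of the verifier, kept for the report


def parse_version(v: str) -> tuple[int, ...]:
    """'1.0.1' -> (1, 0, 1); used only to order releases."""
    return tuple(int(part) for part in v.split("."))


def ensure_venv(root: Path, version: str, runner: Runner = subprocess.run) -> Path:
    """Create root/model_signing-<version> with that release installed; return its python."""
    env_dir = root / f"model_signing-{version}"
    bindir = "Scripts" if sys.platform == "win32" else "bin"
    python = env_dir / bindir / "python"
    if not python.exists():
        venv.EnvBuilder(with_pip=True).create(env_dir)
        runner([str(python), "-m", "pip", "install", "--quiet",
                f"model_signing=={version}"], check=True)
    return python


def verify_key_cmd(python, model, signature, public_key) -> list[str]:
    """ASSUMPTION: `model_signing verify key` with --signature/--public_key, modelled on
    the tool's CLI; confirm with `python -m model_signing verify key --help` in each venv."""
    return [str(python), "-m", "model_signing", "verify", "key", str(model),
            "--signature", str(signature), "--public_key", str(public_key)]


def verify_with(python, verifier: str, signer: str, model, signature, public_key,
                runner: Runner = subprocess.run) -> Outcome:
    """Run one verification under one release and record pass/fail plus stderr."""
    proc = runner(verify_key_cmd(python, model, signature, public_key),
                  capture_output=True, text=True)
    return Outcome(signer, verifier, proc.returncode == 0, (proc.stderr or "").strip())


def classify(outcomes: Iterable[Outcome]) -> dict[str, list[Outcome]]:
    """Separate failures by direction, because they mean different things:
    - regression: the verifier is the same age or newer than the signer and still
      fails, so an existing signature stopped verifying; CI must fail on these.
    - forward_gap: the verifier is older than the signer; this documents which
      older releases can still consume new signatures and is informational."""
    report: dict[str, list[Outcome]] = {"ok": [], "regression": [], "forward_gap": []}
    for o in outcomes:
        if o.ok:
            report["ok"].append(o)
        elif parse_version(o.verifier) >= parse_version(o.signer):
            report["regression"].append(o)
        else:
            report["forward_gap"].append(o)
    return report


def run_matrix(root: Path, verifier_versions: list[str], signatures: dict[str, Path],
               model: Path, public_key: Path, runner: Runner = subprocess.run) -> list[Outcome]:
    """Check every signature (keyed by the release that made it) with every verifier release.
    Signatures from the current release and the pre-created ones in the test directory
    can both be listed in `signatures`."""
    outcomes = []
    for ver in verifier_versions:
        python = ensure_venv(root, ver, runner)
        for signer, sig in signatures.items():
            outcomes.append(verify_with(python, ver, signer, model, sig, public_key, runner))
    return outcomes


if __name__ == "__main__":
    # Constructed sample outcomes standing in for a real run_matrix() result;
    # "1.0.2" is a placeholder release, not one taken from the PR.
    sample = [
        Outcome("1.0.1", "1.0.1", True),
        Outcome("1.0.1", "1.0.2", True),
        Outcome("1.0.2", "1.0.1", False, "unsupported bundle format"),
    ]
    report = classify(sample)
    for kind, items in report.items():
        for o in items:
            print(f"{kind:12} signer={o.signer} verifier={o.verifier} {o.detail}")
    sys.exit(1 if report["regression"] else 0)
```

Running it against real releases means calling `run_matrix` with a scratch directory, the list of releases to install, and a mapping from signer release to signature file; only the `regression` bucket should fail the job, the `forward_gap` bucket is what tells you the oldest release that can still verify a freshly produced signature.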

@mihaimaruseac (Member) left a review comment:


Minor nit in renaming some files, but otherwise I'd say to get this in for now, even though we might need to do a refactoring of the testing to also take into account that the spec has been moved to a separate repo. But for the next release they can be here.

Review comment thread on scripts/tests/test-sign-verify-allversions.sh
@mihaimaruseac mihaimaruseac enabled auto-merge (squash) October 9, 2025 16:52
Also adjust the testrunner to pick up test cases with suffix .sh.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
auto-merge was automatically disabled October 9, 2025 17:27: head branch was pushed to by a user without write access

@mihaimaruseac (Member) left a review comment:


Thank you!

@mihaimaruseac mihaimaruseac merged commit a15963c into sigstore:main Oct 9, 2025
51 checks passed
@stefanberger stefanberger deleted the more_tests branch October 9, 2025 20:11