
Conversation

@tonistiigi
Member

Add an option to use signed cache with the GitHub backend. Signing needs to happen by an external program set in the toml config (e.g. cosign via GitHub OIDC) and is verified against the policy specified in the toml config. This allows a reusable workflow running in the GitHub Actions environment to ensure that the cache cannot be modified outside of the workflow, even if full access to cache storage is available.

ref docker/github-builder-experimental#56

}

type VerifyPolicy struct {
TimestampTreshold int `toml:"timestampTreshold"`
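Review bot: besides the spelling, TimestampTreshold is a bare int with no unit in the field name, the toml tag or a comment, so whoever writes the policy has to guess between seconds, milliseconds and something else. Name the unit (e.g. `timestampThresholdSeconds`) or document it on the field, and state what a zero value means (no limit, or reject everything).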
Member


typo

Suggested change
TimestampTreshold int `toml:"timestampTreshold"`
TimestampThreshold int `toml:"timestampThreshold"`
Comment on lines +10 to +12
type SignConfig struct {
Command []string `toml:"command"`
}
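Review bot: SignConfig.Command is an argv slice with nothing describing the contract with the external program: what it receives (stdin, a file path, an argument), what it must return on stdout, and how a non-zero exit is handled. A doc comment on the field, or a reference to where that contract is documented, would save every cosign wrapper author from reading the backend code.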
Member


I guess in the future we could have some kind of Backend attribute so we can choose different kinds of backends if we have built-in ones supported, like sigstore:

type SignConfig struct {
	Backend  string           `toml:"backend"`
	Sigstore *SigstoreBackend `toml:"sigstore,omitempty"`
	Command  *CommandBackend  `toml:"command,omitempty"`
}

type SigstoreBackend struct {
	OIDCProvider string `toml:"oidc-provider"`
	TLogUpload   bool   `toml:"tlog-upload"`
}

type CommandBackend struct {
	Commands []string `toml:"commands"`
}
Member Author


Why do you need the extra params? Isn't the command args flexible enough to do whatever you need to do?

Member

@crazy-max crazy-max Dec 15, 2025


I mean if one day we have signing with sigstore built into buildkit (similar to remote cache backends), we would not need to copy the cosign binary into the build container and shell out. Maybe better through the gateway as an image?

Member Author


In the future maybe, but I don't know what it would look like then.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@crazy-max crazy-max added this to the v0.27.0 milestone Dec 18, 2025
Member

@crazy-max crazy-max left a comment


Needs https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md update with new sections or maybe a new "signing" page under https://github.com/moby/buildkit/tree/master/docs but we can do it later when we expand on signing in our code base. (cc @dvdksn)

Currently this is tested in the Docker GitHub Builder: docker/github-builder-experimental#60
