keyless `verify-attestation` dereferences nil pointer

[mattmoor]

Description
To reproduce this, you effectively need a cosign built at HEAD since keyless attestation was broken until earlier today.

Run the following:

COSIGN_EXPERIMENTAL=true cosign attest --predicate foo.json <DIGEST>
COSIGN_EXPERIMENTAL=true cosign verify-attestation <DIGEST>

The second command will panic because pubKey is nil here:

cosign/cmd/cosign/cli/verify/verify_attestation.go

Lines 115 to 117 in dcfb11d

	co.SigVerifier = &reverseDSSEVerifier{
	Verifier: dsse.WrapVerifier(pubKey),
	}

[dlorenc]

Looks like we don't properly handle the cert and cert validation here, like we do here:

cosign/pkg/cosign/verify.go

Line 154 in fc58838

if cert == nil {

[dlorenc]

Looks like the bug is here: https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L157

We create a new SigVerifier from the public key inside the cert for the keyless path rather than using the passed in SigVerifier.

[vaikas]

If the SigVerifier is set, wouldn't it just take this path here?
https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L143

Which (at least in my repro case) gets created with nil pubKey here:
https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify_attestation.go#L115

Which according to this comment should be ok?
https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify_attestation.go#L96

[vaikas]

Ok, I think I figured it out. I'll send a PR out.