fix: update error message from notation-go

[ghost]

This PR tends to solve the following issues from Notation CLI which requires a few changes in notation-go library:
#699, #700, #701.

This PR includes:
Updated verificationOutcomes in the return of notation.Verify to include verification failed reasons of each signature, so that Notation CLI could display them to the user without having to enable the -v or -d flag.

1. Updated err returned from notation.Verify as a joined error. (based on code review, verificationOutcomes related logic is not changed in this PR.)
2. The error message updates related to trust store, based on discussions from the issues mentioned above.

The updated error messages is displayed in the PR of Notation CLI: notaryproject/notation#771.

[codecov-commenter]

Codecov Report

Merging #345 (e6af52d) into main (effa7cb) will decrease coverage by 0.32%.
The diff coverage is 43.47%.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

@@            Coverage Diff             @@
##             main     #345      +/-   ##
==========================================
- Coverage   74.68%   74.36%   -0.32%     
==========================================
  Files          23       24       +1     
  Lines        2228     2251      +23     
==========================================
+ Hits         1664     1674      +10     
- Misses        443      457      +14     
+ Partials      121      120       -1     

Files	Coverage Δ
dir/path.go	88.88% <ø> (ø)
notation.go	66.51% <100.00%> (+1.69%)	⬆️
verifier/verifier.go	81.53% <100.00%> (ø)
verifier/helpers.go	70.51% <50.00%> (ø)
verifier/truststore/truststore.go	52.45% <30.76%> (+0.79%)	⬆️
verifier/truststore/errors.go	20.00% <20.00%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[JeyJeyGao]

LGTM

[shizhMSFT]

LGTM with suggestions

[shizhMSFT]

LGTM

[priteshbandi]

Couple of observations:

1. IMO we should't return verificationOutcomes for all the signatures we have evaluated; In endless data attack and system will crash with OOM error. Before adding adding more functionality based on verificationOutcomes, we should disuses how we want to mitigate the aforementioned issue.
2. There are some precondition errors such as ts/tp misconfiguration for which we should short circuit and not evaluate signatures. More discussion in fix: update notation verify error messages notation#771 (comment)

[ghost]

Couple of observations:

1. IMO we should't return verificationOutcomes for all the signatures we have evaluated; In endless data attack and system will crash with OOM error. Before adding adding more functionality based on verificationOutcomes, we should disuses how we want to mitigate the aforementioned issue.

@priteshbandi verificationOutcomes related logic is NOT changed in this PR. Sorry that I forgot to update this PR's description, but you could verify it in the code. All this PR doing is updating trust store error messages.
(btw, we have the maxSignatureAttempts. By default, this value is set to 100 from the notation CLI side. So endless attack is not a concern here.)

2. There are some precondition errors such as ts/tp misconfiguration for which we should short circuit and not evaluate signatures. More discussion in fix: update notation verify error messages notation#771 (comment)

I have replied this one in: notaryproject/notation#771 (comment)

[ghost]

Hi @priteshbandi, regarding your concern on returning errors for all the signatures, this won't bring in endless attack: https://github.com/notaryproject/notation-go/blob/main/notation.go#L361, because we use MaxSignatureAttempts to limit the maximum number of signatures processed by notation. The number of errors returned will always be smaller or equal to MaxSignatureAttempts. As a library, returning these errors is an enhancement to notation-go. The caller, such as Notation CLI, can decide whether to display these errors.
(It's backward compatible because we are NOT updating verificationOutcomes, instead we use the new Golang feature errors.Join to do it.)
/cc: @shizhMSFT

[JeyJeyGao]

LGTM

[shizhMSFT]

LGTM

[JeyJeyGao]

LGTM

[priteshbandi]

LGTM