nv2 sign & validate shouldn't require cn = registry name

[SteveLasker]

We're recently decoupled the CN from the registry name as part of the signing and validation.
However, docker nv2 notary sign attempts to match CN with the registry name:

openssl req \
  -x509 \
  -sha256 \
  -nodes \
  -newkey rsa:2048 \
  -days 365 \
  -subj "/CN=registry.wabbit-networks.io/O=wabbit-networks inc/C=US/ST=Washington/L=Seattle" \
  -addext "subjectAltName=DNS:registry.wabbit-networks.io" \
  -keyout ./wabbit-networks.key \
  -out ./wabbit-networks.crt

Followd by:

docker notary sign \
  --key ./wabbit-networks.key \
  --cert ./wabbit-networks.crt \
  localhost:5000/net-monitor:v1

Fails with:

Generating Docker mainfest: localhost:5000/net-monitor:v1
Signing sha256:0da7b8db631b5faeff09f6217de7ac47bdcd53e0e7a15cec559a8140ac164f5c
2021/04/23 17:44:13 x509: certificate is valid for registry.wabbit-networks.io, not localhost

Expected

Signing to not validate against the CN

[shizhMSFT]

docker notary sign adds refereneces in the signature claims automatically. Since the signing certificate does not match the domain name, it fails the signing and verification.

Since the reference indicates the declared origin of the artifact, I won't change the notary library for the verification logic. Instead, I will modify the UX for docker-nv2.

[shizhMSFT]

With #57, the behavior changes to

$ docker notary sign -k wabbit-networks.key -c wabbit-networks.crt localhost:5000/bash:latest
Generating Docker mainfest: localhost:5000/bash:latest
Signing sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2
Signature saved to /home/shizh/.docker/nv2/sha256/d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2/sha256/48aa46ef35d1c545f55c2e76dc78047eaaff6fd7ece951b2f0609bf1a84502ae.jwt
$ docker push localhost:5000/bash:latest
The push refers to repository [localhost:5000/bash]
5318c66bd933: Preparing
93f1f7108e53: Preparing
32f366d666a5: Preparing
5318c66bd933: Pushed
32f366d666a5: Pushed
93f1f7108e53: Pushed
latest: digest: sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2 size: 946
Pushing signature
signature manifest digest: sha256:b08630b80de5c53d5c5a7a7a6c91a5b608cf0dba0e22757213a573bd73a7e8f8 size: 470
$ docker pull localhost:5000/bash:latest
latest digest: sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2 size: 946
Looking up for signatures
Found 1 signatures
Found valid signature: sha256:48aa46ef35d1c545f55c2e76dc78047eaaff6fd7ece951b2f0609bf1a84502ae
localhost:5000/bash@sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2: Pulling from bash
Digest: sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2
Status: Image is up to date for localhost:5000/bash@sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2
localhost:5000/bash@sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2

The references can be explicitly added by --reference / -r parameters:

$ docker notary sign -k wabbit-networks.key -c wabbit-networks.crt -r "registry.wabbit-networks.io/bash:latest" localhost:5000/bash:latest
Generating Docker mainfest: localhost:5000/bash:latest
Signing sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2
Signature saved to /home/shizh/.docker/nv2/sha256/d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2/sha256/506cc3445ca4585d993de8e99d4b166fbd57690d0fee65875d739c6ef8aefb3e.jwt
$ docker push localhost:5000/bash:latest
The push refers to repository [localhost:5000/bash]
5318c66bd933: Preparing
93f1f7108e53: Preparing
32f366d666a5: Preparing
5318c66bd933: Pushed
32f366d666a5: Pushed
93f1f7108e53: Pushed
latest: digest: sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2 size: 946
Pushing signature
signature manifest digest: sha256:88cbb5b010a31e0673ee6fc6fda6dcdf40bf3feb6e8662e50c84c6d942e0fbf2 size: 470
$ docker pull localhost:5000/bash:latest
latest digest: sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2 size: 946
Looking up for signatures
Found 1 signatures
Found valid signature: sha256:506cc3445ca4585d993de8e99d4b166fbd57690d0fee65875d739c6ef8aefb3e
The image is originated from:
- registry.wabbit-networks.io/bash:latest
localhost:5000/bash@sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2: Pulling from bash
Digest: sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2
Status: Image is up to date for localhost:5000/bash@sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2
localhost:5000/bash@sha256:d6fbca4fa8195c4b6a23f8599b022d3d4287b52622b6ebae3291f0f074edd1c2