fix: Improve output when there is no signature associated #666

Merged
merged 1 commit into from
May 16, 2023

priteshbandi
Contributor

Fixes: #624

➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE 
Warning: Always inspect the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1 has no associated signature

➜  notation git:(no-sig) ✗ ./notation ls $IMAGE      
Warning: Always list the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1 has no associated signature

➜  notation git:(no-sig) ✗ ./notation sign $IMAGE -e 123h
Warning: Always sign the artifact using digest(@sha256:...) rather than a tag(:v1) because tags are mutable and a tag reference can point to a different artifact than the one signed.
Successfully signed localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1

➜  notation git:(no-sig) ✗ ./notation ls $IMAGE          
Warning: Always list the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1
└── application/vnd.cncf.notary.signature
    └── sha256:be23f992f68a6b3003c83506eb9275188355a451294006e4cac651d2a1b7c716

➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE     
Warning: Always inspect the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
Inspecting all signatures for signed artifact
localhost:6000/net-monitor@sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1
└── application/vnd.cncf.notary.signature
    └── sha256:be23f992f68a6b3003c83506eb9275188355a451294006e4cac651d2a1b7c716
        ├── media type: application/jose+json
        ├── signature algorithm: RSASSA-PSS-SHA-256
        ├── signed attributes
        │   ├── signingTime: Fri May 12 20:16:27 2023
        │   ├── expiry: Wed May 17 23:16:27 2023
        │   └── signingScheme: notary.x509
        ├── user defined attributes
        │   └── (empty)
        ├── unsigned attributes
        │   └── signingAgent: Notation/1.0.0
        ├── certificates
        │   └── SHA1 fingerprint: 091c1a5e57aa401de7fb22ac52b56d79f211bd03
        │       ├── issued to: CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US
        │       ├── issued by: CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US
        │       └── expiry: Sun May 14 00:58:40 2023
        └── signed artifact
            ├── media type: application/vnd.docker.distribution.manifest.v2+json
            ├── digest: sha256:52cc9cf0f2e0cadf49337acc7a45a07a2ce5a0ef37702efb0a851884bc32b7b1
            └── size: 942

codecov-commenter commented May 13, 2023

Codecov Report

Merging #666 (b630b3a) into main (5516199) will decrease coverage by 0.12%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main     #666      +/-   ##
==========================================
- Coverage   33.33%   33.21%   -0.12%     
==========================================
  Files          32       32              
  Lines        2019     2026       +7     
==========================================
  Hits          673      673              
- Misses       1324     1331       +7     
  Partials       22       22              
Impacted Files Coverage Δ
cmd/notation/inspect.go 14.21% <0.00%> (-0.15%) ⬇️
cmd/notation/list.go 27.84% <0.00%> (-1.10%) ⬇️
cmd/notation/manifest.go 0.00% <0.00%> (ø)
cmd/notation/verify.go 32.81% <0.00%> (+0.50%) ⬆️

@priteshbandi priteshbandi changed the title fix: Improve output when there is no signature assoicated fix: Improve output when there is no signature associated May 14, 2023
Comment on lines +116 to +118
if !titlePrinted {
fmt.Printf("%s has no associated signature\n", ref)
}
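Review bot: The message at +117 is written to stdout with fmt.Printf, the same stream that carries the signature tree, so a script that relied on the earlier behaviour discussed in this thread (empty output meaning "unsigned") now receives a non-empty line to parse. Consider documenting the new line in the command help or release notes, and stating the exit status for this case, which the visible lines do not show. It is also worth confirming that ref is the digest-resolved reference rather than the tag the user typed, since after the mutable-tag warning the message is only useful if it names the artifact that was actually looked up.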
Contributor

Do we need this printout? If there is no associated signature, the output of list is just empty.

Contributor Author

Yes, otherwise the output (as shown below) looks incomplete.

For unsigned image referred by tag, user won't know which image was inspected/listed.

# unsigned image referred by tag
➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE 
Warning: Always inspect the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.

For unsigned image referred by digest, not printing anything doesn't look right and would like to keep output consistent with unsigned image referred by tag

# unsigned image referred by digest
➜  notation git:(no-sig) ✗ ./notation inspect $IMAGE 

Contributor

Got it. Makes sense to me.

Signed-off-by: Pritesh Bandi <priteshbandi@gmail.com>
Contributor

@Two-Hearts Two-Hearts left a comment

LGTM

Contributor

@JeyJeyGao JeyJeyGao left a comment

LGTM

Contributor

@shizhMSFT shizhMSFT left a comment

LGTM

@priteshbandi priteshbandi merged commit fb191d4 into notaryproject:main May 16, 2023
4 checks passed
Successfully merging this pull request may close these issues.

Improve the output message of notation inspect images without signatures