Using CAS for content-trust (#3382)

* Using CAS for content-trust

* v2

* Fix linting errors

* Adjust field checked for status in CAS response

* CI workflow needs CAS not VCN now

* Use cwd in test as code won't be in /usr/src

* Pre-cache CAS pub key for supervisor

* Cas doesn't actually need key file executable

Co-authored-by: Mike Degatano <michael.degatano@gmail.com>

Dockerfile

@@ -5,10 +5,12 @@ ENV \
     S6_SERVICES_GRACETIME=10000 \
     SUPERVISOR_API=http://localhost
 
-ARG BUILD_ARCH
-WORKDIR /usr/src
+ARG \
+    BUILD_ARCH \
+    CAS_VERSION
 
 # Install base
+WORKDIR /usr/src
 RUN \
     set -x \
     && apk add --no-cache \
@@ -18,7 +20,20 @@ RUN \
         libffi \
         libpulse \
         musl \
-        openssl
+        openssl \
+    && apk add --no-cache --virtual .build-dependencies \
+        build-base \
+        go \
+    \
+    && git clone -b "v${CAS_VERSION}" --depth 1 \
+        https://github.com/codenotary/cas \
+    && cd cas \
+    && make cas \
+    && mv cas /usr/bin/cas \
+    \
+    && apk del .build-dependencies \
+    && rm -rf /root/go /root/.cache \
+    && rm -rf /usr/src/cas
 
 # Install requirements
 COPY requirements.txt .