What are the areas you experience the issue in?
Notation CLI
What is not working as expected?
The notation verify command returned a too-general error message, which made it extremely hard for users to figure out the reason behind it unless they specified the --debug flag.
notation verify localhost:5000/nginx:latest
Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:latest) because resolved digest may not point to the same signed artifact, as tags are mutable.
Error: signature verification failed: artifact "localhost:5000/nginx@sha256:bfb112db4075460ec042ce13e0b9c3ebd982f93ae0be155496d050bb70006750" has no applicable trust policy
What did you expect to happen?
With the default log level, the output messages should include the specific reason for a failure.
How can we reproduce it?
Reproduced steps:
- notation sign an image: localhost:5000/nginx:latest
- registryScopes was set to * for verifying all the images. trustStores and trustedIdentities didn't include the certificates used for signing; see an example below:

    {
        "version": "1.0",
        "trustPolicies": [
            {
                "name": "trust-policy-example",
                "registryScopes": [ "*" ],
                "signatureVerification": {
                    "level" : "strict"
                },
                "trustStores": [ "ca:trusted" ],
                "trustedIdentities": [
                    "x509.subject: O=MyOrg,ST=MyState,C=MyCountry"
                ]
            }
        ]
    }

- Run the notation verify command:

    notation verify localhost:5000/nginx:latest
    Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:latest) because resolved digest may not point to the same signed artifact, as tags are mutable.
    Error: signature verification failed: artifact "localhost:5000/nginx@sha256:bfb112db4075460ec042ce13e0b9c3ebd982f93ae0be155496d050bb70006750" has no applicable trust policy
Describe your environment
WSL
What is the version of your Notation CLI or Notation Library?
v1.0.0-rc.3
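An added diagnostic helper (not part of the issue or of notation itself) that reads the trust policy quoted above, picks the policy whose registryScopes cover a repository, and compares a signing certificate's subject against the policy's x509.subject trusted identities, so the specific reason for a rejection is spelled out. The scope-precedence rule (exact repository before "*"), the sample certificate subjects and the wording of the reasons are assumptions of this helper.

```python
import json

# Trust policy from the issue, embedded inline (constructed) so this runs offline.
TRUST_POLICY = json.loads("""{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "trust-policy-example",
      "registryScopes": [ "*" ],
      "signatureVerification": { "level": "strict" },
      "trustStores": [ "ca:trusted" ],
      "trustedIdentities": [ "x509.subject: O=MyOrg,ST=MyState,C=MyCountry" ]
    }
  ]
}""")


def applicable_policy(doc, repository):
    """Return the policy whose registryScopes cover `repository`, or None.
    Assumed precedence: an exact repository scope wins over the "*" wildcard."""
    wildcard = None
    for policy in doc.get("trustPolicies", []):
        scopes = policy.get("registryScopes", [])
        if repository in scopes:
            return policy
        if "*" in scopes:
            wildcard = policy
    return wildcard


def parse_rdns(subject):
    """Split 'O=MyOrg,ST=MyState,C=MyCountry' into {attribute: value}."""
    return dict(part.strip().split("=", 1) for part in subject.split(","))


def explain(doc, repository, cert_subject):
    """Return a specific rejection reason, or None when the signing certificate's
    subject satisfies every RDN listed in one of the policy's trusted identities."""
    policy = applicable_policy(doc, repository)
    if policy is None:
        return f'artifact "{repository}" has no applicable trust policy'
    identities = policy.get("trustedIdentities", [])
    if "*" in identities:
        return None  # any signing identity is accepted by this policy
    got = parse_rdns(cert_subject)
    for ident in identities:
        if ident.startswith("x509.subject:"):
            want = parse_rdns(ident.split(":", 1)[1])
            if all(got.get(k) == v for k, v in want.items()):
                return None
    return (f'policy "{policy["name"]}" applies to "{repository}" but signing '
            f'certificate subject "{cert_subject}" matches none of {identities}')
```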