Support signing firmware

[lulf]

No description provided.

[lulf]

Ideally this should use https://www.sigstore.dev/

CC @bobmcwhirter

[danbev]

@lulf I've written some notes for this task with some initial investigation and wondering if you be able to take a look and see if I'm on the right track with this?

[lulf]

@danbev It's a different approach to what I imagined when looking at ORAS, because one of the examples there is that you attach the signatures as a generic 'metadata' associated with the container image, instead of within the artifact itself. Bundling it as you suggest is an interesting approach as well, maybe we need to think about the pros/cons of each of those and decide if we support both or one of them, or maybe even a combination?

[danbev]

@lulf Thanks for the feedback! I'll take a closer look at the ORAS example today 👍

[danbev]

@lulf I've taken a look at using attachments and the issue I ran into previously was fixed with the latest update of oras (details are in the section linked). Is that what you hand in mind with regards to attachments?

[lulf]

@danbev Yes, I think the signature is a 'layer' with a media type and/or signature type. I think the example I looked at was this https://oras.land/cli/6_reference_types/

[danbev]

I think the example I looked at was this https://oras.land/cli/6_reference_types/

Ah thanks, I'll read through that 👍

[danbev]

@lulf
I've added a section about using references to try to understand how that works.

I've also added an alternatives section which sums up the alternative I think we have.
Do these tasks seem reasonable to you?