verifying the images by using cosign for Dockerfile FROM images

[Dentrax]

As we (@developer-guy) discussed a similar thing at containerd/nerdctl#577, @.AkihiroSuda proposed an idea to verify Dockerfile FROM images in nerdctl build and nerdctl compose up --build. We can traverse the entire base images since cosign already have a support for verifying signatures on the base images that specified in the Dockerfile.

# only verify the base image (the last FROM image)
$ cosign dockerfile verify --base-image-only <path/to/Dockerfile>

Additional Context

• WIP: Hypotenuse - a tool for extracting the base images out of a Dockerfile. sigstore/cosign#189
• https://github.com/dekkagaijin/go-dockerfile
• cosign verify-dockerfile is dangerous sigstore/cosign#648

[AkihiroSuda]

From nerdctl build (and docker buildx) perspective, modifying BuildKit is probably not necessary if we can have cosign dockerfile resolve command proposed in sigstore/cosign#707 sigstore/cosign#648 .

nerdctl build (and docker buildx build) could exec cosign dockerfile resolve to convert the Dockerfile before calling BuildKit.

[developer-guy]

cc: @dlorenc @imjasonh @n3wscott

[dlorenc]

Nice! Yeah we can fix up that command. I think it has a few issues right now.