Demo: Sign and verify container images as OCI layout directory

[yizha1]

Feature - Sign/verify local artifacts

Sign/verify container images as OCI layout directory

OCI layout is defined here

Steps:

1. Build a container image and output as OCI Image layout directory

   • Command: docker buildx build --output=type=oci,dest=alpine.tar -t alpine:v2 -f Dockerfile .
   • extract the tar file alpine.tar to a directory

2. Sign the container image, store signatures in OCI layout directory by default

   • notation sign --local-content alpine:v2
   • User can output the signature envelope to a specified file, using a flag --output
     • notation sign --local-content alpine:v2 --output ./alpine.sig

3. Use notation ls command to list the signatures

   • under development

4. Configure trust policy

   • Option1: global policy with registryScopes set to *
   • Option2: registryScopes set to localhost:5000/alphine

5. Verify the container image

   • Option1: notation verify --local-content alpine:v2
   • Option2: notation verify --local-content alpine:v2 --scope localhost:5000/alphine

Asking for feedback:

• Flag name: --local-content
• Trust policy configuration for local artifacts
• Once flag --output is used, the signature envelope is stored in a specified file, but the signature is not stored in OCI layout directory