Tentative update, IIUC:

• Signing key is optional. Needs new procedure.
• Container image signature verification policy is mandatory, even if images are not signed. If we can provide this policy as a default, we can keep it in the attestation policy module. This procedure is short but multistep, so it might make sense to break the signing key and verification policy to their own module.

Add support for signed image support when creating pod VM image.

Resources

• Google design doc
• OSC internal doc

Update (Oct 29): This task will probably require the following changes:

• Signing a container image with Cosign (new procedure module).
• Adding public key to Trustee (update Trustee secret or not?)
• Adding key to peer pods config map (Update Updating peer pods config map?)
• Creating attestation policy (update Attestation policies)
• Adding attestation policy to Trustee (update Trustee config map. (Might be a good idea to move Trustee config map so that it appears after the attestation policies)

Background

from parent epic:

• Document how to sign a container image. I think https://docs.sigstore.dev/cosign/signing/signing_with_containers/ has the best information (Jens to find out whether key is stored in Azure vault or elsewhere)
• Document how to set the public Key used in the signing to Trustee (e.g. to `kbs:///default/cosign-public-key/osc`)
• Document how to write the policy.json for the customer's use case and how to set it as a resource to `default/security-policy/osc` (or wherever) on trustee
• OSC 1.8.0 changes