Better support for images and OCI artifacts that are signed with cosign through support for copying cosign signatures and visual indication of signed images
Why is this important?
We've started to accept cosign artifact types in Quay 3.6 and we are looking at broader adoption in the future
Quay.io specifically would likely be an early adopter target for cosign signatures
Red Hat Quay customers need to be able to keep the supply chain trust based on image signatures intact when using the repo mirror feature
Scenarios
A user uploads an image to Red Hat Quay / quay.io and uses cosign to sign it. They want to verify that signing worked and want the Quay UI to show a visual indicator that the image has been signed
A user wants to mirror a repository with images signed via cosign. In order to retain the trust established by the signatures, the signatures need to be copied over to Quay as part of the repo mirror as well.
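Worked example for the mirroring scenario above (added here for illustration; this is not Quay or cosign code). It assumes cosign's default tag-based layout, where the signature for an image with digest sha256:<hex> lives in the same repository under the tag sha256-<hex>.sig (attestations use .att, SBOMs .sbom; this is what `cosign triangulate` prints). The function names, the tag listing and the digests are constructed for the example.

```python
"""Added example (not Quay or cosign project code).

Assumes cosign's default tag-based layout: the signature for an image with
digest sha256:<hex> is an OCI artifact in the same repository, tagged
"sha256-<hex>.sig" (".att" for attestations, ".sbom" for SBOMs).
"""
import re
from typing import Dict, Iterable, List, Set

# Suffixes cosign uses for tag-based discovery of signature-like artifacts.
COSIGN_SUFFIXES = (".sig", ".att", ".sbom")

_DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")
_COSIGN_TAG_RE = re.compile(r"^sha256-([0-9a-f]{64})\.(sig|att|sbom)$")


def cosign_tag(digest: str, suffix: str = ".sig") -> str:
    """Tag cosign looks up for the artifact attached to `digest`
    (the same tag `cosign triangulate` prints, minus the repository)."""
    m = _DIGEST_RE.match(digest)
    if not m:
        raise ValueError(f"not a sha256 digest: {digest!r}")
    if suffix not in COSIGN_SUFFIXES:
        raise ValueError(f"unknown cosign artifact suffix: {suffix!r}")
    return f"sha256-{m.group(1)}{suffix}"


def is_cosign_tag(tag: str) -> bool:
    """True if `tag` is a cosign signature/attestation/SBOM tag."""
    return _COSIGN_TAG_RE.match(tag) is not None


def plan_mirror(source_tags: Dict[str, str], wanted: Iterable[str]) -> Set[str]:
    """Expand the tags a mirror is configured to copy with every cosign
    artifact tag attached to those images' digests.

    source_tags maps tag -> manifest digest as listed on the source repo
    (what a registry tag listing plus a HEAD of each manifest would give).
    """
    to_copy: Set[str] = set()
    for tag in wanted:
        if tag not in source_tags:
            raise KeyError(f"tag {tag!r} not found in source repository")
        to_copy.add(tag)
        for suffix in COSIGN_SUFFIXES:
            art = cosign_tag(source_tags[tag], suffix)
            if art in source_tags:  # only copy artifacts that actually exist
                to_copy.add(art)
    return to_copy


def unsigned_after_mirror(source_tags: Dict[str, str],
                          dest_tags: Dict[str, str],
                          wanted: Iterable[str]) -> List[str]:
    """Post-mirror check: images that were signed at the source but whose
    signature tag is absent, or points at a different digest, on the
    destination. Trust was not retained for these."""
    broken = []
    for tag in wanted:
        sig = cosign_tag(source_tags[tag])
        if sig in source_tags and dest_tags.get(sig) != source_tags[sig]:
            broken.append(tag)
    return broken


# Constructed sample repository: v1.0/latest is signed and attested,
# v0.9 is unsigned. The digests are placeholders, not real images.
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
SOURCE_TAGS = {
    "v1.0": DIGEST_A,
    "latest": DIGEST_A,
    "v0.9": DIGEST_B,
    cosign_tag(DIGEST_A, ".sig"): "sha256:" + "1" * 64,
    cosign_tag(DIGEST_A, ".att"): "sha256:" + "2" * 64,
}

if __name__ == "__main__":
    # A tag filter like "v*" selects the images but not "sha256-*.sig".
    wanted = ["v1.0", "v0.9"]
    print(sorted(plan_mirror(SOURCE_TAGS, wanted)))
    naive_dest = {"v1.0": DIGEST_A, "v0.9": DIGEST_B}  # signatures dropped
    print(unsigned_after_mirror(SOURCE_TAGS, naive_dest, wanted))  # ['v1.0']
```

The point for the mirror feature: a tag filter such as v* matches the image tags but not sha256-*.sig, so signature tags have to be added explicitly and copied under their original tag name, because cosign derives that name from the digest it verifies; the image manifest itself must be copied byte for byte so the digest does not change. If cosign was configured to store signatures in a separate repository (COSIGN_REPOSITORY), that repository has to be mirrored too; this example only covers the default layout.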
Acceptance Criteria
CI - MUST be running successfully with tests automated
Release Technical Enablement - Provide necessary release enablement details and documents.
...
Dependencies (internal and external)
New UI
Previous Work (Optional):
OCI artifact enablement
Cosign type support enabled by default
Open questions:
…
Done Checklist
CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>