Signed images support

[ttttodorov]

Making sure a solution works with trusted container images is an important security aspect that has to be covered by any container management solution.

Different projects have already addressed the issue:

• moby's with Notary - obsolete v1 supported and integrated by Docker, v2 - to be scheduled for a future release if/when stable
• sigstore's Cosign - production-ready supported and integrated by different RedHat solutions

Based on the possible options and their status, Cosign can be integrated as a first step to enhance the security of the Kanto container management component for signed images support and verification.

Tasks:

• Update opencontainers/image-spec dependency #92
• Implement signed images verification #67
• Implement signed images verification through CLI and Things #130
• Implement signed images verification with certificates #97
• Provide unit tests covering signed images verification #91
• Provide user documentation for the signed images support  kanto#150

[dimitar-dimitrow]

As this task was delayed in time, here is an update for the current container image signing perspective. While the OCI image spec does not have an official 1.1.0 release, it is on it's fifth release candidate and official 1.1.0 version is expected soon. The main feature in OCI image spec 1.1.0 is to natively store, discover, and pull a graph of content(signatures, SBoM and etc.) associated with specific container images in a registry. The notary/notation-go(aka notary v2) is a library that supports Notation sign, verify, push, pull of OCI artifacts, which adopts the 1.1.0 OCI image spec.

Kanto Container Management must adhere to OCI spec and provide signed image verification using notary instead of cosign.