document and support creating "sealed" base images
We have the underlying code in ostree to create "sealed" images. However, support for this is not explicitly exposed via the container flow we have today.
This issue strongly relates to https://github.com/ostreedev/ostree-rs-ext/issues/630 and https://github.com/ostreedev/ostree-rs-ext/issues/11, which need to be fixed first, but it leads into a broader question here of how we promote this.
Aligning with the discussion in https://github.com/containers/podman-bootc/pull/28 around potentially turning bootc-image-builder into an SDK, I think we could have e.g.:
podman run -v .:/out quay.io/fedora/bootc-kit seal-image --rootfs=ephemeral-key --in quay.io/exampleuser/someos:latest --out oci:/out/sealed.oci
which would transform the image, including opinionated bits around an ephemeral key, etc.
However, even this leads to some longer term alignment we need in that we should also support signed composefs for app containers. This is more TBD; I started on https://github.com/containers/composefs/pull/286 to lead to a place where we're sharing more code between the bootc/ostree side and the containers/storage side.