POC: Cosign artifact signing with SBOM and Provenance in OCI registries

Objective

Map out and test cosign integration for artifact signing, and for signing and storing SBOMs and provenance attestations, within OCI-compatible registries.

Scope

  • Test cosign with various OCI-compatible registries:
    • GitLab Container Registry
    • DockerHub
    • JFrog Artifactory
    • Other relevant options

Tasks

  • Document cosign setup and configuration for each registry
  • Test artifact signing workflows
  • Test SBOM (Software Bill of Materials) signing and storage
  • Test Provenance signing and storage
  • Document interactions with Sigstore
  • Document storage format and details within each registry
  • Compare registry capabilities and limitations
  • Create design documentation for subsequent implementation tasks
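As an added example (not part of this issue or of cosign itself), the following POSIX shell helpers show the storage layout the tasks above will be documenting and print the cosign command sequence one registry test would exercise. The registry host, image name, digest and file names are placeholders; the key files and the `spdxjson`/`slsaprovenance` predicate types are assumptions about how the POC will be run.

```shell
#!/bin/sh
# Added example, not code from the issue or from the cosign project.
# cosign stores signing material as separate OCI artifacts in the same
# repository, tagged after the digest of the image they refer to:
#   <repo>:sha256-<hex>.sig   signature          (cosign sign)
#   <repo>:sha256-<hex>.att   attestations       (cosign attest: SBOM, provenance)
#   <repo>:sha256-<hex>.sbom  raw attached SBOM  (cosign attach sbom)
# Knowing these references lets a reviewer inspect a registry for the
# companion artifacts and compare how each registry exposes them.

# cosign_ref REPO DIGEST SUFFIX -> tag reference of the companion artifact.
# DIGEST may be passed with or without the "sha256:" prefix.
cosign_ref() {
  repo="$1"; digest="$2"; suffix="$3"
  hex="${digest#sha256:}"
  printf '%s:sha256-%s%s\n' "$repo" "$hex" "$suffix"
}

# poc_commands REPO DIGEST SBOM_FILE PROVENANCE_FILE
# Prints (does not run) the cosign invocations for one registry test, so the
# script works offline; review the output and pipe it to sh when ready.
# cosign.key / cosign.pub are assumed to exist (cosign generate-key-pair).
poc_commands() {
  repo="$1"; digest="$2"; sbom="$3"; prov="$4"
  image="${repo}@${digest}"
  cat <<EOF
cosign sign --key cosign.key ${image}
cosign attach sbom --sbom ${sbom} ${image}
cosign attest --key cosign.key --type spdxjson --predicate ${sbom} ${image}
cosign attest --key cosign.key --type slsaprovenance --predicate ${prov} ${image}
cosign verify --key cosign.pub ${image}
cosign verify-attestation --key cosign.pub --type spdxjson ${image}
cosign verify-attestation --key cosign.pub --type slsaprovenance ${image}
cosign triangulate ${image}
EOF
}

# Stand-alone demo with constructed placeholder values.
REPO="registry.example.com/group/app"
DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
echo "# companion artifacts to look for in the registry:"
for suffix in .sig .att .sbom; do
  cosign_ref "$REPO" "$DIGEST" "$suffix"
done
echo "# commands to exercise:"
poc_commands "$REPO" "$DIGEST" sbom.spdx.json provenance.json
```

Run it as `sh cosign_poc.sh` to get the references and commands for one registry; swap `REPO` for each registry under test and compare where the `.sig`, `.att` and `.sbom` tags show up in that registry's UI and API, which is the input the compatibility matrix and storage format specification need.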

Deliverables

  • Design document outlining cosign integration approach
  • Registry compatibility matrix
  • Storage format specifications
  • Sigstore interaction documentation
  • Recommendations for implementation

Notes

This issue serves as the discussion, design, and breakdown for subsequent tasks.
