Verify image signature when downloading
Some images are now signed, e.g. registry.gitlab.com/sylva-projects/sylva-elements/diskimage-builder/diskimage-builder-hardened:cosign-0.1
It would be worth to check (optionally) the signature when downloading, maybe in the script image-downloader.sh
by getting inspiration from https://gitlab.com/sylva-projects/sylva-elements/diskimage-builder/-/blob/cosign/security/cosign.md#verifying?
what do you think @mederic.deverdilhac ?
Edited by Pierrick Seite