notaryproject / notaryproject.dev

Notary Project Website

Home Page:https://notaryproject.dev


Document how to sign non-container files with Notation

FeynmanZhou opened this issue · comments

Notation supports signing non-container files, not only container images. As a user, I would like to sign a supply chain artifact (SBOM, vulnerability scanning report, etc.) associated with an image. Here is a sample use case in which both the associated SBOM and the vulnerability scanning report are signed and have their signatures, as described at https://medium.com/@vishal-chdhry/oci-references-support-in-kyverno-2e9f0a7da5c1. We need to document how to sign non-container files with Notation.


Here is an example, assuming you have installed the ORAS CLI and provisioned a container image and an SBOM file.

# Attach the SBOM file to an image
oras attach localhost:5000/net-monitor:v1 SBOM.json --artifact-type example/sbom

# Sign the digest of the attached SBOM
notation sign localhost:5000/net-monitor@sha256:6cbf7cc5ffa82b030b57ff820d49a86c143d8c6ac483b8e5eead81be8b223fc4

# View the referencing graph. We can also use notation list here
oras discover localhost:5000/net-monitor:v1 -o tree
localhost:5000/net-monitor:v1
└── example/sbom
    └── sha256:6cbf7cc5ffa82b030b57ff820d49a86c143d8c6ac483b8e5eead81be8b223fc4
        └── application/vnd.cncf.notary.signature
            └── sha256:b5f3c7d27160b760ef07aac82a0d11e34fdb560f82cfc00fbcc950e424082b88
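As an added example (not part of the issue or the Notation project), the following script walks a referrers graph like the one above and reports which attached artifacts still lack a Notary signature, so the `notation sign <repo>@<digest>` step is not forgotten for any SBOM or scan report. The nested graph structure, the `example/vuln-report` artifact type and its all-zero digest are constructed for the example; only the `example/sbom` digests are taken from the issue.

```python
from typing import Dict, Iterable, List

NOTARY_SIG = "application/vnd.cncf.notary.signature"

# Constructed sample mirroring the `oras discover -o tree` output in the issue.
# The SBOM and its signature digests are copied from the issue; the vulnerability
# report node and its placeholder digest are added here and left unsigned.
SAMPLE_GRAPH = {
    "reference": "localhost:5000/net-monitor:v1",
    "referrers": [
        {
            "artifactType": "example/sbom",
            "digest": "sha256:6cbf7cc5ffa82b030b57ff820d49a86c143d8c6ac483b8e5eead81be8b223fc4",
            "referrers": [
                {
                    "artifactType": NOTARY_SIG,
                    "digest": "sha256:b5f3c7d27160b760ef07aac82a0d11e34fdb560f82cfc00fbcc950e424082b88",
                    "referrers": [],
                }
            ],
        },
        {
            "artifactType": "example/vuln-report",  # constructed, unsigned
            "digest": "sha256:" + "0" * 64,         # placeholder digest
            "referrers": [],
        },
    ],
}


def repository(reference: str) -> str:
    """Strip a trailing tag or digest so the repo path can be reused in digest refs.
    The tag separator is the last ':' after the final '/', so a registry port is kept."""
    name = reference.split("@", 1)[0]
    slash, colon = name.rfind("/"), name.rfind(":")
    return name[:colon] if colon > slash else name


def unsigned_artifacts(graph: Dict, wanted_types: Iterable[str]) -> List[str]:
    """Return `repo@digest` references for referrers of the wanted artifact types
    that have no Notary signature attached; these are exactly the refs to sign."""
    repo = repository(graph["reference"])
    wanted = set(wanted_types)
    missing = []
    for node in graph.get("referrers", []):
        if node["artifactType"] not in wanted:
            continue
        signed = any(c["artifactType"] == NOTARY_SIG for c in node.get("referrers", []))
        if not signed:
            missing.append(f"{repo}@{node['digest']}")
    return missing
```

Each reference returned by `unsigned_artifacts` is the argument to pass to `notation sign`, exactly as the issue does for the SBOM digest.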

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.