add a command (cfsctl oci seal?) that creates an image for the named container, measures it, then records the result into a config label, producing a new container image in the process.
add a command to mount a container by its image ID, looking for the composefs verity label and opening the image via this identifier
Maybe:
when pulling an image from the repo, if it has such a label, create the image immediately and verify it as part of the pull operation. Otherwise we have to do that at mount time, which really ought to be a read-only operation.
Considerations:
do we want to add a way for splitstreams to refer to images now?
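A sketch of the seal, pull-time verify and mount-by-image-ID flow proposed above, as an added example that is not composefs or cfsctl code. The label key, the `Repo` class, the canonical-JSON config blob and the use of plain SHA-256 in place of an fs-verity measurement are all assumptions made for illustration.

```python
import hashlib
import json

LABEL = "example.composefs.verity"  # hypothetical label key, not taken from the page

def build_image(layers):
    # Stand-in for generating the composefs image from the container's layers.
    return b"".join(len(l).to_bytes(8, "big") + l for l in layers)

def measure(image):
    # Stand-in for the fs-verity measurement of the image (plain SHA-256 here).
    return hashlib.sha256(image).hexdigest()

def blob(config):
    # Assumption: the config blob is canonical JSON, so its digest is reproducible.
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()

def image_id(config):
    # An OCI image ID is the digest of the image's config blob.
    return "sha256:" + hashlib.sha256(blob(config)).hexdigest()

def seal(config, layers):
    # Record the measurement in a config label; the config changes, so the ID does too.
    sealed = json.loads(blob(config))  # deep copy
    cfg = sealed.setdefault("config", {})
    cfg["Labels"] = {**(cfg.get("Labels") or {}), LABEL: measure(build_image(layers))}
    return sealed

class Repo:
    def __init__(self):
        self.configs, self.images = {}, {}

    def pull(self, config, layers):
        # If the label is present, create and verify the image now, not at mount time.
        expected = (config.get("config", {}).get("Labels") or {}).get(LABEL)
        if expected is not None:
            image = build_image(layers)
            if measure(image) != expected:
                raise ValueError("composefs image does not match sealed measurement")
            self.images[expected] = image
        self.configs[image_id(config)] = config
        return image_id(config)

    def mount(self, iid):
        # Read-only: find the label via the image ID and open the stored image by it.
        labels = self.configs[iid].get("config", {}).get("Labels") or {}
        if LABEL not in labels:
            raise LookupError("image is not sealed")
        return self.images[labels[LABEL]]
```

Because the label lives in the config, the image ID a user mounts by commits to the measurement, and a layer set that does not reproduce that measurement is rejected during `pull` before anything is stored.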