signed.kontain.me

[imjasonh]

cosign verify signed.kontain.me/<anything> should return a valid signature for an image that otherwise doesn't exist.

To do this, it would have to:

1. resolve signed.kontain.me/<anything> to a digest, just make one up randomly and serve an empty/random manifest there
2. resolve signed.kontain.me/<anything>:sha256-<digest>.sig to a digest and serve a manifest there pointing to a blob containing the signature bytes
3. serve the blob containing the signature bytes. We can put in some fun easter eggs in the signature, as a treat.

If a user tries to pull or run the image, they'll get an empty/random signature.