Open imjasonh opened 2 years ago
cosign verify signed.kontain.me/<anything> should return a valid signature for an image that otherwise doesn't exist.
cosign verify signed.kontain.me/<anything>
To do this, it would have to:
signed.kontain.me/<anything>
signed.kontain.me/<anything>:sha256-<digest>.sig
If a user tries to pull or run the image, they'll get an empty/random signature.
cosign verify signed.kontain.me/<anything>
should return a valid signature for an image that otherwise doesn't exist.To do this, it would have to:
signed.kontain.me/<anything>
to a digest, just make one up randomly and serve an empty/random manifest theresigned.kontain.me/<anything>:sha256-<digest>.sig
to a digest and serve a manifest there pointing to a blob containing the signature bytesIf a user tries to pull or run the image, they'll get an empty/random signature.