notaryproject / notaryproject.dev

Notary Project Website
https://notaryproject.dev

created verify.md for the verification of container images #329

Closed Roseline-Bassey closed 8 months ago

Roseline-Bassey commented 1 year ago

This PR includes:

netlify[bot] commented 1 year ago

Deploy Preview for notarydev ready!

Name Link
Latest commit 866534fe00c48a378f82e9b109945a3e3c4c4046
Latest deploy log https://app.netlify.com/sites/notarydev/deploys/64dfb152836c8800082e6820
Deploy Preview https://deploy-preview-329--notarydev.netlify.app/docs/how-to/verify

FeynmanZhou commented 1 year ago

Thanks @Roseline-Bassey. You may misunderstand the intention of this doc.

As I explained in https://github.com/notaryproject/notaryproject.dev/issues/107#issuecomment-1650121464, we just need to elaborate on the verification scenarios in Kubernetes and recommend two projects to Notation CLI users on the Notary website. This doc helps users understand the scenario of verifying the image signatures before deploying images to Kubernetes and outlines our recommendations and tools on it. We could add links to the following two external docs.

We don't need to replicate the same steps from the Ratify and Kyverno websites to the Notary Project doc. Hands-on steps will be maintained on the Ratify and Kyverno sides. It avoids duplicated maintenance.

Does it make sense?

FeynmanZhou commented 1 year ago

Thanks @zr-msft for reviewing it. Let me clarify on these two questions:

@FeynmanZhou @yizha1 Is there a common repo on GHCR that we use to upload testing images for this doc?

Not yet. Users can use any OCI Spec v1.1.0 and v1.1.0 compatible registries not limited to GHCR in signing and verification. Users can create their own repos in any compatible registries for testing purposes.

@Roseline-Bassey have you tested this doc end-to-end to ensure all the commands work and the output is as expected?

I tested it when I wrote the Ratify blog post. We can skip the concerns in Notary Project doc since the hands-on steps will not be maintained in this doc as I clarified above. Thanks

zr-msft commented 11 months ago

@FeynmanZhou @yizha1 would you mind taking a look?

github-actions[bot] commented 9 months ago

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 30 days.