As a user, I want to include metadata that I can provide at time of signing. This data should be signed as well ( in addition to the image manifest) and be available for verification.
When verifying signatures, ( At build, deploy or run time) I want to get a list of the signed metadata included with the signature and use it evaluate additional decisions before using the signed image.
Intended outcome
Add CLI commands to add metadata at the point of generating signatures.
Add CLI commands to list the signed metadata at the point of verifying signatures.
When inspecting a signature, or listing its detail a user should be able to see the signed metadata included with the signature.
yizha1
commented
1 year ago
As a user, I want to include metadata that I can provide at time of signing. This data should be signed as well ( in addition to the image manifest) and be available for verification.
When verifying signatures, ( At build, deploy or run time) I want to get a list of the signed metadata included with the signature and use it evaluate additional decisions before using the signed image.
Intended outcome