The current signing method creates a tarball from the input YAML manifest / the input directory for signing, but this causes non-reproducible message serialization and makes the message annotation in the signed manifest difficult to check.
Instead, we add a new signing method which directly signs the raw YAML manifest (or the raw manifests in the directory); it is enabled by the --tarball=no option with this PR.
We deprecate the current method in the next release (v0.3.1) and it will be unavailable in v0.5.0. Once it becomes unavailable, the new signing method will be the default one.
Signed-off-by: Hirokuni-Kitahara1 hirokuni.kitahara1@ibm.com
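To show why the tarball step makes the signed message non-reproducible and why signing the raw manifest bytes avoids it, here is an added example (not code from this PR or the k8s-manifest-sigstore project). It builds two tarballs from identical manifest bytes and shows that their digests differ because tar headers carry the file mtime, so a verifier cannot rebuild the signed message from the manifest alone. It then signs the raw bytes instead, for a single manifest and for a directory of manifests. The HMAC is a stand-in for the real sigstore signature, the manifest content and key are constructed for the demo, and the per-file directory scheme is an assumption, not the project's format.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample manifest for the demo (not taken from the project).
MANIFEST = b"""apiVersion: v1
kind: ConfigMap
metadata:
  name: demo
data:
  key: value
"""

# Stand-in for the real signing key; a sigstore signature is used in practice.
KEY = b"demo-signing-key"


def tarball_bytes(name: str, content: bytes, mtime: int) -> bytes:
    """Serialize one file into a .tar.gz, as a 'tar the input, then sign' flow does."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=name)
        info.size = len(content)
        info.mtime = mtime  # tar headers record mtime, so it becomes part of the signed message
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_messages_differ(content: bytes = MANIFEST) -> bool:
    """Same manifest bytes, two tarballs built one second apart: the signed message changes."""
    d1 = sha256(tarball_bytes("manifest.yaml", content, mtime=1_700_000_000))
    d2 = sha256(tarball_bytes("manifest.yaml", content, mtime=1_700_000_001))
    return d1 != d2


def sign_raw(content: bytes, key: bytes = KEY) -> str:
    """Sign the raw manifest bytes; a verifier rebuilds the exact message from the file itself."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def verify_raw(content: bytes, signature: str, key: bytes = KEY) -> bool:
    """Recompute over the raw bytes and compare in constant time."""
    return hmac.compare_digest(sign_raw(content, key), signature)


def sign_directory(files: dict[str, bytes], key: bytes = KEY) -> dict[str, str]:
    """Directory input (assumed scheme): sign each raw manifest on its own,
    independent of archive order, ownership or timestamps."""
    return {name: sign_raw(data, key) for name, data in sorted(files.items())}


def verify_directory(files: dict[str, bytes], signatures: dict[str, str],
                     key: bytes = KEY) -> bool:
    """Every manifest in the directory must carry a valid signature over its raw bytes."""
    return all(name in signatures and verify_raw(data, signatures[name], key)
               for name, data in files.items())


if __name__ == "__main__":
    print("tarball digests differ:", tarball_messages_differ())
    sig = sign_raw(MANIFEST)
    print("raw manifest verifies:", verify_raw(MANIFEST, sig))
    print("tampered manifest verifies:", verify_raw(MANIFEST + b"# edited\n", sig))
```

The tarball case fails even though the manifest content never changed; the raw-bytes case verifies from nothing but the file on disk, which is what makes the signature checkable by a consumer that was not present at signing time.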