GKM currently promotes signing OCI images before pushing to registry, but today that is an extra step:
- Install Cosign:
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
- Sign image:
cosign sign -y quay.io/tkm/vector-add-cache@sha256:<digest>
- This step requires the user to go to a browser and enter a provide URL and then enter a returned code to the Cosign command.
Cosign supports offline container image signing. This should be added to MCV so that the signing process can be automated.
GKM currently promotes signing OCI images before pushing to registry, but today that is an extra step:
go install github.com/sigstore/cosign/v2/cmd/cosign@latestcosign sign -y quay.io/tkm/vector-add-cache@sha256:<digest>Cosign supports offline container image signing. This should be added to MCV so that the signing process can be automated.