Develop capability to cryptographically sign and verify images

[whatsacomputertho]

Overview

We are working on the ability to copy images between registries, and to/from the filesystem.

• Develop capability to copy images between registries and maintain digest integrity #12
• Develop capability to copy images to and from a directory on the filesystem #44

That would effectively serve as a python-native implementation of the skopeo copy command across combinations of the dir: and docker:// transports.

This issue will then track the implementation of a python-native implementation of...

• The skopeo standalone-sign and skopeo standalone-verify subcommands, in which the images are assumed to be on the filesystem
• The skopeo copy --sign-by option, in which the image is being copied from registry to registry

Acceptance

• It is possible to cryptographically sign an image on the filesystem using containerimage-py
• It is possible to cryptographically verify an image signature on the filesystem using containerimage-py
• It is possible to cryptographically sign an image while copying it using containerimage-py
• The usage of these new capabilities are documented
• Example scripts are written for these new capabilities
• There is unit test coverage for these new capabilities

[tarilabs]

hi, fyi, I believe Cosign has a python library iirc