sign container images after built

[developer-guy]

Description

We (w/@Dentrax) thought that it'd be nice if pack CLI has the support of signing container images right after building them without requiring any additional steps to sign container images based on cosign, a tool developed by the sigstore community that lets you sign, and verify container images according to several types of key management types, or any other signing tool.

Proposed solution

Maybe we can add additional flag to the build command in pack CLI to enable signing, it'll be look like this:

# Set default signer to the config
$ paketo config default-signer cosign

# it'll sign container image right after built
$ pack build --signer cosign <img>

Describe alternatives you've considered

Additional context

• This feature should be documented somewhere

[developer-guy]

kindly ping @samj1912

[sambhav]

Related buildpacks/rfcs#195 and #268 (comment)

@developer-guy perfect timing! We have been actively working to get cosign integration, along with sbom attestations integrated in the project! We would love to have contributors help with the implementation once RFC 195 is merged (which should happen this week or the next).

Would you and @Dentrax be interested in helping with the implementation? This would help not only pack but any buildpacks based platform so it would be a huge win.

[sambhav]

(Accidentally closed, reopened again)

[developer-guy]

OFC, we'd love to help 🤩

[Gauravkumar2701]

@developer-guy @samj1912 @Dentrax Guys I also want to work on this issue @developer-guy could you please guide me with more information.

[natalieparellano]

Closing as duplicate of #268