Content trust support #1544

Open
rmannibucau opened this issue Mar 9, 2019 · 5 comments

Comments

@rmannibucau
Contributor

Description of the issue:

Add support for signed images, aka content trust.

Expected behavior:

Add a key config in the builder to sign the image and wire it in build plugins. For Maven it will use servers typically.

Steps to reproduce:

Environment:

jib-maven-plugin Configuration:

PASTE YOUR pom.xml CONFIGURATION HERE

jib-gradle-plugin Configuration:

PASTE YOUR build.gradle CONFIGURATION HERE

Log output:

Additional Information:

@chanseokoh
Member

chanseokoh commented Mar 11, 2019

Not sure if we will look into this soon, but I have briefly gone over the Docker Content Trust (DCT) doc to see what it is, but I'm still completely lost in how exactly this can be implemented in Jib. I'd appreciate if you could give us pointers or guidance in terms of what needs to be done on the Jib side implementation-wise. Even high-level descriptions would help. Best if you can contribute to our code directly. :)

@rmannibucau
Contributor Author

I'm not fully sure of the "how" - my guess, from quickly reading the sources, is that it is mainly interacting with a notary server and signing a tag (the digest only?). The main goal is to enforce the FROM to be a signed image and let a produced image be used in a FROM in a Dockerfile using content trust.

@bademux

bademux commented Dec 16, 2021

Hi,
looks like it will be the only option to use DCT with Jib while relying on imageDigest.
It appears that docker trust sign overrides Jib's manifest,
and even more, docker pull myimage and then docker pull myimage has the same effect: imageDigest is changed (manifest.json is reformatted).
Tested with 20.10.7 and Artifactory 6.17.0

ref docker/cli#3394
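
Added example, not part of the original thread or Jib's code: a registry image digest is the SHA-256 of the exact manifest bytes, so a re-serialized manifest with identical content gets a new digest, which is the effect reported in the comment above. The manifest below is constructed, and `manifest_digest` and `classify` are hypothetical helper names.

```python
import copy
import hashlib
import json

# Constructed sample manifest (not from the issue); digests and sizes are placeholders.
MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1234, "digest": "sha256:" + "a" * 64},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 5678, "digest": "sha256:" + "b" * 64}],
}


def manifest_digest(raw: bytes) -> str:
    """Digest over the exact serialized manifest bytes, as a registry computes it."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def classify(built: bytes, served: bytes) -> str:
    """Compare the manifest a build produced with the one served after a re-push.

    identical    - same bytes, so a pinned digest still resolves
    reserialized - same JSON content, different bytes, so the digest changed
    modified     - the content itself differs (or is no longer valid JSON)
    """
    if built == served:
        return "identical"
    try:
        same_content = json.loads(built) == json.loads(served)
    except ValueError:
        return "modified"
    return "reserialized" if same_content else "modified"


# Compact serialization stands in for the manifest as originally pushed.
built = json.dumps(MANIFEST, separators=(",", ":")).encode()
# Same content, different whitespace: stands in for a reformatted manifest.json.
reformatted = json.dumps(MANIFEST, indent=3).encode()
# A changed layer reference: a real content change, for contrast.
changed = copy.deepcopy(MANIFEST)
changed["layers"][0]["digest"] = "sha256:" + "c" * 64
tampered = json.dumps(changed, separators=(",", ":")).encode()

if __name__ == "__main__":
    for name, raw in (("built", built), ("reformatted", reformatted), ("tampered", tampered)):
        print(f"{name:12} {classify(built, raw):13} {manifest_digest(raw)}")
```

A "reserialized" result means the config and layer references are unchanged, but any pin or signature recorded against the original digest no longer matches what the registry serves.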

@benruland

benruland commented Sep 20, 2023

Signing images and using technologies such as cosign / sigstore has gained a lot of popularity and adoption, driven by the need for supply-chain security. Would you reconsider prioritizing this issue?

@apakhomov

+1 for feature

@blakeli0 blakeli0 added enhancement and removed question User inquiries labels Oct 3, 2024