Signing a Docker Image without pushing to a DTR?


I want to build Docker images that we will deliver for disconnected-use customers. However, we want to “sign” these images for security purposes so that customers could validate these signed images.

I fully understand how signing works today, at least from reading the Help doc. I am curious if there is a workflow to support:

  1. Build image.
  2. Sign it.
  3. Export to a .tar.gz
  4. Customer able to import image and validate signature.

Thanks for any thoughts or guidance in this area.