I am new to container signing.
Here is what I experimented with.
- Followed instructions from the GitHub Action for `cosign` to sign container images using an OIDC token. This works. The next steps in my GH Action publish the image to GHCR.
- `docker pull` against the signed image.
- `docker trust inspect` against the signed image.
- Empty array results - see below.
 No signatures or cannot access ghcr.io/nsubrahm/image:tag
The “cannot access” part is not right since `docker pull` went through.
- Signing the container image with `cosign` and verifying the same with `docker trust inspect` - is this supposed to work?
- If not, should images signed by `cosign` be verified by
- Out of curiosity, would the other way around work too? For example, `docker trust sign` followed by
- My goal is to launch my application via `docker compose up -d` with signed container images only. Can you advise a strategy for the same, please? Or point me to resources?
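For the last question, as an added example that is not part of the original post: a POSIX shell gate that runs `cosign verify` on every image referenced in the compose file and only then calls `docker compose up -d` (cosign stores its signatures in the OCI registry next to the image, and `docker trust inspect` does not read them; it only knows Docker Content Trust/Notary metadata). It assumes cosign v2 on PATH and images signed by the GitHub Actions keyless flow; the org name, identity pattern and compose images are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: refuse `docker compose up -d`
# unless every image in the compose file carries a cosign keyless signature.
# Assumes cosign v2 on PATH and images signed by the GitHub Action keyless flow
# (identity = workflow URL, issuer = GitHub's OIDC issuer). Values are hypothetical.

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
# Hypothetical identity pattern: any workflow in the nsubrahm org, run from main.
CERT_IDENTITY_RE="${CERT_IDENTITY_RE:-^https://github.com/nsubrahm/.+/\.github/workflows/.+@refs/heads/main\$}"
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"
# Verifier invoked once per image; overridable so the gate can be exercised offline.
VERIFY_CMD="${VERIFY_CMD:-cosign verify --certificate-identity-regexp $CERT_IDENTITY_RE --certificate-oidc-issuer $OIDC_ISSUER}"

# Print each distinct image reference found in a compose file (one per line).
compose_images() {
  sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | sort -u
}

# Run the verifier on every image; return 0 only if all of them verify.
verify_images() {
  failed=0
  for img in $(compose_images "$1"); do
    if $VERIFY_CMD "$img" >/dev/null 2>&1; then
      echo "verified: $img"
    else
      echo "NOT verified: $img" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Gate: start the stack only when verification passed for every image.
main() {
  verify_images "$COMPOSE_FILE" || { echo "refusing to start: unverified image(s)" >&2; return 1; }
  docker compose -f "$COMPOSE_FILE" up -d
}
```

Append `main "$@"` to the end of the file (or source it and call `main`) to run the gate; a single unverified image aborts before anything starts.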