I am new to container signing. Here is what I experimented with:

- Followed the instructions from the GitHub Action for `cosign` to sign container images using an OIDC token. This works. The next step in my GH Action publishes the image to GHCR.
- Did `docker pull` against the signed image.
- Ran `docker trust inspect` against the signed image. Empty array results; see below.

```
[]
No signatures or cannot access ghcr.io/nsubrahm/image:tag
```

The "cannot access" part is not right, since `docker pull` went through.

My questions:

- Signing the container image with `cosign` and verifying the same with `docker trust inspect`: is this supposed to work?
- If not, should images signed by `cosign` be verified by `cosign` only?
- Out of curiosity, would the other way around work too? For example, `docker trust sign` followed by `cosign verify`.
- My goal is to launch my application via `docker compose up -d` with signed container images only. Can you advise a strategy for the same, please? Or point me to resources?
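Background for the example below: `docker trust` reads Notary v1 signing metadata from a separate Notary server, while cosign stores its signature as an OCI artifact next to the image in the same registry. The two formats are not interoperable in either direction, and GHCR does not run a Notary server, so `docker trust inspect` will never show a cosign signature; a cosign-signed image has to be checked with `cosign verify`. The following pre-flight gate is an added example (not code from the original post, the cosign project or the GitHub Action): it pulls every `image:` reference out of a compose file, runs `cosign verify` against each one with the keyless identity and issuer pinned, and only then starts `docker compose up -d`. The workflow identity `https://github.com/nsubrahm/image/.github/workflows/publish.yml@refs/heads/main` and the compose file contents are assumptions for illustration; the issuer URL is GitHub's fixed OIDC issuer for Actions.

```shell
#!/bin/sh
# Pre-flight gate for `docker compose up -d`: every image referenced in the
# compose file must carry a cosign keyless signature from the expected GitHub
# Actions workflow, otherwise compose is not started.
# Added example, not from the original post. Values marked "assumed" are
# hypothetical and must be adjusted to your own repository.
set -eu

# Expected signer identity: the SAN cosign's Fulcio certificate carries for a
# GitHub Actions job is the workflow file ref (assumed value, change to yours).
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-https://github.com/nsubrahm/image/.github/workflows/publish.yml@refs/heads/main}"
# OIDC issuer for GitHub Actions tokens; this URL is fixed by GitHub.
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://token.actions.githubusercontent.com}"

# extract_images FILE: print each `image:` reference from a compose file, one
# per line, with trailing comments and surrounding quotes stripped. Deliberately
# simple: it covers the usual `image: repo/name:tag` form, not YAML anchors or
# values built from variable substitution.
extract_images() {
  sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
    | tr -d "\"'" \
    | sed '/^$/d'
}

# verify_image IMAGE: succeeds only if the registry holds a cosign signature for
# the image whose certificate matches the pinned identity and issuer. This is
# the check `docker trust inspect` cannot perform for cosign signatures.
verify_image() {
  cosign verify \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$1" >/dev/null
}

# gate_compose FILE: verify every image in FILE; return 1 on the first image
# that fails or if the file references no images at all, so callers can chain
# `gate_compose f && docker compose -f f up -d`.
gate_compose() {
  file="$1"
  n=0
  for img in $(extract_images "$file"); do
    n=$((n + 1))
    if verify_image "$img"; then
      echo "signed   $img"
    else
      echo "UNSIGNED $img" >&2
      return 1
    fi
  done
  if [ "$n" -eq 0 ]; then
    echo "no image references found in $file" >&2
    return 1
  fi
  return 0
}

# Usage: sh gate.sh docker-compose.yml
if [ "$#" -gt 0 ]; then
  gate_compose "$1" && docker compose -f "$1" up -d
fi
```

Two notes on the design. Pinning both `--certificate-identity` and `--certificate-oidc-issuer` is what makes keyless verification meaningful: without them any Fulcio-issued certificate would satisfy the check. And setting `DOCKER_CONTENT_TRUST=1` does not help here, because that switch only enforces Notary signatures, which is exactly the format cosign does not produce; a wrapper like this one, ideally combined with digest-pinned `image:` references in the compose file, is the practical way to run `docker compose up -d` on cosign-signed images only.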