Sign attestation manifests #5

@crazy-max

With these secure reusable workflows we want to have the ability to sign the BuildKit-generated provenance and SBOM attestations. This will be a step in our reusable workflows and not part of regular builds with BuildKit.

We want signatures pushed by digest unlike cosign that pushes a tag matching the signed manifest using the format <repo>/<image>:sha256-<manifest-digest>.sig. Verification will be done using the OCI Referrers API.
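
The two discovery models contrasted above, as an added example that is not part of the issue or the project's code: the tag derived from the manifest digest versus a lookup through the OCI Referrers API. The repository names, digests and the `SIG_TYPE` artifact type are constructed placeholders, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import quote

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample values, not taken from any real registry.
SUBJECT = "sha256:" + "a" * 64
SIG_TYPE = "application/vnd.example.signature.v1+json"  # placeholder type
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "b" * 64, "size": 512,
         "artifactType": SIG_TYPE},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "c" * 64, "size": 734,
         "artifactType": "application/vnd.example.other.v1+json"},
    ],
})

def _check(digest):
    if not DIGEST_RE.match(digest):
        raise ValueError("expected sha256:<64 lowercase hex chars>")
    return digest

def cosign_sig_tag(repo, manifest_digest):
    """Tag-based model: <repo>/<image>:sha256-<manifest-digest>.sig.
    A tag is mutable, so the signature location is only a naming convention."""
    return f"{repo}:{_check(manifest_digest).replace(':', '-')}.sig"

def referrers_path(name, manifest_digest, artifact_type=None):
    """Referrers model: ask the registry what points at the subject digest."""
    path = f"/v2/{name}/referrers/{_check(manifest_digest)}"
    if artifact_type:
        path += "?artifactType=" + quote(artifact_type, safe="")
    return path

def signature_digests(index_json, artifact_type):
    """Pick signature manifests out of a referrers response (an image index).
    Filter client-side too: a registry may not apply the artifactType query."""
    manifests = json.loads(index_json).get("manifests")
    if not isinstance(manifests, list):
        raise ValueError("referrers response has no manifests list")
    return [m["digest"] for m in manifests
            if m.get("artifactType") == artifact_type
            and DIGEST_RE.match(m.get("digest", ""))]
```

Each digest returned by `signature_digests` is then fetched by digest, so the content retrieved is bound to the hash rather than to a tag name.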
