minor suggestion on tag name of signature index

[cppforlife]

while working on https://github.com/vmware-tanzu/imgpkg i've also noodled on the idea of using tags for searching related artifacts (signatures and few other things) since there is no other mechanisms available in registry APIs. i'm glad yall came to a similar conclusion :)

im curious where yall see this project head to (is it a poc)... my team have recently popped into notary OSS WG to see where the community is at with regards to an open standards for signing, so curious about your take on this.

onto minor suggestion:

i think it's worth adding cosign- prefix to sha256-... lookup tag so that it's cosign-sha256-... mostly to have some kind of namespacing between tools using similar approach for lookups.

[dlorenc]

SGTM! What do you think about using a suffix? sha256-dfasfd.cosign ?

[dlorenc]

im curious where yall see this project head to (is it a poc)... my team have recently popped into notary OSS WG to see where the community is at with regards to an open standards for signing, so curious about your take on this.

And on this question - I don't really have a great answer yet. I need to sign containers and can't really wait for nv2. I'd be happy to use nv2 or something else if handled everything this does. So, I'd like to continue to support this until/if something larger/more standardized gets adopted.

I don't want to increase the size/scope of this project too much, but if there are small things that will allow others to adopt it I'm all for that!

[jonjohnsonjr]

We've discussed a couple other approaches that might help avoid collisions, e.g. having a separate child or sibling repository that contains only signatures, or stacking all signatures onto a single tagged artifact:

Of course, both of these approaches make things slightly more complicated, but at least they don't pollute the repository with tons of tag noise... either way, I think these are stopgaps until we have a first-class mechanism for this kind of thing, at which point these can become a fallback for registries that don't support it.

[dlorenc]

I'm so excited for our glorious future of registry polyfills.

[cppforlife]

SGTM! What do you think about using a suffix? sha256-dfasfd.cosign ?

suffix also works. just wanted a good scheme for using sha256-xxx pattern collectively.

[dlorenc]

OK, added the ".cosign" suffix!