Commit graph

16 commits

Author SHA1 Message Date
Alexis Métaireau
30ec1f10e9 fixup! Download and verify cosign signatures 2025-02-25 15:44:24 +01:00
Alexis Métaireau
4073a62fd4 fixup! Download and verify cosign signatures 2025-02-25 15:44:24 +01:00
Alexis Métaireau
7f83505ae9 fixup! Download and verify cosign signatures 2025-02-25 15:44:24 +01:00
Alexis Métaireau
33ee158cf2 fixup! Download and verify cosign signatures 2025-02-25 15:44:24 +01:00
Alexis Métaireau
d5d3038bfa fixup! Download and verify cosign signatures 2025-02-25 15:44:24 +01:00
Alexis Métaireau
df3efa8157 fixup! 6aff845493 2025-02-25 15:44:08 +01:00
Alexis Métaireau
0f2d81dbd6 (WIP) some more tests 2025-02-13 19:12:25 +01:00
Alexis Métaireau
a540fc5b08 (WIP) Add tests 2025-02-12 18:23:12 +01:00
Alexis Métaireau
e078e9bb82 fixup! 1e9e468e37 2025-02-12 11:53:36 +01:00
Alexis Métaireau
1e9e468e37 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
5a4ddb17c9 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
22d235cabd fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
5001328ae9 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
db33038c23 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
6aff845493 fixup! Download and verify cosign signatures 2025-02-12 11:40:36 +01:00
Alexis Métaireau
3d28ae2eee
Download and verify cosign signatures
Signatures are stored in the OCI Manifest v2 registry [0], and are
expected to follow the Cosign Signature Specification [0].

The following CLI utilities are provided with `dangerzone-image`:

For checking new container images, upgrading them and downloading them:

- `upgrade` allows upgrading the currently installed image to the
  last one available on the OCI registry, downloading and storing the
  signatures in the process.
- `verify-local` allows verifying the currently installed image against
  downloaded signatures and public key.

To prepare and install archives on air-gapped environments:

- `prepare-archive` helps to prepare an archive to install on another
  machine
- `load-archive` helps upgrade the local image to the archive given
  as an argument.

Signatures are stored locally using the format provided by `cosign
download signature`, and the Rekor log index is used to ensure the
requested-to-install container image is fresher than the one already
present on the system.

[0] https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md
2025-02-11 19:09:53 +01:00
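
The freshness rule from the commit message above, sketched as an added example (not code from this commit or from Dangerzone): it reads entries in the JSON shape that `cosign download signature` emits and accepts a candidate image only if its Rekor log index is strictly higher than the installed one. The function names, the use of the highest index when several signatures exist, and the sample entries are assumptions; cryptographic verification of the signatures is assumed to have happened already.

```python
import base64
import json

def make_signature(digest, log_index):
    """Constructed sample entry shaped like `cosign download signature` output."""
    payload = {"critical": {"image": {"docker-manifest-digest": digest},
                            "type": "cosign container image signature"}}
    return {
        "Base64Signature": "Q09OU1RSVUNURUQ=",  # placeholder, not a real signature
        "Payload": base64.b64encode(json.dumps(payload).encode()).decode(),
        "Bundle": {"Payload": {"logIndex": log_index}},
    }

def signed_digest(sig):
    """Image digest named inside the signed (base64, JSON) payload."""
    payload = json.loads(base64.b64decode(sig["Payload"]))
    return payload["critical"]["image"]["docker-manifest-digest"]

def rekor_log_index(signatures, expected_digest):
    """Highest Rekor log index among signatures covering expected_digest."""
    indexes = []
    for sig in signatures:
        if signed_digest(sig) != expected_digest:
            raise ValueError("signature payload is for another image digest")
        bundle = sig.get("Bundle") or {}
        index = (bundle.get("Payload") or {}).get("logIndex")
        # An entry without a transparency-log bundle cannot be ordered: fail closed.
        if type(index) is not int or index < 0:
            raise ValueError("signature has no usable Rekor log index")
        indexes.append(index)
    if not indexes:
        raise ValueError("no signatures for this image")
    return max(indexes)

def is_fresher(installed_index, candidate_sigs, candidate_digest):
    """True only if the candidate was logged strictly after the installed image."""
    # Equal or lower index means a replay or a rollback to an older image.
    return rekor_log_index(candidate_sigs, candidate_digest) > installed_index
```

The comparison is only meaningful on signatures whose bundle has already been verified against the trusted public key, since an unverified `logIndex` is attacker-controlled input.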