Produce signed .NET container images

[mthalman]

Signing a container image involves using a digital signature that includes information about the image, such as its hash value, and is created using a private key. The consumer can then verify this signature using a public key from a trusted source.

This provides the following benefits:

1. Authenticity: Ensures that the image comes from a trusted source and has not been tampered with.
2. Integrity: Guarantees that the image has not been modified since it was signed.
3. Trust: Builds trust between the image publisher and the consumers of the image.

We should produce .NET container images that are signed to provide these additional benefits.

Validation would be supported via the notation CLI from the Notary project. The entire workflow of signing and validation would be the same as is described in Announcing Image Signing for Windows Containers

[mthalman]

Here's the link for how to configure the infrastructure to produce signed images: https://eng.ms/docs/more/containers-secure-supply-chain/signing (internal link).

[mthalman]

[Triage]

We should determine whether image signing will be done across all images (6.0, 7.0, 8.0) or on a version-by-version basis. Would we apply image signing to already released versions or would this be something only applied to an upcoming version (i.e. 8.0)?