Sign container images with cosign for supply-chain security

[goelakash]

The OpenSSF Scorecard flags the Signed-Releases check because published Docker images are not cryptographically signed.

Signing images with cosign (keyless, via GitHub OIDC) would allow consumers to verify image provenance (e.g. Chainguard Images uses sigstore/cosign-installer in their release workflow).

Related to #2428

[theamitmehra]

Hey, I'd love to take a stab at this. Would this be a good first contribution, or is there anything I should know about the current publish workflow before diving in?

[mathbunnyru]

Hey, I'd love to take a stab at this. Would this be a good first contribution, or is there anything I should know about the current publish workflow before diving in?

Unfortunately, I don't have any experience with signing Docker images, so I can't help here.

What I would definitely like to avoid is creating images that are not inherited from each other in terms of Docker layers.
For example, if you already pulled the latest minimal-notebook, all the layers for docker-stacks-foundation and base-notebook should be available locally, and it shouldn't repull the whole images.

This property is true right now, even for images created in PRs, because we:

• upload an image: https://github.com/jupyter/docker-stacks/blob/main/.github/workflows/docker-build-test-upload.yml#L140
• and then pull it when building any image inherited from that one: https://github.com/jupyter/docker-stacks/blob/main/.github/actions/load-image/action.yml

Signing might not change this property at all, but it's definitely something to be aware of.