Is it possible to sign and verify artifacts while pushing and pulling artifacts using sigstore?

[suzuki-shunsuke]

Thank you for the great project!
I'd like to verify artifacts using Sigstore for security.
cosign supports signing and verifying images, so I guess oras can sign and verify artifacts too.

Workaround

As a workaround, I'm signing and verifying artifacts using cosign myself.
This works fine but it would be great if oras supports the verification natively.

https://github.com/szksh-lab-2/example-oras-cosign/blob/5b64fd6e6c12285e3ab3b5c21752077516a8662d/.github/workflows/test.yaml#L35-L48
https://github.com/szksh-lab-2/example-oras-cosign/blob/5b64fd6e6c12285e3ab3b5c21752077516a8662d/.github/workflows/test.yaml#L68-L87

[Wwwsylvia]

Hi @suzuki-shunsuke , ORAS can store and manage signatures as artifacts, but it doesn’t handle signing or verification directly.
You might be interested in the Notary project, which is dedicated to signing and verifying artifacts and is backed by the oras-go SDK. /cc @shizhMSFT @FeynmanZhou

[suzuki-shunsuke]

Oh, I see. Thank you. I'll take a look at the Notary Project.