Support signing and verifying multi-platform images #1229

@FeynmanZhou


Is your feature request related to a problem?

As multi-platform images are getting more and more popular, Notation should consider a way to support signing and verifying a multi-platform image.

Multi-platform images are often published as OCI image indexes or Docker manifest lists, containing references to platform-specific images. Currently, the Notation CLI primarily focuses on signing and verifying a single image, but this approach has limitations:

  • If only the image index is signed, a compromised platform-specific image may go undetected while the signature remains valid.
  • If only platform-specific images are signed, the integrity of the image index is not assured.

Supporting signing and verification for both the image index and platform-specific images will enhance security and integrity in multi-platform deployments.

Use cases

  • Docker Official Images
    Example: docker.io/library/nginx provides multi-platform support for different CPU architectures.
    Verifying signatures before pulling images in production environments prevents supply chain attacks.

  • Kubernetes Official Images
    Example: k8s.gcr.io/kube-apiserver supports multiple architectures such as AMD64, ARM64, and PPC64LE.
    Signing ensures that all platform-specific images are verified before deployment in Kubernetes clusters.

  • Other CNCF project images
    Example: ghcr.io/ratify-project/ratify:v1.4.0 and ghcr.io/oras-project/oras:v1.3.0-beta.2 provide multiple architectures. For the ratify image signed by `notation`, you can find that only the multi-platform image (index) of the ratify image has been signed, but the platform-specific images are not signed yet. See the query result.

Here are a few users who asked for this feature:

What solution do you propose?

  • Signing Multi-Platform Images: Provide an option in Notation CLI to recursively sign a multi-platform image (index) along with its platform-specific images.
  • Verification of Multi-Platform Images:
    • Ensure that verification can check signatures for both the image index and its referenced images.
    • Introduce trust policy to enforce required signatures on either the index, platform images, or both.


What alternatives have you considered?

  • Signing only the image index: Leaves individual platform images unverified.
  • Signing only platform-specific images: Leaves the index open to manipulation.
  • Allowing configurable policy to choose signing strategy: Could provide flexibility for different security models.

Any additional context?

Open question: Should this feature allow selective signing of only the index or specific platform images? For example, users may want to sign a patched image and its index if there is a single-arch vulnerable image in a multi-platform image.
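As an added example (not Notation's own code), the index walk and trust-policy check that the proposal above describes, in Go: it parses a constructed OCI image index and reports which digests lack a trusted signature under each policy choice (index only, platform images only, or both). The `verified` oracle, the `requireIndex`/`requirePlatforms` flags and all digests are assumptions for illustration, not Notation APIs or real image hashes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal OCI image index shape: only the manifest digests the walk needs.
type ImageIndex struct {
	Manifests []struct {
		Digest string `json:"digest"`
	} `json:"manifests"`
}
// VerifyMultiPlatform walks an index and returns every digest the policy requires
// to be signed but that verified() rejects. The two flags express the issue's policy
// choice (index, platform images, or both); verified is an assumed oracle (digest -> trusted signature?).
func VerifyMultiPlatform(indexDigest string, indexJSON []byte, requireIndex, requirePlatforms bool,
	verified func(digest string) bool) (ok bool, missing []string, err error) {
	var idx ImageIndex
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return false, nil, err
	}
	if requireIndex && !verified(indexDigest) {
		missing = append(missing, indexDigest)
	}
	if requirePlatforms {
		for _, m := range idx.Manifests { // platform-specific images referenced by the index
			if !verified(m.Digest) {
				missing = append(missing, m.Digest)
			}
		}
	}
	return len(missing) == 0, missing, nil
}
// Constructed sample: an index with two platform manifests; digests are placeholders.
const SampleIndexDigest = "sha256:index-constructed"
const SampleIndexJSON = `{"manifests":[
 {"digest":"sha256:amd64-constructed","platform":{"os":"linux","architecture":"amd64"}},
 {"digest":"sha256:arm64-constructed","platform":{"os":"linux","architecture":"arm64"}}]}`
// Constructed verification outcome: index and amd64 image signed, arm64 image not.
var SampleSigned = map[string]bool{SampleIndexDigest: true, "sha256:amd64-constructed": true}
func main() {
	// Index-only policy passes, while any policy covering platform images flags arm64.
	for _, pol := range [][2]bool{{true, false}, {false, true}, {true, true}} {
		ok, missing, _ := VerifyMultiPlatform(SampleIndexDigest, []byte(SampleIndexJSON), pol[0], pol[1],
			func(d string) bool { return SampleSigned[d] })
		fmt.Printf("index=%v platforms=%v ok=%v missing=%v\n", pol[0], pol[1], ok, missing)
	}
}
```

The index-only run is exactly the situation the ratify query above illustrates: the signature on the index verifies while an unsigned platform image goes unnoticed.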
