chains
Chains should sign and attest to all Image Manifests in an Image Index
Feature request
If Chains is provided with an Image Index to sign and attest, it should recursively perform this same behavior for all referenced Image Manifests as well.
Use case
In order to improve the experience for increasing supported architectures for images, some build tasks may choose to always produce Image Index OCI artifacts even if there is only a single architecture referenced. As architectures are added to the Image Index, the Image Manifests should be signed without requiring that the specific pullspecs are included as results on the pipeline.
+1
This was discussed in chat a few days ago. The only concern raised was that this behavior should be behind a flag, at least initially.
I think that this feature should be slightly modified. It is valid to have nested image indexes. Therefore, I think that Chains should support signing/attesting all nested Image Manifests and Image Indexes.
I can update the original request if you agree that that makes sense.
It does make sense. I'd like to see this behavior in cosign itself. The CLI does have a recursive flag, but I'm not sure if this will already handle truly recursive Image Indexes or if it needs some tweaking.
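One way to perform the recursive walk proposed in this thread, descending through nested Image Indexes until every Image Manifest has been reached, written as an added example rather than code from Chains or cosign. The media types are the standard OCI ones; the `Registry` map and its `sha256:...` digests are constructed placeholders standing in for real registry lookups.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const IndexType, ManifestType = "application/vnd.oci.image.index.v1+json", "application/vnd.oci.image.manifest.v1+json"

// Node is the subset of an OCI image index or image manifest used here; only an index has "manifests".
type Node struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest,omitempty"`    // set on the descriptors listed under "manifests"
	Manifests []Node `json:"manifests,omitempty"` // descriptors: mediaType + digest of each child
}

// Registry is a constructed stand-in for a container registry, keyed by placeholder digests:
// root is an index holding an amd64 manifest plus a nested index that holds an arm64 manifest.
var Registry = map[string]string{
	"sha256:root":   `{"mediaType":"` + IndexType + `","manifests":[{"mediaType":"` + ManifestType + `","digest":"sha256:amd64"},{"mediaType":"` + IndexType + `","digest":"sha256:nested"}]}`,
	"sha256:nested": `{"mediaType":"` + IndexType + `","manifests":[{"mediaType":"` + ManifestType + `","digest":"sha256:arm64"}]}`,
	"sha256:amd64":  `{"mediaType":"` + ManifestType + `"}`,
	"sha256:arm64":  `{"mediaType":"` + ManifestType + `"}`,
}

// CollectSignable returns, depth-first, every digest that needs signing and attesting for a
// reference: the index itself, any nested indexes, and every image manifest they reach.
// An unknown media type is reported as an error rather than skipped silently.
func CollectSignable(digest string, registry map[string]string) ([]string, error) {
	raw, ok := registry[digest]
	if !ok {
		return nil, fmt.Errorf("%s: not found in registry", digest)
	}
	var n Node
	if err := json.Unmarshal([]byte(raw), &n); err != nil {
		return nil, fmt.Errorf("%s: %w", digest, err)
	}
	if n.MediaType != IndexType && n.MediaType != ManifestType {
		return nil, fmt.Errorf("%s: unexpected mediaType %q", digest, n.MediaType)
	}
	out := []string{digest}
	for _, d := range n.Manifests { // empty for an image manifest, so the recursion stops there
		sub, err := CollectSignable(d.Digest, registry)
		if err != nil {
			return nil, err
		}
		out = append(out, sub...)
	}
	return out, nil
}
```

Running `CollectSignable("sha256:root", Registry)` yields the four digests root, amd64, nested, arm64 in that order, which is the full set a signer would need to cover for the index.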