Ethan Lowman

Results 18 comments of Ethan Lowman

The input to the "verify" RPC will need the original image reference as well as the resolved descriptor. The descriptor alone does not include the registry/repository/tag.

Feedback from today's community meeting: the [remotes.Resolver](https://pkg.go.dev/github.com/containerd/containerd/remotes#Resolver)'s `Resolve` method is likely a better place to verify than in the `Fetch` method.

@Jenkins-J Yes it is. I've been attending the containerd community meetings and the guidance has been to hold off on further work on the [WIP PR](https://github.com/containerd/containerd/pull/6994) since there might need...

@tsaarni We are experimenting with an internal implementation structurally very similar to a cosign client, but indeed it would be pragmatic to have a ready-to-go cosign implementation of the plugin...

Rebased on `main` to fix the merge conflict and fixed (at least some of) the CI failures.

@abs007 The relevant code is in `repo.go`, searching for `FileIsStaged`, `Version++`, and `Version =`. We can't remove the `Version` increment completely, since it still needs to be incremented somehow when...

I think what you're describing is the same as this suggestion above:

> One option to avoid a breaking change or adding more complex APIs would be to implement them...

@asraa or @joshuagl Could you please provide a followup review when you get the chance?

One way would be to run tests on the branch itself (not a merge commit) but set up a [merge queue](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/using-a-merge-queue) to re-run CI on the simulated merge commit before...

Here is the CI run that failed: https://github.com/theupdateframework/go-tuf/actions/runs/2046098449