Sign images before upload to registry

[gl172]

Is it possible to have kpack sign the image before upload (Cosign 2.1.0 can now do this) so that when there's a policy (for example in Harbor) to not allow pull of unsigned images, then kpack can complete the build without fail.

Message received during image build with kpack when Harbor does not allow pull of unsigned images:
unable to fetch app image: GET : PROJECTPOLICYVIOLATION: The image is not signed in Cosign.

See:
Cosign 2.1.0 feature: Allow cosign to sign digests before they are uploaded. (sigstore/cosign#2959)

[tomkennedy513]

That currently isn’t possible because the upload happens as part of the lifecycle export step and signing happens after the lifecycle finishes executing in the completion step. This would only be possible if the lifecycle supported signing natively

[tomkennedy513]

Maybe kpack could attempt to do signing before it tries to retrieve the build metadata in the completion step as a way to get around this.

[fcaroline2020]

PR #1296 enables building an image in a repo with a policy that disallows pulling unsigned images. Previously this would fail in the "completion" phase with error message:

2023/07/28 16:34:59 cosign sign: unable to sign image with /var/build-secrets/cosign/tutorial-cosign-key-pair/cosign.key: accessing entity: GET registry/v2/cosign-test/my-image/manifests/latest: PROJECTPOLICYVIOLATION: The image is not signed in Notary.
This issue has now been resolved, however, if "latest" is an unsigned image in the repository, fails in the analyze stage

$ kubectl logs test-cosign-image-build-1-build-pod -c analyze
ERROR: failed to initialize analyzer: getting previous image: connect to repo store "harbor-dev.buildservice.dev/cosign-test/my-image": GET https://harbor-dev.buildservice.dev/v2/cosign-test/my-image/manifests/latest: PROJECTPOLICYVIOLATION: The image is not signed in Cosign.