
Define the Margo application image and component signing strategy #138

@ajcraig

Description
Feature description

Goal: Define the application image and component signing strategy required in Margo.

This feature is critical in a multi-vendor ecosystem and will enable trust and authenticity between the participants.

Provide adequate technical acceptance criteria associated with this feature below:

  • Define how application components are signed within Margo
    • Helm packages / compose packages
  • Define how OCI images are signed within Margo
  • Define how WFMs and Devices are able to verify the signature during application deployment
  • Define, if necessary, any Margo infrastructure required to enable this verification between vendors
  • Describe how these signatures live on even if the end user replicates the artifacts to a local repository
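The last two criteria (verification at deployment time, and signatures that survive replication to a local repository) come down to one design property: the signature is bound to the artifact's content digest, not to a tag or a registry hostname. The Go program below is an added illustration of that property and is not code from the Margo project or from cosign; it uses Ed25519 as a stand-in signing primitive (the issue does not specify an algorithm), an in-memory `Repository` as a stand-in for a registry, and stores each signature keyed by the digest it covers, which is the same idea as cosign's `sha256-<digest>.sig` convention. The same flow applies to a Helm chart archive or a compose bundle, since both are just bytes addressable by digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Digest returns the sha256 digest of an artifact in the "sha256:<hex>" form
// OCI uses. Signatures cover this value, never a tag or registry location,
// which is what lets them survive a copy to another repository.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Repository is a hypothetical in-memory model of one registry namespace:
// tags resolve to manifest bytes, and signatures live beside the content,
// keyed by the digest they cover.
type Repository struct {
	Manifests  map[string][]byte // tag -> manifest (or chart/compose bundle) bytes
	Signatures map[string][]byte // digest -> signature over the digest string
}

func NewRepository() *Repository {
	return &Repository{Manifests: map[string][]byte{}, Signatures: map[string][]byte{}}
}

// GenerateSupplierKey creates the application supplier's signing key pair.
func GenerateSupplierKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Push stores an artifact under a tag and returns its digest.
func (r *Repository) Push(tag string, manifest []byte) string {
	r.Manifests[tag] = manifest
	return Digest(manifest)
}

// Sign is the supplier-side step: sign the digest of the artifact under tag
// and attach the signature to the repository, keyed by that digest.
func (r *Repository) Sign(tag string, priv ed25519.PrivateKey) error {
	m, ok := r.Manifests[tag]
	if !ok {
		return fmt.Errorf("no artifact for tag %q", tag)
	}
	d := Digest(m)
	r.Signatures[d] = ed25519.Sign(priv, []byte(d))
	return nil
}

// Verify is the device/WFM-side step at deployment: resolve the tag to bytes,
// recompute the digest locally (never trust a digest the registry claims),
// look up the signature by that digest and check it against a public key the
// verifier already trusts. It returns the verified digest for pinning.
func (r *Repository) Verify(tag string, trusted ed25519.PublicKey) (string, error) {
	m, ok := r.Manifests[tag]
	if !ok {
		return "", fmt.Errorf("no artifact for tag %q", tag)
	}
	d := Digest(m)
	sig, ok := r.Signatures[d]
	if !ok {
		return "", errors.New("no signature attached to " + d)
	}
	if !ed25519.Verify(trusted, []byte(d), sig) {
		return "", errors.New("signature does not verify for " + d)
	}
	return d, nil
}

// Mirror copies artifacts and their signatures into the end user's local
// repository. Because signatures are keyed by digest, nothing has to be
// re-signed and the supplier's signature still verifies after the copy.
func Mirror(src, dst *Repository) {
	for tag, m := range src.Manifests {
		dst.Manifests[tag] = m
		if sig, ok := src.Signatures[Digest(m)]; ok {
			dst.Signatures[Digest(m)] = sig
		}
	}
}

func main() {
	pub, priv, _ := GenerateSupplierKey()
	vendor, local := NewRepository(), NewRepository()
	// Constructed sample manifest; a real one would be an OCI manifest or chart archive.
	vendor.Push("app:1.0", []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:aaa"}]}`))
	_ = vendor.Sign("app:1.0", priv)
	Mirror(vendor, local)
	d, err := local.Verify("app:1.0", pub)
	fmt.Println("verified from local mirror:", d, err)
}
```

The trust anchor in this model is the supplier's public key that the device or WFM already holds; distributing and rotating those keys across vendors is the "Margo infrastructure" question raised in the criteria above and is deliberately left out of the example.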

Although not required, it is highly encouraged to provide feature use cases below:

  1. Enables the end user to verify the authenticity of the application from the supplier
  2. Device to verify authenticity during deployment activities

Additional information

Discussions have taken place on this topic in various locations.

https://www.signstore.dev
https://github.com/sigstore/cosign
https://github.com/scitt-community
