Signing our container images
When we're dealing with images pulled from external registries, we have security concerns about the attack tactics that can be carried out against containers (see [1] in the Further reading section), especially masquerading techniques, with which an attacker manipulates image components so that they appear legitimate. The same result can be achieved through a man-in-the-middle (MITM) attack conducted over the wire.
To prevent these kinds of attacks while managing containers, the best solution is to use a detached image signature, which lets you trust the image provider and guarantees the image's integrity.
GNU Privacy Guard (GPG) is a free implementation of the OpenPGP standard and can be used together with Podman to sign images and to verify their signatures when they are pulled.
When an image is pulled, Podman can verify the validity of the signatures and reject images without valid...
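The pieces that workflow needs, as an added shell example that is not from the book: a policy.json that only accepts images from one registry when they carry a signature made by a known GPG key, a registries.d entry naming the signature store, and the push/pull commands. The registry host, signer address, sigstore URL and file paths are assumptions; the `podman`/`gpg` functions are only meant to be run where those tools are installed.

```shell
#!/bin/sh
# Added example, not the book's code. Assumed values: registry.example.com,
# signer@example.com and https://sigstore.example.com; replace them.
set -eu

# Export the signer's public key so the pull side can use it as a keyring.
export_pubkey() {
  signer=$1 keyring=$2
  gpg --export "$signer" > "$keyring"
}

# Write a containers-policy.json that rejects everything by default and
# accepts images from $registry only if signed by a key in $keyring.
# Install it as /etc/containers/policy.json (rootless: ~/.config/containers/).
write_policy() {
  policy_file=$1 registry=$2 keyring=$3
  cat > "$policy_file" <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$registry": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "$keyring" }
      ]
    }
  }
}
EOF
}

# Write the registries.d entry: where Podman reads detached signatures for
# this registry (sigstore) and where it stores newly created ones.
# Install it under /etc/containers/registries.d/.
write_registries_d() {
  conf_file=$1 registry=$2 sigstore_url=$3
  cat > "$conf_file" <<EOF
docker:
  $registry:
    sigstore: $sigstore_url
    sigstore-staging: file:///var/lib/containers/sigstore
EOF
}

# Push and sign in one step: Podman writes a detached GPG signature made by
# $signer into sigstore-staging; publish that directory at $sigstore_url.
sign_and_push() {
  image=$1 signer=$2
  podman push --sign-by "$signer" "$image"
}

# With the policy above installed, an unsigned or wrongly signed image from
# the configured registry is rejected at pull time.
verify_pull() {
  podman pull "$1"
}
```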