How to sign an index (manifest list)

[reasonerjt]

More specifically, when signing an index (manifest list), should all referenced artifacts be signed?

By looking at the doc, in this section:
https://github.com/notaryproject/nv2/blob/prototype-1/docs/distribution/persistance-discovery-options.md#signature-persistence---option-2a-oci-index-signing-a-multi-arch-manifest

It's not very clear to me whether the objects 6~9 are required when signing the multi-arch manifest.
I'm afraid it may generate too many indexes if we require all referenced artifacts are signed when signing an index.

On the other hand, if we only require object 2,3, it will be hard to tell if the artifact is signed, when registry receives a request to pull manifest of one particular manifest, e.g. object 4

[SteveLasker]

Hi @reasonerjt, please see the current approach for using linked artifacts to sign all content: opencontainers/artifacts#29
We've basically realized simply adding a config object to Index was both disruptive and not as scalable as we had hoped. The iterations and experiments have evolved to supporting links to existing artifacts.

[SteveLasker]

@reasonerjt, do we need this as an active issue at this point? Just dong some house cleaning.

[SteveLasker]

Closing as the current signing design will support signing any oci artifact stored in a registry.