# general
I'm wanting to start signing my docker images before publishing using cosign. Currently we run `pants publish ...`, which then packages and then publishes the images. Therefore I think I need to write a plugin that creates a new target, something like `signed_docker_image`, and then change the `package` behavior to build the docker image and then sign it. Looking for feedback on whether this seems like the correct direction, or whether there is a more native way to achieve this without a custom plugin?
I'm not too familiar with the workflow for cosign, but I think this is a reasonable way to implement this. You can have your target reference the `docker_image` target using a `SpecialCasedDependencies` field. You can then run `package` in a rule like so. A wrinkle I can see, depending on the workflow of cosign, is the semantics of having 2 targets. It might be possible to package and publish the docker image without its cosign signature being made (and pushed). It might be desirable to package images without signing them (for example, to run locally), but you'd probably want to only publish with a signature. I'm not sure of a good way to enforce that. Another wrinkle is that if you run cosign on every `package`, you might be signing images that are never pushed to a registry. I'm not sure if that's a problem; I'm not familiar with cosign.