docs: add dm-verity image layer signing

[dallasd1]

This proposal discusses adding per-layer container image signing using the PKCS#7 format. This will enable signing individual container image layers that are later verified by the kernel at runtime.

Runtime verification also depends on milestone 1 of this RFC for code integrity in containerd. At the time of writing, milestone 1.2 is in PR review and milestone 1.3 remains.

[yizha1]

Thanks @dallasd1. LGTM. The proposal strengthens the secure supply chain by extending image integrity from image pull to runtime and offline scenario. We will need to create separate issues to track additional work, such as spec releated work including the Notation CLI specs, the new signature evenlope PKCS#7, the thread model.

You will need to fix the DCO and sign the comments. You can follow this guide https://github.com/notaryproject/.github/blob/main/CONTRIBUTING.md#commit

[FeynmanZhou]

LGTM to make this proposal as the initial version. Thanks @dallasd1 .

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.22%. Comparing base (e49f07c) to head (b4efd40).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1335      +/-   ##
==========================================
+ Coverage   77.00%   79.22%   +2.21%     
==========================================
  Files          68       68              
  Lines        3853     3066     -787     
==========================================
- Hits         2967     2429     -538     
+ Misses        682      433     -249     
  Partials      204      204              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[yizha1]

Hi @NiazFK @vaninrao10 @priteshbandi @rgnote @gokarnm Would you mind take a look at this PR? Thanks.