This PR #590 adds support for validating that a shim artifact has not been corrupted using a sha256 checksum. RCM should also support signature verification to validate authorship. For example, the wasmtime shim can be verified with cosign by running
```sh
cosign verify-blob \
  --certificate containerd-shim-wasmtime-v1.pem \
  --signature containerd-shim-wasmtime-v1.sig \
  --certificate-identity https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  containerd-shim-wasmtime-v1
```
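The gap between a checksum and a signature that this issue describes, as an added Go example that is not part of the original issue or of RCM's code: a checksum served next to the artifact still matches after both are replaced, while a signature checked against a pinned key does not. All names here (`Release`, `NewKey`, `Publish`, `Substituted`) are hypothetical, and a throwaway ECDSA key is assumed in place of cosign's keyless certificate identity and OIDC issuer checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release models what a shim publisher ships (hypothetical type, not RCM's).
type Release struct {
	Artifact, Sig []byte
	Checksum      [32]byte
}

// NewKey makes a throwaway P-256 key standing in for the publisher identity (assumption).
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Publish computes the sha256 checksum and signs that digest with the publisher key.
func Publish(priv *ecdsa.PrivateKey, artifact []byte) (Release, error) {
	sum := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	return Release{Artifact: artifact, Sig: sig, Checksum: sum}, err
}

// ChecksumOK detects corruption only: the expected value travels with the artifact.
func ChecksumOK(r Release) bool {
	return sha256.Sum256(r.Artifact) == r.Checksum
}

// SignatureOK ties the artifact to the holder of the pinned public key.
func SignatureOK(pub *ecdsa.PublicKey, r Release) bool {
	sum := sha256.Sum256(r.Artifact)
	return ecdsa.VerifyASN1(pub, sum[:], r.Sig)
}

// Substituted models a replaced artifact whose checksum was regenerated to match.
func Substituted(r Release, artifact []byte) Release {
	return Release{Artifact: artifact, Sig: r.Sig, Checksum: sha256.Sum256(artifact)}
}

func main() {
	priv, _ := NewKey()
	good, _ := Publish(priv, []byte("constructed shim bytes"))
	bad := Substituted(good, []byte("constructed replacement bytes"))
	fmt.Println(ChecksumOK(good), SignatureOK(&priv.PublicKey, good), ChecksumOK(bad), SignatureOK(&priv.PublicKey, bad))
}
```

Only the signature check rejects the replaced artifact, which is why the verifier must pin the expected signer rather than trust whatever key or certificate ships beside the download.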