Lab8 submission: Basanov Maxim

[scruffyscarf]

Goal

Sign and verify container images, attach and verify attestations (SBOM/provenance), and optionally sign non-container artifacts — all locally, without code changes.

Changes

Added labs/lab4/syft/juice-shop-syft-native.json
Added labs/lab8/analysis/ref-after-tamper.txt
Added labs/lab8/analysis/ref.txt
Added labs/lab8/artifacts/sample.tar.gz
Added labs/lab8/artifacts/sample.tar.gz.bundle
Added labs/lab8/artifacts/sample.txt
Added labs/lab8/artifacts/verify-blob.txt
Added labs/lab8/attest/juice-shop.cdx.json
Added labs/lab8/attest/provenance.json
Added labs/lab8/attest/verify-provenance.txt
Added labs/lab8/attest/verify-sbom-attestation.txt
Added labs/lab8/signing/cosign.key
Added labs/lab8/signing/cosign.pub
Added labs/submission8.md

Testing

No testing

Artifacts & Screenshots

labs/lab8
├── analysis
│   ├── ref-after-tamper.txt
│   └── ref.txt
├── artifacts
│   ├── sample.tar.gz
│   ├── sample.tar.gz.bundle
│   ├── sample.txt
│   └── verify-blob.txt
├── attest
│   ├── juice-shop.cdx.json
│   ├── provenance.json
│   ├── verify-provenance.txt
│   └── verify-sbom-attestation.txt
├── registry
└── signing
    ├── cosign.key
    └── cosign.pub

Checklist

• Task 1 — Local registry, signing, verification (+ tamper demo)
• Task 2 — Attestations (SBOM or provenance) + payload inspection
• Task 3 — Artifact signing (blob/tarball)
• PR has a clear and descriptive title
• Documentation has been updated if necessary
• No sensitive data or large temporary files have been committed