
docs: add lab8 submission — signing + attestations #11

Open

Uiyrte wants to merge 1 commit into main from feature/lab8

Conversation

@Uiyrte (Owner) commented Oct 31, 2025

Goal

The goal of this lab was to implement container image security practices using Cosign for cryptographic signing and verification, establish local registry operations, and explore software supply chain security through SBOM generation and attestations. The lab focused on protecting against tag tampering, verifying image authenticity, and creating transparent build provenance.

Changes

  • Set up local Docker registry on port 5001 to host container images
  • Implemented Cosign key pair generation for cryptographic operations
  • Performed image signing and verification workflows using both keyless and key-based approaches
  • Created SBOM (Software Bill of Materials) attestations using Syft for comprehensive component inventory
  • Established provenance attestations to document build processes and environments
  • Configured secure artifact signing for non-container files and binaries

Testing

  • Verified local registry functionality by pushing and pulling juice-shop:v19.0.0 image
  • Tested Cosign signing process using generated key pairs
  • Validated signature verification with successful authentication checks
  • Confirmed SBOM generation contained complete package and dependency information
  • Tested attestation creation and verification workflows
  • Validated blob signing capabilities for non-container artifacts
  • Conducted tamper detection tests by attempting to verify modified images

Artifacts & Screenshots

  • Generated RSA key pair (cosign.key, cosign.pub) for cryptographic operations
  • SBOM JSON file (juice-shop-syft-native.json) containing complete component inventory
  • Cosign verification output showing successful signature validation
  • Local registry catalog demonstrating stored images and signatures
  • Attestation JSON files documenting build provenance and metadata
  • Signature bundles for blob artifacts and configuration files
  • Terminal output confirming all security checks and verification processes

Checklist

  • Clear title
  • Docs updated if needed
  • No secrets/large temp files
  • Task 1 — Local registry, signing, verification (+ tamper demo)
  • Task 2 — Attestations (SBOM or provenance) + payload inspection
  • Task 3 — Artifact signing (blob/tarball)
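The three tasks in this PR reduce to a few checks that are easy to take on faith when the CLI does them for you: the signature is bound to the manifest digest rather than the tag, the verifier must confirm the signed payload names the digest it just resolved, and an attestation is only meaningful for the subject digest it carries. The Go program below is an added illustration of those checks and is not part of this PR or the lab's files; it uses only the standard library so it runs offline. It assumes constructed stand-ins throughout: an in-memory `registry` in place of the localhost:5001 registry, two made-up manifests `manifestA` and `manifestB` for juice-shop:v19.0.0 and the tampered image, a freshly generated ECDSA P-256 key (the type `cosign generate-key-pair` emits by default), and a hypothetical `lab8-local` builder id in the provenance predicate. The payload layouts (cosign's simple-signing JSON, the DSSE `DSSEv1` pre-authentication encoding, the in-toto statement wrapper) follow the real formats; the helper names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ECDSA P-256 over SHA-256 (cosign's default key type); also exactly what sign-blob/verify-blob do to a file.
func sign(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err) // only if the system RNG fails
	}
	return sig
}

func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func digestOf(manifest []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(manifest)) }

// Constructed stand-in for the lab's localhost:5001 registry: tags resolve to manifest bytes; signatures are keyed by digest (cosign's sha256-<digest>.sig tag), never by tag name.
type sigEntry struct{ payload, sig []byte }
type registry struct{ tags map[string][]byte; sigs map[string]sigEntry }

// signImage mirrors `cosign sign --key`: the signed "simple signing" payload pins the manifest digest.
func (r *registry) signImage(key *ecdsa.PrivateKey, ref, tag string) {
	d := digestOf(r.tags[tag])
	payload, _ := json.Marshal(map[string]any{"critical": map[string]any{
		"identity": map[string]string{"docker-reference": ref},
		"image":    map[string]string{"docker-manifest-digest": d},
		"type":     "cosign container image signature",
	}, "optional": nil})
	r.sigs[d] = sigEntry{payload, sign(key, payload)}
}

// verifyImage mirrors `cosign verify --key`: tag -> digest -> stored signature -> check it, then check that the signed payload names this very digest (not some other image's).
func (r *registry) verifyImage(pub *ecdsa.PublicKey, tag string) error {
	d := digestOf(r.tags[tag])
	e, ok := r.sigs[d]
	if !ok || !verify(pub, e.payload, e.sig) {
		return fmt.Errorf("no valid signature stored for %s", d)
	}
	var p struct{ Critical struct{ Image map[string]string } }
	if json.Unmarshal(e.payload, &p) != nil || p.Critical.Image["docker-manifest-digest"] != d {
		return fmt.Errorf("signed payload does not pin %s", d)
	}
	return nil
}

const inToto = "application/vnd.in-toto+json"

// pae is the DSSE pre-authentication encoding that cosign attestations are signed over.
func pae(payloadType string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(body), body))
}

// attest mirrors `cosign attest --predicate`: an in-toto statement whose subject is the image digest.
func attest(key *ecdsa.PrivateKey, manifest []byte, predicateType string, predicate any) (stmt, sig []byte) {
	stmt, _ = json.Marshal(map[string]any{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"subject":       []map[string]any{{"name": "juice-shop", "digest": map[string]string{"sha256": digestOf(manifest)[7:]}}},
		"predicateType": predicateType,
		"predicate":     predicate,
	})
	return stmt, sign(key, pae(inToto, stmt))
}

// verifyAttestation checks the DSSE signature, then that the statement's subject is this image.
func verifyAttestation(pub *ecdsa.PublicKey, manifest, stmt, sig []byte) bool {
	var s struct{ Subject []struct{ Digest map[string]string } }
	return verify(pub, pae(inToto, stmt), sig) && json.Unmarshal(stmt, &s) == nil &&
		len(s.Subject) == 1 && "sha256:"+s.Subject[0].Digest["sha256"] == digestOf(manifest)
}

var manifestA, manifestB = []byte(`{"schemaVersion":2,"layers":["sha256:aaaa"]}`), []byte(`{"schemaVersion":2,"layers":["sha256:bbbb"]}`) // constructed

// runLab: sign and verify v19.0.0; retag it to other content and verify again (must fail); attest manifestA and check the attestation holds for it and not for manifestB.
func runLab() (beforeOK bool, afterErr error, attestOK, attestMoved bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // what `cosign generate-key-pair` produces
	r := &registry{tags: map[string][]byte{"v19.0.0": manifestA}, sigs: map[string]sigEntry{}}
	r.signImage(key, "localhost:5001/juice-shop", "v19.0.0")
	beforeOK = r.verifyImage(&key.PublicKey, "v19.0.0") == nil
	r.tags["v19.0.0"] = manifestB                             // tag tampering: same name, new content...
	r.sigs[digestOf(manifestB)] = r.sigs[digestOf(manifestA)] // ...even with the old signature copied over
	afterErr = r.verifyImage(&key.PublicKey, "v19.0.0")
	stmt, sig := attest(key, manifestA, "https://slsa.dev/provenance/v0.2", map[string]any{"builder": map[string]string{"id": "lab8-local"}})
	attestOK = verifyAttestation(&key.PublicKey, manifestA, stmt, sig)
	attestMoved = verifyAttestation(&key.PublicKey, manifestB, stmt, sig)
	return
}

func main() { fmt.Println(runLab()) }
```

The tamper step deliberately copies the old signature onto the new digest: the ECDSA check still passes, and it is only the payload's `docker-manifest-digest` comparison that rejects the moved tag. That is the check to look for in any verifier you write or audit, and it is why cosign signs a payload containing the digest rather than the raw manifest bytes. The attestation half shows the same binding one level up: a valid DSSE signature says nothing until the statement's subject digest is compared with the image actually being deployed.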
