Update docs for co#tegration

[a-mccarthy]

Signed-off-by: Abigail McCarthy mabigail@vmware.com

[a-mccarthy]

Setting this as draft because I still need to add screenshots.

@wy65701436 Can you review if you have some time?

I also had a few questions:

• For replication, will cosign signatures only be replicated when replicating between Harbor instances? Wanted to confirm from the proposal

• Can you have both the Notary and Cosign deployment security policy enabled? If you have both enabled, how does that work on artifacts? would they need to be signed by both?

• Notary and Cosign deployment policies are per-project. There is no system level policy, right?

[wy65701436]

we can also add comments that Harbor doesn't support cosign clean to remove signature since it has to implement tag delete API which is not required by OCI distribution spec.

[a-mccarthy]

is the tag delete API a part of cosign, or sigstore? just want to make sure i understand how its connected :)

[wy65701436]

This is what I mean, https://github.com/opencontainers/distribution-spec/blob/main/spec.md#content-management

Harbor doesn't choose to imple tag deletion, but cosign clean is using it.

[a-mccarthy]

I've updated the docs to include this information

[wy65701436]

Thanks @a-mccarthy, should we also consider to add the following?

1. We should mention that replication between Harbor instances.
2. As for the deletaion, all the signatures are associated with the subject manifest, once the subject manifest is removed, all the signatures are removed as well.
3. GC will not remove any signature individually. In other worlds, given the signature is an OCI artifact, but from the perspective of GC, it only can see the standard artifact -- the standalong artifact no matter with or without accessories.

For example, if user chooses to GC untagged artifact, and given any signature has no tag, GC will also not remove it.

5. Copy Artifact opertaion supports copy signtuare.
6. Signature does not support scanning.

[wy65701436]

Setting this as draft because I still need to add screenshots.

@wy65701436 Can you review if you have some time?

I also had a few questions:

* For replication, will cosign signatures only be replicated when replicating between Harbor instances? Wanted to confirm from the [proposal](https://github.com/goharbor/community/blob/3894bd7d858fdccbc163619d0f0fda74c302c9ce/proposals/new/cosign-integration.md#replication)

* Can you have both the Notary and Cosign deployment security policy enabled? If you have both enabled, how does that work on artifacts? would they need to be signed by both?

* Notary and Cosign deployment policies are per-project. There is no system level policy, right?

• As for the replication, singuare will be replicated to any kind of target endpoint.

1. Harbor-2-Harbor, the target Harbor will manage the link of signed artifact and its signature, user will see the relation in UI like it does in source.
2. Harbor-2-Others, the target will not. So, user will see they are two coordinate artifacts under the same repository.

• Yes, we can and it needs to be signed by both.

• Yes, no system level configuration for pull policy.

[wy65701436]

Harbor?

[wy65701436]

Do we also add reason for why？

[a-mccarthy]

i updated this

[wy65701436]

lgtm

[OrlinVasilev]

LGTM

[a-mccarthy]

Thanks for the reviews @wy65701436 and @OrlinVasilev!