use cosign v2.4.1+carbide.2 to address containerd annotation in index.json #390

Merged
merged 1 commit into from
Jan 19, 2025

Contributor

@amartin120 amartin120 commented Jan 18, 2025

Please check below, if the PR fulfills these requirements:

  • Commit(s) and code follow the repository's guidelines.
  • Test(s) have been added or updated to support these change(s).
  • Doc(s) have been added or updated to support these change(s).

Associated Links:

Types of Changes:

  • Bugfix

Proposed Changes:

  • In order to support Hauler hauls seeding RKE2 in an air-gapped installation, we needed to adjust an annotation in the image.json created by our cosign fork.

  • The annotation for the default registry needs to be docker.io instead of index.docker.io, despite them being the same thing.

Verification/Testing of Changes:

Doesn't work:

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.oci.image.index.v1+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 526,
         "digest": "sha256:c2280d2f5f56cf9c9a01bb64b2db4651e35efd6d62a54dcfc12049fe6449c5e4",
         "annotations": {
            "io.containerd.image.name": "index.docker.io/rancher/mirrored-pause:3.6",
            "kind": "dev.cosignproject.cosign/image",
            "org.opencontainers.image.ref.name": "rancher/mirrored-pause:3.6"
         }
      }
   ]
}

Works:

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.oci.image.index.v1+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 526,
         "digest": "sha256:c2280d2f5f56cf9c9a01bb64b2db4651e35efd6d62a54dcfc12049fe6449c5e4",
         "annotations": {
            "io.containerd.image.name": "docker.io/rancher/mirrored-pause:3.6",
            "kind": "dev.cosignproject.cosign/image",
            "org.opencontainers.image.ref.name": "rancher/mirrored-pause:3.6"
         }
      }
   ]
}

Additional Context:

  • Libraries like github.com/google/go-containerregistry default to index.docker.io when parsing an image reference. This behavior originates from historical conventions tied to Docker Hub's full domain name (index.docker.io), which was explicitly used in the early days of Docker.

  • Why index.docker.io in go-containerregistry?

    • Historical Naming:
      Docker Hub was initially identified as index.docker.io, and this full domain persisted in older tooling and libraries.
      While docker.io became the shorthand, index.docker.io remained the "canonical" name in certain libraries and APIs.
    • Standardized Parsing:
      The go-containerregistry library adheres to a stricter parsing approach, considering the full domain name (index.docker.io) rather than relying on the default alias docker.io.
      This avoids ambiguities when working with other registries or configurations that might not alias docker.io correctly.
    • Compatibility with OCI Image Spec:
      The library prioritizes adherence to the OCI image spec, where fully qualified references are preferred.
      Using index.docker.io ensures an explicit, unambiguous reference to the Docker Hub.
  • Impact on containerd and Similar Tools:

    • When using go-containerregistry or similar libraries, the explicit reference to index.docker.io might cause issues with tools like containerd that do not treat index.docker.io as a default alias for docker.io.
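
Added example, not part of the PR and not code from Hauler or the cosign fork: a standard-library Go check that finds `io.containerd.image.name` annotations in an OCI `index.json` that still carry the `index.docker.io/` host and rewrites them to `docker.io/`, the form shown under "Works" above. The function name `NormalizeIndex` and the sample index (including its second, non-Docker-Hub entry) are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Annotation key and registry hosts as they appear in the PR description.
const (
	nameKey    = "io.containerd.image.name"
	legacyHost = "index.docker.io/" // trailing slash: match the host exactly
	shortHost  = "docker.io/"
)

// sampleIndex is constructed: entry 1 mirrors "Doesn't work", entry 2 is a made-up private image.
const sampleIndex = `{"schemaVersion": 2, "manifests": [
 {"size": 526, "annotations": {"io.containerd.image.name": "index.docker.io/rancher/mirrored-pause:3.6"}},
 {"size": 1, "annotations": {"io.containerd.image.name": "registry.example.com/app:1.0"}}]}`

// NormalizeIndex rewrites legacy-host name annotations; returns new JSON and the names changed.
func NormalizeIndex(raw []byte) ([]byte, []string, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // re-encode "size" exactly as it was read
	var idx map[string]any
	if err := dec.Decode(&idx); err != nil {
		return nil, nil, fmt.Errorf("parse index.json: %w", err)
	}
	manifests, _ := idx["manifests"].([]any)
	var changed []string
	for _, m := range manifests {
		desc, _ := m.(map[string]any)
		ann, _ := desc["annotations"].(map[string]any)
		name, ok := ann[nameKey].(string)
		if !ok || !strings.HasPrefix(name, legacyHost) {
			continue // no annotation, or not the legacy Docker Hub host
		}
		ann[nameKey] = shortHost + strings.TrimPrefix(name, legacyHost)
		changed = append(changed, name)
	}
	out, err := json.MarshalIndent(idx, "", "   ")
	return out, changed, err
}

func main() {
	out, changed, err := NormalizeIndex([]byte(sampleIndex))
	fmt.Printf("rewrote %d annotation(s): %v (err=%v)\n%s\n", len(changed), changed, err, out)
}
```

Running it a second time on its own output reports no changes, which makes it usable as a pre-import check on a haul before it is loaded into containerd.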

@zackbradys zackbradys added bug Something isn't working size/S Denotes an issue/PR requiring a relatively small amount of work labels Jan 18, 2025
@zackbradys zackbradys added this to the Hauler v1.2-next1 milestone Jan 18, 2025
Member

@zackbradys zackbradys left a comment

@zackbradys zackbradys merged commit ec9ac48 into hauler-dev:main Jan 19, 2025
2 checks passed
@amartin120 amartin120 deleted the cosign-bump branch January 21, 2025 14:06
Labels
bug Something isn't working size/S Denotes an issue/PR requiring a relatively small amount of work
Projects
Status: Resolved
2 participants