To ensure images are not modified after being pushed, you can now sign an image in OCI Registry using master encryption keys stored in OCI Vault. You can view signatures and verify the image signatures have not changed, ensuring the integrity of the image has not been compromised.
You can also configure OCI Container Engine for Kubernetes with a cluster-specific policy to allow only container images in OCI Registry that have been signed by particular master encryption keys to be deployed to a cluster. Images without the correct signature will be denied.
For more information see: