Open ralphbean opened 1 year ago
Thanks for your report.
Currently (with a use-sigstore-attachments opt-in) we read data from the .sig tag; not from the .att nor .sbom tags used here.
Adding the other ones seems reasonable short-term (or maybe we should just wait for https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers or at least the intermediate referrers compat API?).
We would need to figure out how to opt-in; is that a global property per-repo or per operation?
Either way, this would almost all happen in c/image, so moving there.
It would be nice if skopeo copy supported the naming convention used by cosign triangulate to additionally copy cosign artifacts when copying an image.

Related: https://blog.sigstore.dev/cosign-image-signatures-77bab238a93/
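
To make the naming convention discussed in this thread concrete, here is an added example (not code from the issue, skopeo, c/image or cosign) that derives the .sig, .att and .sbom companion tags for a digest-pinned reference, using cosign's `sha256-<hex>.<suffix>` tag layout. The function name `companion_tags` and the sample reference are assumptions made for illustration.

```python
import re

# Suffixes cosign appends to the digest-derived tag (signature, attestation, SBOM).
COSIGN_SUFFIXES = ("sig", "att", "sbom")

_DIGEST_REF = re.compile(r"^(?P<name>[^@]+)@(?P<algo>sha256):(?P<hex>[0-9a-f]{64})$")


def companion_tags(image_ref: str) -> dict[str, str]:
    """Map a digest-pinned image reference to its cosign companion tags.

    'repo[:tag]@sha256:<hex>' -> {'sig': 'repo:sha256-<hex>.sig', ...}
    (hypothetical helper, written for this example)
    """
    m = _DIGEST_REF.match(image_ref)
    if m is None:
        # Without a digest the tag names cannot be computed offline.
        raise ValueError("reference must be pinned by digest: name@sha256:<64 hex>")
    name = m.group("name")
    # Drop an optional ':tag' but keep a registry port such as 'host:5000/...'.
    last_segment = name.rsplit("/", 1)[-1]
    if ":" in last_segment:
        name = name[: name.rindex(":")]
    tag_base = f"{m.group('algo')}-{m.group('hex')}"
    return {s: f"{name}:{tag_base}.{s}" for s in COSIGN_SUFFIXES}


# Constructed sample reference (not taken from the issue).
SAMPLE = "registry.example:5000/team/app:1.2@sha256:" + "ab" * 32

if __name__ == "__main__":
    for kind, ref in companion_tags(SAMPLE).items():
        print(kind, ref)
```

Each derived tag is only a candidate: a copy tool would still have to check that the tag exists in the source repository, since an image may carry a signature without an attestation or SBOM.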