Using artifactType to identify the signature type while pushing

[MinerYang]

Is your feature request related to a problem?

Would notation consider to wrap the application/vnd.cncf.notary.signature from config.MediaType to artifactType field in the signature manifest to better utilize oci-spec v1.1

• Current behavior Signature manifest would looks like below:

  {
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
  "mediaType": "application/vnd.cncf.notary.signature",
  "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
  "size": 2
  },
  "layers": [
  {
    "mediaType": "application/jose+json",
    "digest": "sha256:fb748695cc875eeec78c644d5346e560bfd84782bc1f4ff914d9e970792430d4",
    "size": 2121
  }
  ],
  "subject": {
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "digest": "sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7",
  "size": 524
  },
  "annotations": {
  "io.cncf.notary.x509chain.thumbprint#S256": "[\"0f653b1a75d8fe98fcb04dd73aab8a00c746985f2aafa427a04ace1b5adb2822\"]",
  "org.opencontainers.image.created": "2024-06-18T08:24:22Z"
  }
  }

What solution do you propose?

• Expected behavior Using artifactType in signature manifest to specify sig type

  {
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "artifactType": "application/vnd.cncf.notary.signature",
  "config": {
  "mediaType": "application/vnd.oci.image.config.v1+json",
  "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
  "size": 2
  },
  "layers": [
  {
    "mediaType": "application/jose+json",
    "digest": "sha256:fb748695cc875eeec78c644d5346e560bfd84782bc1f4ff914d9e970792430d4",
    "size": 2121
  }
  ],
  "subject": {
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "digest": "sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7",
  "size": 524
  },
  "annotations": {
  "io.cncf.notary.x509chain.thumbprint#S256": "[\"0f653b1a75d8fe98fcb04dd73aab8a00c746985f2aafa427a04ace1b5adb2822\"]",
  "org.opencontainers.image.created": "2024-06-18T08:24:22Z"
  }
  }

What alternatives have you considered?

While notation verify server/registry compatible with oci-spec 1.1 and referrer-api available, render signature manifest with Subject and artifactType fields.

Any additional context?

notaion version

Version:     1.2.0-alpha.1
Go version:  go1.22.4
Git commit:  2f4387276b4a73fb4b81f9499afe0aa156b56218

[yizha1]

The Notary Project specification work is tracked by issue https://github.com/notaryproject/specifications/issues/295