openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0
108 stars, 21 forks

VEX documents in an image manifest #124

Closed RealHarshThakur closed 11 months ago

RealHarshThakur commented 11 months ago

Docker builds are storing SBOMs and attestations in an image manifest as described here in the OCI spec. I wonder if we can store the VEX documents in the same manifest as new layers. Doing this can allow for attestations to be in a single image manifest, which will help build tooling on top with a single workflow.

puerco commented 11 months ago

Hey @RealHarshThakur, vexctl already supports attesting OpenVEX documents and attaching them to images in OCI registries (see vexctl attest --attach). We use the sigstore tooling under the hood.

RealHarshThakur commented 11 months ago

@puerco I mean, can we store the VEX documents as an image manifest similar to how a "docker build" produces it right now? It seems like vexctl is currently storing the VEX documents in a sha256-hash.att image tag rather than an image manifest.

puerco commented 11 months ago

The attestations are designed to be added to the att bundle where cosign can find, download and verify them, so this is how we'll keep doing it by default at least. What's the use case?

RealHarshThakur commented 11 months ago

For VEX documents that are constantly being added, it may get tricky to store them as image manifest. After having a chat with OCI spec maintainers, it looks like referrers API is the way to go. Similar to how cosign has this:

COSIGN_EXPERIMENTAL=1 cosign sign --allow-insecure-registry --registry-referrers-mode=oci-1-1

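The thread contrasts three ways of associating VEX or attestation material with an image: the cosign tag convention (`sha256-<hex>.att`) that `vexctl attest --attach` relies on, the attestation manifest that `docker build` places inside the image index, and the OCI 1.1 referrers API. The following Python is an added example written for this page, not code from vexctl, cosign or BuildKit; the image index, the referrers response, the digests and the `application/vnd.openvex+json` artifact type are all constructed sample data and assumptions, not values from any real registry.

```python
"""Locate attestation material for an OCI image under the three layouts
discussed in the thread. All sample data below is constructed."""
import re
from typing import List, Optional
from urllib.parse import quote

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed digests: a platform image, its BuildKit attestation manifest
# and two referrer artifacts. None of these exist in a real registry.
IMAGE_DIGEST = "sha256:" + "11" * 32
BUILDKIT_ATT_DIGEST = "sha256:" + "22" * 32
VEX_REFERRER_DIGEST = "sha256:" + "33" * 32
SBOM_REFERRER_DIGEST = "sha256:" + "44" * 32

# Assumed artifact type for an OpenVEX referrer (hypothetical, not a
# registered media type taken from the page).
OPENVEX_ARTIFACT_TYPE = "application/vnd.openvex+json"

# Constructed image index in the shape `docker build` emits: the attestation
# manifest is a second entry with platform unknown/unknown and
# vnd.docker.reference.* annotations pointing back at the platform image.
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": IMAGE_DIGEST, "size": 1234,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": BUILDKIT_ATT_DIGEST, "size": 567,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": IMAGE_DIGEST}},
    ],
}

# Constructed referrers API response: an image index whose descriptors carry
# artifactType, as the OCI distribution spec 1.1 defines.
SAMPLE_REFERRERS = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": VEX_REFERRER_DIGEST, "size": 890,
         "artifactType": OPENVEX_ARTIFACT_TYPE},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": SBOM_REFERRER_DIGEST, "size": 901,
         "artifactType": "application/spdx+json"},
    ],
}


def cosign_tag(digest: str, suffix: str = "att") -> str:
    """Tag under which cosign parks a signature (.sig) or attestation bundle
    (.att) beside an image: the 'sha256-hash.att' tag the thread mentions.
    Rejects anything that is not a well-formed sha256 digest so a bad input
    cannot silently produce a tag that points nowhere."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    algo, hexpart = digest.split(":", 1)
    return f"{algo}-{hexpart}.{suffix}"


def find_attestation_manifests(index: dict, subject_digest: str) -> List[str]:
    """Digests of BuildKit-style attestation manifests in an image index that
    point at subject_digest via the vnd.docker.reference.* annotations."""
    found = []
    for desc in index.get("manifests", []):
        ann = desc.get("annotations") or {}
        if (ann.get("vnd.docker.reference.type") == "attestation-manifest"
                and ann.get("vnd.docker.reference.digest") == subject_digest):
            found.append(desc["digest"])
    return found


def referrers_url(registry: str, repo: str, digest: str,
                  artifact_type: Optional[str] = None) -> str:
    """OCI distribution 1.1 referrers endpoint for a digest:
    GET /v2/<name>/referrers/<digest>[?artifactType=<type>]."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    url = f"https://{registry}/v2/{repo}/referrers/{digest}"
    if artifact_type:
        url += "?artifactType=" + quote(artifact_type, safe="")
    return url


def filter_referrers(response: dict, artifact_type: str) -> List[str]:
    """Client-side filter of a referrers response by artifactType; needed
    because a registry may ignore the query parameter and return everything."""
    return [d["digest"] for d in response.get("manifests", [])
            if d.get("artifactType") == artifact_type]


if __name__ == "__main__":
    print(cosign_tag(IMAGE_DIGEST))
    print(find_attestation_manifests(SAMPLE_INDEX, IMAGE_DIGEST))
    print(referrers_url("registry.example", "org/app", IMAGE_DIGEST,
                        OPENVEX_ARTIFACT_TYPE))
    print(filter_referrers(SAMPLE_REFERRERS, OPENVEX_ARTIFACT_TYPE))
```

The client-side filter matters in practice: the referrers spec allows a registry to ignore the `artifactType` query, so a verifier that trusts the server to have filtered can end up treating an SBOM descriptor as a VEX document.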
puerco commented 11 months ago

Yep, that's where we are heading. Once 1.1 is released and cosign moves we'll also inherit it.

Should we close this then?

RealHarshThakur commented 11 months ago

yep, thanks!