The OCI spec defines the use of annotations to contain arbitrary metadata. While cosign supports creating key, value pairs when signing, these are added into the optional section and therefore will not be easily discovered by any tooling that is looking at annotations directly.
In order to enable annotations to be applied to the generated OCI artifacts to maintain consistency with the signed ones, cosign should support the addition of the following annotations for both signatures and attestations:
Description
The OCI spec defines the use of annotations to contain arbitrary metadata. While
cosign
supports creating key, value pairs when signing, these are added into theoptional
section and therefore will not be easily discovered by any tooling that is looking at annotations directly.In order to enable annotations to be applied to the generated OCI artifacts to maintain consistency with the signed ones,
cosign
should support the addition of the following annotations for both signatures and attestations: