sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Enable annotations to be set on attestations and signatures when OCI artifacts are uploaded #3640

Open arewm opened 3 months ago

arewm commented 3 months ago

Description

The OCI spec defines the use of annotations to contain arbitrary metadata. While cosign supports creating key, value pairs when signing, these are added into the optional section and therefore will not be easily discovered by any tooling that is looking at annotations directly.

In order to enable annotations to be applied to the generated OCI artifacts to maintain consistency with the signed ones, cosign should support the addition of the following annotations for both signatures and attestations:

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:e7a5e4c881a175fcc603b868322a63e74e5c9ee39ba4008972d64fe91f63f353",
    "size": 7659
  },
  "layers": [
    [...]
  ],
  "annotations": {
    "org.opencontainers.image.base.digest": [...], [...]
  }
}
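To make the distinction in the request concrete, here is an added Python example (not cosign's code and not from the issue author) that contrasts the two places metadata can live: the `optional` section of the signed simple-signing payload, which is what `cosign sign -a key=value` populates today, and the `annotations` map on the signature artifact's OCI manifest, which is what registry tooling inspects. The media types and the `dev.cosignproject.cosign/signature` layer annotation follow cosign's conventions; every digest, size and signature value is a constructed placeholder, and `promote_optional_to_annotations` is a hypothetical illustration of the upload-time behaviour the issue asks for, not an existing cosign feature.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample: the "simple signing" payload that cosign signs when the
# caller passes key/value pairs with -a. Those pairs are stored under
# "optional", inside the signed blob, so they are covered by the signature
# but invisible to tooling that only reads manifest annotations.
BASE_DIGEST = "sha256:" + "cd" * 32  # constructed placeholder, not a real image
SIMPLE_SIGNING_PAYLOAD = json.dumps({
    "critical": {
        "identity": {"docker-reference": "registry.example/app"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {"org.opencontainers.image.base.digest": BASE_DIGEST},
})

# Constructed sample: the OCI manifest of the uploaded signature artifact.
# Its top-level "annotations" map is empty, which is the situation the issue
# describes.
SIGNATURE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:" + "ef" * 32,
        "size": 233,
    },
    "layers": [{
        "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
        "digest": "sha256:" + "01" * 32,
        "size": 250,
        "annotations": {"dev.cosignproject.cosign/signature": "<base64-signature-placeholder>"},
    }],
    "annotations": {},
})

# What a registry-side policy check expects to find on the manifest itself.
REQUIRED_ANNOTATIONS = {"org.opencontainers.image.base.digest": BASE_DIGEST}


def payload_optional(payload_json: str) -> Dict[str, str]:
    """Key/value pairs cosign placed in the signed payload's "optional" section."""
    return dict(json.loads(payload_json).get("optional") or {})


def manifest_annotations(manifest_json: str) -> Dict[str, str]:
    """Annotations on the OCI manifest, which is what registry tooling inspects."""
    return dict(json.loads(manifest_json).get("annotations") or {})


def missing_annotations(manifest_json: str, required: Dict[str, str]) -> List[str]:
    """Required annotation keys absent from, or carrying a different value on, the manifest."""
    present = manifest_annotations(manifest_json)
    return sorted(key for key, value in required.items() if present.get(key) != value)


def promote_optional_to_annotations(payload_json: str, manifest_json: str) -> str:
    """Hypothetical upload-time step: copy the payload's "optional" pairs onto the manifest."""
    manifest = json.loads(manifest_json)
    annotations = dict(manifest.get("annotations") or {})
    annotations.update(payload_optional(payload_json))
    manifest["annotations"] = annotations
    return json.dumps(manifest, sort_keys=True)


def annotations_agree_with_payload(payload_json: str, manifest_json: str) -> bool:
    """True when every manifest annotation that also appears in the signed payload matches it.

    Manifest annotations are not covered by the signature over the payload, so
    a verifier should treat the payload value as authoritative and a mismatch
    as tampering or misconfiguration.
    """
    signed = payload_optional(payload_json)
    present = manifest_annotations(manifest_json)
    return all(signed[key] == value for key, value in present.items() if key in signed)


def manifest_digest(manifest_json: str) -> str:
    """sha256 digest over these exact manifest bytes, as a registry would compute it."""
    return "sha256:" + hashlib.sha256(manifest_json.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("optional section:", payload_optional(SIMPLE_SIGNING_PAYLOAD))
    print("manifest annotations:", manifest_annotations(SIGNATURE_MANIFEST))
    print("missing before:", missing_annotations(SIGNATURE_MANIFEST, REQUIRED_ANNOTATIONS))
    annotated = promote_optional_to_annotations(SIMPLE_SIGNING_PAYLOAD, SIGNATURE_MANIFEST)
    print("missing after:", missing_annotations(annotated, REQUIRED_ANNOTATIONS))
    # Adding annotations changes the manifest digest but not the signed payload.
    print("digest changed:", manifest_digest(annotated) != manifest_digest(SIGNATURE_MANIFEST))
```

The digest comparison at the end is the caveat worth keeping in mind when evaluating this request: manifest annotations make the metadata discoverable, but they change the signature artifact's manifest digest and are not themselves covered by the signature over the payload. A consumer that wants both discoverability and integrity should keep reading the `optional` section as the signed source of truth and, as `annotations_agree_with_payload` does, reject a manifest whose annotations disagree with it.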