Why not using an empty configuration for the signature on OCI 1.1?

sigstore / cosign

Code signing and transparency for containers and binaries

Apache License 2.0

4.4k stars 541 forks source link

Why not using an empty configuration for the signature on OCI 1.1? #3750

Open Silvanoc opened 3 months ago

Silvanoc commented 3 months ago

Question

From what I see, the configuration file of the referrer containing the signature in OCI 1.1 format is needless. Why not using an empty one then, as foreseen by the spec? Please see here for guidance for an empty configuration.

The artifact is nevertheless not valid for container images, so keeping the configuration file for compliance with them is worthless.

Silvanoc commented 3 months ago

After looking at the part of the specification about "artifact usage", I am unsure if using an empty config ({}) with a media type other than application/vnd.oci.empty.v1+json (since that is the way cosign specifies the artifact type) is allowed. I'll try to clarify it.