dlorenc
Was that last commit an accident? It looks like it was supposed to go here: https://github.com/notaryproject/artifacts/tree/prototype-2
I really really like this. Pretty much every usage of "OCI Artifacts" I've seen so far has been to upload a single layer blob with some config. It would be...
I can't actually find any Artifact examples that use more than one layer. Helm mentions using a second layer for signatures/provenance in their HIP, but I can't find anything else...
Sorry I'll get to this one this week!
> My preference would be to rename the existing SANs to be platform-agnostic, rather than register new OIDs

Either works for me. Renaming is simpler, no idea if that's frowned...
This sounds good! I think we should probably get a document started for these new claims. Do you want to track them here @fkorotkov? Or we could use markdown in...
Do we have enough of a set of claims that we can try to add this one?
Hey! Unfortunately we don't support this today, you can see some of the discussion over at #60. There are a lot of caveats involved in the way digests get calculated...
> @dlorenc would it be enough to accept an image reference with a digest (vs a tag) without querying a registry to lookup that digest?

I think some logic would...
Just to make sure I understand, the annotations don't make it into the attestation, they're stored separately on the OCI object right?