
Using artifactType to identify the signature type while pushing

Open MinerYang opened this issue 8 months ago • 1 comments

Is your feature request related to a problem?

Would notation consider wrapping the application/vnd.cncf.notary.signature from config.MediaType into the artifactType field in the signature manifest to better utilize oci-spec v1.1?

  • Current behavior: the signature manifest looks like below:
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.cncf.notary.signature",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2
  },
  "layers": [
    {
      "mediaType": "application/jose+json",
      "digest": "sha256:fb748695cc875eeec78c644d5346e560bfd84782bc1f4ff914d9e970792430d4",
      "size": 2121
    }
  ],
  "subject": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "digest": "sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7",
    "size": 524
  },
  "annotations": {
    "io.cncf.notary.x509chain.thumbprint#S256": "[\"0f653b1a75d8fe98fcb04dd73aab8a00c746985f2aafa427a04ace1b5adb2822\"]",
    "org.opencontainers.image.created": "2024-06-18T08:24:22Z"
  }
}

What solution do you propose?

  • Expected behavior: use artifactType in the signature manifest to specify the signature type
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "artifactType": "application/vnd.cncf.notary.signature",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2
  },
  "layers": [
    {
      "mediaType": "application/jose+json",
      "digest": "sha256:fb748695cc875eeec78c644d5346e560bfd84782bc1f4ff914d9e970792430d4",
      "size": 2121
    }
  ],
  "subject": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "digest": "sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7",
    "size": 524
  },
  "annotations": {
    "io.cncf.notary.x509chain.thumbprint#S256": "[\"0f653b1a75d8fe98fcb04dd73aab8a00c746985f2aafa427a04ace1b5adb2822\"]",
    "org.opencontainers.image.created": "2024-06-18T08:24:22Z"
  }
}

What alternatives have you considered?

When notation verifies that the server/registry is compatible with oci-spec 1.1 and the referrer-api is available, render the signature manifest with Subject and artifactType fields.

Any additional context?

notation version

Version:     1.2.0-alpha.1
Go version:  go1.22.4
Git commit:  2f4387276b4a73fb4b81f9499afe0aa156b56218

MinerYang, Jun 18 '24 09:06
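A consumer that has to recognize signature manifests in both the current and the proposed layout can resolve the type with a fallback, as in this added example (not code from notation or from the issue author). The helper names are hypothetical, the embedded manifests are trimmed copies of the two in the issue, and preferring artifactType over config.mediaType is an assumption modeled on how OCI v1.1 referrers listings derive a descriptor's artifactType.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const notarySigType = "application/vnd.cncf.notary.signature" // value from the issue
// Trimmed copies of the issue's two manifests (layers, annotations, sizes omitted).
const subject = `"subject":{"digest":"sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"}`
const currentLayout = `{"config":{"mediaType":"application/vnd.cncf.notary.signature"},` + subject + `}`
const proposedLayout = `{"artifactType":"application/vnd.cncf.notary.signature",` +
	`"config":{"mediaType":"application/vnd.oci.image.config.v1+json"},` + subject + `}`

type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
}

type manifest struct {
	ArtifactType string      `json:"artifactType"`
	Config       descriptor  `json:"config"`
	Subject      *descriptor `json:"subject"`
}

// effectiveArtifactType (hypothetical) prefers artifactType, else config.mediaType.
func effectiveArtifactType(raw string) (string, error) {
	var m manifest
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return "", fmt.Errorf("parse manifest: %w", err)
	}
	if m.Subject == nil || m.Subject.Digest == "" {
		return "", fmt.Errorf("no subject: manifest is not attached to an artifact")
	}
	if m.ArtifactType != "" {
		return m.ArtifactType, nil
	}
	return m.Config.MediaType, nil
}

// isNotarySignature reports whether raw is a signature manifest in either layout.
func isNotarySignature(raw string) bool {
	t, err := effectiveArtifactType(raw)
	return err == nil && t == notarySigType
}

func main() {
	fmt.Println(isNotarySignature(currentLayout), isNotarySignature(proposedLayout))
}
```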