ratify
Support Cosign OCI 1.1 signatures
What would you like to be added?
Currently, Cosign defaults to using a single image tagged with the sha of the reference image with a postfix of `.sig`. All signatures exist in the same artifact manifest, and the artifact is updated with new signatures. Now that OCI 1.1 is GA, the cosign community will shift to using referrers as the standard (timeline is unknown).
This changes how Ratify is considering multiple signature policies in the workstream #1166. Ratify must support both standards concurrently and have a good experience for signature policy config.
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this feature?
- [X] Yes, I am willing to implement it.
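
The two signature locations described in this issue, as an added sketch that is not Ratify's or cosign's own code: the legacy tag is derived from the subject digest, while OCI 1.1 signatures are found by filtering the referrers index. The function names, the sample data and the `artifactType` value are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed artifactType for cosign signatures attached as OCI 1.1 referrers.
const cosignSigType = "application/vnd.dev.cosign.artifact.sig.v1+json"

// Constructed sample data: a subject digest and a referrers index response.
const sampleDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
const sampleIndex = `{"schemaVersion":2,"manifests":[
 {"artifactType":"application/vnd.dev.cosign.artifact.sig.v1+json","digest":"sha256:aaaa"},
 {"artifactType":"application/spdx+json","digest":"sha256:bbbb"}]}`

// LegacySigTag maps "sha256:<hex>" to the tag-based location "sha256-<hex>.sig".
func LegacySigTag(digest string) (string, error) {
	parts := strings.SplitN(digest, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return parts[0] + "-" + parts[1] + ".sig", nil
}

// ReferrersPath is the OCI 1.1 endpoint listing artifacts whose subject is digest.
func ReferrersPath(repo, digest string) string {
	return "/v2/" + repo + "/referrers/" + digest
}

// SignatureReferrers returns the digests of referrers typed as cosign signatures.
func SignatureReferrers(indexJSON []byte) ([]string, error) {
	// encoding/json matches object keys to field names case-insensitively.
	var idx struct{ Manifests []struct{ ArtifactType, Digest string } }
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, err
	}
	var sigs []string
	for _, m := range idx.Manifests {
		if m.ArtifactType == cosignSigType {
			sigs = append(sigs, m.Digest)
		}
	}
	return sigs, nil
}

func main() {
	tag, _ := LegacySigTag(sampleDigest)
	sigs, _ := SignatureReferrers([]byte(sampleIndex))
	fmt.Println(tag, ReferrersPath("example/app", sampleDigest), sigs)
}
```

A verifier that supports both standards concurrently has to check both locations for the same subject digest, since an image may carry signatures in either or both.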