Add org.opencontainers.image.title annotation to attestation layers
Summary
This adds the org.opencontainers.image.title annotation to layer descriptors in attestation manifests to enable tools like 'oras pull' to download attestation bundles with collision-free filenames.
The annotation format is {algorithm}-{hex}.sigstore.json, where the hyphen separator ensures cross-platform filename compatibility, particularly for Windows, which forbids colons in filenames.
Changes:
- Add Annotations field to layer descriptors in WriteReferrer
- Update tests to verify annotation is set correctly
- Document the optional layer annotation in BUNDLE_SPEC.md
Fixes #4497
🤖 Generated with Claude Code
Release Note
Added org.opencontainers.image.title annotation to attestation layers, enabling oras pull to save bundles locally.
Documentation
I don't believe that a documentation update beyond the update to the bundle spec here is required.
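The following Go sketch is an added illustration, not part of this pull request or of cosign's code. It derives the {algorithm}-{hex}.sigstore.json title from a digest and shows a consumer-side check that accepts a title annotation as a local filename only when it matches that derived name. It assumes the algorithm and hex parts come from the layer descriptor's own digest; the `layer` type and the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

const titleKey = "org.opencontainers.image.title"

// Accepts "algorithm:hex" digests with lowercase-hex encodings (e.g. sha256, sha512).
var digestRE = regexp.MustCompile(`^([a-z0-9]+):([a-f0-9]{32,})$`)

// layer is a hypothetical stand-in for an OCI layer descriptor.
type layer struct {
	Digest      string
	Annotations map[string]string
}

// bundleTitle turns "algorithm:hex" into "algorithm-hex.sigstore.json".
// The colon is replaced by a hyphen because Windows forbids colons in filenames.
func bundleTitle(digest string) (string, error) {
	m := digestRE.FindStringSubmatch(digest)
	if m == nil {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return m[1] + "-" + m[2] + ".sigstore.json", nil
}

// localName returns the filename to write for a layer. It rejects any title
// that is not the name derived from the layer's digest, so an annotation
// cannot smuggle in path separators or collide with another layer's file.
func localName(l layer) (string, error) {
	want, err := bundleTitle(l.Digest)
	if err != nil {
		return "", err
	}
	got, ok := l.Annotations[titleKey]
	if !ok {
		return "", errors.New("title annotation missing")
	}
	if got != want {
		return "", fmt.Errorf("title %q does not match digest-derived name", got)
	}
	return got, nil
}

func main() {
	// Constructed sample descriptor; the digest is not from a real image.
	l := layer{Digest: "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
	title, _ := bundleTitle(l.Digest)
	l.Annotations = map[string]string{titleKey: title}
	fmt.Println(localName(l))
}
```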
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 36.76%. Comparing base (2ef6022) to head (b7fc7d9).
:warning: Report is 569 commits behind head on main.
Additional details and impacted files
@@ Coverage Diff @@
## main #4498 +/- ##
==========================================
- Coverage 40.10% 36.76% -3.35%
==========================================
Files 155 220 +65
Lines 10044 12119 +2075
==========================================
+ Hits 4028 4455 +427
- Misses 5530 6976 +1446
- Partials 486 688 +202