ratify-project/ratify

Ratify support OCI spec 1.1

Closed this issue · 2 comments

What would you like to be added?

OCI spec 1.1 was released recently. This issue is for discussing Ratify's support of OCI spec 1.1, so that work items and a release plan can be created.

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.

As discussed in the community meeting on 03/13/2024, we aligned that Ratify will be consistent with ORAS behavior, i.e. first attempt to call the Referrers API and automatically fall back to the Referrers Tag Schema if the Referrers API call fails. This is the current behavior in Ratify, but we need to double-confirm this.

We will also need to bump oras-go up to v2.5.0 to be compatible with OCI Spec v1.1.0.

I have double-checked that Ratify is using the correct oras-go function here. This function will perform a check to see if the target registry is Referrers API enabled. If not, it will fall back to the tag schema.

Once oras-go 2.5.0 is released, Dependabot will automatically send a PR for Ratify to upgrade.
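
The lookup order discussed in this thread (Referrers API first, Referrers Tag Schema on failure), as an added example that is not code from Ratify or oras-go and does not reproduce how oras-go detects API support. `fakeRegistry`, `listReferrers`, `desc` and the digests are hypothetical names and constructed values; the fallback tag form `<alg>-<hex>` follows the OCI distribution spec 1.1.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type desc struct{ Digest string } // one manifest entry of an OCI image index
var subject = "sha256:" + strings.Repeat("a", 64) // constructed sample digests
var referrer = "sha256:" + strings.Repeat("b", 64)

// fakeRegistry (hypothetical test double) serves the index on exactly one path.
func fakeRegistry(apiEnabled bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.Contains(r.URL.Path, "/referrers/") != apiEnabled {
			http.NotFound(w, r) // the other path does not exist on this registry
			return
		}
		fmt.Fprintf(w, `{"schemaVersion":2,"manifests":[{"digest":%q}]}`, referrer)
	}))
}

// listReferrers tries the Referrers API, then the tag schema (<alg>-<hex>) on 404.
// Any other non-200 status is an error, so an outage is never read as "no referrers".
func listReferrers(base, repo, subject string) ([]desc, string, error) {
	tag := strings.Replace(subject, ":", "-", 1)
	for _, u := range [][2]string{{"api", "/referrers/" + subject}, {"tag", "/manifests/" + tag}} {
		resp, err := http.Get(base + "/v2/" + repo + u[1])
		if err != nil {
			return nil, u[0], err
		}
		defer resp.Body.Close()
		if resp.StatusCode == http.StatusNotFound {
			continue // API unsupported, or no fallback tag exists
		}
		if resp.StatusCode != http.StatusOK {
			return nil, u[0], fmt.Errorf("%s lookup: unexpected status %s", u[0], resp.Status)
		}
		var idx struct{ Manifests []desc }
		err = json.NewDecoder(resp.Body).Decode(&idx)
		return idx.Manifests, u[0], err
	}
	return nil, "tag", nil // 404 on both paths: no referrers recorded
}

func main() { fmt.Println(listReferrers(fakeRegistry(false).URL, "demo/app", subject)) }
```

The second return value records which path answered, which is useful when confirming fallback behavior against a registry that predates OCI 1.1.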