Enable annotations to be set on attestations and signatures when OCI artifacts are uploaded

Question

Enable annotations to be set on attestations and signatures when OCI artifacts are uploaded

Opened this issue 2 months ago · 0 comments

Description

The OCI spec defines the use of annotations to contain arbitrary metadata. While cosign supports creating key, value pairs when signing, these are added into the optional section and therefore will not be easily discovered by any tooling that is looking at annotations directly.

In order to enable annotations to be applied to the generated OCI artifacts to maintain consistency with the signed ones, cosign should support the addition of the following annotations for both signatures and attestations:

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:e7a5e4c881a175fcc603b868322a63e74e5c9ee39ba4008972d64fe91f63f353",
    "size": 7659
  },
  "layers": [
    [...]
  ],
  "annotations": {
    "org.opencontainers.image.base.digest": [...], [...]
  }
}