Attaching the signature artifact to the Image artifact #3935
Labels
question
Further information is requested
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When I use oras (or
gcloud artifacts attachments create) to attach an artifact to an image artifact, it's displayed in a parent/child relation in the UI of Google Cloud Artifact registry.When I use cosign this is not the case. The signature artifact is displayed like a normal artifact and no relationship is visible at first glance.
After comparing some of the manifests, I noticed that oras adds a field called subject to the manifest of the added artifact with a reference to the digest of the image artifact.
"subject": { "mediaType": "application/vnd.oci.image.index.v1+json", "digest": "sha256:the_digest_of_the_image", "size": 856 }
opencontainers/image-spec#1020
docker/build-push-action#1260
You can use the following command
oras attach --artifact-type doc/example --annotation "key1=val1" --annotation "key2=val2" localhost:5000/hello:v1to quickly create an attached artifact at that location.Can cosign support the subject field as well?
The text was updated successfully, but these errors were encountered: