You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CLI docs for cosign attach attestation make a brief mention of the attachment prefix, but don't go into much detail about the suffix, i.e., what AttachmentName refers to, or is in the case of attestations.
--attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
I think we might want to hoist the tag-based discovery docs out into a separate spec, and reference them from docs for signatures, SBOMs, attestations, etc., as specific examples of attachments.
The text was updated successfully, but these errors were encountered:
Description
The tag naming scheme cosign relies on to attach signatures, SBOMs, etc., to images in any OCI registry is not very well documented.
https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md#tag-based-discovery mentions the
.sig
suffix for signatures, but there aren't similar docs for attestations or SBOMs.CLI docs for
cosign attach attestation
make a brief mention of the attachment prefix, but don't go into much detail about the suffix, i.e., whatAttachmentName
refers to, or is in the case of attestations.I think we might want to hoist the tag-based discovery docs out into a separate spec, and reference them from docs for signatures, SBOMs, attestations, etc., as specific examples of attachments.
The text was updated successfully, but these errors were encountered: