diff --git a/gen/jsonschema/schemas/ClientTrustConfig.schema.json b/gen/jsonschema/schemas/ClientTrustConfig.schema.json
index 24367583..f3397097 100644
--- a/gen/jsonschema/schemas/ClientTrustConfig.schema.json
+++ b/gen/jsonschema/schemas/ClientTrustConfig.schema.json
@@ -188,6 +188,10 @@
         },
         "dev.sigstore.trustroot.v1.SigningConfig": {
             "properties": {
+                "mediaType": {
+                    "type": "string",
+                    "description": "MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json"
+                },
                 "caUrl": {
                     "type": "string",
                     "description": "A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
diff --git a/gen/jsonschema/schemas/SigningConfig.schema.json b/gen/jsonschema/schemas/SigningConfig.schema.json
index 71d7723b..74c12fea 100644
--- a/gen/jsonschema/schemas/SigningConfig.schema.json
+++ b/gen/jsonschema/schemas/SigningConfig.schema.json
@@ -4,6 +4,10 @@
     "definitions": {
         "SigningConfig": {
             "properties": {
+                "mediaType": {
+                    "type": "string",
+                    "description": "MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json"
+                },
                 "caUrl": {
                     "type": "string",
                     "description": "A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
index c8e00755..e86dfed4 100644
--- a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
+++ b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
@@ -369,6 +369,8 @@ type SigningConfig struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
+	// MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json
+	MediaType string `protobuf:"bytes,5,opt,name=media_type,json=mediaType,proto3" json:"media_type,omitempty"`
 	// A URL to a Fulcio-compatible CA, capable of receiving
 	// Certificate Signing Requests (CSRs) and responding with
 	// issued certificates.
@@ -429,6 +431,13 @@ func (*SigningConfig) Descriptor() ([]byte, []int) {
 	return file_sigstore_trustroot_proto_rawDescGZIP(), []int{3}
 }
 
+func (x *SigningConfig) GetMediaType() string {
+	if x != nil {
+		return x.MediaType
+	}
+	return ""
+}
+
 func (x *SigningConfig) GetCaUrl() string {
 	if x != nil {
 		return x.CaUrl
@@ -597,8 +606,10 @@ var file_sigstore_trustroot_proto_rawDesc = []byte{
 	0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x65, 0x72,
 	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74,
 	0x79, 0x52, 0x14, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68,
-	0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0x79, 0x0a, 0x0d, 0x53, 0x69, 0x67, 0x6e, 0x69,
-	0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x15, 0x0a, 0x06, 0x63, 0x61, 0x5f, 0x75,
+	0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0x98, 0x01, 0x0a, 0x0d, 0x53, 0x69, 0x67, 0x6e,
+	0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x65, 0x64,
+	0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d,
+	0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x15, 0x0a, 0x06, 0x63, 0x61, 0x5f, 0x75,
 	0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x61, 0x55, 0x72, 0x6c, 0x12,
 	0x19, 0x0a, 0x08, 0x6f, 0x69, 0x64, 0x63, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28,
 	0x09, 0x52, 0x07, 0x6f, 0x69, 0x64, 0x63, 0x55, 0x72, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x6c,
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
index e50f2cfd..00f73142 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
@@ -159,6 +159,9 @@ class SigningConfig(betterproto.Message):
     signer may need to connect to for the online aspects of signing.
     """
 
+    media_type: str = betterproto.string_field(5)
+    """MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json"""
+
     ca_url: str = betterproto.string_field(1)
     """
     A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing
diff --git a/gen/pb-ruby/lib/sigstore_trustroot_pb.rb b/gen/pb-ruby/lib/sigstore_trustroot_pb.rb
index 19c93e2e..f4be94fe 100644
--- a/gen/pb-ruby/lib/sigstore_trustroot_pb.rb
+++ b/gen/pb-ruby/lib/sigstore_trustroot_pb.rb
@@ -29,6 +29,7 @@
       repeated :timestamp_authorities, :message, 5, "dev.sigstore.trustroot.v1.CertificateAuthority"
     end
     add_message "dev.sigstore.trustroot.v1.SigningConfig" do
+      optional :media_type, :string, 5
       optional :ca_url, :string, 1
       optional :oidc_url, :string, 2
       repeated :tlog_urls, :string, 3
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs
index 42d7f77f..4aee83ac 100644
--- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs
+++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs
@@ -170,6 +170,9 @@ pub struct TrustedRoot {
 #[allow(clippy::derive_partial_eq_without_eq)]
 #[derive(Clone, PartialEq, ::prost::Message)]
 pub struct SigningConfig {
+    /// MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json
+    #[prost(string, tag = "5")]
+    pub media_type: ::prost::alloc::string::String,
     /// A URL to a Fulcio-compatible CA, capable of receiving
     /// Certificate Signing Requests (CSRs) and responding with
     /// issued certificates.
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin
index 66e9233b..1585c0a0 100644
Binary files a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin and b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin differ
diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
index ef6e96b4..09738bd0 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
@@ -167,6 +167,8 @@ export interface TrustedRoot {
  * signer may need to connect to for the online aspects of signing.
  */
 export interface SigningConfig {
+  /** MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json */
+  mediaType: string;
   /**
    * A URL to a Fulcio-compatible CA, capable of receiving
    * Certificate Signing Requests (CSRs) and responding with
@@ -327,12 +329,13 @@ export const TrustedRoot = {
 };
 
 function createBaseSigningConfig(): SigningConfig {
-  return { caUrl: "", oidcUrl: "", tlogUrls: [], tsaUrls: [] };
+  return { mediaType: "", caUrl: "", oidcUrl: "", tlogUrls: [], tsaUrls: [] };
 }
 
 export const SigningConfig = {
   fromJSON(object: any): SigningConfig {
     return {
+      mediaType: isSet(object.mediaType) ? String(object.mediaType) : "",
       caUrl: isSet(object.caUrl) ? String(object.caUrl) : "",
       oidcUrl: isSet(object.oidcUrl) ? String(object.oidcUrl) : "",
       tlogUrls: Array.isArray(object?.tlogUrls) ? object.tlogUrls.map((e: any) => String(e)) : [],
@@ -342,6 +345,7 @@ export const SigningConfig = {
 
   toJSON(message: SigningConfig): unknown {
     const obj: any = {};
+    message.mediaType !== undefined && (obj.mediaType = message.mediaType);
     message.caUrl !== undefined && (obj.caUrl = message.caUrl);
     message.oidcUrl !== undefined && (obj.oidcUrl = message.oidcUrl);
     if (message.tlogUrls) {
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index 32c07a91..9adaf604 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
@@ -148,6 +148,9 @@ message TrustedRoot {
 // signing. In particular, it primarily contains service URLs that a Sigstore
 // signer may need to connect to for the online aspects of signing.
 message SigningConfig {
+        // MUST be application/vnd.dev.sigstore.signingconfig.v0.1+json
+        string media_type = 5;
+
         // A URL to a Fulcio-compatible CA, capable of receiving
         // Certificate Signing Requests (CSRs) and responding with
         // issued certificates.