diff --git a/pkg/tuf/registry_test.go b/pkg/tuf/registry_test.go
index 78dd92a..0844257 100644
--- a/pkg/tuf/registry_test.go
+++ b/pkg/tuf/registry_test.go
@@ -56,13 +56,15 @@ func TestRegistryFetcher(t *testing.T) {
 delegatedDir := CreateTempDir(t, dir, delegatedRole)
 delegatedTargetFile := fmt.Sprintf("%s/%s", delegatedRole, targetFile)
- cfg, err := config.New(metadataRepo, DockerTUFRootDev.Data)
+ // note - url is ignored here - needed to make http url parsing happy even when using oci
+ cfg, err := config.New("", DockerTUFRootDev.Data)
 require.NoError(t, err)
 cfg.Fetcher = NewRegistryFetcher(metadataRepo, metadataImgTag, targetsRepo)
 cfg.LocalMetadataDir = dir
 cfg.LocalTargetsDir = dir
 cfg.RemoteTargetsURL = targetsRepo
+ cfg.RemoteMetadataURL = metadataRepo
 // create a new Updater instance
 up, err := updater.New(cfg)
@@ -356,9 +358,6 @@ func RunTestRegistry(t *testing.T) (*registry.RegistryContainer, *url.URL) {
 if err != nil {
 t.Fatalf("failed to parse container address: %s", err)
 }
- if addr.Hostname() == "127.0.0.1" {
- addr.Host = "localhost:" + addr.Port()
- }
 return registryContainer, addr
 }
diff --git a/pkg/tuf/tuf.go b/pkg/tuf/tuf.go
index 7a2b324..b376e59 100644
--- a/pkg/tuf/tuf.go
+++ b/pkg/tuf/tuf.go
@@ -11,6 +11,7 @@ import (
 "strings"
 "time"
+ "github.com/distribution/reference"
 "github.com/docker/attest/internal/embed"
 "github.com/docker/attest/internal/util"
 "github.com/theupdateframework/go-tuf/v2/metadata"
@@ -107,20 +108,28 @@ func NewClient(opts *ClientOptions) (*Client, error) {
 }
 // create updater configuration
- cfg, err := config.New(opts.MetadataSource, rootBytes) // default config
+ // this is parsed as an HTTP url (which doesn't work for OCI). We're setting this to make TUF happy
+ // and overwriding the configuration below
+ cfg, err := config.New("", rootBytes) // default config
 if err != nil {
 return nil, fmt.Errorf("failed to create TUF updater configuration: %w", err)
 }
 cfg.LocalMetadataDir = metadataPath
 cfg.LocalTargetsDir = filepath.Join(metadataPath, "download")
+ cfg.RemoteMetadataURL = opts.MetadataSource
 cfg.RemoteTargetsURL = opts.TargetsSource
 if tufSource == OCISource {
- metadataRepo, metadataTag, found := strings.Cut(opts.MetadataSource, ":")
- if !found {
- fmt.Printf("metadata tag not found in URL, using latest\n")
- metadataTag = LatestTag
+ ref, err := reference.ParseNormalizedNamed(opts.MetadataSource)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse metadata source: %w", err)
 }
+ // add latest tag
+ metadataTag := LatestTag
+ if tag, ok := ref.(reference.Tagged); ok {
+ metadataTag = tag.Tag()
+ }
+ metadataRepo := ref.Name()
 cfg.Fetcher = NewRegistryFetcher(metadataRepo, metadataTag, opts.TargetsSource)
 }
diff --git a/pkg/tuf/tuf_test.go b/pkg/tuf/tuf_test.go
index 6eaf2a1..8c300a6 100644
--- a/pkg/tuf/tuf_test.go
+++ b/pkg/tuf/tuf_test.go
@@ -130,7 +130,7 @@ func TestDownloadTarget(t *testing.T) {
 // download delegated target
 targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
- assert.NoError(t, err)
+ require.NoError(t, err)
 _, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
 assert.NoError(t, err)
 }
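Review bot: In the OCI branch of `NewClient` (pkg/tuf/tuf.go), a digest in `opts.MetadataSource` is dropped without any error: only `reference.Tagged` is checked, so `repo@sha256:…` resolves to `LatestTag` and `repo:tag@sha256:…` keeps the tag and loses the digest. A caller who pinned the TUF metadata image therefore fetches a mutable tag instead; rejecting such input is safer, e.g. `if _, ok := ref.(reference.Digested); ok { return nil, fmt.Errorf("metadata source must not include a digest: %q", opts.MetadataSource) }`. `ref.Name()` is also the normalized name, so a short name gains the default registry domain before it reaches `NewRegistryFetcher`, which is worth a comment beside `// add latest tag`. Separately, `config.New` now receives `""` for HTTP sources too, so whatever URL check it applied to `opts.MetadataSource` presumably no longer runs before the value lands in `cfg.RemoteMetadataURL`. `NewClient` starts and ends outside this hunk.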