diff --git a/pkg/attestation/attestation.go b/pkg/attestation/attestation.go
index c1a522c..306cf1b 100644
--- a/pkg/attestation/attestation.go
+++ b/pkg/attestation/attestation.go
@@ -249,7 +249,7 @@ func (manifest *Manifest) BuildReferringArtifacts() ([]v1.Image, error) {
 	return images, nil
 }
 
-// build and image containing only layers.
+// build an image containing only layers.
 func buildImage(layers []*Layer, manifest *v1.Descriptor, subject *v1.Descriptor, opts *ManifestImageOptions) (v1.Image, error) {
 	newImg := empty.Image
 	var err error
diff --git a/pkg/mirror/mirror.go b/pkg/mirror/mirror.go
index e9e35de..5125e70 100644
--- a/pkg/mirror/mirror.go
+++ b/pkg/mirror/mirror.go
@@ -134,21 +134,30 @@ func SaveReferrers(manifest *attestation.Manifest, outputs []*oci.ImageSpec) err
 			continue
 		}
 		// so that we use the same tag each time to reduce number of tags (tags aren't needed for referrers but we must push one)
-		attOut, err := oci.ReplaceTagInSpec(output, manifest.SubjectDescriptor.Digest)
-		if err != nil {
-			return err
-		}
-		// otherwise we end up with the detected platform, though I'm not sure it matters
-		attOut.Platform = &v1.Platform{
-			OS:           "unknown",
-			Architecture: "unknown",
-		}
+		// attOut, err := oci.ReplaceTagInSpec(output, manifest.SubjectDescriptor.Digest)
+		// if err != nil {
+		// 	return err
+		// }
 		images, err := manifest.BuildReferringArtifacts()
 		if err != nil {
 			return fmt.Errorf("failed to build image: %w", err)
 		}
 		for _, image := range images {
-			err := PushImageToRegistry(image, attOut.Identifier)
+			layers, err := image.Layers()
+			if err != nil {
+				return fmt.Errorf("failed to get attestation image layers: %w", err)
+			}
+			digest, err := layers[0].Digest()
+			if err != nil {
+				return fmt.Errorf("failed to get attestation image digest: %w", err)
+			}
+			digest2, _ := image.Digest()
+			fmt.Printf("digest: %s, digest2: %s\n", digest, digest2)
+			attOut, err := oci.ReplaceDigestInSpec(output, digest2)
+			if err != nil {
+				return fmt.Errorf("failed to create attestation image spec: %w", err)
+			}
+			err = PushImageToRegistry(image, attOut.Identifier)
 			if err != nil {
 				return fmt.Errorf("failed to push image: %w", err)
 			}
diff --git a/pkg/oci/oci.go b/pkg/oci/oci.go
index f362224..f3a5961 100644
--- a/pkg/oci/oci.go
+++ b/pkg/oci/oci.go
@@ -172,3 +172,26 @@ func replaceTag(image string, digest v1.Hash) (string, error) {
 	}
 	return fmt.Sprintf("%s:%s-%s.att", notag, digest.Algorithm, digest.Hex), nil
 }
+
+func ReplaceDigestInSpec(src *ImageSpec, digest v1.Hash) (*ImageSpec, error) {
+	newName, err := replaceDigest(src.Identifier, digest)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse repo name: %w", err)
+	}
+	return &ImageSpec{
+		Identifier: newName,
+		Type:       src.Type,
+		Platform:   src.Platform,
+	}, nil
+}
+
+func replaceDigest(image string, digest v1.Hash) (string, error) {
+	if strings.HasPrefix(image, LocalPrefix) {
+		return image, nil
+	}
+	notag, err := WithoutTag(image)
+	if err != nil {
+		return "", nil
+	}
+	return fmt.Sprintf("%s@%s:%s", notag, digest.Algorithm, digest.Hex), nil
+}