feat: roll out updates on release (#100 )

* feat: roll out updates on release * Use app token. Fix repo
feat(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.3.0 (#98 )
2024-07-25 16:15:35 +01:00 · 2024-07-24 13:30:56 +01:00 · 2024-07-23 19:08:01 +00:00 · 2024-07-23 19:03:53 +00:00 · 2024-07-23 08:03:03 -05:00 · 2024-07-22 16:03:23 -05:00
235 changed files with 9088 additions and 551 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @docker/supply-chain-security
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,24 @@
+name: release
+on:
+  release:
+    types: [published]
+jobs:
+  trigger_attest_update:
+    name: Update attest lib - ALL
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
+        with:
+            app-id: ${{ vars.ATTEST_RELEASE_APP_ID }}
+            private-key: ${{ secrets.ATTEST_RELEASE_APP_PRIVATE_KEY }}
+            repositories: "attest-actions"
+      - name: Send repository_dispatch event
+        uses: peter-evans/repository-dispatch@v3.0.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          event-type: update_attest_all
+          repository: docker/attest-actions
+          client-payload: '{"attest_version": "${{ github.ref_name }}"}'
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,6 +7,9 @@ on:
  workflow_dispatch:
 jobs:
  golang:
+    permissions:
+      contents: read
+      id-token: write
    strategy:
      matrix:
        go-version: [1.21.x]
@@ -21,9 +24,42 @@ jobs:
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}
+      - name: Login to Docker Hub
+        if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
+        uses: docker/login-action@v3
+        with:
+          username: dockerpublicbot
+          password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
+      - name: Authenticate to AWS
+        if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2
+        with:
+          aws-region: "us-east-1"
+          role-to-assume: arn:aws:iam::175142243308:role/doi-github-actions-signing
+      - name: auth-with-gcp
+        if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: 'attest-kms-test'
+          export_environment_variables: true
+          workload_identity_provider: 'projects/385966116051/locations/global/workloadIdentityPools/attest-kms-test/providers/attest-kms-test'
+          service_account: 'attest-kms-test@attest-kms-test.iam.gserviceaccount.com'
      - name: Setup Testcontainers Cloud Client
        uses: atomicjar/testcontainers-cloud-setup-action@v1
        with:
          token: ${{ secrets.TC_CLOUD_TOKEN }}
-      - name: go test
-        run: go test ./...
+      - name: go test including e2e
+        if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
+        run: go test -tags=e2e -v ./... -coverprofile=coverage.out -covermode=atomic
+      - name: go test excluding e2e
+        if: matrix.os == 'macos-latest' || github.actor == 'dependabot[bot]'
+        run: go test -v ./...
+      - name: Upload coverage to Codecov
+        if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
+        uses: codecov/codecov-action@v4
+        with:
+          file: ./coverage.out
+          flags: unittests
+          name: codecov-umbrella
+          fail_ci_if_error: true
+          token: ${{ secrets.CODECOV_TOKEN }}
--- a/README.md
+++ b/README.md
@@ -1,2 +1,16 @@
 # attest
-Library to create, verify, and evaluate policy for attestations on container images
+library to create, verify, and evaluate policy for attestations on container images
+
+[![codecov](https://codecov.io/gh/docker/attest/graph/badge.svg?token=cGT0f1ACKg)](https://codecov.io/gh/docker/attest)
+
+# usage
+## signing and verifying attestations
+See [example_sign_test.go](./pkg/attest/example_sign_test.go)
+
+See [example_verify_test.go](./pkg/attest/example_verify_test.go)
+
+## mirroring TUF repositories to OCI
+See [example_mirror_test.go](./pkg/mirror/example_mirror_test.go)
+
+### using `go-tuf` OCI registry client
+See [example_registry_test.go](./pkg/tuf/example_registry_test.go)
--- a/codecov.yml
+++ b/codecov.yml
@@ -0,0 +1,2 @@
+ignore:
+  - "internal/test"
--- a/go.mod
+++ b/go.mod
@@ -1,82 +1,204 @@
 module github.com/docker/attest

-go 1.22.1
+go 1.22.5

 require (
-	github.com/google/go-containerregistry v0.19.1
+	github.com/Masterminds/semver/v3 v3.2.1
+	github.com/aws/aws-sdk-go-v2/config v1.27.27
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8
+	github.com/containerd/platforms v0.2.1
+	github.com/distribution/reference v0.6.0
+	github.com/go-openapi/runtime v0.28.0
+	github.com/go-openapi/strfmt v0.23.0
+	github.com/google/go-containerregistry v0.20.1
+	github.com/hashicorp/go-cleanhttp v0.5.2
+	github.com/in-toto/in-toto-golang v0.9.0
+	github.com/open-policy-agent/opa v0.66.0
+	github.com/opencontainers/image-spec v1.1.0
+	github.com/package-url/packageurl-go v0.1.3
+	github.com/pkg/errors v0.9.1
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0
+	github.com/sigstore/cosign/v2 v2.3.0
+	github.com/sigstore/rekor v1.3.6
+	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7
+	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.7
 	github.com/stretchr/testify v1.9.0
-	github.com/testcontainers/testcontainers-go v0.30.0
-	github.com/testcontainers/testcontainers-go/modules/registry v0.30.0
-	github.com/theupdateframework/go-tuf/v2 v2.0.0-20240402164131-b2e024ad4752
+	github.com/testcontainers/testcontainers-go/modules/registry v0.32.0
+	github.com/theupdateframework/go-tuf/v2 v2.0.0
+	google.golang.org/api v0.189.0
+	gopkg.in/yaml.v3 v3.0.1
+	sigs.k8s.io/yaml v1.4.0
 )

-replace github.com/theupdateframework/go-tuf/v2 => github.com/mrjoelkamp/go-tuf/v2 v2.0.1 // for https://github.com/theupdateframework/go-tuf/pull/632
+// fork of a fork (in case it goes away) with changes to support ArtifactType (https://github.com/google/go-containerregistry/pull/1931)
+replace github.com/google/go-containerregistry => github.com/kipz/go-containerregistry v0.0.0-20240722163910-ebe90246535d

 require (
+	cloud.google.com/go v0.115.0 // indirect
+	cloud.google.com/go/auth v0.7.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.3 // indirect
+	cloud.google.com/go/compute/metadata v0.5.0 // indirect
+	cloud.google.com/go/iam v1.1.10 // indirect
+	cloud.google.com/go/kms v1.18.2 // indirect
+	cloud.google.com/go/longrunning v0.5.9 // indirect
 	dario.cat/mergo v1.0.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/Microsoft/hcsshim v0.11.4 // indirect
-	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
-	github.com/containerd/containerd v1.7.12 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.12.3 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.35.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
+	github.com/aws/smithy-go v1.20.3 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudflare/circl v1.3.8 // indirect
+	github.com/containerd/containerd v1.7.19 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/distribution/reference v0.5.0 // indirect
-	github.com/docker/cli v24.0.0+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v25.0.5+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
+	github.com/docker/cli v26.1.3+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v27.0.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.1 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.2.6 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/certificate-transparency-go v1.2.1 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/klauspost/compress v1.16.5 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
-	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.5 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
+	github.com/jellydator/ttlcache/v3 v3.2.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/klauspost/compress v1.17.8 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
+	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
-	github.com/shirou/gopsutil/v3 v3.23.12 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/shirou/gopsutil/v3 v3.24.4 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
-	github.com/sigstore/sigstore v1.8.3 // indirect
+	github.com/sigstore/sigstore v1.8.7 // indirect
+	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/cobra v1.8.1 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/testcontainers/testcontainers-go v0.32.0 // indirect
+	github.com/theupdateframework/go-tuf v0.7.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
-	github.com/tklauser/go-sysconf v0.3.12 // indirect
-	github.com/tklauser/numcpus v0.6.1 // indirect
-	github.com/vbatts/tar-split v0.11.3 // indirect
-	github.com/yusufpapurcu/wmi v1.2.3 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-	go.opentelemetry.io/otel v1.24.0 // indirect
-	go.opentelemetry.io/otel/metric v1.24.0 // indirect
-	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea // indirect
-	golang.org/x/mod v0.16.0 // indirect
-	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/term v0.18.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
-	google.golang.org/grpc v1.58.3 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.14 // indirect
+	github.com/tklauser/numcpus v0.8.0 // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/yashtewari/glob-intersection v0.2.0 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.mongodb.org/mongo-driver v1.15.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
+	go.opentelemetry.io/otel v1.28.0 // indirect
+	go.opentelemetry.io/otel/metric v1.28.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/term v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/genproto v0.0.0-20240722135656-d784300faade // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240722135656-d784300faade // indirect
+	google.golang.org/grpc v1.65.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/embed/embedded-roots/1.root-dev.json
+++ b/internal/embed/embedded-roots/1.root-dev.json
@@ -1,42 +1,42 @@
 {
 "signatures": [
  {
-   "keyid": "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-   "sig": "3064023037bbb03c3472b140572a7d5a2895bd80e74435bbcb7053949731f81b104c6d05a0876590cd6a2e94d7ed619426a2f6fa02303adc8c9006fa5506fdd7ea87d2960074a537ad8bf2459f2863e806b47682cbb2f9b01b7502eaf5437a1a68fdaaeac114"
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": "3065023000f7d0a866576e94eaabc173b9233d4c8fcfa495527088f9022dff5a553f7a457da1015a6d0fc714f84848ec627387360231009fa70b2eebbe15241a2ec9b96a094ebd28661e30b8c3d1eab8d694df2b340bda511c489393630c9a9dacde42c99e9fa1"
  }
 ],
 "signed": {
  "_type": "root",
  "consistent_snapshot": true,
-  "expires": "2034-04-02T17:00:22Z",
+  "expires": "2034-05-29T20:14:11Z",
  "keys": {
-   "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3": {
-    "keytype": "ecdsa",
-    "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
-    },
-    "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
-   },
-   "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09": {
+   "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
    "keytype": "ecdsa",
    "keyval": {
     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
    },
    "scheme": "ecdsa-sha2-nistp384",
    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   },
+   "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
   }
  },
  "roles": {
   "root": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"
    ],
    "threshold": 1
   },
   "snapshot": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
@@ -44,13 +44,13 @@
   },
   "targets": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"
    ],
    "threshold": 1
   },
   "timestamp": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
--- a/internal/embed/embedded-roots/1.root.json
+++ b/internal/embed/embedded-roots/1.root.json
@@ -0,0 +1,152 @@
+{
+ "signatures": [
+  {
+   "keyid": "08d6f4ca1d0be93a6ceddca15051c0aeec6b98c73e29f3a714de301042d6eeee",
+   "sig": "306502307ddba543fbd1b9e2ccbee604349024e62bbb1a37906bbd5605a7403fbdb51b701b52f5fcd1b0a0ebfaeef97fa9c344f8023100c37ab675fe96b3976469a5e0cc8a5ffb5d8d6de15020f493d7cf28b0c7e60f450b65c02bfbac0e40642863a1ae3bfa4a"
+  },
+  {
+   "keyid": "3ebd40525193d7628d0b9eccd4771df7297bc87519ec6f312863bb4470966bea",
+   "sig": "3065023100bc963925fb139dd65653b5e9640572876c5bcd0a3f8bb81e4b0cbd397c10ec4fa0aed7942d77ec78b865e14c72e20e76023043ce7ff39067f054d6d2eaca5dd5176b2c25e27bd763b4ef873aaf4c75762bfb085bb766613692b68206ea0df2863426"
+  },
+  {
+   "keyid": "9c8e1be7d8d0e30656adc81ac201e05cb47a5a097d4d301fd121b77c320231c4",
+   "sig": "306502307e82d7bc0c66074b06cfc13bac3761c8f677eef252c08448eb33c0249569500e8be2a1ae78c87b5888ed80d088f97fbb023100c358c6ebe18d237bae9a9daeaf2db82297cda8eca635fc22719142740fb23b32eac0341754dd2a85b684c46e3a087ada"
+  },
+  {
+   "keyid": "373d0a38247919a78cf400cf9a90abb9aa23a3c3dce1deee995fdd6a81507117",
+   "sig": "306402305d9b5fdf3b24240b266a7ae7e02bbcadce8e06f8c111dcef03282faa0baaffb8114653cecda3da115d7859f657508d4f02304b5939fc4404f9e1e8b9d3eb49e195a779b501bd4000cef6cff7a8e657020176dae99cce2a7300b88e549d427278309c"
+  },
+  {
+   "keyid": "48a873aa6c4189804228590af4d48ee5ad3b76417592efdbcef2532401925669",
+   "sig": "306402306bc5f44621c0d6e18ce16155ebc7890def8fb283859175f7a8425190f0f233e4270b2688df05b017cfc852dee30f9f5b023016572d059d6f27968976df2aaff8238ee0970cea229e5ef30350f2c91347b04e794683da69cf6afe6cf9206dcebc81f4"
+  }
+ ],
+ "signed": {
+  "_type": "root",
+  "consistent_snapshot": true,
+  "expires": "2025-06-04T15:05:22Z",
+  "keys": {
+   "08d6f4ca1d0be93a6ceddca15051c0aeec6b98c73e29f3a714de301042d6eeee": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEC4ggHc/D9koyS1/AMNsMGiydM2jDzdsI\nrkC/nyZf8d4UtYJJRxuFRfmyKw9Mh0Ulw/IIyf8ZW2NsnkHgJwGre9/Ici6uomOX\n8yAOlX0Du/oAa7v4igCG7tsW0Z1ljAID\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@jeanlaurent"
+   },
+   "2ff207ae7d7b595ef69589622067ef5b6668e1a43081377d942ed8749fa919b4": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE5pyJ/RXlRO/a2WBSAprikm+VVPqZGC1M\nqgVXE3avwqb9d9lPc9Cphfd4CIAzPCKgeUkGMzQWcC1OwVjOwiB+GRq2Owf7T8pa\nKUe/zRoLjAlUnzUITHP226L1DmQ6Swos\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@kipz"
+   },
+   "373d0a38247919a78cf400cf9a90abb9aa23a3c3dce1deee995fdd6a81507117": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAER2zST05lNvybLsSe4UA/hiUrJbA6aFyz\nDimwewwbHvw+gt29EHYtHPqTlO/hSZD5vqZ94Cga9rDsOm3eI5bPkPHApUjw4W7u\n5lDnxuuFKluQ7EiUbswUN0ONTPnmY7Wo\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@binman-docker"
+   },
+   "3ebd40525193d7628d0b9eccd4771df7297bc87519ec6f312863bb4470966bea": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE9C53JKQtD1RYLiSwmR4XRhI7jf28W9TK\nhV3aXW0Z87JyJ4wGNOFnGRE6PuEh7Bbu4ecH0PpsEoirWzzRIgBMR3yHVCSkFBDu\nqfycsInCTAS1jvzLiDHciKXENxAWARHj\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@ingshtrom"
+   },
+   "48a873aa6c4189804228590af4d48ee5ad3b76417592efdbcef2532401925669": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEpQrE8o+fz6kBrs3TD6zqcDPwRZf3FxOX\n+SiT0k3SL1JHsMbxwFAKq+wJzqpqbhzFySuO1VVT93xNDd/rmjEU6HSY7wvT0m/l\nZ0S7yIwl3UnlplzKUYg/8wWJM0C2Qdpj\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@cdupuis"
+   },
+   "6132f1f2dd14bf3e9ba1a8df4c8435a77d2fd57f4a99bbb699ae61f85907818e": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkFPn3WTH/xVIEFhdP/TCqtnuiOqdgb/v\nEIBjng1TBCVmr7NnW4y4bdZG4Tf9OVTSqlJzuUFThJT/JQR3M7xEzW9WJqUfBTS1\nUuF980elHtMpRkS3NtRp/T0IrkH7+COa\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@jonnystoten"
+   },
+   "9c8e1be7d8d0e30656adc81ac201e05cb47a5a097d4d301fd121b77c320231c4": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEWDreR+iXRtTStv5zmCLGoSmvvfV9/agY\nkx4O1XpRinBwAAA/IO4MI+YCoY0EQpKlSxl0DoVe6hmiXq2ezjTbebGDO66+fTZH\nkrr4KiCsZ8QcdPAR2cUvXkgyBp0WtYYS\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@rachel-taylor-docker"
+   },
+   "aef160e03958d5346c903dda755c07e952127ef523df5ec33bd9b24d41fe1cf4": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5gH1kg/MZeiF/GO222hxMerv7MBC\nn91IJG8BbYWKmqZm2za+/QDyrMZExTguYlutu77jZqbkRZEFb/LbL4Ntuw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:654654578585:key/751429f1-0aea-4bd8-b450-bb1bce6b058f"
+   },
+   "cda750ab29ce33e19ad2fdee4204ad0190b0a33f79e1c5c18a38992d576143d7": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYTPARe9DPvvVVf7ch5fTVWXtS9FS97lh\nyZr3Pk33qRprnVB9u7BaEzvQtTYycPO7cmYW5yTOC5ZZa9p2B/v15bOK4NTU0WTT\nXTwSgKmJDh8CD/PBp386S8cwyyIp7NiR\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@whalelines"
+   },
+   "f2149d8b7c1ece56d87d81f27fa68b745efc841892b3acfa382ad7f611e612ec": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEtWRLfl1pLhd5pn4gOmiCQwxE68U0+mIl\n1sU9ugeUz2aCZ9GcTjDNFE/7ZOat74ajeaFi9zmdeCi3UTYioLXNOXfbN6mxM9iQ\nGG3Z5OWYsZpeAv+5jhly2JeWUhFTuJpd\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   }
+  },
+  "roles": {
+   "root": {
+    "keyids": [
+     "08d6f4ca1d0be93a6ceddca15051c0aeec6b98c73e29f3a714de301042d6eeee",
+     "3ebd40525193d7628d0b9eccd4771df7297bc87519ec6f312863bb4470966bea",
+     "9c8e1be7d8d0e30656adc81ac201e05cb47a5a097d4d301fd121b77c320231c4",
+     "373d0a38247919a78cf400cf9a90abb9aa23a3c3dce1deee995fdd6a81507117",
+     "48a873aa6c4189804228590af4d48ee5ad3b76417592efdbcef2532401925669"
+    ],
+    "threshold": 3
+   },
+   "snapshot": {
+    "keyids": [
+     "aef160e03958d5346c903dda755c07e952127ef523df5ec33bd9b24d41fe1cf4"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 365,
+    "x-tuf-on-ci-signing-period": 60
+   },
+   "targets": {
+    "keyids": [
+     "f2149d8b7c1ece56d87d81f27fa68b745efc841892b3acfa382ad7f611e612ec",
+     "2ff207ae7d7b595ef69589622067ef5b6668e1a43081377d942ed8749fa919b4",
+     "6132f1f2dd14bf3e9ba1a8df4c8435a77d2fd57f4a99bbb699ae61f85907818e",
+     "cda750ab29ce33e19ad2fdee4204ad0190b0a33f79e1c5c18a38992d576143d7"
+    ],
+    "threshold": 2
+   },
+   "timestamp": {
+    "keyids": [
+     "aef160e03958d5346c903dda755c07e952127ef523df5ec33bd9b24d41fe1cf4"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 2,
+    "x-tuf-on-ci-signing-period": 1
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 1,
+  "x-tuf-on-ci-expiry-period": 365,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}
--- a/internal/embed/root.go
+++ b/internal/embed/root.go
@@ -2,12 +2,44 @@ package embed

 import (
 	_ "embed"
+	"fmt"
 )

 //go:embed embedded-roots/1.root-dev.json
-var DevRoot []byte
+var devRoot []byte

 //go:embed embedded-roots/1.root-staging.json
-var StagingRoot []byte
+var stagingRoot []byte

-var DefaultRoot = StagingRoot
+//go:embed embedded-roots/1.root.json
+var prodRoot []byte
+
+var defaultRoot = prodRoot
+
+type RootName string
+type EmbeddedRoot struct {
+	Data []byte
+	Name RootName
+}
+
+var (
+	RootDev     = EmbeddedRoot{Data: devRoot, Name: "dev"}
+	RootStaging = EmbeddedRoot{Data: stagingRoot, Name: "staging"}
+	RootProd    = EmbeddedRoot{Data: prodRoot, Name: "prod"}
+	RootDefault = EmbeddedRoot{Data: defaultRoot, Name: ""}
+)
+
+func GetRootFromName(root string) (*EmbeddedRoot, error) {
+	switch root {
+	case string(RootDev.Name):
+		return &RootDev, nil
+	case string(RootStaging.Name):
+		return &RootStaging, nil
+	case string(RootProd.Name):
+		return &RootProd, nil
+	case string(RootDefault.Name):
+		return &RootDefault, nil
+	default:
+		return nil, fmt.Errorf("invalid tuf root: %s", root)
+	}
+}
--- a/internal/test/mocks.go
+++ b/internal/test/mocks.go
@@ -0,0 +1,64 @@
+package test
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/pkg/signerverifier"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+type MockResolver struct {
+	Envs []*attestation.Envelope
+}
+
+func (r MockResolver) Attestations(ctx context.Context, mediaType string) ([]*attestation.Envelope, error) {
+	return r.Envs, nil
+}
+
+func (r MockResolver) ImageName(ctx context.Context) (string, error) {
+	return "library/alpine:latest", nil
+}
+
+func (r MockResolver) ImageDescriptor(ctx context.Context) (*v1.Descriptor, error) {
+	digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
+	if err != nil {
+		return nil, err
+	}
+	return &v1.Descriptor{
+		Digest:    digest,
+		Size:      1234,
+		MediaType: "application/vnd.oci.image.manifest.v1+json",
+	}, nil
+
+}
+
+func (r MockResolver) ImagePlatform(ctx context.Context) (*v1.Platform, error) {
+	return oci.ParsePlatform("linux/amd64")
+}
+
+type MockRegistryResolver struct {
+	Subject      *v1.Descriptor
+	ImageNameStr string
+	*MockResolver
+}
+
+func (r *MockRegistryResolver) ImageDescriptor(ctx context.Context) (*v1.Descriptor, error) {
+	return r.Subject, nil
+}
+
+func (r *MockRegistryResolver) ImageName(ctx context.Context) (string, error) {
+	return r.ImageNameStr, nil
+}
+
+func GetMockSigner(ctx context.Context) (dsse.SignerVerifier, error) {
+	priv, err := os.ReadFile(filepath.Join("..", "..", "test", "testdata", "test-signing-key.pem"))
+	if err != nil {
+		return nil, err
+	}
+	return signerverifier.LoadKeyPair(priv)
+}
--- a/internal/test/test.go
+++ b/internal/test/test.go
@@ -1,8 +1,32 @@
 package test

 import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
 	"os"
+	"strings"
 	"testing"
+
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest/pkg/tlog"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/google/go-containerregistry/pkg/v1/partial"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+const (
+	USE_MOCK_TL     = true
+	USE_MOCK_KMS    = true
+	USE_MOCK_POLICY = true
+
+	AwsRegion    = "us-east-1"
+	AwsKmsKeyArn = "arn:aws:kms:us-east-1:175142243308:alias/doi-signing" // sandbox
 )

 func CreateTempDir(t *testing.T, dir, pattern string) string {
@@ -20,3 +44,143 @@ func CreateTempDir(t *testing.T, dir, pattern string) string {
 	})
 	return tempDir
 }
+
+func Setup(t *testing.T) (context.Context, dsse.SignerVerifier) {
+	var tl tlog.TL
+	if USE_MOCK_TL {
+		tl = tlog.GetMockTL()
+	} else {
+		tl = &tlog.RekorTL{}
+	}
+
+	ctx := tlog.WithTL(context.Background(), tl)
+
+	var policyEvaluator policy.PolicyEvaluator
+	if USE_MOCK_POLICY {
+		policyEvaluator = policy.GetMockPolicy()
+	} else {
+		policyEvaluator = policy.NewRegoEvaluator(true)
+	}
+
+	ctx = policy.WithPolicyEvaluator(ctx, policyEvaluator)
+
+	var signer dsse.SignerVerifier
+	var err error
+	if USE_MOCK_KMS {
+		signer, err = GetMockSigner(ctx)
+		if err != nil {
+			t.Fatal(err)
+		}
+	} else {
+		signer, err = signerverifier.GetAWSSigner(ctx, AwsKmsKeyArn, AwsRegion)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	return ctx, signer
+}
+
+type AnnotatedStatement struct {
+	OCIDescriptor   *v1.Descriptor
+	InTotoStatement *intoto.Statement
+	Annotations     map[string]string
+}
+
+func ExtractStatementsFromIndex(idx v1.ImageIndex, mediaType string) ([]*AnnotatedStatement, error) {
+	mfs2, err := idx.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract IndexManifest from ImageIndex: %w", err)
+	}
+
+	var statements []*AnnotatedStatement
+
+	for _, mf := range mfs2.Manifests {
+		if mf.Annotations[attestation.DockerReferenceType] != "attestation-manifest" {
+			continue
+		}
+
+		attestationImage, err := idx.Image(mf.Digest)
+		if err != nil {
+			return nil, fmt.Errorf("failed to extract attestation image with digest %s: %w", mf.Digest.String(), err)
+		}
+		layers, err := attestationImage.Layers()
+		if err != nil {
+			return nil, fmt.Errorf("failed to extract layers from attestation image: %w", err)
+		}
+
+		for _, layer := range layers {
+			// parse layer blob as json
+			mt, err := layer.MediaType()
+			if err != nil {
+				return nil, fmt.Errorf("failed to get layer media type: %w", err)
+			}
+
+			if string(mt) != mediaType {
+				continue
+			}
+			r, err := layer.Uncompressed()
+			if err != nil {
+				return nil, fmt.Errorf("failed to get layer contents: %w", err)
+			}
+			defer r.Close()
+			var intotoStatement = new(intoto.Statement)
+			var desc *v1.Descriptor
+			if strings.HasSuffix(string(mt), "+dsse") {
+				var env = new(attestation.Envelope)
+				err = json.NewDecoder(r).Decode(env)
+				if err != nil {
+					return nil, fmt.Errorf("failed to decode env: %w", err)
+				}
+				payload, err := base64.StdEncoding.Strict().DecodeString(env.Payload)
+				if err != nil {
+					return nil, fmt.Errorf("failed to decode payload: %w", err)
+				}
+				err = json.Unmarshal([]byte(payload), intotoStatement)
+				if err != nil {
+					return nil, fmt.Errorf("failed to decode %s statement: %w", mediaType, err)
+				}
+			} else {
+				desc := new(v1.Descriptor)
+				err = json.NewDecoder(r).Decode(desc)
+				if err != nil {
+					return nil, fmt.Errorf("failed to decode statement: %w", err)
+				}
+			}
+
+			layerDesc, err := partial.Descriptor(layer)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get descriptor for layer: %w", err)
+			}
+			annotations := make(map[string]string)
+			for k, v := range layerDesc.Annotations {
+				annotations[k] = v
+			}
+			statements = append(statements, &AnnotatedStatement{
+				OCIDescriptor:   desc,
+				InTotoStatement: intotoStatement,
+				Annotations:     annotations,
+			})
+		}
+	}
+	return statements, nil
+}
+
+func ExtractAnnotatedStatements(path string, mediaType string) ([]*AnnotatedStatement, error) {
+	idx, err := layout.ImageIndexFromPath(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load image index: %w", err)
+	}
+
+	idxm, err := idx.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get digest: %w", err)
+	}
+	idxDigest := idxm.Manifests[0].Digest
+
+	mfs, err := idx.ImageIndex(idxDigest)
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract ImageIndex for digest %s: %w", idxDigest.String(), err)
+	}
+	return ExtractStatementsFromIndex(mfs, mediaType)
+}
--- a/internal/test/test_test.go
+++ b/internal/test/test_test.go
@@ -0,0 +1,23 @@
+package test
+
+import (
+	"path/filepath"
+	"testing"
+
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/stretchr/testify/assert"
+)
+
+var (
+	UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
+)
+
+const (
+	ExpectedStatements = 4
+)
+
+func TestExtractAnnotatedStatements(t *testing.T) {
+	statements, err := ExtractAnnotatedStatements(UnsignedTestImage, intoto.PayloadType)
+	assert.NoError(t, err)
+	assert.Equalf(t, len(statements), ExpectedStatements, "expected %d statement, got %d", ExpectedStatements, len(statements))
+}
--- a/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38
+++ b/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3","sig":"3044022039b56cd2e3597df74e57d200a652ba020cdc9a8cd050bd65b5f8e2640d50691d02205e073e4b6fc260acc64327a331e4440601af5b1cbff594ea91cf7b70d5828fb1"}],"signed":{"_type":"snapshot","expires":"2034-04-03T15:59:47Z","meta":{"targets.json":{"version":5},"test-role.json":{"version":3}},"spec_version":"1.0.31","version":6}}
--- a/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950
+++ b/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3","sig":"3045022011f2afa9b448fcbbac983c11fc3e264e95d5d7a9c9527b09d83a316ee762635f022100d05197a78ccc7a713ebdb0bccb44844f67a7c5208af8d346e201064b7ce11055"}],"signed":{"_type":"timestamp","expires":"2034-04-03T15:59:47Z","meta":{"snapshot.json":{"version":6}},"spec_version":"1.0.31","version":6}}
--- a/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/a152e59e7b58a3a1ec718192b07fbf630d2fe2d80a6f1a9dc09e1321cbd338a7
+++ b/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/a152e59e7b58a3a1ec718192b07fbf630d2fe2d80a6f1a9dc09e1321cbd338a7
@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:ad4cacc170229608305ffccd8d09eeb59578fcb72ae394763cf7ef492175b1ee"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2607,"digest":"sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2200,"digest":"sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":410,"digest":"sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","annotations":{"tuf.io/filename":"6.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1683,"digest":"sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","annotations":{"tuf.io/filename":"5.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950","annotations":{"tuf.io/filename":"timestamp.json"}}]}
--- a/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87
+++ b/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","sig":"3066023100e99acc5f74777ebf40376b60f0216e8fe1829c1a49a5f6a6899126c15de1df7a56533baf493b2b53159c50843a289102023100b6a006b24da62ea0b743fbe38e1497ff485bf3a0833894985fc27a0305ad0693eeb968a7b52723ed3c49af8bef2027b6"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"30440220136debcc2f60dd1d63c9c2704f9b13c2cb2f5d2df58ea93f07f7c10f54f36742022059d7f8c6620e33506c6f1766394a32f86c9b008328f6398831ba7ebcf4ce0838"}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-04-03T08:45:50Z","keys":{"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":{"root":{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"snapshot":{"keyids":["198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"timestamp":{"keyids":["198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
--- a/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/a744a2f1e62ae4ce410822b5e3f5508dbaf6a76768a9d23741828172bab1dc97
+++ b/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/a744a2f1e62ae4ce410822b5e3f5508dbaf6a76768a9d23741828172bab1dc97
@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:c927b30f17fa8c64e3c20b8f92b7e348733f9c1281b5b7e6b6d669a8a74230a7"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2200,"digest":"sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2607,"digest":"sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":410,"digest":"sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","annotations":{"tuf.io/filename":"6.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1683,"digest":"sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","annotations":{"tuf.io/filename":"5.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950","annotations":{"tuf.io/filename":"timestamp.json"}}]}
--- a/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/ad4cacc170229608305ffccd8d09eeb59578fcb72ae394763cf7ef492175b1ee
+++ b/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/ad4cacc170229608305ffccd8d09eeb59578fcb72ae394763cf7ef492175b1ee
@@ -1 +0,0 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950"]},"config":{}}
--- a/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/c927b30f17fa8c64e3c20b8f92b7e348733f9c1281b5b7e6b6d669a8a74230a7
+++ b/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/c927b30f17fa8c64e3c20b8f92b7e348733f9c1281b5b7e6b6d669a8a74230a7
@@ -1 +0,0 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950"]},"config":{}}
--- a/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260
+++ b/internal/test/testdata/test-repo-oci/metadata/blobs/sha256/ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","sig":""},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"3046022100f892a496c9bd96082e3b06d5eae85429355876b8eb455aa04b53ab9051911d90022100a3e89c29b15bccfc2877278c0fb2d3b34500da6351e245ad0b3f8c0ae6b67eff"}],"signed":{"_type":"targets","delegations":{"keys":{"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":[{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-04-03T15:28:29Z","spec_version":"1.0.31","targets":{"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31}},"version":5,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
--- a/internal/test/testdata/test-repo-oci/metadata/test-role/blobs/sha256/2b2d4fba192ec164e05e6d90399c5cf4a45e4fe2ddebb9066c55aa2bcf0a73d3
+++ b/internal/test/testdata/test-repo-oci/metadata/test-role/blobs/sha256/2b2d4fba192ec164e05e6d90399c5cf4a45e4fe2ddebb9066c55aa2bcf0a73d3
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","sig":""},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"3044022015b6ebe9d30895e3be20e707a6738e38460197d90cae3dc37527ddb7c437868602207f85f3d4e068bef4c51a749f5d166cc7fe2cb9483999ea197e72395081c3aa61"}],"signed":{"_type":"targets","expires":"2034-04-03T15:39:02Z","spec_version":"1.0.31","targets":{"test-role/dir1/dir2/dir3/myfile.txt":{"hashes":{"sha256":"ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1"},"length":10},"test-role/test.txt":{"hashes":{"sha256":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"},"length":32}},"version":3,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
--- a/internal/test/testdata/test-repo-oci/metadata/test-role/blobs/sha256/7c8d8f5dfca62068e3a4b18bb41cf85dad23ec9cdc7d7d2e10bc37b86ebffff5
+++ b/internal/test/testdata/test-repo-oci/metadata/test-role/blobs/sha256/7c8d8f5dfca62068e3a4b18bb41cf85dad23ec9cdc7d7d2e10bc37b86ebffff5
@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:9edf24c022c2cd6796e87f49ec6a6ea2fad3e7c939c32a8219aaa4726792457c"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":764,"digest":"sha256:2b2d4fba192ec164e05e6d90399c5cf4a45e4fe2ddebb9066c55aa2bcf0a73d3","annotations":{"tuf.io/filename":"3.test-role.json"}}]}
--- a/internal/test/testdata/test-repo-oci/targets/test-role/blobs/sha256/8d320e9d3f3663613df6e4fca1651604a6c0323011023145a140b38f02105b04
+++ b/internal/test/testdata/test-repo-oci/targets/test-role/blobs/sha256/8d320e9d3f3663613df6e4fca1651604a6c0323011023145a140b38f02105b04
@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:0b6b8fdb10421310b9aca2f1fb6ce51537baa243fb9fccca03f2ff3c15fb52f8"},"layers":[{"mediaType":"application/vnd.tuf.target","size":10,"digest":"sha256:ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1","annotations":{"tuf.io/filename":"ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1.myfile.txt"}}]}
--- a/internal/test/testdata/test-repo-oci/targets/test-role/blobs/sha256/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1
+++ b/internal/test/testdata/test-repo-oci/targets/test-role/blobs/sha256/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1
@@ -1 +0,0 @@
-hello tuf
--- a/internal/test/testdata/test-repo-oci/targets/test-role/index.json
+++ b/internal/test/testdata/test-repo-oci/targets/test-role/index.json
@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":495,"digest":"sha256:8d320e9d3f3663613df6e4fca1651604a6c0323011023145a140b38f02105b04","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1.myfile.txt"}},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}
--- a/internal/test/testdata/test-repo/metadata/3.test-role.json
+++ b/internal/test/testdata/test-repo/metadata/3.test-role.json
@@ -1,34 +0,0 @@
-{
- "signatures": [
-  {
-   "keyid": "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-   "sig": ""
-  },
-  {
-   "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
-   "sig": "3044022015b6ebe9d30895e3be20e707a6738e38460197d90cae3dc37527ddb7c437868602207f85f3d4e068bef4c51a749f5d166cc7fe2cb9483999ea197e72395081c3aa61"
-  }
- ],
- "signed": {
-  "_type": "targets",
-  "expires": "2034-04-03T15:39:02Z",
-  "spec_version": "1.0.31",
-  "targets": {
-   "test-role/dir1/dir2/dir3/myfile.txt": {
-    "hashes": {
-     "sha256": "ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1"
-    },
-    "length": 10
-   },
-   "test-role/test.txt": {
-    "hashes": {
-     "sha256": "d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"
-    },
-    "length": 32
-   }
-  },
-  "version": 3,
-  "x-tuf-on-ci-expiry-period": 3650,
-  "x-tuf-on-ci-signing-period": 60
- }
-}
--- a/internal/test/testdata/test-repo/metadata/5.targets.json
+++ b/internal/test/testdata/test-repo/metadata/5.targets.json
@@ -1,65 +0,0 @@
-{
- "signatures": [
-  {
-   "keyid": "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-   "sig": ""
-  },
-  {
-   "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
-   "sig": "3046022100f892a496c9bd96082e3b06d5eae85429355876b8eb455aa04b53ab9051911d90022100a3e89c29b15bccfc2877278c0fb2d3b34500da6351e245ad0b3f8c0ae6b67eff"
-  }
- ],
- "signed": {
-  "_type": "targets",
-  "delegations": {
-   "keys": {
-    "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
-     "keytype": "ecdsa",
-     "keyval": {
-      "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
-     },
-     "scheme": "ecdsa-sha2-nistp256",
-     "x-tuf-on-ci-keyowner": "@kipz"
-    },
-    "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09": {
-     "keytype": "ecdsa",
-     "keyval": {
-      "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
-     },
-     "scheme": "ecdsa-sha2-nistp384",
-     "x-tuf-on-ci-keyowner": "@mrjoelkamp"
-    }
-   },
-   "roles": [
-    {
-     "keyids": [
-      "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-      "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
-     ],
-     "name": "test-role",
-     "paths": [
-      "test-role/*",
-      "test-role/*/*",
-      "test-role/*/*/*",
-      "test-role/*/*/*/*"
-     ],
-     "terminating": true,
-     "threshold": 1
-    }
-   ]
-  },
-  "expires": "2034-04-03T15:28:29Z",
-  "spec_version": "1.0.31",
-  "targets": {
-   "test.txt": {
-    "hashes": {
-     "sha256": "02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"
-    },
-    "length": 31
-   }
-  },
-  "version": 5,
-  "x-tuf-on-ci-expiry-period": 3650,
-  "x-tuf-on-ci-signing-period": 60
- }
-}
--- a/internal/test/testdata/test-repo/metadata/6.snapshot.json
+++ b/internal/test/testdata/test-repo/metadata/6.snapshot.json
@@ -1,22 +0,0 @@
-{
- "signatures": [
-  {
-   "keyid": "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3",
-   "sig": "3044022039b56cd2e3597df74e57d200a652ba020cdc9a8cd050bd65b5f8e2640d50691d02205e073e4b6fc260acc64327a331e4440601af5b1cbff594ea91cf7b70d5828fb1"
-  }
- ],
- "signed": {
-  "_type": "snapshot",
-  "expires": "2034-04-03T15:59:47Z",
-  "meta": {
-   "targets.json": {
-    "version": 5
-   },
-   "test-role.json": {
-    "version": 3
-   }
-  },
-  "spec_version": "1.0.31",
-  "version": 6
- }
-}
--- a/internal/test/testdata/test-repo/metadata/timestamp.json
+++ b/internal/test/testdata/test-repo/metadata/timestamp.json
@@ -1,19 +0,0 @@
-{
- "signatures": [
-  {
-   "keyid": "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3",
-   "sig": "3045022011f2afa9b448fcbbac983c11fc3e264e95d5d7a9c9527b09d83a316ee762635f022100d05197a78ccc7a713ebdb0bccb44844f67a7c5208af8d346e201064b7ce11055"
-  }
- ],
- "signed": {
-  "_type": "timestamp",
-  "expires": "2034-04-03T15:59:47Z",
-  "meta": {
-   "snapshot.json": {
-    "version": 6
-   }
-  },
-  "spec_version": "1.0.31",
-  "version": 6
- }
-}
--- a/internal/test/testdata/test-repo/targets/test-role/dir1/dir2/dir3/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1.myfile.txt
+++ b/internal/test/testdata/test-repo/targets/test-role/dir1/dir2/dir3/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1.myfile.txt
@@ -1 +0,0 @@
-hello tuf
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -5,9 +5,11 @@ import (
 	"encoding/hex"
 )

-func HexHashBytes(input []byte) string {
-	s256 := sha256.New()
-	s256.Write(input)
-	hashSum := s256.Sum(nil)
-	return hex.EncodeToString(hashSum)
+func SHA256Hex(input []byte) string {
+	return hex.EncodeToString(SHA256(input))
+}
+
+func SHA256(data []byte) []byte {
+	h := sha256.Sum256(data)
+	return h[:]
 }
--- a/pkg/attest/example_sign_test.go
+++ b/pkg/attest/example_sign_test.go
@@ -0,0 +1,77 @@
+package attest_test
+
+import (
+	"context"
+
+	"github.com/docker/attest/pkg/attest"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/mirror"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/pkg/signerverifier"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/empty"
+	"github.com/google/go-containerregistry/pkg/v1/mutate"
+)
+
+func ExampleSignStatements_remote() {
+	// configure signerverifier
+	// local signer (unsafe for production)
+	signer, err := signerverifier.GenKeyPair()
+	if err != nil {
+		panic(err)
+	}
+	// example using AWS KMS signer
+	// aws_arn := "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
+	// aws_region := "us-west-2"
+	// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)
+
+	// configure signing options
+	opts := &attestation.SigningOptions{
+		SkipTL: true, // skip trust logging to a transparency log
+	}
+
+	// load image index with unsigned attestation-manifests
+	ref := "docker/image-signer-verifier:latest"
+	attIdx, err := oci.IndexFromRemote(ref)
+	if err != nil {
+		panic(err)
+	}
+	// example for local image index
+	// path := "/myimage"
+	// attIdx, err = oci.IndexFromPath(path)
+	// if err != nil {
+	// 	panic(err)
+	// }
+
+	// sign all attestations in an image index
+	signedManifests, err := attest.SignStatements(context.Background(), attIdx.Index, signer, opts)
+	if err != nil {
+		panic(err)
+	}
+	signedIndex := attIdx.Index
+	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
+	if err != nil {
+		panic(err)
+	}
+
+	// push image index with signed attestation-manifests
+	err = mirror.PushIndexToRegistry(signedIndex, ref)
+	if err != nil {
+		panic(err)
+	}
+	// output image index to filesystem (optional)
+	path := "/myimage"
+	idx := v1.ImageIndex(empty.Index)
+	idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
+		Add: signedIndex,
+		Descriptor: v1.Descriptor{
+			Annotations: map[string]string{
+				oci.OciReferenceTarget: attIdx.Name,
+			},
+		},
+	})
+	err = mirror.SaveIndexAsOCILayout(idx, path)
+	if err != nil {
+		panic(err)
+	}
+}
--- a/pkg/attest/example_verify_test.go
+++ b/pkg/attest/example_verify_test.go
@@ -0,0 +1,68 @@
+package attest_test
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/attest/internal/embed"
+	"github.com/docker/attest/pkg/attest"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/pkg/tuf"
+)
+
+func createTufClient(outputPath string) (*tuf.TufClient, error) {
+	// using oci tuf metadata and targets
+	metadataURI := "registry-1.docker.io/docker/tuf-metadata:latest"
+	targetsURI := "registry-1.docker.io/docker/tuf-targets"
+	// example using http tuf metadata and targets
+	// metadataURI := "https://docker.github.io/tuf-staging/metadata"
+	// targetsURI := "https://docker.github.io/tuf-staging/targets"
+
+	return tuf.NewTufClient(embed.RootStaging.Data, outputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
+}
+
+func ExampleVerify_remote() {
+	// create a tuf client
+	home, err := os.UserHomeDir()
+	if err != nil {
+		panic(err)
+	}
+	tufOutputPath := filepath.Join(home, ".docker", "tuf")
+	tufClient, err := createTufClient(tufOutputPath)
+	if err != nil {
+		panic(err)
+	}
+
+	// create a resolver for remote attestations
+	image := "registry-1.docker.io/library/notary:server"
+	platform := "linux/amd64"
+
+	// configure policy options
+	opts := &policy.PolicyOptions{
+		TufClient:       tufClient,
+		LocalTargetsDir: filepath.Join(home, ".docker", "policy"), // location to store policy files downloaded from TUF
+		LocalPolicyDir:  "",                                       // overrides TUF policy for local policy files if set
+		PolicyId:        "",                                       // set to ignore policy mapping and select a policy by id
+	}
+
+	// verify attestations
+	src, err := oci.ParseImageSpec(image, oci.WithPlatform(platform))
+	if err != nil {
+		panic(err)
+	}
+	result, err := attest.Verify(context.Background(), src, opts)
+	if err != nil {
+		panic(err)
+	}
+	switch result.Outcome {
+	case attest.OutcomeSuccess:
+		fmt.Println("policy passed")
+	case attest.OutcomeNoPolicy:
+		fmt.Println("no policy for image")
+	case attest.OutcomeFailure:
+		fmt.Println("policy failed")
+	}
+}
--- a/pkg/attest/sign.go
+++ b/pkg/attest/sign.go
@@ -0,0 +1,29 @@
+package attest
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/attest/pkg/attestation"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+// this is only relevant if there are (unsigned) in-toto statements
+func SignStatements(ctx context.Context, idx v1.ImageIndex, signer dsse.SignerVerifier, opts *attestation.SigningOptions) ([]*attestation.AttestationManifest, error) {
+	// extract attestation manifests from index
+	attestationManifests, err := attestation.GetAttestationManifestsFromIndex(idx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load attestation manifests from index: %w", err)
+	}
+	// sign every attestation layer in each manifest
+	for _, manifest := range attestationManifests {
+		for _, layer := range manifest.OriginalLayers {
+			err = manifest.AddAttestation(ctx, signer, layer.Statement, opts)
+			if err != nil {
+				return nil, fmt.Errorf("failed to sign attestation layer %w", err)
+			}
+		}
+	}
+	return attestationManifests, nil
+}
--- a/pkg/attest/sign_test.go
+++ b/pkg/attest/sign_test.go
@@ -0,0 +1,246 @@
+package attest
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http/httptest"
+	"net/url"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/mirror"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/pkg/policy"
+	"github.com/google/go-containerregistry/pkg/registry"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/empty"
+	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/google/go-containerregistry/pkg/v1/mutate"
+	"github.com/google/go-containerregistry/pkg/v1/static"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	UnsignedTestImage   = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
+	NoProvenanceImage   = filepath.Join("..", "..", "test", "testdata", "no-provenance-image")
+	PassPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-pass")
+	PassMirrorPolicyDir = filepath.Join("..", "..", "test", "testdata", "local-policy-mirror")
+	PassNoTLPolicyDir   = filepath.Join("..", "..", "test", "testdata", "local-policy-no-tl")
+	FailPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-fail")
+	TestTempDir         = "attest-sign-test"
+)
+
+func TestSignVerifyOCILayout(t *testing.T) {
+	ctx, signer := test.Setup(t)
+
+	testCases := []struct {
+		name                 string
+		TestImage            string
+		expectedStatements   int
+		expectedAttestations int
+		replace              bool
+	}{
+		{"signed replaced", UnsignedTestImage, 0, 4, true},
+		{"without replace", UnsignedTestImage, 4, 4, false},
+		// image without provenance doesn't fail
+		{"no provenance (replace)", NoProvenanceImage, 0, 2, true},
+		{"no provenance (no replace)", NoProvenanceImage, 2, 2, false},
+	}
+	policyOpts := &policy.PolicyOptions{
+		LocalPolicyDir: PassPolicyDir,
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			outputLayout := test.CreateTempDir(t, "", TestTempDir)
+			opts := &attestation.SigningOptions{}
+			attIdx, err := oci.IndexFromPath(tc.TestImage)
+			require.NoError(t, err)
+			signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
+			require.NoError(t, err)
+			signedIndex := attIdx.Index
+			signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(tc.replace))
+			require.NoError(t, err)
+			// output signed attestations
+			idx := v1.ImageIndex(empty.Index)
+			idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
+				Add: signedIndex,
+				Descriptor: v1.Descriptor{
+					Annotations: map[string]string{
+						oci.OciReferenceTarget: attIdx.Name,
+					},
+				},
+			})
+			_, err = layout.Write(outputLayout, idx)
+			require.NoError(t, err)
+			src, err := oci.ParseImageSpec("oci://" + outputLayout)
+			require.NoError(t, err)
+			policy, err := Verify(ctx, src, policyOpts)
+			require.NoError(t, err)
+			assert.Equalf(t, OutcomeSuccess, policy.Outcome, "Policy should have been found")
+
+			var allEnvelopes []*test.AnnotatedStatement
+			for _, predicate := range []string{intoto.PredicateSPDX, v02.PredicateSLSAProvenance, attestation.VSAPredicateType} {
+				mt, _ := attestation.DSSEMediaType(predicate)
+				statements, err := test.ExtractAnnotatedStatements(outputLayout, mt)
+				require.NoError(t, err)
+				allEnvelopes = append(allEnvelopes, statements...)
+
+				for _, stmt := range statements {
+					assert.Equalf(t, predicate, stmt.Annotations[attestation.InTotoPredicateType], "expected predicate-type annotation to be set to %s, got %s", predicate, stmt.Annotations[attestation.InTotoPredicateType])
+					assert.Equalf(t, attestation.LifecycleStageExperimental, stmt.Annotations[attestation.InTotoReferenceLifecycleStage], "expected reference lifecycle stage annotation to be set to %s, got %s", attestation.LifecycleStageExperimental, stmt.Annotations[attestation.InTotoReferenceLifecycleStage])
+				}
+			}
+			assert.Equalf(t, tc.expectedAttestations, len(allEnvelopes), "expected %d attestations, got %d", tc.expectedAttestations, len(allEnvelopes))
+			statements, err := test.ExtractAnnotatedStatements(outputLayout, intoto.PayloadType)
+			require.NoError(t, err)
+			assert.Equalf(t, tc.expectedStatements, len(statements), "expected %d statement, got %d", tc.expectedStatements, len(statements))
+		})
+	}
+}
+
+func TestAddSignedLayerAnnotations(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	testCases := []struct {
+		name    string
+		replace bool
+	}{
+		{"replaced", true},
+		{"not replaced", false},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			data := []byte("signed")
+			testLayer := static.NewLayer(data, types.MediaType(intoto.PayloadType))
+			mediaType := types.OCIManifestSchema1
+			opts := &attestation.SigningOptions{}
+			originalLayer := &attestation.AttestationLayer{
+				Layer: testLayer,
+				Statement: &intoto.Statement{
+					StatementHeader: intoto.StatementHeader{
+						PredicateType: attestation.VSAPredicateType,
+					},
+				},
+				Annotations: map[string]string{"test": "test"},
+			}
+
+			manifest := &attestation.AttestationManifest{
+				OriginalDescriptor: &v1.Descriptor{
+					MediaType: mediaType,
+				},
+				OriginalLayers: []*attestation.AttestationLayer{
+					originalLayer,
+				},
+				SubjectDescriptor: &v1.Descriptor{},
+			}
+			err := manifest.AddAttestation(ctx, signer, originalLayer.Statement, opts)
+			require.NoError(t, err)
+
+			newImg, err := manifest.BuildAttestationImage(attestation.WithReplacedLayers(tc.replace))
+			require.NoError(t, err)
+			mf, _ := newImg.RawManifest()
+			type Annotations struct {
+				Annotations map[string]string `json:"annotations"`
+			}
+			type Layers struct {
+				Layers []Annotations `json:"layers"`
+			}
+			l := &Layers{}
+			err = json.Unmarshal(mf, l)
+			require.NoError(t, err)
+			_, ok := l.Layers[0].Annotations["test"]
+			assert.Truef(t, ok, "missing annotations")
+		})
+	}
+}
+
+func TestSimpleStatementSigning(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	empty := types.MediaType("application/vnd.oci.empty.v1+json")
+	testCases := []struct {
+		name    string
+		replace bool
+	}{
+		{"replaced", true},
+		{"not replaced", false},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			opts := &attestation.SigningOptions{}
+			statement := &intoto.Statement{
+				StatementHeader: intoto.StatementHeader{
+					PredicateType: attestation.VSAPredicateType,
+				},
+			}
+			statement2 := &intoto.Statement{
+				StatementHeader: intoto.StatementHeader{
+					PredicateType: attestation.VSAPredicateType,
+				},
+			}
+			digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
+			require.NoError(t, err)
+			subject := &v1.Descriptor{
+				MediaType: "application/vnd.oci.image.manifest.v1+json",
+				Digest:    digest,
+			}
+			manifest, err := NewAttestationManifest(subject)
+			require.NoError(t, err)
+			err = manifest.AddAttestation(ctx, signer, statement, opts)
+			require.NoError(t, err)
+
+			err = manifest.AddAttestation(ctx, signer, statement2, opts)
+			require.NoError(t, err)
+
+			// fake that the manfifest was loaded from a real image
+			manifest.OriginalLayers = manifest.SignedLayers
+			envelopes, err := oci.ExtractEnvelopes(manifest, attestation.VSAPredicateType)
+			require.NoError(t, err)
+			assert.Len(t, envelopes, 2)
+
+			newImg, err := manifest.BuildAttestationImage(attestation.WithReplacedLayers(tc.replace))
+			require.NoError(t, err)
+			layers, err := newImg.Layers()
+			require.NoError(t, err)
+			if tc.replace {
+				assert.Len(t, layers, 2)
+			} else {
+				assert.Len(t, layers, 4)
+			}
+
+			newImgs, err := manifest.BuildReferringArtifacts()
+			require.NoError(t, err)
+			assert.Len(t, newImgs, 2)
+			for _, img := range newImgs {
+				mf, err := img.Manifest()
+				require.NoError(t, err)
+				assert.Contains(t, mf.ArtifactType, "application/vnd.in-toto")
+				assert.Contains(t, mf.ArtifactType, "+dsse")
+				assert.Equal(t, subject.MediaType, mf.MediaType)
+				assert.Equal(t, empty, mf.Config.MediaType)
+				assert.Equal(t, int64(2), mf.Config.Size)
+				assert.Equal(t, "{}", string(mf.Config.Data))
+				layers, err := img.Layers()
+				require.NoError(t, err)
+				assert.Len(t, layers, 1)
+			}
+			server := httptest.NewServer(registry.New(registry.WithReferrersSupport(true)))
+			defer server.Close()
+
+			u, err := url.Parse(server.URL)
+			require.NoError(t, err)
+
+			indexName := fmt.Sprintf("%s/repo:root", u.Host)
+			output, err := oci.ParseImageSpecs(indexName)
+			require.NoError(t, err)
+			err = mirror.SaveReferrers(manifest, output)
+			require.NoError(t, err)
+		})
+	}
+}
--- a/pkg/attest/types.go
+++ b/pkg/attest/types.go
@@ -0,0 +1,37 @@
+package attest
+
+import (
+	"fmt"
+
+	"github.com/docker/attest/pkg/policy"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+)
+
+type Outcome string
+
+const (
+	OutcomeSuccess  Outcome = "success"
+	OutcomeFailure  Outcome = "failure"
+	OutcomeNoPolicy Outcome = "no_policy"
+)
+
+func (o Outcome) StringForVSA() (string, error) {
+	switch o {
+	case OutcomeSuccess:
+		return "PASSED", nil
+	case OutcomeFailure:
+		return "FAILED", nil
+	default:
+		return "", fmt.Errorf("unknown outcome: %s", o)
+	}
+}
+
+type VerificationResult struct {
+	Outcome           Outcome
+	Policy            *policy.Policy
+	Input             *policy.PolicyInput
+	VSA               *intoto.Statement
+	Violations        []policy.Violation
+	SubjectDescriptor *v1.Descriptor
+}
--- a/pkg/attest/verify.go
+++ b/pkg/attest/verify.go
@@ -0,0 +1,176 @@
+package attest
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/distribution/reference"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/config"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/pkg/policy"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+)
+
+func Verify(ctx context.Context, src *oci.ImageSpec, opts *policy.PolicyOptions) (result *VerificationResult, err error) {
+	// so that we can resolve mapping from the image name earlier
+	detailsResolver, err := policy.CreateImageDetailsResolver(src)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create image details resolver: %w", err)
+	}
+	if opts.AttestationStyle == "" {
+		opts.AttestationStyle = config.AttestationStyleReferrers
+	}
+	if opts.ReferrersRepo != "" && opts.AttestationStyle != config.AttestationStyleReferrers {
+		return nil, fmt.Errorf("referrers repo specified but attestation source not set to referrers")
+	}
+	pctx, err := policy.ResolvePolicy(ctx, detailsResolver, opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve policy: %w", err)
+	}
+
+	if pctx == nil {
+		return &VerificationResult{
+			Outcome: OutcomeNoPolicy,
+		}, nil
+	}
+	// this is overriding the mapping with a referrers config. Useful for testing if nothing else
+	if opts.ReferrersRepo != "" {
+		pctx.Mapping.Attestations = &config.AttestationConfig{
+			Repo:  opts.ReferrersRepo,
+			Style: config.AttestationStyleReferrers,
+		}
+	} else if opts.AttestationStyle == config.AttestationStyleAttached {
+		pctx.Mapping.Attestations = &config.AttestationConfig{
+			Repo:  opts.ReferrersRepo,
+			Style: config.AttestationStyleAttached,
+		}
+	}
+	// because we have a mapping now, we can select a resolver based on its contents (ie. referrers or attached)
+	resolver, err := policy.CreateAttestationResolver(detailsResolver, pctx.Mapping)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create attestation resolver: %w", err)
+	}
+	result, err = VerifyAttestations(ctx, resolver, pctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to evaluate policy: %w", err)
+	}
+	return result, nil
+}
+
+func toVerificationResult(p *policy.Policy, input *policy.PolicyInput, result *policy.Result) (*VerificationResult, error) {
+	dgst, err := oci.SplitDigest(input.Digest)
+	if err != nil {
+		return nil, fmt.Errorf("failed to split digest: %w", err)
+	}
+	subject := intoto.Subject{
+		Name:   input.Purl,
+		Digest: dgst,
+	}
+	resourceUri, err := attestation.ToVSAResourceURI(subject)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create resource uri: %w", err)
+	}
+
+	var outcome Outcome
+	if result.Success {
+		outcome = OutcomeSuccess
+	} else {
+		outcome = OutcomeFailure
+	}
+
+	outcomeStr, err := outcome.StringForVSA()
+	if err != nil {
+		return nil, err
+	}
+
+	return &VerificationResult{
+		Policy:     p,
+		Outcome:    outcome,
+		Violations: result.Violations,
+		Input:      input,
+		VSA: &intoto.Statement{
+			StatementHeader: intoto.StatementHeader{
+				PredicateType: attestation.VSAPredicateType,
+				Type:          intoto.StatementInTotoV01,
+				Subject:       result.Summary.Subjects,
+			},
+			Predicate: attestation.VSAPredicate{
+				Verifier: attestation.VSAVerifier{
+					ID: result.Summary.Verifier,
+				},
+				TimeVerified:       time.Now().UTC().Format(time.RFC3339),
+				ResourceUri:        resourceUri,
+				Policy:             attestation.VSAPolicy{URI: result.Summary.PolicyURI},
+				VerificationResult: outcomeStr,
+				VerifiedLevels:     result.Summary.SLSALevels,
+			},
+		},
+	}, nil
+}
+
+func VerifyAttestations(ctx context.Context, resolver oci.AttestationResolver, pctx *policy.Policy) (*VerificationResult, error) {
+	desc, err := resolver.ImageDescriptor(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get image descriptor: %w", err)
+	}
+	digest := desc.Digest.String()
+	name, err := resolver.ImageName(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get image name: %w", err)
+	}
+	platform, err := resolver.ImagePlatform(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if pctx.ResolvedName != "" {
+		// this means the name we have is not the one we want to use for policy evaluation
+		// so we need to replace it with the one we resolved during policy resolution.
+		// this can happen if the name is an alias for another image, e.g. if it is a mirror
+		ref, err := reference.ParseNormalizedNamed(name)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse image name: %w", err)
+		}
+		oldName := ref.Name()
+		name = strings.Replace(name, oldName, pctx.ResolvedName, 1)
+	}
+
+	purl, canonical, err := oci.RefToPURL(name, platform)
+	if err != nil {
+		return nil, fmt.Errorf("failed to convert ref to purl: %w", err)
+	}
+	input := &policy.PolicyInput{
+		Digest:      digest,
+		Purl:        purl,
+		IsCanonical: canonical,
+	}
+
+	evaluator, err := policy.GetPolicyEvaluator(ctx)
+	if err != nil {
+		return nil, err
+	}
+	result, err := evaluator.Evaluate(ctx, resolver, pctx, input)
+	if err != nil {
+		return nil, fmt.Errorf("policy evaluation failed: %w", err)
+	}
+	verificationResult, err := toVerificationResult(pctx, input, result)
+	if err != nil {
+		return nil, fmt.Errorf("failed to convert to policy result: %w", err)
+	}
+	verificationResult.SubjectDescriptor = desc
+	return verificationResult, nil
+}
+
+func NewAttestationManifest(subject *v1.Descriptor) (*attestation.AttestationManifest, error) {
+	return &attestation.AttestationManifest{
+		OriginalDescriptor: &v1.Descriptor{
+			MediaType: "application/vnd.oci.image.manifest.v1+json",
+		},
+		OriginalLayers:    []*attestation.AttestationLayer{},
+		SubjectDescriptor: subject,
+	}, nil
+}
--- a/pkg/attest/verify_test.go
+++ b/pkg/attest/verify_test.go
@@ -0,0 +1,259 @@
+package attest
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/pkg/policy"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/empty"
+	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/google/go-containerregistry/pkg/v1/mutate"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	ExampleAttestation = filepath.Join("..", "..", "test", "testdata", "example_attestation.json")
+)
+
+const (
+	LinuxAMD64 = "linux/amd64"
+)
+
+func TestVerifyAttestations(t *testing.T) {
+	ex, err := os.ReadFile(ExampleAttestation)
+	assert.NoError(t, err)
+
+	var env = new(attestation.Envelope)
+	err = json.Unmarshal(ex, env)
+	assert.NoError(t, err)
+	resolver := &test.MockResolver{
+		Envs: []*attestation.Envelope{env},
+	}
+
+	testCases := []struct {
+		name                  string
+		policyEvaluationError error
+		expectedError         error
+	}{
+		{"policy ok", nil, nil},
+		{"policy error", fmt.Errorf("policy error"), fmt.Errorf("policy evaluation failed: policy error")},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+
+			mockPE := policy.MockPolicyEvaluator{
+				EvaluateFunc: func(ctx context.Context, resolver oci.AttestationResolver, pctx *policy.Policy, input *policy.PolicyInput) (*policy.Result, error) {
+					return policy.AllowedResult(), tc.policyEvaluationError
+				},
+			}
+
+			ctx := policy.WithPolicyEvaluator(context.Background(), &mockPE)
+			_, err := VerifyAttestations(ctx, resolver, &policy.Policy{ResolvedName: ""})
+			if tc.expectedError != nil {
+				if assert.Error(t, err) {
+					assert.Equal(t, tc.expectedError.Error(), err.Error())
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestVSA(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	ctx = policy.WithPolicyEvaluator(ctx, policy.NewRegoEvaluator(true))
+	// setup an image with signed attestations
+	outputLayout := test.CreateTempDir(t, "", TestTempDir)
+
+	opts := &attestation.SigningOptions{}
+	attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+	assert.NoError(t, err)
+	signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
+	require.NoError(t, err)
+	signedIndex := attIdx.Index
+	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
+	require.NoError(t, err)
+
+	// output signed attestations
+	idx := v1.ImageIndex(empty.Index)
+	idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
+		Add: signedIndex,
+		Descriptor: v1.Descriptor{
+			Annotations: map[string]string{
+				oci.OciReferenceTarget: attIdx.Name,
+			},
+		},
+	})
+	_, err = layout.Write(outputLayout, idx)
+	assert.NoError(t, err)
+
+	// mocked vsa query should pass
+	policyOpts := &policy.PolicyOptions{
+		LocalPolicyDir: PassPolicyDir,
+	}
+	src, err := oci.ParseImageSpec("oci://"+outputLayout, oci.WithPlatform(LinuxAMD64))
+	require.NoError(t, err)
+	results, err := Verify(ctx, src, policyOpts)
+	require.NoError(t, err)
+	assert.Equal(t, OutcomeSuccess, results.Outcome)
+	assert.Empty(t, results.Violations)
+
+	if assert.NotNil(t, results.Input) {
+		assert.Equal(t, "sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620", results.Input.Digest)
+		assert.False(t, results.Input.IsCanonical)
+	}
+
+	assert.Equal(t, intoto.StatementInTotoV01, results.VSA.Type)
+	assert.Equal(t, attestation.VSAPredicateType, results.VSA.PredicateType)
+	assert.Len(t, results.VSA.Subject, 1)
+
+	require.IsType(t, attestation.VSAPredicate{}, results.VSA.Predicate)
+	attestationPredicate := results.VSA.Predicate.(attestation.VSAPredicate)
+
+	assert.Equal(t, "PASSED", attestationPredicate.VerificationResult)
+	assert.Equal(t, "docker-official-images", attestationPredicate.Verifier.ID)
+	assert.Equal(t, []string{"SLSA_BUILD_LEVEL_3"}, attestationPredicate.VerifiedLevels)
+	assert.Equal(t, "https://docker.com/official/policy/v0.1", attestationPredicate.Policy.URI)
+}
+
+func TestVerificationFailure(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	ctx = policy.WithPolicyEvaluator(ctx, policy.NewRegoEvaluator(true))
+	// setup an image with signed attestations
+	outputLayout := test.CreateTempDir(t, "", TestTempDir)
+
+	opts := &attestation.SigningOptions{}
+	attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+	assert.NoError(t, err)
+	signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
+	require.NoError(t, err)
+	signedIndex := attIdx.Index
+	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
+	require.NoError(t, err)
+
+	// output signed attestations
+	idx := v1.ImageIndex(empty.Index)
+	idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
+		Add: signedIndex,
+		Descriptor: v1.Descriptor{
+			Annotations: map[string]string{
+				oci.OciReferenceTarget: attIdx.Name,
+			},
+		},
+	})
+	_, err = layout.Write(outputLayout, idx)
+	assert.NoError(t, err)
+
+	// mocked vsa query should fail
+	policyOpts := &policy.PolicyOptions{
+		LocalPolicyDir: FailPolicyDir,
+	}
+	src, err := oci.ParseImageSpec("oci://"+outputLayout, oci.WithPlatform(LinuxAMD64))
+	require.NoError(t, err)
+	results, err := Verify(ctx, src, policyOpts)
+	require.NoError(t, err)
+	assert.Equal(t, OutcomeFailure, results.Outcome)
+	assert.Len(t, results.Violations, 1)
+
+	violation := results.Violations[0]
+	assert.Equal(t, "missing_attestation", violation.Type)
+	assert.Equal(t, "Attestation missing for subject", violation.Description)
+	assert.Nil(t, violation.Attestation)
+
+	assert.Equal(t, intoto.StatementInTotoV01, results.VSA.Type)
+	assert.Equal(t, attestation.VSAPredicateType, results.VSA.PredicateType)
+	assert.Len(t, results.VSA.Subject, 1)
+
+	require.IsType(t, attestation.VSAPredicate{}, results.VSA.Predicate)
+	attestationPredicate := results.VSA.Predicate.(attestation.VSAPredicate)
+
+	assert.Equal(t, "FAILED", attestationPredicate.VerificationResult)
+	assert.Equal(t, "docker-official-images", attestationPredicate.Verifier.ID)
+	assert.Equal(t, []string{"SLSA_BUILD_LEVEL_3"}, attestationPredicate.VerifiedLevels)
+	assert.Equal(t, "https://docker.com/official/policy/v0.1", attestationPredicate.Policy.URI)
+}
+
+func TestSignVerify(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	ctx = policy.WithPolicyEvaluator(ctx, policy.NewRegoEvaluator(true))
+	// setup an image with signed attestations
+	outputLayout := test.CreateTempDir(t, "", TestTempDir)
+
+	testCases := []struct {
+		name        string
+		signTL      bool
+		policyDir   string
+		imageName   string
+		expectError bool
+	}{
+		{name: "happy path", signTL: true, policyDir: PassNoTLPolicyDir},
+		{name: "sign tl, verify no tl", signTL: true, policyDir: PassPolicyDir},
+		{name: "no tl", signTL: false, policyDir: PassPolicyDir},
+		{name: "mirror", signTL: true, policyDir: PassMirrorPolicyDir, imageName: "mirror.org/library/test-image:test"},
+		{name: "mirror no match", signTL: true, policyDir: PassMirrorPolicyDir, imageName: "incorrect.org/library/test-image:test", expectError: true},
+	}
+
+	attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+	assert.NoError(t, err)
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			opts := &attestation.SigningOptions{
+				SkipTL: tc.signTL,
+			}
+
+			signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
+			require.NoError(t, err)
+			signedIndex := attIdx.Index
+			signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
+			require.NoError(t, err)
+
+			imageName := tc.imageName
+			if imageName == "" {
+				imageName = attIdx.Name
+			}
+			// output signed attestations
+			idx := v1.ImageIndex(empty.Index)
+			idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
+				Add: signedIndex,
+				Descriptor: v1.Descriptor{
+					Annotations: map[string]string{
+						oci.OciReferenceTarget: imageName,
+					},
+				},
+			})
+			_, err = layout.Write(outputLayout, idx)
+			assert.NoError(t, err)
+
+			policyOpts := &policy.PolicyOptions{
+				LocalPolicyDir: tc.policyDir,
+			}
+			src, err := oci.ParseImageSpec("oci://"+outputLayout, oci.WithPlatform(LinuxAMD64))
+			require.NoError(t, err)
+			results, err := Verify(ctx, src, policyOpts)
+			if tc.expectError {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, OutcomeSuccess, results.Outcome)
+			platform, err := oci.ParsePlatform(LinuxAMD64)
+			require.NoError(t, err)
+			expectedPURL, _, err := oci.RefToPURL(attIdx.Name, platform)
+			require.NoError(t, err)
+			assert.Equal(t, expectedPURL, results.Input.Purl)
+		})
+	}
+}
--- a/pkg/attestation/attestation.go
+++ b/pkg/attestation/attestation.go
@@ -0,0 +1,324 @@
+package attestation
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"maps"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/empty"
+	"github.com/google/go-containerregistry/pkg/v1/match"
+	"github.com/google/go-containerregistry/pkg/v1/mutate"
+	"github.com/google/go-containerregistry/pkg/v1/partial"
+	"github.com/google/go-containerregistry/pkg/v1/static"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+// GetAttestationManifestsFromIndex extracts all attestation manifests from an index
+func GetAttestationManifestsFromIndex(index v1.ImageIndex) ([]*AttestationManifest, error) {
+	idx, err := index.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract IndexManifest from ImageIndex: %w", err)
+	}
+	subjects := make(map[string]*v1.Descriptor)
+	for _, subject := range idx.Manifests {
+		subjects[subject.Digest.String()] = &subject
+	}
+
+	var attestationManifests []*AttestationManifest
+	for _, desc := range idx.Manifests {
+		if desc.Annotations[DockerReferenceType] == AttestationManifestType {
+			subject := subjects[desc.Annotations[DockerReferenceDigest]]
+			if subject == nil {
+				return nil, fmt.Errorf("failed to find subject for attestation manifest: %w", err)
+			}
+			attestationImage, err := index.Image(desc.Digest)
+			if err != nil {
+				return nil, fmt.Errorf("failed to extract attestation image with digest %s: %w", desc.Digest.String(), err)
+			}
+			attestationLayers, err := GetAttestationsFromImage(attestationImage)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get attestations from image: %w", err)
+			}
+			attestationManifests = append(attestationManifests,
+				&AttestationManifest{
+					OriginalDescriptor: &desc,
+					SubjectDescriptor:  subject,
+					OriginalLayers:     attestationLayers})
+		}
+	}
+	return attestationManifests, nil
+}
+
+// GetAttestationsFromImage extracts all attestation layers from an image
+func GetAttestationsFromImage(image v1.Image) ([]*AttestationLayer, error) {
+	layers, err := image.Layers()
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract layers from image: %w", err)
+	}
+	var attestationLayers []*AttestationLayer
+	for _, layer := range layers {
+		// parse layer blob as json
+		r, err := layer.Uncompressed()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get layer contents: %w", err)
+		}
+		defer r.Close()
+		mt, err := layer.MediaType()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get layer media type: %w", err)
+		}
+		layerDesc, err := partial.Descriptor(layer)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get descriptor for layer: %w", err)
+		}
+		// copy original annotations
+		ann := maps.Clone(layerDesc.Annotations)
+		// only decode intoto statements
+		var stmt = new(intoto.Statement)
+		if mt == types.MediaType(intoto.PayloadType) {
+			err = json.NewDecoder(r).Decode(&stmt)
+			if err != nil {
+				return nil, fmt.Errorf("failed to decode statement layer contents: %w", err)
+			}
+		}
+		attestationLayers = append(attestationLayers, &AttestationLayer{Layer: layer, Statement: stmt, Annotations: ann})
+	}
+	return attestationLayers, nil
+}
+
+func (manifest *AttestationManifest) AddAttestation(ctx context.Context, signer dsse.SignerVerifier, statement *intoto.Statement, opts *SigningOptions) error {
+	layer, err := createSignedImageLayer(ctx, statement, signer, opts)
+	if err != nil {
+		return fmt.Errorf("failed to create signed layer: %w", err)
+	}
+	manifest.SignedLayers = append(manifest.SignedLayers, layer)
+	return nil
+}
+
+func createSignedImageLayer(ctx context.Context, statement *intoto.Statement, signer dsse.SignerVerifier, opts *SigningOptions) (*AttestationLayer, error) {
+	// sign the statement
+	env, err := SignInTotoStatement(ctx, statement, signer, opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign statement: %w", err)
+	}
+
+	mediaType, err := DSSEMediaType(statement.PredicateType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get DSSE media type: %w", err)
+	}
+	data, err := json.Marshal(env)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal envelope: %w", err)
+	}
+	return &AttestationLayer{
+		Statement: statement,
+		Annotations: map[string]string{
+			InTotoPredicateType:           statement.PredicateType,
+			InTotoReferenceLifecycleStage: LifecycleStageExperimental,
+		},
+		Layer: static.NewLayer(data, types.MediaType(mediaType)),
+	}, nil
+}
+
+func SignInTotoStatement(ctx context.Context, statement *intoto.Statement, signer dsse.SignerVerifier, opts *SigningOptions) (*Envelope, error) {
+	payload, err := json.Marshal(statement)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal statement: %w", err)
+	}
+	env, err := SignDSSE(ctx, payload, signer, opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign statement: %w", err)
+	}
+	return env, nil
+}
+
+func UpdateIndexImage(
+	idx v1.ImageIndex,
+	manifest *AttestationManifest,
+	options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
+	image, err := manifest.BuildAttestationImage(options...)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to build image: %w", err)
+	}
+	newDesc, err := partial.Descriptor(image)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get descriptor: %w", err)
+	}
+	newDesc.Platform = &v1.Platform{
+		Architecture: "unknown",
+		OS:           "unknown",
+	}
+	newDesc.MediaType = manifest.OriginalDescriptor.MediaType
+	newDesc.Annotations = manifest.OriginalDescriptor.Annotations
+	idx = mutate.RemoveManifests(idx, match.Digests(manifest.OriginalDescriptor.Digest))
+	idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
+		Add:        image,
+		Descriptor: *newDesc,
+	})
+	return idx, nil
+}
+
+func UpdateIndexImages(idx v1.ImageIndex, manifest []*AttestationManifest, options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
+	var err error
+	for _, m := range manifest {
+		idx, err = UpdateIndexImage(idx, m, options...)
+		if err != nil {
+			return nil, fmt.Errorf("failed to add image to index: %w", err)
+		}
+	}
+	return idx, nil
+}
+
+func newOptions(options ...func(*AttestationManifestImageOptions) error) (*AttestationManifestImageOptions, error) {
+	opts := &AttestationManifestImageOptions{}
+	for _, opt := range options {
+		err := opt(opts)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return opts, nil
+}
+
+func WithoutSubject(skipSubject bool) func(*AttestationManifestImageOptions) error {
+	return func(r *AttestationManifestImageOptions) error {
+		r.skipSubject = skipSubject
+		return nil
+	}
+}
+
+func WithReplacedLayers(replaceLayers bool) func(*AttestationManifestImageOptions) error {
+	return func(r *AttestationManifestImageOptions) error {
+		r.replaceLayers = replaceLayers
+		return nil
+	}
+}
+
+// build an image with signed attestations, optionally replacing existing layers with signed layers
+func (manifest *AttestationManifest) BuildAttestationImage(options ...func(*AttestationManifestImageOptions) error) (v1.Image, error) {
+	opts, err := newOptions(options...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create options: %w", err)
+	}
+	resultLayers := manifest.SignedLayers
+	for _, existingLayer := range manifest.OriginalLayers {
+		var found bool
+		for _, signedLayer := range manifest.SignedLayers {
+			if existingLayer.Statement == signedLayer.Statement {
+				found = true
+				// copy over original annotations
+				for k, v := range existingLayer.Annotations {
+					signedLayer.Annotations[k] = v
+				}
+				break
+			}
+		}
+		//add existing layers if they've not been signed or we're not replacing them
+		if !found || !opts.replaceLayers {
+			resultLayers = append(resultLayers, existingLayer)
+		}
+	}
+	// so taht we attach all attestations to a single attestations image - as per current buildkit
+	opts.laxReferrers = true
+	newImg, err := buildImage(resultLayers, manifest.OriginalDescriptor, manifest.SubjectDescriptor, opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build image: %w", err)
+	}
+	return newImg, nil
+}
+
+// build an image per attestation (layer) suitable for use as Referrers
+func (manifest *AttestationManifest) BuildReferringArtifacts() ([]v1.Image, error) {
+	var images []v1.Image
+	for _, layer := range manifest.SignedLayers {
+		opts := &AttestationManifestImageOptions{}
+		newImg, err := buildImage([]*AttestationLayer{layer}, manifest.OriginalDescriptor, manifest.SubjectDescriptor, opts)
+		if err != nil {
+			return nil, fmt.Errorf("failed to build image: %w", err)
+		}
+		images = append(images, newImg)
+	}
+	return images, nil
+}
+
+// build and image containing only layers
+func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1.Descriptor, opts *AttestationManifestImageOptions) (v1.Image, error) {
+	newImg := empty.Image
+	var err error
+	if len(layers) == 0 {
+		return nil, fmt.Errorf("no layers supplied to build image")
+	}
+	// NB: if we add the subject before the layers, it does not end up being computed/serialised in the output for some reason
+	//TODO - recreate this bug and push upstream
+	for _, layer := range layers {
+		add := mutate.Addendum{
+			Layer:       layer.Layer,
+			Annotations: layer.Annotations,
+		}
+		newImg, err = mutate.Append(newImg, add)
+		if err != nil {
+			return nil, fmt.Errorf("failed to add layer to image: %w", err)
+		}
+	}
+
+	// this is for attaching attestations to an attestation image in the index
+	if opts.laxReferrers {
+		newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.image.config.v1+json")
+	} else {
+		dsseMediatType, err := DSSEMediaType(layers[0].Statement.PredicateType)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get DSSE media type: %w", err)
+		}
+		newImg = mutate.ArtifactType(newImg, dsseMediatType)
+		newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.empty.v1+json")
+	}
+	// we need to set this even when we set the artifact type otherwise things break (even the go-container-registry client)
+	// even though it's allowed to be empty by spec when setting artifact type
+	newImg = mutate.MediaType(newImg, manifest.MediaType)
+
+	// see note above - must be added after the layers!
+	if !opts.skipSubject {
+		subject.Platform = nil
+		newImg = mutate.Subject(newImg, *subject).(v1.Image)
+	}
+	if !opts.laxReferrers {
+		// as per https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidance-for-an-empty-descriptor
+		newImg = &EmptyConfigImage{newImg}
+	}
+	return newImg, nil
+}
+
+type EmptyConfigImage struct {
+	v1.Image
+}
+
+func (i *EmptyConfigImage) RawConfigFile() ([]byte, error) {
+	return []byte("{}"), nil
+}
+
+func (i *EmptyConfigImage) Manifest() (*v1.Manifest, error) {
+	mf, err := i.Image.Manifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get manifest: %w", err)
+	}
+	mf.Config = v1.Descriptor{
+		MediaType: "application/vnd.oci.empty.v1+json",
+		Size:      2,
+		Digest:    v1.Hash{Algorithm: "sha256", Hex: "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"},
+		Data:      []byte("{}"),
+	}
+	return mf, nil
+}
+
+func (i *EmptyConfigImage) RawManifest() ([]byte, error) {
+	mf, err := i.Manifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get manifest: %w", err)
+	}
+	return json.Marshal(mf)
+}
--- a/pkg/attestation/referrers_test.go
+++ b/pkg/attestation/referrers_test.go
@@ -0,0 +1,328 @@
+package attestation_test
+
+import (
+	"fmt"
+	"net/http/httptest"
+	"net/url"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attest"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/config"
+	"github.com/docker/attest/pkg/mirror"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/pkg/policy"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/registry"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	UnsignedTestImage   = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
+	NoProvenanceImage   = filepath.Join("..", "..", "test", "testdata", "no-provenance-image")
+	PassPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-pass")
+	LocalPolicy         = filepath.Join("..", "..", "test", "testdata", "local-policy")
+	LocalPolicyAttached = filepath.Join("..", "..", "test", "testdata", "local-policy-attached")
+	PassNoTLPolicyDir   = filepath.Join("..", "..", "test", "testdata", "local-policy-no-tl")
+	FailPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-fail")
+	TestTempDir         = "attest-sign-test"
+)
+
+func TestAttestationReferenceTypes(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	ctx = policy.WithPolicyEvaluator(ctx, policy.NewRegoEvaluator(true))
+	platforms := []string{"linux/amd64", "linux/arm64"}
+	for _, tc := range []struct {
+		name              string
+		server            *httptest.Server
+		referrersServer   *httptest.Server
+		useDigest         bool
+		referrersRepo     string
+		attestationSource config.AttestationStyle
+		expectFailure     bool
+	}{
+		{
+			name:   "referrers support, defaults",
+			server: httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+		},
+		{
+			name:      "use digest",
+			server:    httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			useDigest: true,
+		},
+		{
+			name:              "attached attestations, referrers repo (mismatched args)",
+			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			expectFailure:     true, //mismatched args
+			attestationSource: config.AttestationStyleAttached,
+			referrersRepo:     "referrers",
+		},
+		{
+			name:              "referrers attestations, referrers repo (no policy)",
+			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			expectFailure:     true, // no policy
+			attestationSource: config.AttestationStyleReferrers,
+			referrersRepo:     "referrers",
+		},
+		{
+			name:              "referrers attestations",
+			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			attestationSource: config.AttestationStyleReferrers,
+		},
+		{
+			name:              "referrers attestations, no referrers support on server",
+			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(false))),
+			attestationSource: config.AttestationStyleReferrers,
+			referrersServer:   httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			s := tc.server
+			defer s.Close()
+
+			if tc.referrersServer != nil {
+				defer tc.referrersServer.Close()
+			}
+			u, err := url.Parse(s.URL)
+			require.NoError(t, err)
+
+			opts := &attestation.SigningOptions{
+				SkipTL: true,
+			}
+			attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+			require.NoError(t, err)
+
+			indexName := fmt.Sprintf("%s/repo:root", u.Host)
+			require.NoError(t, err)
+
+			outputRepo := indexName
+			if tc.referrersServer != nil {
+				ru, err := url.Parse(s.URL)
+				require.NoError(t, err)
+				tc.referrersRepo = fmt.Sprintf("%s/referrers", ru.Host)
+				outputRepo = tc.referrersRepo
+			}
+			// sign all the statements in the index
+			signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+			require.NoError(t, err)
+
+			// push subject image so that it can be resolved
+			require.NoError(t, err)
+			err = mirror.PushIndexToRegistry(attIdx.Index, indexName)
+			require.NoError(t, err)
+
+			// upload referrers
+			output, err := oci.ParseImageSpec(outputRepo)
+			require.NoError(t, err)
+			for _, attIdx := range signedManifests {
+				err = mirror.SaveReferrers(attIdx, []*oci.ImageSpec{output})
+				require.NoError(t, err)
+			}
+
+			for _, platform := range platforms {
+				// can eval policy in the normal way
+				ref := indexName
+				if tc.useDigest {
+					options := oci.WithOptions(ctx, nil)
+					subjectRef, err := name.ParseReference(indexName)
+					require.NoError(t, err)
+					desc, err := remote.Index(subjectRef, options...)
+					require.NoError(t, err)
+					idxDigest, err := desc.Digest()
+					require.NoError(t, err)
+					ref = fmt.Sprintf("%s/repo@%s", u.Host, idxDigest.String())
+				}
+
+				policyOpts := &policy.PolicyOptions{
+					LocalPolicyDir: LocalPolicy,
+				}
+
+				if tc.referrersRepo != "" {
+					policyOpts.ReferrersRepo = tc.referrersRepo
+				}
+
+				if tc.attestationSource != "" {
+					policyOpts.AttestationStyle = tc.attestationSource
+				}
+				src, err := oci.ParseImageSpec(ref, oci.WithPlatform(platform))
+				require.NoError(t, err)
+				results, err := attest.Verify(ctx, src, policyOpts)
+				if tc.expectFailure {
+					require.Error(t, err)
+					continue
+				}
+				require.NoError(t, err)
+				assert.Equal(t, attest.OutcomeSuccess, results.Outcome)
+
+				if tc.useDigest {
+					p, err := oci.ParsePlatform(platform)
+					require.NoError(t, err)
+					options := oci.WithOptions(ctx, p)
+					subjectRef, err := name.ParseReference(indexName)
+					require.NoError(t, err)
+					desc, err := remote.Image(subjectRef, options...)
+					require.NoError(t, err)
+					subjectDigest, err := desc.Digest()
+					require.NoError(t, err)
+					ref = fmt.Sprintf("%s/repo@%s", u.Host, subjectDigest.String())
+				}
+				src, err = oci.ParseImageSpec(ref, oci.WithPlatform(platform))
+				require.NoError(t, err)
+				results, err = attest.Verify(ctx, src, policyOpts)
+				require.NoError(t, err)
+				assert.Equal(t, attest.OutcomeSuccess, results.Outcome)
+			}
+		})
+	}
+}
+
+func TestReferencesInDifferentRepo(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	repoName := "repo"
+	for _, tc := range []struct {
+		name      string
+		server    *httptest.Server
+		refServer *httptest.Server
+	}{
+		{
+			name:      "referrers support",
+			server:    httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			refServer: httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+		},
+		{
+			name:      "no referrers support",
+			server:    httptest.NewServer(registry.New()),
+			refServer: httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+		},
+	} {
+		server := tc.server
+		defer server.Close()
+		serverUrl, err := url.Parse(server.URL)
+		require.NoError(t, err)
+
+		refServer := tc.refServer
+		defer refServer.Close()
+		refServerUrl, err := url.Parse(refServer.URL)
+		require.NoError(t, err)
+
+		opts := &attestation.SigningOptions{
+			SkipTL: true,
+		}
+		attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+		require.NoError(t, err)
+
+		indexName := fmt.Sprintf("%s/%s:latest", serverUrl.Host, repoName)
+		err = mirror.PushIndexToRegistry(attIdx.Index, indexName)
+		require.NoError(t, err)
+
+		signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+		require.NoError(t, err)
+
+		// push signed attestation image to the ref server
+		for _, signedManifest := range signedManifests {
+			// push references using subject-digest.att convention
+			image, err := signedManifest.BuildAttestationImage()
+			require.NoError(t, err)
+			err = mirror.PushImageToRegistry(image, fmt.Sprintf("%s/%s:tag-does-not-matter", refServerUrl.Host, repoName))
+			require.NoError(t, err)
+
+			refServer := tc.refServer
+			defer refServer.Close()
+			refServerUrl, err := url.Parse(refServer.URL)
+			require.NoError(t, err)
+
+			opts := &attestation.SigningOptions{
+				SkipTL: true,
+			}
+			attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+			require.NoError(t, err)
+
+			indexName := fmt.Sprintf("%s/%s:latest", serverUrl.Host, repoName)
+			err = mirror.PushIndexToRegistry(attIdx.Index, indexName)
+			require.NoError(t, err)
+
+			signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+			require.NoError(t, err)
+
+			// push signed attestation image to the ref server
+			for _, mf := range signedManifests {
+				// push references using subject-digest.att convention
+				imgs, err := mf.BuildReferringArtifacts()
+				require.NoError(t, err)
+				for _, img := range imgs {
+					err = mirror.PushImageToRegistry(img, fmt.Sprintf("%s/%s:tag-does-not-matter", refServerUrl.Host, repoName))
+					require.NoError(t, err)
+				}
+			}
+			mfs2, err := attIdx.Index.IndexManifest()
+			require.NoError(t, err)
+			for _, mf := range mfs2.Manifests {
+				//skip signed/unsigned attestations
+				if mf.Annotations[attestation.DockerReferenceType] == attestation.AttestationManifestType {
+					continue
+				}
+				// can evaluate policy using referrers in a different repo
+				referencedImage := fmt.Sprintf("%s@%s", indexName, mf.Digest.String())
+				policyOpts := &policy.PolicyOptions{
+					LocalPolicyDir: PassPolicyDir,
+				}
+				src, err := oci.ParseImageSpec(referencedImage)
+				require.NoError(t, err)
+				results, err := attest.Verify(ctx, src, policyOpts)
+				require.NoError(t, err)
+				assert.Equal(t, attest.OutcomeSuccess, results.Outcome)
+			}
+		}
+	}
+}
+
+func TestCorrectArtifactTypeInTagFallback(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	server := httptest.NewServer(registry.New())
+
+	defer server.Close()
+	serverUrl, err := url.Parse(server.URL)
+	require.NoError(t, err)
+
+	repoName := "repo"
+
+	opts := &attestation.SigningOptions{
+		SkipTL: true,
+	}
+	attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+	require.NoError(t, err)
+
+	indexName := fmt.Sprintf("%s/%s:latest", serverUrl.Host, repoName)
+	err = mirror.PushIndexToRegistry(attIdx.Index, indexName)
+	require.NoError(t, err)
+
+	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+	require.NoError(t, err)
+
+	// this should create and maintain an index of referrers
+	for _, mf := range signedManifests {
+		imgs, err := mf.BuildReferringArtifacts()
+		require.NoError(t, err)
+		for _, img := range imgs {
+			err = mirror.PushImageToRegistry(img, fmt.Sprintf("%s/%s:tag-does-not-matter", serverUrl.Host, repoName))
+			require.NoError(t, err)
+			mf, err := img.Manifest()
+			require.NoError(t, err)
+			subject := mf.Subject
+			subjectRef, err := name.ParseReference(fmt.Sprintf("%s/%s:sha256-%s", serverUrl.Host, repoName, subject.Digest.Hex))
+			require.NoError(t, err)
+			idx, err := remote.Index(subjectRef)
+			require.NoError(t, err)
+			imf, err := idx.IndexManifest()
+			require.NoError(t, err)
+			for _, m := range imf.Manifests {
+				assert.Contains(t, m.ArtifactType, "application/vnd.in-toto")
+				assert.Contains(t, m.ArtifactType, "+dsse")
+			}
+		}
+	}
+}
--- a/pkg/attestation/sign.go
+++ b/pkg/attestation/sign.go
@@ -0,0 +1,77 @@
+package attestation
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/attest/internal/util"
+	"github.com/docker/attest/pkg/tlog"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+// SignDSSE signs a payload with a given signer and uploads the signature to the transparency log
+func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, opts *SigningOptions) (*Envelope, error) {
+	payloadType := intoto.PayloadType
+	env := new(Envelope)
+	env.Payload = base64Encoding.EncodeToString(payload)
+	env.PayloadType = payloadType
+	encPayload := dsse.PAE(payloadType, payload)
+
+	// statement message digest
+	hash := util.SHA256(encPayload)
+
+	// sign message digest
+	sig, err := signer.Sign(ctx, hash)
+	if err != nil {
+		return nil, fmt.Errorf("error signing attestation: %w", err)
+	}
+
+	// get Key ID from signer
+	keyId, err := signer.KeyID()
+	if err != nil {
+		return nil, fmt.Errorf("error getting public key ID: %w", err)
+	}
+
+	dsseSig := Signature{
+		KeyID: keyId,
+		Sig:   base64Encoding.EncodeToString(sig),
+	}
+	if !opts.SkipTL {
+		ext, err := logSignature(ctx, tlog.GetTL(ctx), &sig, &encPayload, signer)
+		if err != nil {
+			return nil, fmt.Errorf("failed to log to rekor: %w", err)
+		}
+		dsseSig.Extension = *ext
+	}
+	// add signature to dsse envelope
+	env.Signatures = []Signature{dsseSig}
+
+	return env, nil
+}
+
+// returns a new envelope with the transparency log entry added to the signature extension
+func logSignature(ctx context.Context, t tlog.TL, sig *[]byte, encPayload *[]byte, signer dsse.SignerVerifier) (*Extension, error) {
+	// get Key ID from signer
+	keyId, err := signer.KeyID()
+	if err != nil {
+		return nil, fmt.Errorf("error getting public key ID: %w", err)
+	}
+	entry, err := t.UploadLogEntry(ctx, keyId, *encPayload, *sig, signer)
+	if err != nil {
+		return nil, fmt.Errorf("error uploading TL entry: %w", err)
+	}
+	entryObj, err := t.UnmarshalEntry(entry)
+	if err != nil {
+		return nil, fmt.Errorf("error unmarshaling tl entry: %w", err)
+	}
+	return &Extension{
+		Kind: DockerDsseExtKind,
+		Ext: DockerDsseExtension{
+			Tl: DockerTlExtension{
+				Kind: RekorTlExtKind,
+				Data: entryObj, // transparency log entry metadata
+			},
+		},
+	}, nil
+}
--- a/pkg/attestation/sign_test.go
+++ b/pkg/attestation/sign_test.go
@@ -0,0 +1,151 @@
+package attestation_test
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"encoding/json"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/signerverifier"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSignVerifyAttestation(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	stmt := &intoto.Statement{
+		StatementHeader: intoto.StatementHeader{
+			Type:          intoto.StatementInTotoV01,
+			PredicateType: intoto.PredicateSPDX,
+		},
+		Predicate: "test",
+	}
+
+	payload, err := json.Marshal(stmt)
+	require.NoError(t, err)
+	opts := &attestation.SigningOptions{}
+	env, err := attestation.SignDSSE(ctx, payload, signer, opts)
+	require.NoError(t, err)
+
+	// marshal envelope to json to test for bugs when marshaling envelope data
+	serializedEnv, err := json.Marshal(env)
+	require.NoError(t, err)
+	deserializedEnv := new(attestation.Envelope)
+	err = json.Unmarshal(serializedEnv, deserializedEnv)
+	require.NoError(t, err)
+
+	// signer.Public() calls AWS API when using AWS signer, use attestation.GetPublicVerificationKey() to get key from TUF repo
+	// signer.Public() used here for test purposes
+	ecPub, ok := signer.Public().(*ecdsa.PublicKey)
+	assert.True(t, ok)
+	pem, err := signerverifier.ToPEM(ecPub)
+	assert.NoError(t, err)
+	keyId, err := signerverifier.KeyID(ecPub)
+	assert.NoError(t, err)
+
+	badKeyPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+	badKey := &badKeyPriv.PublicKey
+	badPEM, err := signerverifier.ToPEM(badKey)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name          string
+		keyId         string
+		pem           []byte
+		distrust      bool
+		from          time.Time
+		to            *time.Time
+		status        string
+		expectedError string
+	}{
+		{
+			name:          "all OK",
+			keyId:         keyId,
+			pem:           pem,
+			distrust:      false,
+			from:          time.Time{},
+			to:            nil,
+			status:        "active",
+			expectedError: "",
+		},
+		{
+			name:          "key not found",
+			keyId:         "someotherkey",
+			pem:           pem,
+			distrust:      false,
+			from:          time.Time{},
+			to:            nil,
+			status:        "active",
+			expectedError: fmt.Sprintf("key not found: %s", keyId),
+		},
+		{
+			name:          "key distrusted",
+			keyId:         keyId,
+			pem:           pem,
+			distrust:      true,
+			from:          time.Time{},
+			to:            nil,
+			status:        "active",
+			expectedError: "distrusted",
+		},
+		{
+			name:          "key not yet valid",
+			keyId:         keyId,
+			pem:           pem,
+			distrust:      false,
+			from:          time.Now().Add(time.Hour),
+			to:            nil,
+			status:        "active",
+			expectedError: "not yet valid",
+		},
+		{
+			name:          "key already revoked",
+			keyId:         keyId,
+			pem:           pem,
+			distrust:      false,
+			from:          time.Time{},
+			to:            new(time.Time),
+			status:        "revoked",
+			expectedError: "already revoked",
+		},
+		{
+			name:          "bad key",
+			keyId:         keyId,
+			pem:           badPEM,
+			distrust:      false,
+			from:          time.Time{},
+			to:            nil,
+			status:        "active",
+			expectedError: "signature is not valid",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			keyMeta := attestation.KeyMetadata{
+				ID:       tc.keyId,
+				PEM:      string(tc.pem),
+				Distrust: tc.distrust,
+				From:     tc.from,
+				To:       tc.to,
+				Status:   tc.status,
+			}
+			opts := &attestation.VerifyOptions{
+				Keys: attestation.Keys{keyMeta},
+			}
+			_, err = attestation.VerifyDSSE(ctx, deserializedEnv, opts)
+			if tc.expectedError != "" {
+				assert.Contains(t, err.Error(), tc.expectedError)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
--- a/pkg/attestation/types.go
+++ b/pkg/attestation/types.go
@@ -0,0 +1,101 @@
+package attestation
+
+import (
+	"encoding/base64"
+	"fmt"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+const (
+	DockerReferenceType           = "vnd.docker.reference.type"
+	AttestationManifestType       = "attestation-manifest"
+	InTotoPredicateType           = "in-toto.io/predicate-type"
+	DockerReferenceDigest         = "vnd.docker.reference.digest"
+	DockerDsseExtKind             = "application/vnd.docker.attestation-verification.v1+json"
+	RekorTlExtKind                = "Rekor"
+	OCIDescriptorDSSEMediaType    = ociv1.MediaTypeDescriptor + "+dsse"
+	InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"
+	LifecycleStageExperimental    = "experimental"
+)
+
+var base64Encoding = base64.StdEncoding.Strict()
+
+type AttestationLayer struct {
+	Statement   *intoto.Statement
+	Layer       v1.Layer
+	Annotations map[string]string
+}
+
+type AttestationManifest struct {
+	OriginalDescriptor *v1.Descriptor
+	OriginalLayers     []*AttestationLayer
+
+	// accumulated during signing
+	SignedLayers []*AttestationLayer
+	// details of subect image
+	SubjectName       string
+	SubjectDescriptor *v1.Descriptor
+}
+
+type AttestationManifestImageOptions struct {
+	// how to output the image
+	skipSubject   bool
+	replaceLayers bool
+	laxReferrers  bool
+}
+
+// the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged
+type Envelope struct {
+	PayloadType string      `json:"payloadType"`
+	Payload     string      `json:"payload"`
+	Signatures  []Signature `json:"signatures"`
+}
+type Signature struct {
+	KeyID     string    `json:"keyid"`
+	Sig       string    `json:"sig"`
+	Extension Extension `json:"extension,omitempty"`
+}
+type Extension struct {
+	Kind string              `json:"kind"`
+	Ext  DockerDsseExtension `json:"ext"`
+}
+
+type DockerDsseExtension struct {
+	Tl DockerTlExtension `json:"tl"`
+}
+
+type DockerTlExtension struct {
+	Kind string `json:"kind"`
+	Data any    `json:"data"`
+}
+
+type VerifyOptions struct {
+	Keys   []KeyMetadata `json:"keys"`
+	SkipTL bool          `json:"skip_tl"`
+}
+
+type SigningOptions struct {
+	// don't log to the configured transparency log
+	SkipTL bool
+}
+
+func DSSEMediaType(predicateType string) (string, error) {
+	var predicateName string
+	switch predicateType {
+	case v02.PredicateSLSAProvenance:
+		predicateName = "provenance"
+	case intoto.PredicateSPDX:
+		predicateName = "spdx"
+	case VSAPredicateType:
+		predicateName = "verification_summary"
+
+	default:
+		return "", fmt.Errorf("unknown predicate type %q", predicateType)
+	}
+
+	return fmt.Sprintf("application/vnd.in-toto.%s+dsse", predicateName), nil
+}
--- a/pkg/attestation/verify.go
+++ b/pkg/attestation/verify.go
@@ -0,0 +1,137 @@
+package attestation
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/docker/attest/internal/util"
+	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest/pkg/tlog"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+type KeyMetadata struct {
+	ID            string     `json:"id"`
+	PEM           string     `json:"key"`
+	From          time.Time  `json:"from"`
+	To            *time.Time `json:"to"`
+	Status        string     `json:"status"`
+	SigningFormat string     `json:"signing-format"`
+	Distrust      bool       `json:"distrust,omitempty"`
+}
+
+type Keys []KeyMetadata
+type KeysMap map[string]KeyMetadata
+
+func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte, error) {
+	// enforce payload type
+	if !ValidPayloadType(env.PayloadType) {
+		return nil, fmt.Errorf("unsupported payload type %s", env.PayloadType)
+	}
+
+	if len(env.Signatures) == 0 {
+		return nil, fmt.Errorf("no signatures found")
+	}
+
+	payload, err := base64Encoding.DecodeString(env.Payload)
+	if err != nil {
+		return nil, fmt.Errorf("error failed to decode payload: %w", err)
+	}
+
+	encPayload := dsse.PAE(env.PayloadType, payload)
+
+	// verify signatures and transparency log entry
+	for _, sig := range env.Signatures {
+		err := verifySignature(ctx, sig, encPayload, opts)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return payload, nil
+}
+
+func verifySignature(ctx context.Context, sig Signature, payload []byte, opts *VerifyOptions) error {
+	keys := make(map[string]KeyMetadata, len(opts.Keys))
+	for _, key := range opts.Keys {
+		keys[key.ID] = key
+	}
+	keyMeta, ok := keys[sig.KeyID]
+	if !ok {
+		return fmt.Errorf("error key not found: %s", sig.KeyID)
+	}
+
+	if keyMeta.Distrust {
+		return fmt.Errorf("key %s is distrusted", keyMeta.ID)
+	}
+	// TODO: this is unmarshalling with MarshalPKIXPublicKey only for us to marshal it again
+	publicKey, err := signerverifier.Parse([]byte(keyMeta.PEM))
+	if err != nil {
+		return fmt.Errorf("failed to parse public key: %w", err)
+	}
+
+	if !opts.SkipTL {
+		t := tlog.GetTL(ctx)
+
+		if sig.Extension.Kind == "" {
+			return fmt.Errorf("error missing signature extension kind")
+		}
+		if sig.Extension.Kind != DockerDsseExtKind {
+			return fmt.Errorf("error unsupported signature extension kind: %s", sig.Extension.Kind)
+		}
+
+		// verify TL entry
+		if sig.Extension.Ext.Tl.Kind != RekorTlExtKind {
+			return fmt.Errorf("error unsupported TL extension kind: %s", sig.Extension.Ext.Tl.Kind)
+		}
+		entry := sig.Extension.Ext.Tl.Data
+		entryBytes, err := json.Marshal(entry)
+		if err != nil {
+			return fmt.Errorf("failed to marshal TL entry: %w", err)
+		}
+
+		integratedTime, err := t.VerifyLogEntry(ctx, entryBytes)
+		if err != nil {
+			return fmt.Errorf("TL entry failed verification: %w", err)
+		}
+		if integratedTime.Before(keyMeta.From) {
+			return fmt.Errorf("key %s was not yet valid at TL log time %s (key valid from %s)", keyMeta.ID, integratedTime, keyMeta.From)
+		}
+		if keyMeta.To != nil && !integratedTime.Before(*keyMeta.To) {
+			return fmt.Errorf("key %s was already %s at TL log time %s (key %s at %s)", keyMeta.ID, keyMeta.Status, integratedTime, keyMeta.Status, *keyMeta.To)
+		}
+		// verify TL entry payload
+		encodedPub, err := x509.MarshalPKIXPublicKey(publicKey)
+		if err != nil {
+			return fmt.Errorf("error failed to marshal public key: %w", err)
+		}
+		err = t.VerifyEntryPayload(entryBytes, payload, encodedPub)
+		if err != nil {
+			return fmt.Errorf("TL entry failed payload verification: %w", err)
+		}
+	}
+
+	// decode signature
+	signature, err := base64.StdEncoding.Strict().DecodeString(sig.Sig)
+	if err != nil {
+		return fmt.Errorf("error failed to decode signature: %w", err)
+	}
+	// verify payload ecdsa signature
+	ok = ecdsa.VerifyASN1(publicKey, util.SHA256(payload), signature)
+	if !ok {
+		return fmt.Errorf("payload signature is not valid")
+	}
+
+	return nil
+}
+
+func ValidPayloadType(payloadType string) bool {
+	return payloadType == intoto.PayloadType || payloadType == ociv1.MediaTypeDescriptor
+}
--- a/pkg/attestation/verify_test.go
+++ b/pkg/attestation/verify_test.go
@@ -0,0 +1,49 @@
+package attestation_test
+
+import (
+	"encoding/base64"
+	"testing"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attestation"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidPayloadType(t *testing.T) {
+	testCases := []struct {
+		name        string
+		payloadType string
+		expected    bool
+	}{
+		{"valid in-toto payload type", intoto.PayloadType, true},
+		{"valid oci descriptor payload type", ociv1.MediaTypeDescriptor, true},
+		{"invalid payload type", "application/vnd.test.fail", false},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equalf(t, tc.expected, attestation.ValidPayloadType(tc.payloadType), "expected %v for payload type %s", tc.expected, tc.payloadType)
+		})
+	}
+}
+
+func TestVerifyUnsignedAttestation(t *testing.T) {
+	ctx, _ := test.Setup(t)
+
+	payload := []byte("payload")
+	env := &attestation.Envelope{
+		// no signatures
+		Signatures:  []attestation.Signature{},
+		Payload:     base64.StdEncoding.EncodeToString(payload),
+		PayloadType: intoto.PayloadType,
+	}
+	opts := &attestation.VerifyOptions{
+		Keys: attestation.Keys{},
+	}
+
+	_, err := attestation.VerifyDSSE(ctx, env, opts)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "no signatures")
+}
--- a/pkg/attestation/vsa.go
+++ b/pkg/attestation/vsa.go
@@ -0,0 +1,49 @@
+package attestation
+
+import (
+	"fmt"
+
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/package-url/packageurl-go"
+)
+
+const (
+	VSAPredicateType = "https://slsa.dev/verification_summary/v1"
+)
+
+type VSAPredicate struct {
+	Verifier           VSAVerifier           `json:"verifier"`
+	TimeVerified       string                `json:"timeVerified"`
+	ResourceUri        string                `json:"resourceUri"`
+	Policy             VSAPolicy             `json:"policy"`
+	InputAttestations  []VSAInputAttestation `json:"inputAttestations"`
+	VerificationResult string                `json:"verificationResult"`
+	VerifiedLevels     []string              `json:"verifiedLevels"`
+}
+
+type VSAVerifier struct {
+	ID string `json:"id"`
+}
+
+type VSAPolicy struct {
+	URI string `json:"uri"`
+}
+
+type VSAInputAttestation struct {
+	Digest    map[string]string `json:"digest"`
+	MediaType string            `json:"mediaType"`
+}
+
+func ToVSAResourceURI(sub intoto.Subject) (string, error) {
+	//parse purl
+	purl, err := packageurl.FromString(sub.Name)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse package url: %w", err)
+	}
+	quals := purl.Qualifiers.Map()
+	if quals["digest"] == "" {
+		quals["digest"] = "sha256:" + sub.Digest["sha256"]
+	}
+	purl.Qualifiers = packageurl.QualifiersFromMap(quals)
+	return purl.String(), nil
+}
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -0,0 +1,77 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+
+	"github.com/docker/attest/pkg/tuf"
+	goyaml "gopkg.in/yaml.v3"
+)
+
+const (
+	MappingFilename = "mapping.yaml"
+)
+
+func LoadLocalMappings(configDir string) (*PolicyMappings, error) {
+	if configDir == "" {
+		return nil, nil
+	}
+	mappings := &policyMappingsFile{}
+	path := filepath.Join(configDir, MappingFilename)
+	mappingFile, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read local policy mapping file %s: %w", path, err)
+	}
+	err = goyaml.Unmarshal(mappingFile, mappings)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal policy mapping file %s: %w", path, err)
+	}
+	return expandMappingFile(mappings)
+}
+
+func LoadTufMappings(tufClient tuf.TUFClient, localTargetsDir string) (*PolicyMappings, error) {
+	if tufClient == nil {
+		return nil, fmt.Errorf("tuf client not set")
+	}
+	filename := MappingFilename
+	_, fileContents, err := tufClient.DownloadTarget(filename, filepath.Join(localTargetsDir, filename))
+	if err != nil {
+		return nil, fmt.Errorf("failed to download policy mapping file %s: %w", filename, err)
+	}
+	mappings := &policyMappingsFile{}
+
+	err = goyaml.Unmarshal(fileContents, mappings)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal policy mapping file %s: %w", filename, err)
+	}
+	return expandMappingFile(mappings)
+}
+
+func expandMappingFile(mappingFile *policyMappingsFile) (*PolicyMappings, error) {
+	policies := make(map[string]*PolicyMapping)
+	for _, policy := range mappingFile.Policies {
+		policies[policy.Id] = policy
+	}
+
+	var rules []*PolicyRule
+	for _, rule := range mappingFile.Rules {
+		r, err := regexp.Compile(rule.Pattern)
+		if err != nil {
+			return nil, err
+		}
+		rules = append(rules, &PolicyRule{
+			Pattern:     r,
+			PolicyId:    rule.PolicyId,
+			Replacement: rule.Replacement,
+		})
+	}
+
+	return &PolicyMappings{
+		Version:  mappingFile.Version,
+		Kind:     mappingFile.Kind,
+		Policies: policies,
+		Rules:    rules,
+	}, nil
+}
--- a/pkg/config/types.go
+++ b/pkg/config/types.go
@@ -0,0 +1,52 @@
+package config
+
+import "regexp"
+
+type policyMappingsFile struct {
+	Version  string            `yaml:"version"`
+	Kind     string            `yaml:"kind"`
+	Policies []*PolicyMapping  `yaml:"policies"`
+	Rules    []*policyRuleFile `yaml:"rules"`
+}
+
+type policyRuleFile struct {
+	Pattern     string `yaml:"pattern"`
+	PolicyId    string `yaml:"policy-id"`
+	Replacement string `yaml:"rewrite"`
+}
+
+type PolicyMappings struct {
+	Version  string
+	Kind     string
+	Policies map[string]*PolicyMapping
+	Rules    []*PolicyRule
+}
+
+type AttestationStyle string
+
+const (
+	AttestationStyleAttached  AttestationStyle = "attached"
+	AttestationStyleReferrers AttestationStyle = "referrers"
+)
+
+type PolicyMapping struct {
+	Id           string              `yaml:"id"`
+	Description  string              `yaml:"description"`
+	Files        []PolicyMappingFile `yaml:"files"`
+	Attestations *AttestationConfig  `yaml:"attestations"`
+}
+
+type AttestationConfig struct {
+	Style AttestationStyle `yaml:"style"`
+	Repo  string           `yaml:"repo"`
+}
+
+type PolicyMappingFile struct {
+	Path string `yaml:"path"`
+}
+
+type PolicyRule struct {
+	Pattern     *regexp.Regexp
+	PolicyId    string
+	Replacement string
+}
--- a/pkg/mirror/authn_test.go
+++ b/pkg/mirror/authn_test.go
@@ -0,0 +1,34 @@
+//go:build e2e
+
+package mirror_test
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/attest/pkg/mirror"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRegistryAuth(t *testing.T) {
+	UnsignedTestImage := filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
+
+	attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+	require.NoError(t, err)
+	// test cases for ecr, gcr and dockerhub
+	testCases := []struct {
+		Image string
+	}{
+		{Image: "175142243308.dkr.ecr.us-east-1.amazonaws.com/e2e-test-image:latest"},
+		{Image: "docker/image-signer-verifier-test:latest"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.Image, func(t *testing.T) {
+			err := mirror.PushIndexToRegistry(attIdx.Index, tc.Image)
+			require.NoError(t, err)
+			_, err = oci.IndexFromRemote(tc.Image)
+			require.NoError(t, err)
+		})
+	}
+}
--- a/pkg/mirror/example_mirror_test.go
+++ b/pkg/mirror/example_mirror_test.go
@@ -0,0 +1,152 @@
+package mirror_test
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/attest/internal/embed"
+	"github.com/docker/attest/pkg/mirror"
+	"github.com/docker/attest/pkg/tuf"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+type TufMirrorOutput struct {
+	metadata          v1.Image
+	delegatedMetadata []*mirror.MirrorImage
+	targets           []*mirror.MirrorImage
+	delegatedTargets  []*mirror.MirrorIndex
+}
+
+func ExampleNewTufMirror() {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		panic(err)
+	}
+	tufOutputPath := filepath.Join(home, ".docker", "tuf")
+
+	// configure TUF mirror
+	metadataURI := "https://docker.github.io/tuf-staging/metadata"
+	targetsURI := "https://docker.github.io/tuf-staging/targets"
+	m, err := mirror.NewTufMirror(embed.RootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
+	if err != nil {
+		panic(err)
+	}
+
+	// create metadata manifest
+	metadataManifest, err := m.GetMetadataManifest(metadataURI)
+	if err != nil {
+		panic(err)
+	}
+	// create delegated targets metadata manifests
+	delegatedMetadata, err := m.GetDelegatedMetadataMirrors()
+	if err != nil {
+		panic(err)
+	}
+
+	// create targets manifest
+	targets, err := m.GetTufTargetMirrors()
+	if err != nil {
+		panic(err)
+	}
+	// create delegated targets manifests
+	delegatedTargets, err := m.GetDelegatedTargetMirrors()
+	if err != nil {
+		panic(err)
+	}
+
+	mirrorOutput := &TufMirrorOutput{
+		metadata:          metadataManifest,
+		delegatedMetadata: delegatedMetadata,
+		targets:           targets,
+		delegatedTargets:  delegatedTargets,
+	}
+
+	// push metadata and targets to registry (optional)
+	err = mirrorToRegistry(mirrorOutput)
+	if err != nil {
+		panic(err)
+	}
+
+	// save metadata and targets to local directory (optional)
+	mirrorOutputPath := filepath.Join(home, ".docker", "tuf", "mirror")
+	err = mirrorToLocal(mirrorOutput, mirrorOutputPath)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func mirrorToRegistry(o *TufMirrorOutput) error {
+	// push metadata to registry
+	metadataRepo := "registry-1.docker.io/docker/tuf-metadata:latest"
+	err := mirror.PushImageToRegistry(o.metadata, metadataRepo)
+	if err != nil {
+		return err
+	}
+	// push delegated metadata to registry
+	for _, metadata := range o.delegatedMetadata {
+		repo, _, ok := strings.Cut(metadataRepo, ":")
+		if !ok {
+			return fmt.Errorf("failed to get repo without tag: %s", metadataRepo)
+		}
+		imageName := fmt.Sprintf("%s:%s", repo, metadata.Tag)
+		err = mirror.PushImageToRegistry(metadata.Image, imageName)
+		if err != nil {
+			return err
+		}
+	}
+
+	// push top-level targets to registry
+	targetsRepo := "registry-1.docker.io/docker/tuf-targets"
+	for _, target := range o.targets {
+		imageName := fmt.Sprintf("%s:%s", targetsRepo, target.Tag)
+		err = mirror.PushImageToRegistry(target.Image, imageName)
+		if err != nil {
+			return err
+		}
+	}
+	// push delegated targets to registry
+	for _, target := range o.delegatedTargets {
+		imageName := fmt.Sprintf("%s:%s", targetsRepo, target.Tag)
+		err = mirror.PushIndexToRegistry(target.Index, imageName)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func mirrorToLocal(o *TufMirrorOutput, outputPath string) error {
+	// output metadata to local directory
+	err := mirror.SaveImageAsOCILayout(o.metadata, outputPath)
+	if err != nil {
+		return err
+	}
+	// output delegated metadata to local directory
+	for _, metadata := range o.delegatedMetadata {
+		path := filepath.Join(outputPath, metadata.Tag)
+		err = mirror.SaveImageAsOCILayout(metadata.Image, path)
+		if err != nil {
+			return err
+		}
+	}
+
+	// output top-level targets to local directory
+	for _, target := range o.targets {
+		path := filepath.Join(outputPath, target.Tag)
+		err = mirror.SaveImageAsOCILayout(target.Image, path)
+		if err != nil {
+			return err
+		}
+	}
+	// output delegated targets to local directory
+	for _, target := range o.delegatedTargets {
+		path := filepath.Join(outputPath, target.Tag)
+		err = mirror.SaveIndexAsOCILayout(target.Index, path)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/pkg/mirror/metadata.go
+++ b/pkg/mirror/metadata.go
@@ -17,7 +17,7 @@ import (
 // -----------------

 // GetMetadataManifest returns an image with TUF root metadata as layers
-func (m *TufMirror) GetMetadataManifest(metadataURL string) (*v1.Image, error) {
+func (m *TufMirror) GetMetadataManifest(metadataURL string) (v1.Image, error) {
 	metadata, err := m.getTufMetadataMirror(metadataURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get metadata: %w", err)
@@ -78,7 +78,7 @@ func (m *TufMirror) getTufMetadataMirror(metadataURL string) (*TufMetadata, erro
 }

 // buildMetadataManifest returns an OCI image with TUF metadata as layers with annotations
-func (m *TufMirror) buildMetadataManifest(metadata *TufMetadata) (*v1.Image, error) {
+func (m *TufMirror) buildMetadataManifest(metadata *TufMetadata) (v1.Image, error) {
 	img := empty.Image
 	img = mutate.MediaType(img, types.OCIManifestSchema1)
 	img = mutate.ConfigMediaType(img, types.OCIConfigJSON)
@@ -87,17 +87,17 @@ func (m *TufMirror) buildMetadataManifest(metadata *TufMetadata) (*v1.Image, err
 		if err != nil {
 			return nil, fmt.Errorf("failed to make role layer: %w", err)
 		}
-		img, err = mutate.Append(img, *layers...)
+		img, err = mutate.Append(img, layers...)
 		if err != nil {
 			return nil, fmt.Errorf("failed to append role layer to image: %w", err)
 		}
 	}
-	return &img, nil
+	return img, nil
 }

 // makeRoleLayers returns a list of layers for a given TUF role
-func (m *TufMirror) makeRoleLayers(role TufRole, tufMetadata *TufMetadata) (*[]mutate.Addendum, error) {
-	layers := new([]mutate.Addendum)
+func (m *TufMirror) makeRoleLayers(role TufRole, tufMetadata *TufMetadata) ([]mutate.Addendum, error) {
+	var layers []mutate.Addendum
 	ann := map[string]string{tufFileAnnotation: ""}
 	switch role {
 	case metadata.ROOT:
@@ -108,7 +108,7 @@ func (m *TufMirror) makeRoleLayers(role TufRole, tufMetadata *TufMetadata) (*[]m
 		layers = m.annotatedMetaLayers(tufMetadata.Targets)
 	case metadata.TIMESTAMP:
 		ann[tufFileAnnotation] = fmt.Sprintf("%s.json", role)
-		*layers = append(*layers, mutate.Addendum{Layer: static.NewLayer(tufMetadata.Timestamp, tufMetadataMediaType), Annotations: ann})
+		layers = append(layers, mutate.Addendum{Layer: static.NewLayer(tufMetadata.Timestamp, tufMetadataMediaType), Annotations: ann})
 	default:
 		return nil, fmt.Errorf("unsupported TUF role: %s", role)
 	}
@@ -116,11 +116,11 @@ func (m *TufMirror) makeRoleLayers(role TufRole, tufMetadata *TufMetadata) (*[]m
 }

 // annotatedMetaLayers returns a list of layers with annotations for each TUF metadata file
-func (m *TufMirror) annotatedMetaLayers(meta map[string][]byte) *[]mutate.Addendum {
-	layers := new([]mutate.Addendum)
+func (m *TufMirror) annotatedMetaLayers(meta map[string][]byte) []mutate.Addendum {
+	var layers []mutate.Addendum
 	for name, data := range meta {
 		ann := map[string]string{tufFileAnnotation: name}
-		*layers = append(*layers, mutate.Addendum{Layer: static.NewLayer(data, tufMetadataMediaType), Annotations: ann})
+		layers = append(layers, mutate.Addendum{Layer: static.NewLayer(data, tufMetadataMediaType), Annotations: ann})
 	}
 	return layers
 }
@@ -144,8 +144,8 @@ func (m *TufMirror) GetDelegatedMetadataMirrors() ([]*MirrorImage, error) {
 }

 // getDelegatedTargetsMetadata returns delegated targets metadata as a list of DelegatedTargetMetadata (role name and data)
-func (m *TufMirror) getDelegatedTargetsMetadata() (*[]DelegatedTargetMetadata, error) {
-	delegatedTargets := new([]DelegatedTargetMetadata)
+func (m *TufMirror) getDelegatedTargetsMetadata() ([]DelegatedTargetMetadata, error) {
+	var delegatedTargets []DelegatedTargetMetadata
 	md := m.TufClient.GetMetadata()
 	for _, role := range md.Targets[metadata.TARGETS].Signed.Delegations.Roles {
 		roleMetadata, err := m.TufClient.LoadDelegatedTargets(role.Name, metadata.TARGETS)
@@ -165,15 +165,15 @@ func (m *TufMirror) getDelegatedTargetsMetadata() (*[]DelegatedTargetMetadata, e
 		if md.Root.Signed.ConsistentSnapshot {
 			version = strconv.FormatInt(meta.Version, 10)
 		}
-		*delegatedTargets = append(*delegatedTargets, DelegatedTargetMetadata{Name: role.Name, Version: version, Data: roleBytes})
+		delegatedTargets = append(delegatedTargets, DelegatedTargetMetadata{Name: role.Name, Version: version, Data: roleBytes})
 	}
 	return delegatedTargets, nil
 }

 // buildDelegatedMetadataManifests returns a list of mirrors (image/tag pairs) for each delegated target role metadata
-func (m *TufMirror) buildDelegatedMetadataManifests(delegated *[]DelegatedTargetMetadata) ([]*MirrorImage, error) {
+func (m *TufMirror) buildDelegatedMetadataManifests(delegated []DelegatedTargetMetadata) ([]*MirrorImage, error) {
 	manifests := []*MirrorImage{}
-	for _, role := range *delegated {
+	for _, role := range delegated {
 		img := empty.Image
 		img = mutate.MediaType(img, types.OCIManifestSchema1)
 		img = mutate.ConfigMediaType(img, types.OCIConfigJSON)
@@ -183,7 +183,7 @@ func (m *TufMirror) buildDelegatedMetadataManifests(delegated *[]DelegatedTarget
 		if err != nil {
 			return nil, fmt.Errorf("failed to append delegated targets layer to image: %w", err)
 		}
-		manifests = append(manifests, &MirrorImage{Image: &img, Tag: role.Name})
+		manifests = append(manifests, &MirrorImage{Image: img, Tag: role.Name})
 	}
 	return manifests, nil
 }
--- a/pkg/mirror/metadata_test.go
+++ b/pkg/mirror/metadata_test.go
@@ -11,20 +11,21 @@ import (

 	"github.com/docker/attest/internal/embed"
 	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/tuf"
 	"github.com/stretchr/testify/assert"
 	"github.com/theupdateframework/go-tuf/v2/metadata"
 )

 func TestGetTufMetadataMirror(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets")
-	assert.Nil(t, err)
+	m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+	assert.NoError(t, err)

 	tufMetadata, err := m.getTufMetadataMirror(server.URL + "/metadata")
-	assert.Nil(t, err)
+	assert.NoError(t, err)

 	// check that all roles are not empty
 	assert.Greater(t, len(tufMetadata.Root), 0)
@@ -34,20 +35,19 @@ func TestGetTufMetadataMirror(t *testing.T) {
 }

 func TestGetMetadataManifest(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets")
-	assert.Nil(t, err)
+	m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+	assert.NoError(t, err)

 	img, err := m.GetMetadataManifest(server.URL + "/metadata")
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 	assert.NotNil(t, img)

-	image := *img
-	mf, err := image.RawManifest()
-	assert.Nil(t, err)
+	mf, err := img.RawManifest()
+	assert.NoError(t, err)

 	type Annotations struct {
 		Annotations map[string]string `json:"annotations"`
@@ -57,7 +57,7 @@ func TestGetMetadataManifest(t *testing.T) {
 	}
 	l := &Layers{}
 	err = json.Unmarshal(mf, l)
-	assert.Nil(t, err)
+	assert.NoError(t, err)

 	// check that layers are annotated and use consistent snapshot naming
 	for _, layer := range l.Layers {
@@ -69,20 +69,20 @@ func TestGetMetadataManifest(t *testing.T) {
 			continue
 		}
 		_, err := strconv.Atoi(parts[0])
-		assert.Nil(t, err)
+		assert.NoError(t, err)
 	}
 }

 func TestGetDelegatedMetadataMirrors(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets")
-	assert.Nil(t, err)
+	m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+	assert.NoError(t, err)

 	delegations, err := m.GetDelegatedMetadataMirrors()
-	assert.Nil(t, err)
+	assert.NoError(t, err)

 	assert.NotNil(t, delegations)
 	assert.Greater(t, len(delegations), 0)
--- a/pkg/mirror/mirror.go
+++ b/pkg/mirror/mirror.go
@@ -2,81 +2,156 @@ package mirror

 import (
 	"fmt"
-	"log"
 	"os"

 	"github.com/docker/attest/internal/embed"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/oci"
 	"github.com/docker/attest/pkg/tuf"
-	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 )

-func NewTufMirror(root []byte, tufPath, metadataURL, targetsURL string) (*TufMirror, error) {
+func NewTufMirror(root []byte, tufPath, metadataURL, targetsURL string, versionChecker tuf.VersionChecker) (*TufMirror, error) {
 	if root == nil {
-		root = embed.DefaultRoot
+		root = embed.RootDefault.Data
 	}
-	tufClient, err := tuf.NewTufClient(root, tufPath, metadataURL, targetsURL)
+	tufClient, err := tuf.NewTufClient(root, tufPath, metadataURL, targetsURL, versionChecker)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create TUF client: %w", err)
 	}
 	return &TufMirror{TufClient: tufClient, tufPath: tufPath, metadataURL: metadataURL, targetsURL: targetsURL}, nil
 }

-func PushToRegistry(image any, imageName string) error {
-	// Parse the image name
+func PushImageToRegistry(image v1.Image, imageName string) error {
 	ref, err := name.ParseReference(imageName)
 	if err != nil {
-		log.Fatalf("Failed to parse image name: %v", err)
-	}
-	// Get the authenticator from the default Docker keychain
-	auth, err := authn.DefaultKeychain.Resolve(ref.Context())
-	if err != nil {
-		log.Fatalf("Failed to get authenticator: %v", err)
+		return fmt.Errorf("Failed to parse image name '%s': %w", imageName, err)
 	}
+
 	// Push the image to the registry
-	switch image := image.(type) {
-	case *v1.Image:
-		if err := remote.Write(ref, *image, remote.WithAuth(auth)); err != nil {
-			return fmt.Errorf("failed to push image %s: %w", imageName, err)
-		}
-	case *v1.ImageIndex:
-		if err := remote.WriteIndex(ref, *image, remote.WithAuth(auth)); err != nil {
-			return fmt.Errorf("failed to push image index %s: %w", imageName, err)
-		}
-	default:
-		return fmt.Errorf("unknown image type: %T", image)
+	return remote.Write(ref, image, oci.MultiKeychainOption())
+}
+
+func PushIndexToRegistry(index v1.ImageIndex, imageName string) error {
+	// Parse the index name
+	ref, err := name.ParseReference(imageName)
+	if err != nil {
+		return fmt.Errorf("Failed to parse image name: %w", err)
+	}
+
+	// Push the index to the registry
+	return remote.WriteIndex(ref, index, oci.MultiKeychainOption())
+}
+
+func SaveImageAsOCILayout(image v1.Image, path string) error {
+	// Save the image to the local filesystem
+	err := os.MkdirAll(path, os.ModePerm)
+	if err != nil {
+		return fmt.Errorf("failed to create directory: %w", err)
+	}
+	index := empty.Index
+	l, err := layout.Write(path, index)
+	if err != nil {
+		return fmt.Errorf("failed to create index: %w", err)
+	}
+	return l.AppendImage(image)
+}
+
+func SaveIndexAsOCILayout(image v1.ImageIndex, path string) error {
+	// Save the index to the local filesystem
+	err := os.MkdirAll(path, os.ModePerm)
+	if err != nil {
+		return fmt.Errorf("failed to create directory: %w", err)
+	}
+
+	_, err = layout.Write(path, image)
+	if err != nil {
+		return fmt.Errorf("failed to create index: %w", err)
 	}
 	return nil
 }

-func SaveAsOCILayout(image any, path string) error {
-	// Save the image to the local filesystem
-	err := os.MkdirAll(path, os.FileMode(0744))
-	if err != nil {
-		return fmt.Errorf("failed to create directory: %w", err)
-	}
-	switch image := image.(type) {
-	case *v1.Image:
-		index := empty.Index
-		l, err := layout.Write(path, index)
-		if err != nil {
-			return fmt.Errorf("failed to create index: %w", err)
+func SaveIndex(outputs []*oci.ImageSpec, index v1.ImageIndex, indexName string) error {
+	// split output by comma and write or push each one
+	for _, output := range outputs {
+		if output.Type == oci.OCI {
+			idx := v1.ImageIndex(empty.Index)
+			idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
+				Add: index,
+				Descriptor: v1.Descriptor{
+					Annotations: map[string]string{
+						oci.OciReferenceTarget: indexName,
+					},
+				},
+			})
+			err := SaveIndexAsOCILayout(idx, output.Identifier)
+			if err != nil {
+				return fmt.Errorf("failed to write signed image: %w", err)
+			}
+		} else {
+			err := PushIndexToRegistry(index, output.Identifier)
+			if err != nil {
+				return fmt.Errorf("failed to push signed image: %w", err)
+			}
+		}
+	}
+	return nil
+}
+
+func SaveImage(output *oci.ImageSpec, image v1.Image, imageName string) error {
+	if output.Type == oci.OCI {
+		idx := v1.ImageIndex(empty.Index)
+		idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
+			Add: image,
+			Descriptor: v1.Descriptor{
+				Annotations: map[string]string{
+					oci.OciReferenceTarget: imageName,
+				},
+			},
+		})
+		err := SaveIndexAsOCILayout(idx, output.Identifier)
+		if err != nil {
+			return fmt.Errorf("failed to write signed image: %w", err)
+		}
+	} else {
+		err := PushImageToRegistry(image, output.Identifier)
+		if err != nil {
+			return fmt.Errorf("failed to push signed image: %w", err)
+		}
+	}
+	return nil
+}
+
+func SaveReferrers(manifest *attestation.AttestationManifest, outputs []*oci.ImageSpec) error {
+	for _, output := range outputs {
+		if output.Type == oci.OCI {
+			continue
+		}
+		// so that we use the same tag each time to reduce number of tags (tags aren't needed for referrers but we must push one)
+		attOut, err := oci.ReplaceTagInSpec(output, manifest.SubjectDescriptor.Digest)
+		if err != nil {
+			return err
+		}
+		//otherwise we end up with the detected platform, though I'm not sure it matters
+		attOut.Platform = &v1.Platform{
+			OS:           "unknown",
+			Architecture: "unknown",
+		}
+		images, err := manifest.BuildReferringArtifacts()
+		if err != nil {
+			return fmt.Errorf("failed to build image: %w", err)
+		}
+		for _, image := range images {
+			err = SaveImage(attOut, image, "")
+		}
+		if err != nil {
+			return fmt.Errorf("failed to push image: %w", err)
 		}
-		err = l.AppendImage(*image)
-		if err != nil {
-			return fmt.Errorf("failed to append image to index: %w", err)
-		}
-	case *v1.ImageIndex:
-		_, err := layout.Write(path, *image)
-		if err != nil {
-			return fmt.Errorf("failed to create index: %w", err)
-		}
-	default:
-		return fmt.Errorf("unknown image type: %T", image)
 	}
 	return nil
 }
--- a/pkg/mirror/mirror_test.go
+++ b/pkg/mirror/mirror_test.go
@@ -0,0 +1,111 @@
+package mirror
+
+import (
+	"fmt"
+	"net/http/httptest"
+	"net/url"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attest"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/google/go-containerregistry/pkg/registry"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/empty"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSavingIndex(t *testing.T) {
+	UnsignedTestImage := filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
+	outputLayout := test.CreateTempDir(t, "", "mirror-test")
+	attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+	require.NoError(t, err)
+
+	server := httptest.NewServer(registry.New())
+	defer server.Close()
+
+	u, err := url.Parse(server.URL)
+	require.NoError(t, err)
+
+	indexName := fmt.Sprintf("%s/repo:root", u.Host)
+	output, err := oci.ParseImageSpecs(indexName)
+	require.NoError(t, err)
+	err = SaveIndex(output, attIdx.Index, indexName)
+	require.NoError(t, err)
+
+	ociOutput, err := oci.ParseImageSpecs("oci://" + outputLayout)
+	require.NoError(t, err)
+	err = SaveIndex(ociOutput, attIdx.Index, indexName)
+	require.NoError(t, err)
+}
+
+func TestSavingImage(t *testing.T) {
+
+	outputLayout := test.CreateTempDir(t, "", "mirror-test")
+
+	img := empty.Image
+
+	server := httptest.NewServer(registry.New())
+	defer server.Close()
+
+	u, err := url.Parse(server.URL)
+	require.NoError(t, err)
+
+	indexName := fmt.Sprintf("%s/repo:root", u.Host)
+	output, err := oci.ParseImageSpec(indexName)
+	require.NoError(t, err)
+	err = SaveImage(output, img, indexName)
+	require.NoError(t, err)
+
+	ociOutput, err := oci.ParseImageSpec("oci://" + outputLayout)
+	require.NoError(t, err)
+	err = SaveImage(ociOutput, img, indexName)
+	require.NoError(t, err)
+}
+
+func TestSavingReferrers(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	opts := &attestation.SigningOptions{}
+	statement := &intoto.Statement{
+		StatementHeader: intoto.StatementHeader{
+			PredicateType: attestation.VSAPredicateType,
+		},
+	}
+
+	digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
+	require.NoError(t, err)
+	subject := &v1.Descriptor{
+		MediaType: "application/vnd.oci.image.manifest.v1+json",
+		Digest:    digest,
+	}
+	manifest, err := attest.NewAttestationManifest(subject)
+	require.NoError(t, err)
+	err = manifest.AddAttestation(ctx, signer, statement, opts)
+	require.NoError(t, err)
+	server := httptest.NewServer(registry.New(registry.WithReferrersSupport(true)))
+	defer server.Close()
+
+	u, err := url.Parse(server.URL)
+	require.NoError(t, err)
+
+	indexName := fmt.Sprintf("%s/repo:root", u.Host)
+	output, err := oci.ParseImageSpecs(indexName)
+	require.NoError(t, err)
+	err = SaveReferrers(manifest, output)
+	require.NoError(t, err)
+
+	reg := &test.MockRegistryResolver{
+		Subject:      subject,
+		MockResolver: &test.MockResolver{},
+		ImageNameStr: indexName,
+	}
+	require.NoError(t, err)
+	refResolver, err := oci.NewReferrersAttestationResolver(reg)
+	require.NoError(t, err)
+	attestations, err := refResolver.Attestations(ctx, attestation.VSAPredicateType)
+	require.NoError(t, err)
+	require.Len(t, attestations, 1)
+}
--- a/pkg/mirror/targets.go
+++ b/pkg/mirror/targets.go
@@ -35,14 +35,14 @@ func (m *TufMirror) GetTufTargetMirrors() ([]*MirrorImage, error) {
 		if !ok {
 			return nil, fmt.Errorf("missing sha256 hash for target %s", t.Path)
 		}
-		name := strings.Join([]string{hash.String(), t.Path}, ".")
+		name := hash.String() + "." + t.Path
 		ann := map[string]string{tufFileAnnotation: name}
 		layer := mutate.Addendum{Layer: static.NewLayer(data, tufTargetMediaType), Annotations: ann}
 		img, err = mutate.Append(img, layer)
 		if err != nil {
 			return nil, fmt.Errorf("failed to append role layer to image: %w", err)
 		}
-		targetMirrors = append(targetMirrors, &MirrorImage{Image: &img, Tag: name})
+		targetMirrors = append(targetMirrors, &MirrorImage{Image: img, Tag: name})
 	}
 	return targetMirrors, nil
 }
@@ -86,7 +86,7 @@ func (m *TufMirror) GetDelegatedTargetMirrors() ([]*MirrorIndex, error) {
 			if !ok {
 				return nil, fmt.Errorf("failed to find target subdirectory [%s] in path: %s", subdir, target.Path)
 			}
-			name := strings.Join([]string{hash.String(), filename}, ".")
+			name := hash.String() + "." + filename
 			ann := map[string]string{tufFileAnnotation: name}
 			layer := mutate.Addendum{Layer: static.NewLayer(data, tufTargetMediaType), Annotations: ann}
 			img, err = mutate.Append(img, layer)
@@ -103,7 +103,7 @@ func (m *TufMirror) GetDelegatedTargetMirrors() ([]*MirrorIndex, error) {
 				},
 			})
 		}
-		mirror = append(mirror, &MirrorIndex{Index: &index, Tag: role.Name})
+		mirror = append(mirror, &MirrorIndex{Index: index, Tag: role.Name})
 	}
 	return mirror, nil
 }
--- a/pkg/mirror/targets_test.go
+++ b/pkg/mirror/targets_test.go
@@ -10,6 +10,7 @@ import (

 	"github.com/docker/attest/internal/embed"
 	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/tuf"
 	"github.com/stretchr/testify/assert"
 )

@@ -22,82 +23,82 @@ type Layers struct {
 }

 func TestGetTufTargetsMirror(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets")
-	assert.Nil(t, err)
+	m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+	assert.NoError(t, err)

 	targets, err := m.GetTufTargetMirrors()
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 	assert.Greater(t, len(targets), 0)

 	// check for image layer annotations
 	for _, target := range targets {
-		img := *target.Image
+		img := target.Image
 		mf, err := img.RawManifest()
-		assert.Nil(t, err)
+		assert.NoError(t, err)

 		// unmarshal manifest with annotations
 		l := &Layers{}
 		err = json.Unmarshal(mf, l)
-		assert.Nil(t, err)
+		assert.NoError(t, err)

 		// check that layers are annotated
 		for _, layer := range l.Layers {
 			ann, ok := layer.Annotations[tufFileAnnotation]
 			assert.True(t, ok)
 			parts := strings.Split(ann, ".")
-			// <digest>.filename.json
-			assert.Equal(t, len(parts), 3)
+			// <digest>.filename.<ext|optional>
+			assert.GreaterOrEqual(t, len(parts), 2)
 		}
 	}
 }

 func TestTargetDelegationMetadata(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
-	tm, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets")
-	assert.Nil(t, err)
+	tm, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+	assert.NoError(t, err)

 	targets, err := tm.TufClient.LoadDelegatedTargets("test-role", "targets")
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 	assert.Greater(t, len(targets.Signed.Targets), 0)
 }

 func TestGetDelegatedTargetMirrors(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()

 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets")
-	assert.Nil(t, err)
+	m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+	assert.NoError(t, err)

 	mirrors, err := m.GetDelegatedTargetMirrors()
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 	assert.Greater(t, len(mirrors), 0)

 	// check for index image annotations
 	for _, mirror := range mirrors {
-		idx := *mirror.Index
+		idx := mirror.Index
 		mf, err := idx.RawManifest()
-		assert.Nil(t, err)
+		assert.NoError(t, err)

 		// unmarshal manifest with annotations
 		l := &Layers{}
 		err = json.Unmarshal(mf, l)
-		assert.Nil(t, err)
+		assert.NoError(t, err)

 		// check that layers are annotated
 		for _, layer := range l.Layers {
 			ann, ok := layer.Annotations[tufFileAnnotation]
 			assert.True(t, ok)
 			parts := strings.Split(ann, ".")
-			// <subdir>/<digest>.filename.json
-			assert.Equal(t, len(parts), 3)
+			// <subdir>/<digest>.filename.<ext|optional>
+			assert.GreaterOrEqual(t, len(parts), 2)
 		}
 	}
 }
--- a/pkg/mirror/types.go
+++ b/pkg/mirror/types.go
@@ -7,8 +7,8 @@ import (
 )

 const (
-	DefaultMetadataURL   = "https://docker.github.io/tuf-staging/metadata"
-	DefaultTargetsURL    = "https://docker.github.io/tuf-staging/targets"
+	DefaultMetadataURL   = "https://docker.github.io/tuf/metadata"
+	DefaultTargetsURL    = "https://docker.github.io/tuf/targets"
 	tufMetadataMediaType = "application/vnd.tuf.metadata+json"
 	tufTargetMediaType   = "application/vnd.tuf.target"
 	tufFileAnnotation    = "tuf.io/filename"
@@ -32,12 +32,12 @@ type DelegatedTargetMetadata struct {
 }

 type MirrorImage struct {
-	Image *v1.Image
+	Image v1.Image
 	Tag   string
 }

 type MirrorIndex struct {
-	Index *v1.ImageIndex
+	Index v1.ImageIndex
 	Tag   string
 }

--- a/pkg/oci/authn.go
+++ b/pkg/oci/authn.go
@@ -0,0 +1,21 @@
+package oci
+
+import (
+	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/v1/google"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+func MultiKeychainOption() remote.Option {
+	return remote.WithAuthFromKeychain(MultiKeychainAll())
+}
+
+func MultiKeychainAll() authn.Keychain {
+	// Create a multi-keychain that will use the default Docker, Google, or ECR keychain
+	return authn.NewMultiKeychain(
+		authn.DefaultKeychain,
+		google.Keychain,
+		authn.NewKeychainFromHelper(ecr.NewECRHelper()),
+	)
+}
--- a/pkg/oci/http.go
+++ b/pkg/oci/http.go
@@ -0,0 +1,27 @@
+package oci
+
+import (
+	"net/http"
+
+	"github.com/hashicorp/go-cleanhttp"
+)
+
+type userAgentTransporter struct {
+	ua string
+	rt http.RoundTripper
+}
+
+type Option = func(*http.Client)
+
+func (u *userAgentTransporter) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Set("User-Agent", u.ua)
+
+	return u.rt.RoundTrip(req)
+}
+
+func HttpTransport() http.RoundTripper {
+	return &userAgentTransporter{
+		ua: "Docker-Client",
+		rt: cleanhttp.DefaultTransport(),
+	}
+}
--- a/pkg/oci/layout.go
+++ b/pkg/oci/layout.go
@@ -0,0 +1,144 @@
+package oci
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/attest/pkg/attestation"
+	att "github.com/docker/attest/pkg/attestation"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/pkg/errors"
+)
+
+// implementation of AttestationResolver that closes over attestations from an oci layout
+type OCILayoutResolver struct {
+	*attestation.AttestationManifest
+	*ImageSpec
+}
+
+func NewOCILayoutAttestationResolver(src *ImageSpec) (*OCILayoutResolver, error) {
+	r := &OCILayoutResolver{
+		ImageSpec: src,
+	}
+	_, err := r.fetchAttestationManifest()
+	if err != nil {
+		return nil, err
+	}
+	return r, nil
+}
+
+func (r *OCILayoutResolver) fetchAttestationManifest() (*attestation.AttestationManifest, error) {
+	if r.AttestationManifest == nil {
+		m, err := attestationManifestFromOCILayout(r.Identifier, r.ImageSpec.Platform)
+		if err != nil {
+			return nil, err
+		}
+		r.AttestationManifest = m
+	}
+
+	return r.AttestationManifest, nil
+}
+
+func (r *OCILayoutResolver) Attestations(ctx context.Context, predicateType string) ([]*att.Envelope, error) {
+	var envs []*att.Envelope
+	dsseMediaType, err := attestation.DSSEMediaType(predicateType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)
+	}
+	for _, attestationLayer := range r.AttestationManifest.OriginalLayers {
+		mt, err := attestationLayer.Layer.MediaType()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get layer media type: %w", err)
+		}
+		mts := string(mt)
+		if mts != dsseMediaType {
+			continue
+		}
+		var env = new(att.Envelope)
+		// parse layer blob as json
+		r, err := attestationLayer.Layer.Uncompressed()
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to get layer contents: %w", err)
+		}
+		defer r.Close()
+		err = json.NewDecoder(r).Decode(env)
+		if err != nil {
+			return nil, fmt.Errorf("failed to decode envelope: %w", err)
+		}
+		envs = append(envs, env)
+	}
+	return envs, nil
+}
+
+func (r *OCILayoutResolver) ImageName(ctx context.Context) (string, error) {
+	return r.SubjectName, nil
+}
+
+func (r *OCILayoutResolver) ImageDescriptor(ctx context.Context) (*v1.Descriptor, error) {
+	return r.SubjectDescriptor, nil
+}
+
+func (r *OCILayoutResolver) ImagePlatform(ctx context.Context) (*v1.Platform, error) {
+	return r.ImageSpec.Platform, nil
+}
+
+func attestationManifestFromOCILayout(path string, platform *v1.Platform) (*attestation.AttestationManifest, error) {
+	idx, err := layout.ImageIndexFromPath(path)
+	if err != nil {
+		return nil, err
+	}
+
+	idxm, err := idx.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get digest: %w", err)
+	}
+
+	idxDescriptor := idxm.Manifests[0]
+	name := idxDescriptor.Annotations["org.opencontainers.image.ref.name"]
+	idxDigest := idxDescriptor.Digest
+
+	mfs, err := idx.ImageIndex(idxDigest)
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract ImageIndex for digest %s: %w", idxDigest.String(), err)
+	}
+	mfs2, err := mfs.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract IndexManifest from ImageIndex: %w", err)
+	}
+	var subjectDescriptor *v1.Descriptor
+	for _, mf := range mfs2.Manifests {
+		if mf.Platform.Equals(*platform) {
+			subjectDescriptor = &mf
+			break
+		}
+	}
+	for _, mf := range mfs2.Manifests {
+		if mf.Annotations[att.DockerReferenceType] != attestation.AttestationManifestType {
+			continue
+		}
+
+		if mf.Annotations[att.DockerReferenceDigest] != subjectDescriptor.Digest.String() {
+			continue
+		}
+
+		attestationImage, err := mfs.Image(mf.Digest)
+		if err != nil {
+			return nil, fmt.Errorf("failed to extract attestation image with digest %s: %w", mf.Digest.String(), err)
+		}
+		layers, err := attestation.GetAttestationsFromImage(attestationImage)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get attestations from image: %w", err)
+		}
+		attest := &attestation.AttestationManifest{
+			OriginalLayers:     layers,
+			OriginalDescriptor: &mf,
+			SubjectName:        name,
+			SubjectDescriptor:  subjectDescriptor,
+		}
+		return attest, nil
+	}
+	return nil, errors.New("attestation manifest not found")
+}
--- a/pkg/oci/oci.go
+++ b/pkg/oci/oci.go
@@ -0,0 +1,174 @@
+package oci
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/containerd/platforms"
+	"github.com/distribution/reference"
+	"github.com/docker/attest/pkg/attestation"
+	att "github.com/docker/attest/pkg/attestation"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/package-url/packageurl-go"
+	"github.com/pkg/errors"
+)
+
+// ParsePlatform parses the provided platform string or attempts to obtain
+// the platform of the current host system
+func ParsePlatform(platformStr string) (*v1.Platform, error) {
+	if platformStr == "" {
+		cdp := platforms.Normalize(platforms.DefaultSpec())
+		if cdp.OS != "windows" {
+			cdp.OS = "linux"
+		}
+		return &v1.Platform{
+			OS:           cdp.OS,
+			Architecture: cdp.Architecture,
+			Variant:      cdp.Variant,
+		}, nil
+	} else {
+		return v1.ParsePlatform(platformStr)
+	}
+}
+
+func WithOptions(ctx context.Context, platform *v1.Platform) []remote.Option {
+	// prepare options
+	options := []remote.Option{MultiKeychainOption(), remote.WithTransport(HttpTransport()), remote.WithContext(ctx)}
+
+	// add in platform into remote Get operation; this might conflict with an explicit digest, but we are trying anyway
+	if platform != nil {
+		options = append(options, remote.WithPlatform(*platform))
+	}
+	return options
+}
+
+func ExtractEnvelopes(manifest *attestation.AttestationManifest, predicateType string) ([]*att.Envelope, error) {
+	var envs []*att.Envelope
+	dsseMediaType, err := attestation.DSSEMediaType(predicateType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)
+	}
+	for _, attestationLayer := range manifest.OriginalLayers {
+		mt, err := attestationLayer.Layer.MediaType()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get layer media type: %w", err)
+		}
+		if string(mt) == dsseMediaType {
+			reader, err := attestationLayer.Layer.Uncompressed()
+			if err != nil {
+				return nil, fmt.Errorf("failed to get layer contents: %w", err)
+			}
+			defer reader.Close()
+			var env = new(att.Envelope)
+			err = json.NewDecoder(reader).Decode(&env)
+			if err != nil {
+				return nil, fmt.Errorf("failed to decode envelope: %w", err)
+			}
+			envs = append(envs, env)
+		}
+	}
+
+	return envs, nil
+}
+
+func imageDescriptor(ix *v1.IndexManifest, platform *v1.Platform) (*v1.Descriptor, error) {
+	for _, m := range ix.Manifests {
+		if (m.MediaType == ocispec.MediaTypeImageManifest || m.MediaType == "application/vnd.docker.distribution.manifest.v2+json") && m.Platform.Equals(*platform) {
+			return &m, nil
+		}
+	}
+	return nil, errors.New(fmt.Sprintf("no image found for platform %v", platform))
+}
+
+func attestationDigestForDigest(ix *v1.IndexManifest, imageDigest string, attestType string) (string, error) {
+	for _, m := range ix.Manifests {
+		if v, ok := m.Annotations[att.DockerReferenceType]; ok && v == attestType {
+			if d, ok := m.Annotations[att.DockerReferenceDigest]; ok && d == imageDigest {
+				return m.Digest.String(), nil
+			}
+		}
+	}
+	return "", errors.New(fmt.Sprintf("no attestation found for image %s", imageDigest))
+}
+
+func RefToPURL(ref string, platform *v1.Platform) (string, bool, error) {
+	var isCanonical bool
+	named, err := reference.ParseNormalizedNamed(ref)
+	if err != nil {
+		return "", false, fmt.Errorf("failed to parse ref %q: %w", ref, err)
+	}
+	var qualifiers []packageurl.Qualifier
+
+	if canonical, ok := named.(reference.Canonical); ok {
+		qualifiers = append(qualifiers, packageurl.Qualifier{
+			Key:   "digest",
+			Value: canonical.Digest().String(),
+		})
+		isCanonical = true
+	} else {
+		named = reference.TagNameOnly(named)
+	}
+
+	version := ""
+	if tagged, ok := named.(reference.Tagged); ok {
+		version = tagged.Tag()
+	}
+
+	name := reference.FamiliarName(named)
+
+	ns := ""
+	parts := strings.Split(name, "/")
+	if len(parts) > 1 {
+		ns = strings.Join(parts[:len(parts)-1], "/")
+	}
+	name = parts[len(parts)-1]
+
+	if platform != nil {
+		qualifiers = append(qualifiers, packageurl.Qualifier{
+			Key:   "platform",
+			Value: platform.String(),
+		})
+	}
+
+	p := packageurl.NewPackageURL("docker", ns, name, version, qualifiers, "")
+	return p.ToString(), isCanonical, nil
+}
+
+func SplitDigest(digest string) (common.DigestSet, error) {
+	parts := strings.SplitN(digest, ":", 2)
+	if len(parts) != 2 {
+		return nil, fmt.Errorf("invalid digest %q", digest)
+	}
+	return common.DigestSet{
+		parts[0]: parts[1],
+	}, nil
+}
+
+func ReplaceTagInSpec(src *ImageSpec, digest v1.Hash) (*ImageSpec, error) {
+	newName, err := replaceTag(src.Identifier, digest)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse repo name: %w", err)
+	}
+	return &ImageSpec{
+		Identifier: newName,
+		Type:       src.Type,
+		Platform:   src.Platform,
+	}, nil
+}
+
+// so that the index tag is replaced with a tag unique to the image digest and doesn't overwrite it
+func replaceTag(image string, digest v1.Hash) (string, error) {
+	if strings.HasPrefix(image, LocalPrefix) {
+		return image, nil
+	}
+	notag, err := WithoutTag(image)
+	if err != nil {
+		return "", nil
+	}
+	return fmt.Sprintf("%s:%s-%s.att", notag, digest.Algorithm, digest.Hex), nil
+}
--- a/pkg/oci/oci_test.go
+++ b/pkg/oci/oci_test.go
@@ -0,0 +1,139 @@
+package oci
+
+import (
+	"path/filepath"
+	"testing"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRefToPurl(t *testing.T) {
+	arm, err := ParsePlatform("arm64/linux")
+	require.NoError(t, err)
+	purl, canonical, err := RefToPURL("alpine", arm)
+	assert.NoError(t, err)
+	assert.Equal(t, "pkg:docker/alpine@latest?platform=arm64%2Flinux", purl)
+	assert.False(t, canonical)
+
+	purl, canonical, err = RefToPURL("alpine:123", arm)
+	assert.NoError(t, err)
+	assert.Equal(t, "pkg:docker/alpine@123?platform=arm64%2Flinux", purl)
+	assert.False(t, canonical)
+
+	purl, canonical, err = RefToPURL("google/alpine:123", arm)
+	assert.NoError(t, err)
+	assert.Equal(t, "pkg:docker/google/alpine@123?platform=arm64%2Flinux", purl)
+	assert.False(t, canonical)
+
+	purl, canonical, err = RefToPURL("library/alpine:123", arm)
+	assert.NoError(t, err)
+	assert.Equal(t, "pkg:docker/alpine@123?platform=arm64%2Flinux", purl)
+	assert.False(t, canonical)
+
+	purl, canonical, err = RefToPURL("docker.io/library/alpine:123", arm)
+	assert.NoError(t, err)
+	assert.Equal(t, "pkg:docker/alpine@123?platform=arm64%2Flinux", purl)
+	assert.False(t, canonical)
+
+	purl, canonical, err = RefToPURL("localhost:5001/library/alpine:123", arm)
+	assert.NoError(t, err)
+	assert.Equal(t, "pkg:docker/localhost%3A5001/library/alpine@123?platform=arm64%2Flinux", purl)
+	assert.False(t, canonical)
+
+	purl, canonical, err = RefToPURL("localhost:5001/alpine:123", arm)
+	assert.NoError(t, err)
+	assert.Equal(t, "pkg:docker/localhost%3A5001/alpine@123?platform=arm64%2Flinux", purl)
+	assert.False(t, canonical)
+
+	purl, canonical, err = RefToPURL("localhost:5001/alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b", arm)
+	assert.NoError(t, err)
+	assert.Equal(t, "pkg:docker/localhost%3A5001/alpine?digest=sha256%3Ac5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b&platform=arm64%2Flinux", purl)
+	assert.True(t, canonical)
+}
+
+var (
+	UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
+)
+
+// Test fix for https://github.com/docker/secure-artifacts-team-issues/issues/202
+func TestImageDigestForPlatform(t *testing.T) {
+	idx, err := layout.ImageIndexFromPath(UnsignedTestImage)
+	assert.NoError(t, err)
+
+	idxm, err := idx.IndexManifest()
+	assert.NoError(t, err)
+
+	idxDescriptor := idxm.Manifests[0]
+	idxDigest := idxDescriptor.Digest
+
+	mfs, err := idx.ImageIndex(idxDigest)
+	assert.NoError(t, err)
+	mfs2, err := mfs.IndexManifest()
+	assert.NoError(t, err)
+
+	p, err := ParsePlatform("linux/amd64")
+	assert.NoError(t, err)
+	desc, err := imageDescriptor(mfs2, p)
+	assert.NoError(t, err)
+	digest := desc.Digest.String()
+	assert.Equal(t, "sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620", digest)
+
+	p, err = ParsePlatform("linux/arm64")
+	assert.NoError(t, err)
+	desc, err = imageDescriptor(mfs2, p)
+	assert.NoError(t, err)
+	digest = desc.Digest.String()
+	assert.Equal(t, "sha256:7a76cec943853f9f7105b1976afa1bf7cd5bb6afc4e9d5852dd8da7cf81ae86e", digest)
+}
+
+func TestWithoutTag(t *testing.T) {
+	tc := []struct {
+		name     string
+		expected string
+	}{
+		{name: "image:tag", expected: "index.docker.io/library/image"},
+		{name: "image", expected: "index.docker.io/library/image"},
+		{name: "image:sha256-digest.att", expected: "index.docker.io/library/image"},
+		{name: "docker://image:tag", expected: "docker://index.docker.io/library/image"},
+		{name: "image@sha256:166710df254975d4a6c4c407c315951c22753dcaa829e020a3fd5d18fff70dd2", expected: "index.docker.io/library/image"},
+		{name: "docker://image@sha256:166710df254975d4a6c4c407c315951c22753dcaa829e020a3fd5d18fff70dd2", expected: "docker://index.docker.io/library/image"},
+		{name: "docker://127.0.0.1:36555/repo:latest", expected: "docker://127.0.0.1:36555/repo"},
+	}
+	for _, c := range tc {
+		t.Run(c.name, func(t *testing.T) {
+			notag, _ := WithoutTag(c.name)
+			assert.Equal(t, c.expected, notag)
+		})
+	}
+}
+
+func TestReplaceTag(t *testing.T) {
+	tc := []struct {
+		name     string
+		expected string
+	}{
+		{name: "image:tag", expected: "index.docker.io/library/image:sha256-digest.att"},
+		{name: "image", expected: "index.docker.io/library/image:sha256-digest.att"},
+		{name: "image:sha256-digest.att", expected: "index.docker.io/library/image:sha256-digest.att"},
+		{name: "docker://image:tag", expected: "docker://index.docker.io/library/image:sha256-digest.att"},
+		{name: "image@sha256:166710df254975d4a6c4c407c315951c22753dcaa829e020a3fd5d18fff70dd2", expected: "index.docker.io/library/image:sha256-digest.att"},
+		{name: "oci://foobar", expected: "oci://foobar"},
+		{name: "docker://image@sha256:166710df254975d4a6c4c407c315951c22753dcaa829e020a3fd5d18fff70dd2", expected: "docker://index.docker.io/library/image:sha256-digest.att"},
+		{name: "docker://127.0.0.1:36555/repo:latest", expected: "docker://127.0.0.1:36555/repo:sha256-digest.att"},
+	}
+
+	digest := v1.Hash{
+		Algorithm: "sha256",
+		Hex:       "digest",
+	}
+	for _, c := range tc {
+		t.Run(c.name, func(t *testing.T) {
+			replaced, err := replaceTag(c.name, digest)
+			require.NoError(t, err)
+			assert.Equal(t, c.expected, replaced)
+		})
+	}
+}
--- a/pkg/oci/referrers.go
+++ b/pkg/oci/referrers.go
@@ -0,0 +1,125 @@
+package oci
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/attest/pkg/attestation"
+	att "github.com/docker/attest/pkg/attestation"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+type ReferrersResolver struct {
+	referrersRepo string
+	ImageDetailsResolver
+}
+
+func NewReferrersAttestationResolver(src ImageDetailsResolver, options ...func(*ReferrersResolver) error) (*ReferrersResolver, error) {
+	res := &ReferrersResolver{
+		ImageDetailsResolver: src,
+	}
+	for _, opt := range options {
+		err := opt(res)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return res, nil
+}
+
+func WithReferrersRepo(repo string) func(*ReferrersResolver) error {
+	return func(r *ReferrersResolver) error {
+		r.referrersRepo = repo
+		return nil
+	}
+}
+
+func (r *ReferrersResolver) resolveAttestations(ctx context.Context, predicateType string) ([]*attestation.AttestationManifest,
+	error) {
+	dsseMediaType, err := attestation.DSSEMediaType(predicateType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)
+	}
+	imageName, err := r.ImageName(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get image name: %w", err)
+	}
+	subjectRef, err := name.ParseReference(imageName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse reference: %w", err)
+	}
+	desc, err := r.ImageDescriptor(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get descriptor: %w", err)
+	}
+	subjectDigest := desc.Digest.String()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get digest: %w", err)
+	}
+	var referrersSubjectRef name.Digest
+	if r.referrersRepo != "" {
+		referrersSubjectRef, err = name.NewDigest(fmt.Sprintf("%s@%s", r.referrersRepo, subjectDigest))
+		if err != nil {
+			return nil, fmt.Errorf("failed to create referrers reference: %w", err)
+		}
+	} else {
+		referrersSubjectRef = subjectRef.Context().Digest(subjectDigest)
+	}
+	options := WithOptions(ctx, nil)
+	options = append(options, remote.WithFilter("artifactType", dsseMediaType))
+	referrersIndex, err := remote.Referrers(referrersSubjectRef, options...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get referrers: %w", err)
+	}
+	referrersIndexManifest, err := referrersIndex.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get index manifest: %w", err)
+	}
+	aManifests := make([]*attestation.AttestationManifest, 0)
+	for _, m := range referrersIndexManifest.Manifests {
+		remoteRef := referrersSubjectRef.Context().Digest(m.Digest.String())
+		attestationImage, err := remote.Image(remoteRef)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get referred image: %w", err)
+		}
+		layers, err := attestation.GetAttestationsFromImage(attestationImage)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get attestations from image: %w", err)
+		}
+		if len(layers) != 1 {
+			return nil, fmt.Errorf("expected exactly one layer, got %d", len(layers))
+		}
+		mt, err := layers[0].Layer.MediaType()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get layer media type: %w", err)
+		}
+		if string(mt) != dsseMediaType {
+			return nil, fmt.Errorf("expected layer media type %s, got %s", dsseMediaType, mt)
+		}
+		attest := &attestation.AttestationManifest{
+			SubjectName:        imageName,
+			OriginalLayers:     layers,
+			OriginalDescriptor: &m,
+			SubjectDescriptor:  desc,
+		}
+		aManifests = append(aManifests, attest)
+	}
+	return aManifests, nil
+}
+
+func (r *ReferrersResolver) Attestations(ctx context.Context, predicateType string) ([]*att.Envelope, error) {
+	manifests, err := r.resolveAttestations(ctx, predicateType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve attestations: %w", err)
+	}
+	var envs []*att.Envelope
+	for _, attest := range manifests {
+		es, err := ExtractEnvelopes(attest, predicateType)
+		if err != nil {
+			return nil, fmt.Errorf("failed to extract envelopes: %w", err)
+		}
+		envs = append(envs, es...)
+	}
+	return envs, nil
+}
--- a/pkg/oci/registry.go
+++ b/pkg/oci/registry.go
@@ -0,0 +1,141 @@
+package oci
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/attest/pkg/attestation"
+	att "github.com/docker/attest/pkg/attestation"
+	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+type RegistryResolver struct {
+	*RegistryImageDetailsResolver
+	*attestation.AttestationManifest
+}
+
+type RegistryImageDetailsResolver struct {
+	*ImageSpec
+	descriptor *v1.Descriptor
+}
+
+func NewRegistryImageDetailsResolver(src *ImageSpec) (*RegistryImageDetailsResolver, error) {
+	return &RegistryImageDetailsResolver{
+		ImageSpec: src,
+	}, nil
+}
+
+func NewRegistryAttestationResolver(src *RegistryImageDetailsResolver) (*RegistryResolver, error) {
+	return &RegistryResolver{
+		RegistryImageDetailsResolver: src,
+	}, nil
+}
+
+func (r *RegistryImageDetailsResolver) ImageName(ctx context.Context) (string, error) {
+	return r.Identifier, nil
+}
+
+func (r *RegistryImageDetailsResolver) ImagePlatform(ctx context.Context) (*v1.Platform, error) {
+	return r.Platform, nil
+}
+
+func (r *RegistryImageDetailsResolver) ImageDescriptor(ctx context.Context) (*v1.Descriptor, error) {
+	if r.descriptor == nil {
+		subjectRef, err := name.ParseReference(r.Identifier)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse reference: %w", err)
+		}
+		options := WithOptions(ctx, r.Platform)
+		image, err := remote.Image(subjectRef, options...)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get image manifest: %w", err)
+		}
+		digest, err := image.Digest()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get image digest: %w", err)
+		}
+		size, err := image.Size()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get image size: %w", err)
+		}
+		mediaType, err := image.MediaType()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get image media type: %w", err)
+		}
+		r.descriptor = &v1.Descriptor{
+			Digest:    digest,
+			Size:      size,
+			MediaType: mediaType,
+		}
+	}
+	return r.descriptor, nil
+}
+
+func (r *RegistryResolver) Attestations(ctx context.Context, predicateType string) ([]*att.Envelope, error) {
+	if r.AttestationManifest == nil {
+		attest, err := FetchAttestationManifest(ctx, r.Identifier, r.ImageSpec.Platform)
+		if err != nil {
+			return nil, err
+		}
+		r.AttestationManifest = attest
+	}
+	return ExtractEnvelopes(r.AttestationManifest, predicateType)
+}
+
+func FetchAttestationManifest(ctx context.Context, image string, platform *v1.Platform) (*attestation.AttestationManifest, error) {
+	// we want to get to the image index, so ignoring platform for now
+	options := WithOptions(ctx, nil)
+	ref, err := name.ParseReference(image)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse reference: %w", err)
+	}
+	index, err := remote.Index(ref, options...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get index: %w", err)
+	}
+	indexManifest, err := index.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get index manifest: %w", err)
+	}
+	subjectDescriptor, err := imageDescriptor(indexManifest, platform)
+	if err != nil {
+		return nil, fmt.Errorf("failed to obtain image for platform: %w", err)
+	}
+
+	digest := subjectDescriptor.Digest.String()
+	ref, err = name.ParseReference(fmt.Sprintf("%s@%s", ref.Context().Name(), digest))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse attestation reference: %w", err)
+	}
+
+	attestationDigest, err := attestationDigestForDigest(indexManifest, digest, "attestation-manifest")
+	if err != nil {
+		return nil, fmt.Errorf("failed to obtain attestation for image: %w", err)
+	}
+	ref, err = name.ParseReference(fmt.Sprintf("%s@%s", ref.Context().Name(), attestationDigest))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse attestation reference: %w", err)
+	}
+	remoteDescriptor, err := remote.Get(ref, options...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get attestation: %w", err)
+	}
+	attestationImage, err := remoteDescriptor.Image()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get attestation image: %w", err)
+	}
+
+	layers, err := attestation.GetAttestationsFromImage(attestationImage)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get attestations from image: %w", err)
+	}
+	attest := &attestation.AttestationManifest{
+		OriginalLayers:     layers,
+		OriginalDescriptor: &remoteDescriptor.Descriptor,
+		SubjectName:        image,
+		SubjectDescriptor:  subjectDescriptor,
+	}
+	return attest, nil
+}
--- a/pkg/oci/registry_test.go
+++ b/pkg/oci/registry_test.go
@@ -0,0 +1,51 @@
+package oci_test
+
+import (
+	"fmt"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attest"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/mirror"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/pkg/policy"
+	"github.com/google/go-containerregistry/pkg/registry"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRegistry(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	server := httptest.NewServer(registry.New(registry.WithReferrersSupport(false)))
+	defer server.Close()
+	u, err := url.Parse(server.URL)
+	require.NoError(t, err)
+
+	opts := &attestation.SigningOptions{}
+	attIdx, err := oci.IndexFromPath(oci.UnsignedTestImage)
+	require.NoError(t, err)
+	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+	require.NoError(t, err)
+	signedIndex := attIdx.Index
+	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
+	require.NoError(t, err)
+
+	indexName := fmt.Sprintf("%s/repo:root", u.Host)
+	require.NoError(t, err)
+	err = mirror.PushIndexToRegistry(signedIndex, indexName)
+	require.NoError(t, err)
+
+	spec, err := oci.ParseImageSpec(indexName)
+	require.NoError(t, err)
+
+	resolver, err := policy.CreateImageDetailsResolver(spec)
+	require.NoError(t, err)
+	desc, err := resolver.ImageDescriptor(ctx)
+	require.NoError(t, err)
+	digest := desc.Digest.String()
+	assert.True(t, strings.Contains(digest, "sha256:"))
+}
--- a/pkg/oci/resolver.go
+++ b/pkg/oci/resolver.go
@@ -0,0 +1,19 @@
+package oci
+
+import (
+	"context"
+
+	att "github.com/docker/attest/pkg/attestation"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+type AttestationResolver interface {
+	ImageDetailsResolver
+	Attestations(ctx context.Context, mediaType string) ([]*att.Envelope, error)
+}
+
+type ImageDetailsResolver interface {
+	ImageName(ctx context.Context) (string, error)
+	ImagePlatform(ctx context.Context) (*v1.Platform, error)
+	ImageDescriptor(ctx context.Context) (*v1.Descriptor, error)
+}
--- a/pkg/oci/types.go
+++ b/pkg/oci/types.go
@@ -0,0 +1,181 @@
+package oci
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+const (
+	OciReferenceTarget            = "org.opencontainers.image.ref.name"
+	LocalPrefix                   = "oci://"
+	RegistryPrefix                = "docker://"
+	OCI                SourceType = "OCI"
+	Docker             SourceType = "Docker"
+)
+
+type SourceType string
+type NamedIndex struct {
+	Index v1.ImageIndex
+	Name  string
+}
+
+type AttestationOptions struct {
+	NoReferrers   bool
+	Attach        bool
+	ReferrersRepo string
+}
+
+type ImageSpecOption func(*ImageSpec) error
+
+type ImageSpec struct {
+	// OCI or Docker
+	Type SourceType
+	// without oci:// or docker:// (name or path)
+	Identifier string
+	Platform   *v1.Platform
+}
+
+func IndexFromPath(path string) (*NamedIndex, error) {
+	wrapperIdx, err := layout.ImageIndexFromPath(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load image index: %w", err)
+	}
+
+	idxm, err := wrapperIdx.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get digest: %w", err)
+	}
+	imageName := idxm.Manifests[0].Annotations[OciReferenceTarget]
+	idxDigest := idxm.Manifests[0].Digest
+
+	idx, err := wrapperIdx.ImageIndex(idxDigest)
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract ImageIndex for digest %s: %w", idxDigest.String(), err)
+	}
+	return &NamedIndex{
+		Index: idx,
+		Name:  imageName,
+	}, nil
+}
+
+func IndexFromRemote(image string) (*NamedIndex, error) {
+	ref, err := name.ParseReference(image)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse image reference %s: %w", image, err)
+	}
+
+	// Pull the image from the registry
+	idx, err := remote.Index(ref, MultiKeychainOption())
+	if err != nil {
+		return nil, fmt.Errorf("failed to pull image %s: %w", image, err)
+	}
+	return &NamedIndex{
+		Index: idx,
+		Name:  image,
+	}, nil
+}
+
+func LoadIndex(input *ImageSpec) (*NamedIndex, error) {
+	if input.Type == OCI {
+		return IndexFromPath(input.Identifier)
+	} else {
+		return IndexFromRemote(input.Identifier)
+	}
+}
+
+func (i *ImageSpec) ForPlatforms(platform string) ([]*ImageSpec, error) {
+	platforms := strings.Split(platform, ",")
+	var specs []*ImageSpec
+	for _, pStr := range platforms {
+		p, err := ParsePlatform(pStr)
+		if err != nil {
+			return nil, err
+		}
+		spec := &ImageSpec{
+			Type:       i.Type,
+			Identifier: i.Identifier,
+			Platform:   p,
+		}
+		specs = append(specs, spec)
+	}
+	return specs, nil
+}
+
+func ParseImageSpec(img string, options ...ImageSpecOption) (*ImageSpec, error) {
+	img = strings.TrimSpace(img)
+	if strings.Contains(img, ",") {
+		return nil, fmt.Errorf("only one image is supported")
+	}
+	withoutPrefix := strings.TrimPrefix(strings.TrimPrefix(img, LocalPrefix), RegistryPrefix)
+	src := &ImageSpec{
+		Identifier: withoutPrefix,
+	}
+	if strings.HasPrefix(img, LocalPrefix) {
+		src.Type = OCI
+	} else {
+		src.Type = Docker
+	}
+	for _, option := range options {
+		err := option(src)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if src.Platform == nil {
+		platform, err := ParsePlatform("")
+		if err != nil {
+			return nil, err
+		}
+		src.Platform = platform
+	}
+	return src, nil
+}
+
+func WithPlatform(platform string) ImageSpecOption {
+	return func(i *ImageSpec) error {
+		if strings.Contains(platform, ",") {
+			return fmt.Errorf("only one platform is supported")
+		}
+		p, err := ParsePlatform(platform)
+		if err != nil {
+			return err
+		}
+		i.Platform = p
+		return nil
+	}
+}
+
+func ParseImageSpecs(img string) ([]*ImageSpec, error) {
+	outputs := strings.Split(img, ",")
+	var sources []*ImageSpec
+	for _, output := range outputs {
+		src, err := ParseImageSpec(output)
+		if err != nil {
+			return nil, err
+		}
+		sources = append(sources, src)
+	}
+	return sources, nil
+}
+
+func WithoutTag(image string) (string, error) {
+	if strings.HasPrefix(image, LocalPrefix) {
+		return image, nil
+	}
+	prefix := ""
+	if strings.HasPrefix(image, RegistryPrefix) {
+		image = strings.TrimPrefix(image, RegistryPrefix)
+		prefix = RegistryPrefix
+	}
+	ref, err := name.ParseReference(image)
+	if err != nil {
+		return "", err
+	}
+	repo := ref.Context().Name()
+	return prefix + repo, nil
+}
--- a/pkg/policy/evaluator.go
+++ b/pkg/policy/evaluator.go
@@ -0,0 +1,30 @@
+package policy
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/attest/pkg/oci"
+)
+
+type policyEvaluatorCtxKeyType struct{}
+
+var PolicyEvaluatorCtxKey policyEvaluatorCtxKeyType
+
+// sets PolicyEvaluator in context
+func WithPolicyEvaluator(ctx context.Context, pe PolicyEvaluator) context.Context {
+	return context.WithValue(ctx, PolicyEvaluatorCtxKey, pe)
+}
+
+// gets PolicyEvaluator from context, defaults to Rego PolicyEvaluator if not set
+func GetPolicyEvaluator(ctx context.Context) (PolicyEvaluator, error) {
+	t, ok := ctx.Value(PolicyEvaluatorCtxKey).(PolicyEvaluator)
+	if !ok {
+		return nil, fmt.Errorf("no policy evaluator client set on context (set one with policy.WithPolicyEvaluator)")
+	}
+	return t, nil
+}
+
+type PolicyEvaluator interface {
+	Evaluate(ctx context.Context, resolver oci.AttestationResolver, pctx *Policy, input *PolicyInput) (*Result, error)
+}
--- a/pkg/policy/mock.go
+++ b/pkg/policy/mock.go
@@ -0,0 +1,32 @@
+package policy
+
+import (
+	"context"
+
+	"github.com/docker/attest/pkg/oci"
+)
+
+type MockPolicyEvaluator struct {
+	EvaluateFunc func(ctx context.Context, resolver oci.AttestationResolver, pctx *Policy, input *PolicyInput) (*Result, error)
+}
+
+func (pe *MockPolicyEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationResolver, pctx *Policy, input *PolicyInput) (*Result, error) {
+	if pe.EvaluateFunc != nil {
+		return pe.EvaluateFunc(ctx, resolver, pctx, input)
+	}
+	return AllowedResult(), nil
+}
+
+func GetMockPolicy() PolicyEvaluator {
+	return &MockPolicyEvaluator{
+		EvaluateFunc: func(ctx context.Context, resolver oci.AttestationResolver, pctx *Policy, input *PolicyInput) (*Result, error) {
+			return AllowedResult(), nil
+		},
+	}
+}
+
+func AllowedResult() *Result {
+	return &Result{
+		Success: true,
+	}
+}
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -0,0 +1,238 @@
+package policy
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+
+	"github.com/distribution/reference"
+	"github.com/docker/attest/pkg/config"
+	"github.com/docker/attest/pkg/oci"
+)
+
+func resolveLocalPolicy(opts *PolicyOptions, mapping *config.PolicyMapping, imageName string, matchedName string) (*Policy, error) {
+	if opts.LocalPolicyDir == "" {
+		return nil, fmt.Errorf("local policy dir not set")
+	}
+	files := make([]*PolicyFile, 0, len(mapping.Files))
+	for _, f := range mapping.Files {
+		filename := f.Path
+		filePath := path.Join(opts.LocalPolicyDir, filename)
+		fileContents, err := os.ReadFile(filePath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read policy file %s: %w", filename, err)
+		}
+		files = append(files, &PolicyFile{
+			Path:    filename,
+			Content: fileContents,
+		})
+	}
+	policy := &Policy{
+		InputFiles: files,
+		Mapping:    mapping,
+	}
+	if imageName != matchedName {
+		policy.ResolvedName = matchedName
+	}
+	return policy, nil
+}
+
+func resolveTufPolicy(opts *PolicyOptions, mapping *config.PolicyMapping, imageName string, matchedName string) (*Policy, error) {
+	files := make([]*PolicyFile, 0, len(mapping.Files))
+	for _, f := range mapping.Files {
+		filename := f.Path
+		_, fileContents, err := opts.TufClient.DownloadTarget(filename, filepath.Join(opts.LocalTargetsDir, filename))
+		if err != nil {
+			return nil, fmt.Errorf("failed to download policy file %s: %w", filename, err)
+		}
+		files = append(files, &PolicyFile{
+			Path:    filename,
+			Content: fileContents,
+		})
+	}
+	policy := &Policy{
+		InputFiles: files,
+		Mapping:    mapping,
+	}
+	if imageName != matchedName {
+		policy.ResolvedName = matchedName
+	}
+	return policy, nil
+}
+
+type matchType string
+
+const (
+	matchTypePolicy        matchType = "policy"
+	matchTypeMatchNoPolicy matchType = "match_no_policy"
+	matchTypeNoMatch       matchType = "no_match"
+)
+
+type policyMatch struct {
+	matchType   matchType
+	policy      *config.PolicyMapping
+	rule        *config.PolicyRule
+	matchedName string
+}
+
+func findPolicyMatch(imageName string, mappings *config.PolicyMappings) (*policyMatch, error) {
+	if mappings == nil {
+		return &policyMatch{matchType: matchTypeNoMatch, matchedName: imageName}, nil
+	}
+	return findPolicyMatchImpl(imageName, mappings, make(map[*config.PolicyRule]bool))
+}
+
+func findPolicyMatchImpl(imageName string, mappings *config.PolicyMappings, matched map[*config.PolicyRule]bool) (*policyMatch, error) {
+	for _, rule := range mappings.Rules {
+		if rule.Pattern.MatchString(imageName) {
+			switch {
+			case rule.PolicyId == "" && rule.Replacement == "":
+				return nil, fmt.Errorf("rule %s has neither policy-id nor rewrite", rule.Pattern)
+			case rule.PolicyId != "" && rule.Replacement != "":
+				return nil, fmt.Errorf("rule %s has both policy-id and rewrite", rule.Pattern)
+			case rule.PolicyId != "":
+				policy := mappings.Policies[rule.PolicyId]
+				if policy != nil {
+					return &policyMatch{
+						matchType:   matchTypePolicy,
+						policy:      policy,
+						rule:        rule,
+						matchedName: imageName,
+					}, nil
+				}
+				return &policyMatch{
+					matchType:   matchTypeMatchNoPolicy,
+					rule:        rule,
+					matchedName: imageName,
+				}, nil
+			case rule.Replacement != "":
+				if matched[rule] {
+					return nil, fmt.Errorf("rewrite loop detected")
+				}
+				matched[rule] = true
+				imageName = rule.Pattern.ReplaceAllString(imageName, rule.Replacement)
+				return findPolicyMatchImpl(imageName, mappings, matched)
+			}
+		}
+	}
+	return &policyMatch{matchType: matchTypeNoMatch, matchedName: imageName}, nil
+}
+
+func resolvePolicyById(opts *PolicyOptions) (*Policy, error) {
+	if opts.PolicyId != "" {
+		localMappings, err := config.LoadLocalMappings(opts.LocalPolicyDir)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load local policy mappings: %w", err)
+		}
+		if localMappings != nil {
+			policy := localMappings.Policies[opts.PolicyId]
+			if policy != nil {
+				return resolveLocalPolicy(opts, policy, "", "")
+			}
+		}
+
+		// must check tuf
+		tufMappings, err := config.LoadTufMappings(opts.TufClient, opts.LocalTargetsDir)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load tuf policy mappings by id: %w", err)
+		}
+		policy := tufMappings.Policies[opts.PolicyId]
+		if policy != nil {
+			return resolveTufPolicy(opts, policy, "", "")
+		}
+		return nil, fmt.Errorf("policy with id %s not found", opts.PolicyId)
+	}
+	return nil, nil
+}
+
+func ResolvePolicy(ctx context.Context, detailsResolver oci.ImageDetailsResolver, opts *PolicyOptions) (*Policy, error) {
+	p, err := resolvePolicyById(opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve policy by id: %w", err)
+	}
+	if p != nil {
+		return p, nil
+	}
+	imageName, err := detailsResolver.ImageName(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get image name: %w", err)
+	}
+	imageName, err = normalizeImageName(imageName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse image name: %w", err)
+	}
+	localMappings, err := config.LoadLocalMappings(opts.LocalPolicyDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load local policy mappings: %w", err)
+	}
+	match, err := findPolicyMatch(imageName, localMappings)
+	if err != nil {
+		return nil, err
+	}
+	if match.matchType == matchTypePolicy {
+		return resolveLocalPolicy(opts, match.policy, imageName, match.matchedName)
+	}
+	// must check tuf
+	tufMappings, err := config.LoadTufMappings(opts.TufClient, opts.LocalTargetsDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load tuf policy mappings as fallback: %w", err)
+	}
+
+	// it's a mirror of a tuf policy
+	if match.matchType == matchTypeMatchNoPolicy {
+		for _, mapping := range tufMappings.Policies {
+			if mapping.Id == match.rule.PolicyId {
+				return resolveTufPolicy(opts, mapping, imageName, match.matchedName)
+			}
+		}
+	}
+
+	// try to resolve a tuf policy directly
+	match, err = findPolicyMatch(imageName, tufMappings)
+	if err != nil {
+		return nil, err
+	}
+	if match.matchType == matchTypePolicy {
+		return resolveTufPolicy(opts, match.policy, imageName, match.matchedName)
+	}
+	return nil, nil
+}
+
+func normalizeImageName(imageName string) (string, error) {
+	named, err := reference.ParseNormalizedNamed(imageName)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse image name: %w", err)
+	}
+	return named.Name(), nil
+}
+
+func CreateImageDetailsResolver(imageSource *oci.ImageSpec) (oci.ImageDetailsResolver, error) {
+	switch imageSource.Type {
+	case oci.OCI:
+		return oci.NewOCILayoutAttestationResolver(imageSource)
+	case oci.Docker:
+		return oci.NewRegistryImageDetailsResolver(imageSource)
+	}
+	return nil, fmt.Errorf("unsupported image source type: %s", imageSource.Type)
+}
+
+func CreateAttestationResolver(resolver oci.ImageDetailsResolver, mapping *config.PolicyMapping) (oci.AttestationResolver, error) {
+	switch resolver := resolver.(type) {
+	case *oci.RegistryImageDetailsResolver:
+		if mapping.Attestations != nil && mapping.Attestations.Style == config.AttestationStyleAttached {
+			return oci.NewRegistryAttestationResolver(resolver)
+		} else {
+			if mapping.Attestations != nil && mapping.Attestations.Repo != "" {
+				return oci.NewReferrersAttestationResolver(resolver, oci.WithReferrersRepo(mapping.Attestations.Repo))
+			} else {
+				return oci.NewReferrersAttestationResolver(resolver)
+			}
+		}
+	case *oci.OCILayoutResolver:
+		return resolver, nil
+	default:
+		return nil, fmt.Errorf("unsupported image details resolver type: %T", resolver)
+	}
+}
--- a/pkg/policy/policy_match_test.go
+++ b/pkg/policy/policy_match_test.go
@@ -0,0 +1,121 @@
+package policy
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/attest/pkg/config"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFindPolicyMatch(t *testing.T) {
+	testCases := []struct {
+		name       string
+		imageName  string
+		mappingDir string
+
+		expectError       bool
+		expectedMatchType matchType
+		expectedPolicyID  string
+		expectedImageName string
+	}{
+		{
+			name:       "alpine",
+			mappingDir: "doi",
+			imageName:  "docker.io/library/alpine",
+
+			expectedMatchType: matchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "no match",
+			mappingDir: "doi",
+			imageName:  "docker.io/something/else",
+
+			expectedMatchType: matchTypeNoMatch,
+			expectedImageName: "docker.io/something/else",
+		},
+		{
+			name:       "match, no policy",
+			mappingDir: "local",
+			imageName:  "docker.io/library/alpine",
+
+			expectedMatchType: matchTypeMatchNoPolicy,
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "simple rewrite",
+			mappingDir: "simple-rewrite",
+			imageName:  "mycoolmirror.org/library/alpine",
+
+			expectedMatchType: matchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "rewrite no match",
+			mappingDir: "rewrite-to-no-match",
+			imageName:  "mycoolmirror.org/library/alpine",
+
+			expectedMatchType: matchTypeNoMatch,
+			expectedImageName: "badredirect.org/alpine",
+		},
+		{
+			name:       "rewrite to match, no policy",
+			mappingDir: "rewrite-to-local",
+			imageName:  "mycoolmirror.org/library/alpine",
+
+			expectedMatchType: matchTypeMatchNoPolicy,
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "multiple rewrites",
+			mappingDir: "rewrite-multiple",
+			imageName:  "myevencoolermirror.org/library/alpine",
+
+			expectedMatchType: matchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "invalid rewrites",
+			mappingDir: "rewrite-invalid",
+			imageName:  "mycoolmirror.org/library/alpine",
+
+			expectError:       true,
+			expectedMatchType: matchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "rewrite loop",
+			mappingDir: "rewrite-loop",
+			imageName:  "yin/alpine",
+
+			expectError: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mappings, err := config.LoadLocalMappings(filepath.Join("testdata", "mappings", tc.mappingDir))
+			require.NoError(t, err)
+			match, err := findPolicyMatch(tc.imageName, mappings)
+			if tc.expectError {
+				require.Error(t, err)
+				// TODO: check error matches expected error message
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tc.expectedMatchType, match.matchType)
+			if match.matchType == matchTypePolicy {
+				if assert.NotNil(t, match.policy) {
+					assert.Equal(t, tc.expectedPolicyID, match.policy.Id)
+				}
+			}
+			assert.Equal(t, tc.expectedImageName, match.matchedName)
+		})
+	}
+}
--- a/pkg/policy/policy_test.go
+++ b/pkg/policy/policy_test.go
@@ -0,0 +1,118 @@
+package policy_test
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/config"
+	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/pkg/tuf"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func loadAttestation(t *testing.T, path string) *attestation.Envelope {
+	ex, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var env = new(attestation.Envelope)
+	err = json.Unmarshal(ex, env)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return env
+}
+
+func TestRegoEvaluator_Evaluate(t *testing.T) {
+	ctx, _ := test.Setup(t)
+	errorStr := "failed to resolve policy by id: policy with id non-existent-policy-id not found"
+	TestDataPath := filepath.Join("..", "..", "test", "testdata")
+	ExampleAttestation := filepath.Join(TestDataPath, "example_attestation.json")
+
+	re := policy.NewRegoEvaluator(true)
+
+	defaultResolver := test.MockResolver{
+		Envs: []*attestation.Envelope{loadAttestation(t, ExampleAttestation)},
+	}
+
+	testCases := []struct {
+		repo          string
+		expectSuccess bool
+		isCanonical   bool
+		resolver      oci.AttestationResolver
+		policy        *policy.PolicyOptions
+		policyId      string
+		errorStr      string
+	}{
+		{repo: "testdata/mock-tuf-allow", expectSuccess: true, isCanonical: false, resolver: defaultResolver},
+		{repo: "testdata/mock-tuf-allow", expectSuccess: true, isCanonical: false, resolver: defaultResolver, policyId: "docker-official-images"},
+		{repo: "testdata/mock-tuf-allow", expectSuccess: false, isCanonical: false, resolver: defaultResolver, policyId: "non-existent-policy-id", errorStr: errorStr},
+		{repo: "testdata/mock-tuf-deny", expectSuccess: false, isCanonical: false, resolver: defaultResolver},
+		{repo: "testdata/mock-tuf-verify-sig", expectSuccess: true, isCanonical: false, resolver: defaultResolver},
+		{repo: "testdata/mock-tuf-wrong-key", expectSuccess: false, isCanonical: false, resolver: defaultResolver},
+		{repo: "testdata/mock-tuf-allow-canonical", expectSuccess: true, isCanonical: true, resolver: defaultResolver},
+		{repo: "testdata/mock-tuf-allow-canonical", expectSuccess: false, isCanonical: false, resolver: defaultResolver},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.repo, func(t *testing.T) {
+			input := &policy.PolicyInput{
+				Digest:      "sha256:test-digest",
+				Purl:        "test-purl",
+				IsCanonical: tc.isCanonical,
+			}
+
+			tufClient := tuf.NewMockTufClient(tc.repo, test.CreateTempDir(t, "", "tuf-dest"))
+			if tc.policy == nil {
+				tc.policy = &policy.PolicyOptions{
+					TufClient:       tufClient,
+					LocalTargetsDir: test.CreateTempDir(t, "", "tuf-targets"),
+					PolicyId:        tc.policyId,
+				}
+			}
+			imageName, err := tc.resolver.ImageName(ctx)
+			require.NoError(t, err)
+			platform, err := tc.resolver.ImagePlatform(ctx)
+			require.NoError(t, err)
+			src, err := oci.ParseImageSpec(imageName, oci.WithPlatform(platform.String()))
+			require.NoError(t, err)
+			resolver, err := policy.CreateImageDetailsResolver(src)
+			require.NoError(t, err)
+			policy, err := policy.ResolvePolicy(ctx, resolver, tc.policy)
+			if tc.errorStr != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.errorStr)
+				return
+			}
+			require.NoErrorf(t, err, "failed to resolve policy")
+			require.NotNil(t, policy, "policy should not be nil")
+			result, err := re.Evaluate(ctx, tc.resolver, policy, input)
+			require.NoErrorf(t, err, "Evaluate failed")
+
+			if tc.expectSuccess {
+				assert.True(t, result.Success, "Evaluate should have succeeded")
+			} else {
+				assert.False(t, result.Success, "Evaluate should have failed")
+			}
+		})
+	}
+
+}
+
+func TestLoadingMappings(t *testing.T) {
+	policyMappings, err := config.LoadLocalMappings(filepath.Join("testdata", "mock-tuf-allow"))
+	require.NoError(t, err)
+	assert.Equal(t, len(policyMappings.Rules), 3)
+	for _, mirror := range policyMappings.Rules {
+		if mirror.PolicyId != "" {
+			assert.Equal(t, "docker-official-images", mirror.PolicyId)
+		}
+	}
+}
--- a/pkg/policy/rego.go
+++ b/pkg/policy/rego.go
@@ -0,0 +1,277 @@
+package policy
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	att "github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/oci"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/open-policy-agent/opa/ast"
+	"github.com/open-policy-agent/opa/rego"
+	"github.com/open-policy-agent/opa/storage"
+	"github.com/open-policy-agent/opa/storage/inmem"
+	"github.com/open-policy-agent/opa/tester"
+	"github.com/open-policy-agent/opa/topdown"
+	"github.com/open-policy-agent/opa/types"
+	opa "github.com/open-policy-agent/opa/util"
+	"sigs.k8s.io/yaml"
+)
+
+type regoEvaluator struct {
+	debug bool
+}
+
+const (
+	DefaultQuery  = "result := data.attest.result"
+	resultBinding = "result"
+)
+
+func NewRegoEvaluator(debug bool) PolicyEvaluator {
+	return &regoEvaluator{
+		debug: debug,
+	}
+}
+
+func (re *regoEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationResolver, pctx *Policy, input *PolicyInput) (*Result, error) {
+	var regoOpts []func(*rego.Rego)
+
+	// Create a new in-memory store
+	store := inmem.New()
+	params := storage.TransactionParams{}
+	params.Write = true
+	txn, err := store.NewTransaction(ctx, params)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, target := range pctx.InputFiles {
+		// load yaml as data (no rego opt for this!?)
+		if filepath.Ext(target.Path) == ".yaml" {
+			yamlData, err := loadYAML(target.Path, target.Content)
+			if err != nil {
+				return nil, err
+			}
+			err = store.Write(ctx, txn, storage.AddOp, storage.Path{}, yamlData)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			regoOpts = append(regoOpts, rego.Module(target.Path, string(target.Content)))
+		}
+	}
+
+	err = store.Commit(ctx, txn)
+	if err != nil {
+		store.Abort(ctx, txn)
+		return nil, err
+	}
+
+	if re.debug {
+		regoOpts = append(regoOpts,
+			rego.EnablePrintStatements(true),
+			rego.PrintHook(topdown.NewPrintHook(os.Stderr)),
+			rego.Dump(os.Stderr),
+		)
+	}
+	query := DefaultQuery
+	if pctx.Query != "" {
+		query = pctx.Query
+	}
+	regoOpts = append(regoOpts,
+		rego.Query(query),
+		rego.Input(input),
+		rego.Store(store),
+		rego.GenerateJSON(jsonGenerator[Result]()),
+	)
+	for _, custom := range RegoFunctions(resolver) {
+		regoOpts = append(regoOpts, custom.Func)
+	}
+
+	r := rego.New(regoOpts...)
+	rs, err := r.Eval(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(rs) == 0 {
+		return nil, fmt.Errorf("no policy evaluation result")
+	}
+	binding, ok := rs[0].Bindings[resultBinding]
+	if !ok {
+		return nil, fmt.Errorf("failed to extract verification result")
+	}
+	result, ok := binding.(Result)
+	if !ok {
+		return nil, fmt.Errorf("failed to extract verification result")
+	}
+
+	return &result, nil
+}
+
+func jsonGenerator[T any]() func(t *ast.Term, ec *rego.EvalContext) (any, error) {
+	return func(t *ast.Term, ec *rego.EvalContext) (any, error) {
+		// TODO: this is horrible - we're converting the AST to JSON and then back to AST, then using ast.As to convert it to a struct
+		// We can't use ast.As directly because it fails if the AST contains a set
+		json, err := ast.JSON(t.Value)
+		if err != nil {
+			return nil, err
+		}
+		v, err := ast.InterfaceToValue(json)
+		if err != nil {
+			return nil, err
+		}
+		var result T
+		err = ast.As(v, &result)
+		if err != nil {
+			return nil, err
+		}
+		return result, nil
+	}
+}
+
+var dynamicObj = types.NewObject(nil, types.NewDynamicProperty(types.A, types.A))
+
+var verifyDecl = &ast.Builtin{
+	Name:             "attest.verify",
+	Decl:             types.NewFunction(types.Args(dynamicObj, dynamicObj), dynamicObj),
+	Nondeterministic: true,
+}
+var attestDecl = &ast.Builtin{
+	Name:             "attest.fetch",
+	Decl:             types.NewFunction(types.Args(types.S), dynamicObj),
+	Nondeterministic: true,
+}
+
+func wrapFunctionResult(value *ast.Term, err error) (*ast.Term, error) {
+	var terms [][2]*ast.Term
+	if err != nil {
+		terms = append(terms, [2]*ast.Term{ast.StringTerm("error"), ast.StringTerm(err.Error())})
+	}
+	if value != nil {
+		terms = append(terms, [2]*ast.Term{ast.StringTerm("value"), value})
+	}
+	return ast.ObjectTerm(terms...), nil
+}
+
+func handleErrors1(f func(rCtx rego.BuiltinContext, a *ast.Term) (*ast.Term, error)) rego.Builtin1 {
+	return func(rCtx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
+		return wrapFunctionResult(f(rCtx, a))
+	}
+}
+
+func handleErrors2(f func(rCtx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error)) rego.Builtin2 {
+	return func(rCtx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {
+		return wrapFunctionResult(f(rCtx, a, b))
+	}
+}
+
+func RegoFunctions(resolver oci.AttestationResolver) []*tester.Builtin {
+	return []*tester.Builtin{
+		{
+			Decl: verifyDecl,
+			Func: rego.Function2(
+				&rego.Function{
+					Name:             verifyDecl.Name,
+					Decl:             verifyDecl.Decl,
+					Memoize:          true,
+					Nondeterministic: verifyDecl.Nondeterministic,
+				},
+				handleErrors2(verifyIntotoEnvelope)),
+		},
+		{
+			Decl: attestDecl,
+			Func: rego.Function1(
+				&rego.Function{
+					Name:             attestDecl.Name,
+					Decl:             attestDecl.Decl,
+					Memoize:          true,
+					Nondeterministic: attestDecl.Nondeterministic,
+				},
+				handleErrors1(fetchIntotoAttestations(resolver))),
+		},
+	}
+}
+
+func fetchIntotoAttestations(resolver oci.AttestationResolver) rego.Builtin1 {
+	return func(rCtx rego.BuiltinContext, predicateTypeTerm *ast.Term) (*ast.Term, error) {
+		predicateTypeStr, ok := predicateTypeTerm.Value.(ast.String)
+		if !ok {
+			return nil, fmt.Errorf("predicateTypeTerm is not a string")
+		}
+		predicateType := string(predicateTypeStr)
+
+		envelopes, err := resolver.Attestations(rCtx.Context, predicateType)
+		if err != nil {
+			return nil, err
+		}
+
+		// Convert each envelope to an ast.Value.
+		values := make([]*ast.Term, len(envelopes))
+		for i, envelope := range envelopes {
+			value, err := ast.InterfaceToValue(envelope)
+			if err != nil {
+				return nil, err
+			}
+			values[i] = ast.NewTerm(value)
+		}
+
+		// Wrap the values in an ast.Set and convert it to an ast.Term.
+		set := ast.NewTerm(ast.NewSet(values...))
+
+		return set, nil
+	}
+}
+
+func verifyIntotoEnvelope(rCtx rego.BuiltinContext, envTerm, optsTerm *ast.Term) (*ast.Term, error) {
+	env := new(att.Envelope)
+	opts := new(att.VerifyOptions)
+	err := ast.As(envTerm.Value, env)
+	if err != nil {
+		return nil, fmt.Errorf("failed to cast envelope: %w", err)
+	}
+	err = ast.As(optsTerm.Value, &opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to cast verifier options: %w", err)
+	}
+
+	payload, err := att.VerifyDSSE(rCtx.Context, env, opts)
+	if err != nil {
+		return nil, err
+	}
+
+	statement := new(intoto.Statement)
+
+	switch env.PayloadType {
+	case intoto.PayloadType:
+		err = json.Unmarshal(payload, statement)
+		if err != nil {
+			return nil, fmt.Errorf("failed to unmarshal statement: %w", err)
+		}
+		// TODO: implement other types of envelope
+	default:
+		return nil, fmt.Errorf("unsupported payload type: %s", env.PayloadType)
+	}
+
+	value, err := ast.InterfaceToValue(statement)
+	if err != nil {
+		return nil, err
+	}
+	return ast.NewTerm(value), nil
+}
+
+func loadYAML(path string, bs []byte) (interface{}, error) {
+	var x interface{}
+	bs, err := yaml.YAMLToJSON(bs)
+	if err != nil {
+		return nil, fmt.Errorf("%v: error converting YAML to JSON: %v", path, err)
+	}
+	err = opa.UnmarshalJSON(bs, &x)
+	if err != nil {
+		return nil, fmt.Errorf("%s: %w", path, err)
+	}
+	return x, nil
+}
--- a/pkg/policy/testdata/mappings/doi/mapping.yaml
+++ b/pkg/policy/testdata/mappings/doi/mapping.yaml
@@ -0,0 +1,10 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
--- a/pkg/policy/testdata/mappings/local/mapping.yaml
+++ b/pkg/policy/testdata/mappings/local/mapping.yaml
@@ -0,0 +1,10 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: local-policy
+    description: Local Policy
+    files:
+      - path: local-policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images # note this policy does not exist in this file
--- a/pkg/policy/testdata/mappings/rewrite-invalid/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-invalid/mapping.yaml
@@ -0,0 +1,13 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
+  - pattern: "^mycoolmirror[.]org/library/(.*)$"
+    rewrite: "docker.io/library/$1"
+    policy-id: docker-official-images # invalid to specify both rewrite and policy-id
--- a/pkg/policy/testdata/mappings/rewrite-loop/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-loop/mapping.yaml
@@ -0,0 +1,14 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
+  - pattern: "^yin/(.*)$"
+    rewrite: "yang/$1"
+  - pattern: "^yang/(.*)$"
+    rewrite: "yin/$1"
--- a/pkg/policy/testdata/mappings/rewrite-multiple/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-multiple/mapping.yaml
@@ -0,0 +1,14 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
+  - pattern: "^mycoolmirror[.]org/library/(.*)$"
+    rewrite: "docker.io/library/$1"
+  - pattern: "^myevencoolermirror[.]org/library/(.*)$"
+    rewrite: "mycoolmirror.org/library/$1"
--- a/pkg/policy/testdata/mappings/rewrite-to-local/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-to-local/mapping.yaml
@@ -0,0 +1,12 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: local-policy
+    description: Local Policy
+    files:
+      - path: local-policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images # note this policy does not exist in this file
+  - pattern: "^mycoolmirror[.]org/library/(.*)$"
+    rewrite: "docker.io/library/$1"
--- a/pkg/policy/testdata/mappings/rewrite-to-no-match/mapping.yaml
+++ b/pkg/policy/testdata/mappings/rewrite-to-no-match/mapping.yaml
@@ -0,0 +1,12 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
+  - pattern: "^mycoolmirror[.]org/library/(.*)$"
+    rewrite: "badredirect.org/$1" # no matching rule for this rewrite
--- a/pkg/policy/testdata/mappings/simple-rewrite/mapping.yaml
+++ b/pkg/policy/testdata/mappings/simple-rewrite/mapping.yaml
@@ -0,0 +1,12 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
+  - pattern: "^mycoolmirror[.]org/library/(.*)$"
+    rewrite: "docker.io/library/$1"
--- a/pkg/policy/testdata/mock-tuf-allow-canonical/doi/policy.rego
+++ b/pkg/policy/testdata/mock-tuf-allow-canonical/doi/policy.rego
@@ -0,0 +1,7 @@
+package attest
+
+import rego.v1
+
+result := {
+  "success": input.isCanonical,
+}
--- a/pkg/policy/testdata/mock-tuf-allow-canonical/mapping.yaml
+++ b/pkg/policy/testdata/mock-tuf-allow-canonical/mapping.yaml
@@ -0,0 +1,17 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    attestations:
+      repo: "localhost:5001/library-refs"
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
+  - pattern: ^localhost:5001/(.*)$
+    rewrite: docker.io/library/$1
+  - pattern: ^registry[.]local:5000/(.*)$
+    rewrite: docker.io/library/$1
--- a/pkg/policy/testdata/mock-tuf-allow/doi/policy.rego
+++ b/pkg/policy/testdata/mock-tuf-allow/doi/policy.rego
@@ -0,0 +1,7 @@
+package attest
+
+import rego.v1
+
+result := {
+  "success": true,
+}
--- a/pkg/policy/testdata/mock-tuf-allow/mapping.yaml
+++ b/pkg/policy/testdata/mock-tuf-allow/mapping.yaml
@@ -0,0 +1,17 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    attestations:
+      repo: "localhost:5001/library-refs"
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
+  - pattern: ^localhost:5001/(.*)$
+    rewrite: docker.io/library/$1
+  - pattern: ^registry[.]local:5000/(.*)$
+    rewrite: docker.io/library/$1
--- a/pkg/policy/testdata/mock-tuf-deny/doi/policy.rego
+++ b/pkg/policy/testdata/mock-tuf-deny/doi/policy.rego
@@ -0,0 +1,7 @@
+package attest
+
+import rego.v1
+
+result := {
+  "success": false,
+}
--- a/pkg/policy/testdata/mock-tuf-deny/mapping.yaml
+++ b/pkg/policy/testdata/mock-tuf-deny/mapping.yaml
@@ -0,0 +1,11 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
--- a/pkg/policy/testdata/mock-tuf-verify-sig/doi/policy.rego
+++ b/pkg/policy/testdata/mock-tuf-verify-sig/doi/policy.rego
@@ -0,0 +1,19 @@
+package attest
+
+import rego.v1
+
+keys := [{
+	"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
+	"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
+	"from": "2023-12-15T14:00:00Z",
+	"to": null,
+}]
+
+opts := {"keys": keys}
+
+success if {
+	some env in attest.fetch("foo")
+	statement := attest.verify(env, opts)
+}
+
+result := {"success": success}
--- a/pkg/policy/testdata/mock-tuf-verify-sig/mapping.yaml
+++ b/pkg/policy/testdata/mock-tuf-verify-sig/mapping.yaml
@@ -0,0 +1,11 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
--- a/pkg/policy/testdata/mock-tuf-wrong-key/doi/policy.rego
+++ b/pkg/policy/testdata/mock-tuf-wrong-key/doi/policy.rego
@@ -0,0 +1,30 @@
+package attest
+
+import rego.v1
+
+keys := [{
+	"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
+	"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHyZpSgzvqFqNv7f3x7865OS38rAb\nQMcff55zM2UH/KR3Pr84a8QsGDNgaNGzJQJWjtMSgfV8WnNoffNK+svFNg==\n-----END PUBLIC KEY-----",
+	"from": "2023-12-15T14:00:00Z",
+	"to": null,
+}]
+
+default success := false
+
+provs(pred) := p if {
+	res := attest.fetch(pred)
+	not res.error
+	p := res.value
+}
+
+atts := union({provs("foo")})
+
+opts := {"keys": keys}
+
+success if {
+	some env in atts
+	res := attest.verify(env, opts)
+	not res.error
+}
+
+result := {"success": success}
--- a/pkg/policy/testdata/mock-tuf-wrong-key/mapping.yaml
+++ b/pkg/policy/testdata/mock-tuf-wrong-key/mapping.yaml
@@ -0,0 +1,11 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    policy-id: docker-official-images
--- a/pkg/policy/types.go
+++ b/pkg/policy/types.go
@@ -0,0 +1,54 @@
+package policy
+
+import (
+	"github.com/docker/attest/pkg/config"
+	"github.com/docker/attest/pkg/tuf"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+)
+
+type Summary struct {
+	Subjects   []intoto.Subject `json:"subjects"`
+	SLSALevels []string         `json:"slsa_levels"`
+	Verifier   string           `json:"verifier"`
+	PolicyURI  string           `json:"policy_uri"`
+}
+
+type Violation struct {
+	Type        string            `json:"type"`
+	Description string            `json:"description"`
+	Attestation *intoto.Statement `json:"attestation"`
+	Details     map[string]any    `json:"details"`
+}
+
+type Result struct {
+	Success    bool        `json:"success"`
+	Violations []Violation `json:"violations"`
+	Summary    Summary     `json:"summary"`
+}
+
+type PolicyOptions struct {
+	TufClient        tuf.TUFClient
+	LocalTargetsDir  string
+	LocalPolicyDir   string
+	PolicyId         string
+	ReferrersRepo    string
+	AttestationStyle config.AttestationStyle
+}
+
+type Policy struct {
+	InputFiles   []*PolicyFile
+	Query        string
+	Mapping      *config.PolicyMapping
+	ResolvedName string
+}
+
+type PolicyInput struct {
+	Digest      string `json:"digest"`
+	Purl        string `json:"purl"`
+	IsCanonical bool   `json:"isCanonical"`
+}
+
+type PolicyFile struct {
+	Path    string
+	Content []byte
+}
--- a/pkg/signerverifier/aws.go
+++ b/pkg/signerverifier/aws.go
@@ -0,0 +1,27 @@
+package signerverifier
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	awssigner "github.com/sigstore/sigstore/pkg/signature/kms/aws"
+)
+
+// using AWS KMS
+func GetAWSSigner(ctx context.Context, keyArn string, region string) (dsse.SignerVerifier, error) {
+	keypath := fmt.Sprintf("awskms:///%s", keyArn)
+	sv, err := awssigner.LoadSignerVerifier(ctx, keypath, config.WithRegion(region))
+	if err != nil {
+		return nil, fmt.Errorf("error loading aws signer verifier: %w", err)
+	}
+	cs, _, err := sv.CryptoSigner(context.Background(), func(err error) {})
+	if err != nil {
+		return nil, fmt.Errorf("error getting aws crypto signer: %w", err)
+	}
+	signer := &ECDSA256_SignerVerifier{
+		Signer: cs,
+	}
+	return signer, nil
+}
--- a/pkg/signerverifier/common.go
+++ b/pkg/signerverifier/common.go
@@ -0,0 +1,84 @@
+package signerverifier
+
+import (
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/docker/attest/internal/util"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+type ECDSA256_SignerVerifier struct {
+	crypto.Signer
+}
+
+// implement keyid function
+func (s *ECDSA256_SignerVerifier) KeyID() (string, error) {
+	keyid, err := KeyID(s.Signer.Public())
+	if err != nil {
+		return "", fmt.Errorf("error getting keyid: %w", err)
+	}
+	return keyid, nil
+}
+
+func (s *ECDSA256_SignerVerifier) Public() crypto.PublicKey {
+	return s.Signer.Public()
+}
+
+func (s *ECDSA256_SignerVerifier) Sign(ctx context.Context, data []byte) ([]byte, error) {
+	return s.Signer.Sign(rand.Reader, data, crypto.SHA256)
+}
+
+func (s *ECDSA256_SignerVerifier) Verify(ctx context.Context, data []byte, sig []byte) error {
+	pub, ok := s.Signer.Public().(*ecdsa.PublicKey)
+	if !ok {
+		return fmt.Errorf("public key is not ecdsa")
+	}
+	ok = ecdsa.VerifyASN1(pub, util.SHA256(data), sig)
+	if !ok {
+		return fmt.Errorf("payload signature is not valid")
+	}
+	return nil
+}
+
+func LoadKeyPair(priv []byte) (dsse.SignerVerifier, error) {
+	privateKey, err := parsePriv(priv)
+	if err != nil {
+		return nil, err
+	}
+	return &ECDSA256_SignerVerifier{
+		Signer: privateKey,
+	}, nil
+}
+
+func parsePriv(privkeyBytes []byte) (*ecdsa.PrivateKey, error) {
+	p, _ := pem.Decode(privkeyBytes)
+	if p == nil {
+		return nil, fmt.Errorf("privkey file does not contain any PEM data")
+	}
+	if p.Type != "EC PRIVATE KEY" {
+		return nil, fmt.Errorf("privkey file does not contain a priavte key")
+	}
+	privKey, err := x509.ParseECPrivateKey(p.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("error failed to parse public key: %w", err)
+	}
+
+	return privKey, nil
+}
+
+func GenKeyPair() (dsse.SignerVerifier, error) {
+	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return &ECDSA256_SignerVerifier{
+		Signer: signer,
+	}, nil
+}
--- a/pkg/signerverifier/gcp.go
+++ b/pkg/signerverifier/gcp.go
@@ -0,0 +1,28 @@
+package signerverifier
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	gcpsigner "github.com/sigstore/sigstore/pkg/signature/kms/gcp"
+	"google.golang.org/api/option"
+)
+
+// using GCP KMS
+// reference should be in the format projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]
+func GetGCPSigner(ctx context.Context, reference string, opts ...option.ClientOption) (dsse.SignerVerifier, error) {
+	reference = fmt.Sprintf("gcpkms://%s", reference)
+	sv, err := gcpsigner.LoadSignerVerifier(ctx, reference, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("error loading gcp signer verifier: %w", err)
+	}
+	cs, _, err := sv.CryptoSigner(ctx, func(err error) {})
+	if err != nil {
+		return nil, fmt.Errorf("error getting gcp crypto signer: %w", err)
+	}
+	signer := &ECDSA256_SignerVerifier{
+		Signer: cs,
+	}
+	return signer, nil
+}
--- a/pkg/signerverifier/gcp_test.go
+++ b/pkg/signerverifier/gcp_test.go
@@ -0,0 +1,45 @@
+//go:build e2e
+
+package signerverifier
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"testing"
+
+	"github.com/docker/attest/internal/util"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const publicKeyPEM = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuMswW3iu7PR/rWTQjlhVmUsPK7rF
+k2s4SO3XbQ2GG2alm289SUUpmBAuVxvT8muYQ8HC/QzixzyTACTXsBDjQg==
+-----END PUBLIC KEY-----`
+
+// to run locally, we need to impersonate the GCP service account
+// gcloud auth application-default login --impersonate-service-account attest-kms-test@attest-kms-test.iam.gserviceaccount.com
+
+func TestGCPKMS_Signer(t *testing.T) {
+	// create a new signer
+	ctx := context.TODO()
+	ref := "projects/attest-kms-test/locations/us-west1/keyRings/attest-kms-test/cryptoKeys/test-signing-key/cryptoKeyVersions/1"
+	signer, err := GetGCPSigner(ctx, ref)
+	require.NoError(t, err)
+	msg := []byte("hello world")
+	hash := util.SHA256(msg)
+
+	// sign message digest
+	sig, err := signer.Sign(ctx, hash)
+	require.NoError(t, err)
+	assert.NotEmpty(t, sig)
+	// get Key ID from signer
+	keyId, err := signer.KeyID()
+	require.NoError(t, err)
+	assert.NotEmpty(t, keyId)
+	publicKey, err := Parse([]byte(publicKeyPEM))
+	require.NoError(t, err)
+	// verify payload ecdsa signature
+	ok := ecdsa.VerifyASN1(publicKey, hash, sig)
+	assert.True(t, ok)
+}
--- a/pkg/signerverifier/keyid.go
+++ b/pkg/signerverifier/keyid.go
@@ -0,0 +1,17 @@
+package signerverifier
+
+import (
+	"crypto"
+	"crypto/x509"
+	"fmt"
+
+	"github.com/docker/attest/internal/util"
+)
+
+func KeyID(pubKey crypto.PublicKey) (string, error) {
+	pub, err := x509.MarshalPKIXPublicKey(pubKey)
+	if err != nil {
+		return "", fmt.Errorf("error marshalling public key: %w", err)
+	}
+	return util.SHA256Hex(pub), nil
+}
--- a/pkg/signerverifier/parse.go
+++ b/pkg/signerverifier/parse.go
@@ -0,0 +1,39 @@
+package signerverifier
+
+import (
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+)
+
+const pemType = "PUBLIC KEY"
+
+func Parse(pubkeyBytes []byte) (*ecdsa.PublicKey, error) {
+	p, _ := pem.Decode(pubkeyBytes)
+	if p == nil {
+		return nil, fmt.Errorf("pubkey file does not contain any PEM data")
+	}
+	if p.Type != pemType {
+		return nil, fmt.Errorf("pubkey file does not contain a public key")
+	}
+	pubKey, err := x509.ParsePKIXPublicKey(p.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("error failed to parse public key: %w", err)
+	}
+
+	ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("error public key is not an ecdsa key: %w", err)
+	}
+	return ecdsaPubKey, nil
+}
+
+func ToPEM(ecdsaPubKey *ecdsa.PublicKey) ([]byte, error) {
+	pubKeyBytes, err := x509.MarshalPKIXPublicKey(ecdsaPubKey)
+	if err != nil {
+		return nil, fmt.Errorf("error failed to marshal public key: %w", err)
+	}
+
+	return pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: pubKeyBytes}), nil
+}
--- a/pkg/tlog/mock.go
+++ b/pkg/tlog/mock.go
@@ -0,0 +1,50 @@
+package tlog
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	"github.com/sigstore/rekor/pkg/generated/models"
+)
+
+const (
+	USE_MOCK_TL = true
+
+	TestEntry = `{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI5Zjg2ZDA4MTg4NGM3ZDY1OWEyZmVhYTBjNTVhZDAxNWEzYmY0ZjFiMmIwYjgyMmNkMTVkNmMxNWIwZjAwYTA4In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQUlyVUZGUzBIYmNzZjc5L08yajVXdHl2R2Vvd1NVSXpZcDlBM2IwWnREVUFpQVQxZU42ZjFyVmVWa011REFlN3dxWkJ2bE5LY2VsajNVVDNmaWhyQjZSY2c9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVSlZla05DSzJGQlJFRm5SVU5CWjBWQ1RVRnZSME5EY1VkVFRUUTVRa0ZOUTAxQk9IaEVWRUZNUW1kT1ZrSkJUVlJDU0ZKc1l6TlJkMGhvWTA0S1RXcE5lRTFxU1ROTlZHdDVUWHBWTlZkb1kwNU5hbEY0VFdwSk1rMVVhM2xOZWxVMVYycEJVRTFSTUhkRGQxbEVWbEZSUkVWM1VqQmFXRTR3VFVacmR3cEZkMWxJUzI5YVNYcHFNRU5CVVZsSlMyOWFTWHBxTUVSQlVXTkVVV2RCUlVRMFZpdFNSV2g0SzJGeFYwZzNlV3hOVFVSSVlXaE9UVzVOVEZOUFNsQXZDamxyUVcwNWJIQXJNMjF4V1ZSQmFGVlNjbUUyVDBRMVVYZzRXbUprSzJWMVVIbFFhemw1SzNjdloxZEhSRUk1ZW00dlNXd3hTMDVIVFVWUmQwUm5XVVFLVmxJd1VFRlJTQzlDUVZGRVFXZGxRVTFDVFVkQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOUVhkSFFURlZaRVYzUlVJdmQxRkRUVUZCZHdwRWQxbEVWbEl3VWtKQlozZENiMGxGWkVkV2VtUkVRVXRDWjJkeGFHdHFUMUJSVVVSQlowNUtRVVJDUjBGcFJVRTNOMjFFTDFSbVJtRlJVemxrWlhRMENqbFhaRk41YURKT1VTOUZiMVJtYVVGdFFtaHVWblpEVTNSUVowTkpVVU1yZDNSdllpOU9iMUp4T0c5cU4wZDNibTVKYUZKVGRDOVJNbmtyVXpoUkwzSUthRkpVYW5GaE9HZExRVDA5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=","integratedTime":1703705039,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d","logIndex":59674396,"verification":{"inclusionProof":{"checkpoint":"rekor.sigstore.dev - 2605736670972794746\n55510966\nJCi1O53Xmdi9lXnui4Q5SQ+MJSMnWr1Bxn+Q2Qf22tU=\nTimestamp: 1703705040158839214\n\n— rekor.sigstore.dev wNI9ajBFAiAXgtjFDVqCSgiSP04TQzELrz4+EyBwyYVL2EEULTCy0AIhAI9peLU76ZUD1tvU8qvzBJBo77IYD1rc+A1MPc35AeVK\n","hashes":["fb77ee213b48f4b18dc81c6e634c570abf99b257713561f174f2e0f4c039af67","6cb113bbefadecbbb8b89b1c08232438a6125071790b6a062cff8c1ccfdcb91e","6fbe1424e264e4590ca502d671b7a036c87f7a90d1f57534b98eb781144160bf","077b606720a6478200f6c3ed08a68e9b01b1cae192cb120888ddcc95521601bd","b6f8e8bc21ae0cde82b92422a4b4f37b28a43185821e468a4e65b6c79ed8f5b7","89332533fac54e9bc68c7353c42f6ebb9fe38039f67910332ff95082072068d4","0814d6f707a75fb3334bab14ab5466bd8b9a64ae7be7cd4d53a428c64932bc66","e883e826f10329c63a4a2ed21156037a050df43b9d74079296beac6968ed4150","d79230703257b7e4a8a61b032b6980d1a0bdbc7ae96ca838b525b3751785fe48","2f4a77e5288462cd3b75084d37f1502dcbe0943d18dd95cb247fc1ebbabc0aad","38562c253d3536d0d00e3547c880b6b0251a25ac69605b50c9eaa1a27186cc7a","9dea192350ff8b3c0f5ccda38261cb38ebd61869281c3928912332d1144e0a04","2c4d25ba59aa573ab2c79c2d3cd9e1d74789b10632432724d63112ce50b44874","98c486feb5d87092a78a46c4b5be04868654900affc2e86ffb20074dc73a883a","6969c49bd73f19bf28a5eaeabd331ddd60502defb2cd3d96e17b741c80adec6c"],"logIndex":55510965,"rootHash":"2428b53b9dd799d8bd9579ee8b8439490f8c2523275abd41c67f90d907f6dad5","treeSize":55510966},"signedEntryTimestamp":"MEUCIQCG9PRI8PcvtJyE9pbcculZipze6NEWR1Nk8EYocto3BwIgYu5gqgjW80HMjSjUxUNJLp0wlVTesnJCeByUBySc59w="}}`
+)
+
+func GetMockTL() TL {
+	unmarshalEntry := func(entry []byte) (*models.LogEntryAnon, error) {
+		le := new(models.LogEntryAnon)
+		err := le.UnmarshalBinary(entry)
+		if err != nil {
+			return nil, fmt.Errorf("error failed to unmarshal TL entry: %w", err)
+		}
+		return le, nil
+	}
+
+	return &MockTL{
+		UploadLogEntryFunc: func(ctx context.Context, subject string, payload []byte, signature []byte, signer dsse.SignerVerifier) ([]byte, error) {
+			return []byte(TestEntry), nil
+		},
+		VerifyLogEntryFunc: func(ctx context.Context, entryBytes []byte) (time.Time, error) {
+			// return the integrated time in the log entry without any checking
+			le, err := unmarshalEntry(entryBytes)
+			if err != nil {
+				return time.Time{}, err
+			}
+			if le.IntegratedTime == nil {
+				return time.Time{}, fmt.Errorf("error missing integrated time in TL entry")
+			}
+			return time.Unix(*le.IntegratedTime, 0), nil
+		},
+		VerifyEntryPayloadFunc: func(entryBytes, payload, pkToken []byte) error {
+			return nil
+		},
+		UnmarshalEntryFunc: func(entry []byte) (any, error) {
+			return unmarshalEntry(entry)
+		},
+	}
+}
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`{"signatures":[{"keyid":"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3","sig":"3044022039b56cd2e3597df74e57d200a652ba020cdc9a8cd050bd65b5f8e2640d50691d02205e073e4b6fc260acc64327a331e4440601af5b1cbff594ea91cf7b70d5828fb1"}],"signed":{"_type":"snapshot","expires":"2034-04-03T15:59:47Z","meta":{"targets.json":{"version":5},"test-role.json":{"version":3}},"spec_version":"1.0.31","version":6}}`
				`@@ -1 +0,0 @@`
				{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:ad4cacc170229608305ffccd8d09eeb59578fcb72ae394763cf7ef492175b1ee"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2607,"digest":"sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2200,"digest":"sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":410,"digest":"sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","annotations":{"tuf.io/filename":"6.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1683,"digest":"sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","annotations":{"tuf.io/filename":"5.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950","annotations":{"tuf.io/filename":"timestamp.json"}}]}
				`@@ -1 +0,0 @@`
				{"signatures":[{"keyid":"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","sig":"3066023100e99acc5f74777ebf40376b60f0216e8fe1829c1a49a5f6a6899126c15de1df7a56533baf493b2b53159c50843a289102023100b6a006b24da62ea0b743fbe38e1497ff485bf3a0833894985fc27a0305ad0693eeb968a7b52723ed3c49af8bef2027b6"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"30440220136debcc2f60dd1d63c9c2704f9b13c2cb2f5d2df58ea93f07f7c10f54f36742022059d7f8c6620e33506c6f1766394a32f86c9b008328f6398831ba7ebcf4ce0838"}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-04-03T08:45:50Z","keys":{"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":{"root":{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"snapshot":{"keyids":["198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"timestamp":{"keyids":["198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
				`@@ -1 +0,0 @@`
				{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950"]},"config":{}}
				`@@ -1 +0,0 @@`
				`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:9edf24c022c2cd6796e87f49ec6a6ea2fad3e7c939c32a8219aaa4726792457c"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":764,"digest":"sha256:2b2d4fba192ec164e05e6d90399c5cf4a45e4fe2ddebb9066c55aa2bcf0a73d3","annotations":{"tuf.io/filename":"3.test-role.json"}}]}`