feat: roll out updates on release (#100 )

* feat: roll out updates on release * Use app token. Fix repo
feat(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.3.0 (#98 )
2024-07-25 16:15:35 +01:00 · 2024-07-24 13:30:56 +01:00 · 2024-07-23 19:08:01 +00:00 · 2024-07-23 19:03:53 +00:00 · 2024-07-23 08:03:03 -05:00 · 2024-07-22 16:03:23 -05:00
77 changed files with 1085 additions and 478 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,24 @@
+name: release
+on:
+  release:
+    types: [published]
+jobs:
+  trigger_attest_update:
+    name: Update attest lib - ALL
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
+        with:
+            app-id: ${{ vars.ATTEST_RELEASE_APP_ID }}
+            private-key: ${{ secrets.ATTEST_RELEASE_APP_PRIVATE_KEY }}
+            repositories: "attest-actions"
+      - name: Send repository_dispatch event
+        uses: peter-evans/repository-dispatch@v3.0.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          event-type: update_attest_all
+          repository: docker/attest-actions
+          client-payload: '{"attest_version": "${{ github.ref_name }}"}'
--- a/go.mod
+++ b/go.mod
@@ -1,16 +1,16 @@
 module github.com/docker/attest

-go 1.22.1
+go 1.22.5

 require (
 	github.com/Masterminds/semver/v3 v3.2.1
-	github.com/aws/aws-sdk-go-v2/config v1.27.26
+	github.com/aws/aws-sdk-go-v2/config v1.27.27
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8
-	github.com/containerd/containerd v1.7.19
+	github.com/containerd/platforms v0.2.1
 	github.com/distribution/reference v0.6.0
 	github.com/go-openapi/runtime v0.28.0
 	github.com/go-openapi/strfmt v0.23.0
-	github.com/google/go-containerregistry v0.20.0
+	github.com/google/go-containerregistry v0.20.1
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/open-policy-agent/opa v0.66.0
@@ -18,27 +18,26 @@ require (
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/pkg/errors v0.9.1
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0
-	github.com/sigstore/cosign/v2 v2.2.4
+	github.com/sigstore/cosign/v2 v2.3.0
 	github.com/sigstore/rekor v1.3.6
-	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.6
-	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.6
+	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7
+	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.7
 	github.com/stretchr/testify v1.9.0
-	github.com/testcontainers/testcontainers-go v0.32.0
 	github.com/testcontainers/testcontainers-go/modules/registry v0.32.0
-	github.com/theupdateframework/go-tuf/v2 v2.0.0-20240504210453-5a634eb214ae // for https://github.com/theupdateframework/go-tuf/pull/632
-	google.golang.org/api v0.188.0
+	github.com/theupdateframework/go-tuf/v2 v2.0.0
+	google.golang.org/api v0.189.0
 	gopkg.in/yaml.v3 v3.0.1
 	sigs.k8s.io/yaml v1.4.0
 )

 // fork of a fork (in case it goes away) with changes to support ArtifactType (https://github.com/google/go-containerregistry/pull/1931)
-replace github.com/google/go-containerregistry v0.20.0 => github.com/kipz/go-containerregistry v0.0.0-20240423201245-bf57eace21f2
+replace github.com/google/go-containerregistry => github.com/kipz/go-containerregistry v0.0.0-20240722163910-ebe90246535d

 require (
 	cloud.google.com/go v0.115.0 // indirect
-	cloud.google.com/go/auth v0.7.0 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
-	cloud.google.com/go/compute/metadata v0.4.0 // indirect
+	cloud.google.com/go/auth v0.7.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.3 // indirect
+	cloud.google.com/go/compute/metadata v0.5.0 // indirect
 	cloud.google.com/go/iam v1.1.10 // indirect
 	cloud.google.com/go/kms v1.18.2 // indirect
 	cloud.google.com/go/longrunning v0.5.9 // indirect
@@ -51,7 +50,7 @@ require (
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.26 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
@@ -60,8 +59,8 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.22.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.35.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
 	github.com/aws/smithy-go v1.20.3 // indirect
@@ -70,8 +69,8 @@ require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.3.8 // indirect
+	github.com/containerd/containerd v1.7.19 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
@@ -89,7 +88,7 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -106,13 +105,13 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/certificate-transparency-go v1.1.8 // indirect
+	github.com/google/certificate-transparency-go v1.2.1 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.5 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.6 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
@@ -132,6 +131,7 @@ require (
 	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
@@ -141,8 +141,8 @@ require (
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.53.0 // indirect
-	github.com/prometheus/procfs v0.15.0 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -150,7 +150,7 @@ require (
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shirou/gopsutil/v3 v3.24.4 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
-	github.com/sigstore/sigstore v1.8.6 // indirect
+	github.com/sigstore/sigstore v1.8.7 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
@@ -158,10 +158,11 @@ require (
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.18.2 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/testcontainers/testcontainers-go v0.32.0 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tklauser/go-sysconf v0.3.14 // indirect
@@ -176,10 +177,10 @@ require (
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
-	go.opentelemetry.io/otel v1.27.0 // indirect
-	go.opentelemetry.io/otel/metric v1.27.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.27.0 // indirect
-	go.opentelemetry.io/otel/trace v1.27.0 // indirect
+	go.opentelemetry.io/otel v1.28.0 // indirect
+	go.opentelemetry.io/otel/metric v1.28.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.25.0 // indirect
@@ -192,10 +193,10 @@ require (
 	golang.org/x/term v0.22.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	google.golang.org/genproto v0.0.0-20240708141625-4ad9e859172b // indirect
+	google.golang.org/genproto v0.0.0-20240722135656-d784300faade // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b // indirect
-	google.golang.org/grpc v1.64.1 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240722135656-d784300faade // indirect
+	google.golang.org/grpc v1.65.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,22 +1,22 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.115.0 h1:CnFSK6Xo3lDYRoBKEcAtia6VSC837/ZkJuRduSFnr14=
 cloud.google.com/go v0.115.0/go.mod h1:8jIM5vVgoAEoiVxQ/O4BFTfHqulPZgs/ufEzMcFMdWU=
-cloud.google.com/go/auth v0.7.0 h1:kf/x9B3WTbBUHkC+1VS8wwwli9TzhSt0vSTVBmMR8Ts=
-cloud.google.com/go/auth v0.7.0/go.mod h1:D+WqdrpcjmiCgWrXmLLxOVq1GACoE36chW6KXoEvuIw=
-cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4=
-cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q=
-cloud.google.com/go/compute/metadata v0.4.0 h1:vHzJCWaM4g8XIcm8kopr3XmDA4Gy/lblD3EhhSux05c=
-cloud.google.com/go/compute/metadata v0.4.0/go.mod h1:SIQh1Kkb4ZJ8zJ874fqVkslA29PRXuleyj6vOzlbK7M=
+cloud.google.com/go/auth v0.7.2 h1:uiha352VrCDMXg+yoBtaD0tUF4Kv9vrtrWPYXwutnDE=
+cloud.google.com/go/auth v0.7.2/go.mod h1:VEc4p5NNxycWQTMQEDQF0bd6aTMb6VgYDXEwiJJQAbs=
+cloud.google.com/go/auth/oauth2adapt v0.2.3 h1:MlxF+Pd3OmSudg/b1yZ5lJwoXCEaeedAguodky1PcKI=
+cloud.google.com/go/auth/oauth2adapt v0.2.3/go.mod h1:tMQXOfZzFuNuUxOypHlQEXgdfX5cuhwU+ffUuXRJE8I=
+cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY=
+cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY=
 cloud.google.com/go/iam v1.1.10 h1:ZSAr64oEhQSClwBL670MsJAW5/RLiC6kfw3Bqmd5ZDI=
 cloud.google.com/go/iam v1.1.10/go.mod h1:iEgMq62sg8zx446GCaijmA2Miwg5o3UbO+nI47WHJps=
 cloud.google.com/go/kms v1.18.2 h1:EGgD0B9k9tOOkbPhYW1PHo2W0teamAUYMOUIcDRMfPk=
 cloud.google.com/go/kms v1.18.2/go.mod h1:YFz1LYrnGsXARuRePL729oINmN5J/5e7nYijgvfiIeY=
 cloud.google.com/go/longrunning v0.5.9 h1:haH9pAuXdPAMqHvzX0zlWQigXT7B0+CL4/2nXXdBo5k=
 cloud.google.com/go/longrunning v0.5.9/go.mod h1:HD+0l9/OOW0za6UWdKJtXoFAX/BGg/3Wj8p10NeWF7c=
-cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e h1:GwCVItFUPxwdsEYnlUcJ6PJxOjTeFFCKOh6QWg4oAzQ=
-cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e/go.mod h1:ApHceQLLwcOkCEXM1+DyCXTHEJhNGDpJ2kmV6axsx24=
-cuelang.org/go v0.8.1 h1:VFYsxIFSPY5KgSaH1jQ2GxHOrbu6Ga3kEI70yCZwnOg=
-cuelang.org/go v0.8.1/go.mod h1:CoDbYolfMms4BhWUlhD+t5ORnihR7wvjcfgyO9lL5FI=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2 h1:BnG6pr9TTr6CYlrJznYUDj6V7xldD1W+1iXPum0wT/w=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2/go.mod h1:pK23AUVXuNzzTpfMCA06sxZGeVQ/75FdVtW249de9Uo=
+cuelang.org/go v0.9.2 h1:pfNiry2PdRBr02G/aKm5k2vhzmqbAOoaB4WurmEbWvs=
+cuelang.org/go v0.9.2/go.mod h1:qpAYsLOf7gTM1YdEg6cxh553uZ4q9ZDWlPbtZr9q1Wk=
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
@@ -29,12 +29,12 @@ github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo
 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 h1:n1DH8TPV4qqPTje2RcUBYwtrTWlabVp4n46+74X2pn4=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0/go.mod h1:HDcZnuGbiyppErN6lB+idp4CKhjbc8gwjto6OPpyggM=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 h1:1nGuui+4POelzDwI7RG56yfQJHCnKvwfMoU7VsEp+Zg=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0/go.mod h1:99EvauvlcJ1U06amZiksfYz/3aFGyIhWGHVyiZXtBAI=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 h1:H+U3Gk9zY56G3u872L82bk4thcsy2Gghb9ExT4Zvm1o=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0/go.mod h1:mgrmMSgaLp9hmax62XQTd0N4aAqSE5E0DulSpVYK7vc=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0/go.mod h1:qLIye2hwb/ZouqhpSD9Zn3SJipvpEnz1Ywl3VUk9Y0s=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80=
@@ -102,14 +102,14 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g=
-github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go v1.54.19 h1:tyWV+07jagrNiCcGRzRhdtVjQs7Vy41NwsuOcl0IbVI=
+github.com/aws/aws-sdk-go v1.54.19/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/aws/aws-sdk-go-v2 v1.30.3 h1:jUeBtG0Ih+ZIFH0F4UkmL9w3cSpaMv9tYYDbzILP8dY=
 github.com/aws/aws-sdk-go-v2 v1.30.3/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc=
-github.com/aws/aws-sdk-go-v2/config v1.27.26 h1:T1kAefbKuNum/AbShMsZEro6eRkeOT8YILfE9wyjAYQ=
-github.com/aws/aws-sdk-go-v2/config v1.27.26/go.mod h1:ivWHkAWFrw/nxty5Fku7soTIVdqZaZ7dw+tc5iGW3GA=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.26 h1:tsm8g/nJxi8+/7XyJJcP2dLrnK/5rkFp6+i2nhmz5fk=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.26/go.mod h1:3vAM49zkIa3q8WT6o9Ve5Z0vdByDMwmdScO0zvThTgI=
+github.com/aws/aws-sdk-go-v2/config v1.27.27 h1:HdqgGt1OAP0HkEDDShEl0oSYa9ZZBSOmKpdpsDMdO90=
+github.com/aws/aws-sdk-go-v2/config v1.27.27/go.mod h1:MVYamCg76dFNINkZFu4n4RjDixhVr51HLj4ErWzrVwg=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.27 h1:2raNba6gr2IfA0eqqiP2XiQ0UVOpGPgDSi0I9iAP+UI=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.27/go.mod h1:gniiwbGahQByxan6YjQUMcW4Aov6bLC3m+evgcoN4r4=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 h1:KreluoV8FZDEtI6Co2xuNk/UqI9iwMrOx/87PBNIKqw=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11/go.mod h1:SeSUYBLsMYFoRvHE0Tjvn7kbxaUhl75CJi1sbfhMxkU=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 h1:SoNJ4RlFEQEbtDcCEt+QG56MY4fm4W8rYirAmq+/DdU=
@@ -126,10 +126,10 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvG
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 h1:HGErhhrxZlQ044RiM+WdoZxp0p+EGM62y3L6pwA4olE=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17/go.mod h1:RkZEx4l0EHYDJpWppMJ3nD9wZJAa8/0lq9aVC+r2UII=
-github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 h1:VsKBn6WADI3Nn3WjBMzeRww9WHXeVLi7zyuSrqjRCBQ=
-github.com/aws/aws-sdk-go-v2/service/kms v1.34.1/go.mod h1:5F6kXrPBxv0l1t8EO44GuG4W82jGJwaRE0B+suEGnNY=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.3 h1:Fv1vD2L65Jnp5QRsdiM64JvUM4Xe+E0JyVsRQKv6IeA=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.3/go.mod h1:ooyCOXjvJEsUw7x+ZDHeISPMhtwI3ZCB7ggFMcFfWLU=
+github.com/aws/aws-sdk-go-v2/service/kms v1.35.1 h1:0gP2OJJT6HM2BYltZ9x+A87OE8LJL96DXeAAdLv3t1M=
+github.com/aws/aws-sdk-go-v2/service/kms v1.35.1/go.mod h1:hGONorZkQCfR5DW6l2xdy7zC8vfO0r9pJlwyg6gmGeo=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 h1:BXx0ZIxvrJdSgSvKTZ+yRBeSqqgPM89VPlulEcl37tM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.4/go.mod h1:ooyCOXjvJEsUw7x+ZDHeISPMhtwI3ZCB7ggFMcFfWLU=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 h1:yiwVzJW2ZxZTurVbYWA7QOrAaCYQR72t0wrSBfoesUE=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4/go.mod h1:0oxfLkpz3rQ/CHlx5hB7H69YUpFiI1tql6Q6Ne+1bCw=
 github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 h1:ZsDKRLXGWHk8WdtyYMoGNO7bTudrvuKpDKgMVRlepGE=
@@ -142,12 +142,14 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/buildkite/agent/v3 v3.62.0 h1:yvzSjI8Lgifw883I8m9u8/L/Thxt4cLFd5aWPn3gg70=
-github.com/buildkite/agent/v3 v3.62.0/go.mod h1:jN6SokGXrVNNIpI0BGQ+j5aWeI3gin8F+3zwA5Q6gqM=
-github.com/buildkite/go-pipeline v0.3.2 h1:SW4EaXNwfjow7xDRPGgX0Rcx+dPj5C1kV9LKCLjWGtM=
-github.com/buildkite/go-pipeline v0.3.2/go.mod h1:iY5jzs3Afc8yHg6KDUcu3EJVkfaUkd9x/v/OH98qyUA=
-github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 h1:k6UDF1uPYOs0iy1HPeotNa155qXRWrzKnqAaGXHLZCE=
-github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251/go.mod h1:gbPR1gPu9dB96mucYIR7T3B7p/78hRVSOuzIWLHK2Y4=
+github.com/buildkite/agent/v3 v3.75.1 h1:FJg1gss9nUESExTsfx6yWqs/g20Vyd4pHSEB9iuT4pI=
+github.com/buildkite/agent/v3 v3.75.1/go.mod h1:UXCAEaqJnw5UsoZjJ9NxMvdSGc4oMHBnQFQqzGPDM0Y=
+github.com/buildkite/go-pipeline v0.10.0 h1:EDffu+LfMY2k5u+iEdo6Jn3obGKsrL5wicc1O/yFeRs=
+github.com/buildkite/go-pipeline v0.10.0/go.mod h1:eMH1kiav5VeiTiu0Mk2/M7nZhKyFeL4iGj7Y7rj4f3w=
+github.com/buildkite/interpolate v0.1.3 h1:OFEhqji1rNTRg0u9DsSodg63sjJQEb1uWbENq9fUOBM=
+github.com/buildkite/interpolate v0.1.3/go.mod h1:UNVe6A+UfiBNKbhAySrBbZFZFxQ+DXr9nWen6WVt/A8=
+github.com/buildkite/roko v1.2.0 h1:hbNURz//dQqNl6Eo9awjQOVOZwSDJ8VEbBDxSfT9rGQ=
+github.com/buildkite/roko v1.2.0/go.mod h1:23R9e6nHxgedznkwwfmqZ6+0VJZJZ2Sg/uVcp2cP46I=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q=
@@ -186,8 +188,8 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU=
 github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
-github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
-github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac=
+github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
+github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/cpuguy83/dockercfg v0.3.1 h1:/FpZ+JaygUR/lZP2NlFI2DVfrOEMAIKP5wWEJdoYe9E=
 github.com/cpuguy83/dockercfg v0.3.1/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -259,8 +261,8 @@ github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
-github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
-github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -305,8 +307,8 @@ github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68=
-github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4=
+github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -327,8 +329,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJXEeYVAjV6/EAEJOf1to=
-github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8=
+github.com/google/certificate-transparency-go v1.2.1 h1:4iW/NwzqOqYEEoCBEFP+jPbBXbLqMpq3CifMyOnDUME=
+github.com/google/certificate-transparency-go v1.2.1/go.mod h1:bvn/ytAccv+I6+DGkqpvSsEdiVGramgaSC6RD3tEmeE=
 github.com/google/flatbuffers v2.0.8+incompatible h1:ivUb1cGomAB101ZM1T0nOiWz9pSrTMoa9+EiY7igmkM=
 github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU=
@@ -377,8 +379,8 @@ github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB1
 github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.7.6 h1:TwRYfx2z2C4cLbXmT8I5PgP/xmuqASDyiVuGYfs9GZM=
-github.com/hashicorp/go-retryablehttp v0.7.6/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
@@ -389,8 +391,8 @@ github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2w
 github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI=
 github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
 github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.12.2 h1:7YkCTE5Ni90TcmYHDBExdt4WGJxhpzaHqR6uGbQb/rE=
-github.com/hashicorp/vault/api v1.12.2/go.mod h1:LSGf1NGT1BnvFFnKVtnvcaLBM2Lz+gJdpL6HUYed8KE=
+github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU=
+github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk=
 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM=
 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
@@ -415,8 +417,8 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kipz/go-containerregistry v0.0.0-20240423201245-bf57eace21f2 h1:Q8a+lW1mDc5ta1kelfIVqXl/DC+KQg6PG/F33kCC9TA=
-github.com/kipz/go-containerregistry v0.0.0-20240423201245-bf57eace21f2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/kipz/go-containerregistry v0.0.0-20240722163910-ebe90246535d h1:5QaWAwKhslfqxEyMZY0ofvsbMJkMLcx5E30JFufMVj8=
+github.com/kipz/go-containerregistry v0.0.0-20240722163910-ebe90246535d/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
@@ -520,10 +522,10 @@ github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJL
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE=
-github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
-github.com/prometheus/procfs v0.15.0 h1:A82kmvXJq2jTu5YUhSGNlYoxh85zLnKgPz4bMZgI5Ek=
-github.com/prometheus/procfs v0.15.0/go.mod h1:Y0RJ/Y5g5wJpkTisOtqwDSo4HwhGmLB4VQSw2sQJLHk=
+github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
+github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62zIzQwvoD7Ekj3ePDF5bv9Xxy0w6AZk0qYbjUk=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
@@ -553,22 +555,22 @@ github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFt
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
 github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
-github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDFJro=
-github.com/sigstore/cosign/v2 v2.2.4/go.mod h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y=
-github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc=
-github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8=
+github.com/sigstore/cosign/v2 v2.3.0 h1:rBLVdKMYuER0blmaKMfMNkvawBdK1lTMz2L5PtTPrI8=
+github.com/sigstore/cosign/v2 v2.3.0/go.mod h1:tjACBZS6LoH3bap5hU8MxyGC4DIJiatqhZxuJWFcIJ0=
+github.com/sigstore/fulcio v1.5.1 h1:Iasy1zfNjaq8BV4S8o6pXspLDU28PQC2z07GmOu9zpM=
+github.com/sigstore/fulcio v1.5.1/go.mod h1:W1A/UHrTopy1IBZPMtHmxg7GPYAu+vt5dRXM3W6yjPo=
 github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
-github.com/sigstore/sigstore v1.8.6 h1:g066b/Nw5r5oxhNv4XqJUUzVcyf1b07itUueiQe7rZM=
-github.com/sigstore/sigstore v1.8.6/go.mod h1:UOBrJd9JBQ81DrkpGljzsIFXEtfC30raHvLWFWG857U=
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.6 h1:uVcT1JT4lLkmBQII25PvgP/nyvi4HvTMNXzoHqQqEHE=
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.6/go.mod h1:VJ/745ojKNQKbZ1ykO5Vebtnq9vGt8zcgKemQIibBIE=
-github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g=
-github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3/go.mod h1:G4+I83FILPX6MtnoaUdmv/bRGEVtR3JdLeJa/kXdk/0=
-github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.6 h1:CFtW7RIQ4fOtBzl+1YAnAmcACL4B+Qr/S7PXPdJ+54s=
-github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.6/go.mod h1:rhX2eca5kAqUTwQxQLMnOLmvSxbqF9JZ3rFOoDpQX5w=
-github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3 h1:h9G8j+Ds21zqqulDbA/R/ft64oQQIyp8S7wJYABYSlg=
-github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3/go.mod h1:zgCeHOuqF6k7A7TTEvftcA9V3FRzB7mrPtHOhXAQBnc=
+github.com/sigstore/sigstore v1.8.7 h1:L7/zKauHTg0d0Hukx7qlR4nifh6T6O6UIt9JBwAmTIg=
+github.com/sigstore/sigstore v1.8.7/go.mod h1:MPiQ/NIV034Fc3Kk2IX9/XmBQdK60wfmpvgK9Z1UjRA=
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7 h1:SoahswHQm2JhO8h3KTAeX8IZeE7mSR2Lc53ay5choes=
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7/go.mod h1:TOVOPOqldrrz4dP7x4/0DFQTs9QSXZUoHu21+JHmixA=
+github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.7 h1:jcdKxc5bvwfL7+ZbeCszaN/qsBd6180fGAHxeX5Ckm0=
+github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.7/go.mod h1:gakVcpRiN+aFdLhPXXP8ubOCWiedM1YJ/gR74ez/tT0=
+github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.7 h1:zYg1XlbKpQkmE7FpWTkLuUn7RttLAq4FcZ1G9JcqhoY=
+github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.7/go.mod h1:VmUsO1R4OHuyHBEgI4bbSUn0z2nojszrDMvlDxyX/dE=
+github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.7 h1:dbcB9VEddYrvK+y4rHeES5OZ/pMQuucfJ0qCNWQmnp0=
+github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.7/go.mod h1:96MrPJBkHiAvqFyqviuYbwPAdbPCj8CR3V0RJ9bKjrE=
 github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE=
 github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
@@ -585,10 +587,10 @@ github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
-github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk=
-github.com/spiffe/go-spiffe/v2 v2.2.0 h1:9Vf06UsvsDbLYK/zJ4sYsIsHmMFknUD+feA7IYoWMQY=
-github.com/spiffe/go-spiffe/v2 v2.2.0/go.mod h1:Urzb779b3+IwDJD2ZbN8fVl3Aa8G4N/PiUe6iXC0XxU=
+github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
+github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
+github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8=
+github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -617,8 +619,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/theupdateframework/go-tuf/v2 v2.0.0-20240504210453-5a634eb214ae h1:Cb5/8rY0k9oB+SigleRtEP5BeQ3PZQGX051cFIyBNaM=
-github.com/theupdateframework/go-tuf/v2 v2.0.0-20240504210453-5a634eb214ae/go.mod h1:LJo5jrV0LYV0jVSbCjPem6+0zrkPz8FnimzIECzsFDY=
+github.com/theupdateframework/go-tuf/v2 v2.0.0 h1:rD8d9RotYBprZVgC+9oyTZ5MmawepnTSTqoDuxjWgbs=
+github.com/theupdateframework/go-tuf/v2 v2.0.0/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=
@@ -633,8 +635,8 @@ github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
 github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
 github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
-github.com/xanzy/go-gitlab v0.102.0 h1:ExHuJ1OTQ2yt25zBMMj0G96ChBirGYv8U7HyUiYkZ+4=
-github.com/xanzy/go-gitlab v0.102.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI=
+github.com/xanzy/go-gitlab v0.107.0 h1:P2CT9Uy9yN9lJo3FLxpMZ4xj6uWcpnigXsjvqJ6nd2Y=
+github.com/xanzy/go-gitlab v0.107.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
@@ -658,24 +660,24 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.5
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 h1:9l89oX4ba9kHbBol3Xin3leYJ+252h0zszDtBwyKe2A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0/go.mod h1:XLZfZboOJWHNKUv7eH0inh0E9VV6eWDFB/9yJyTLPp0=
-go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg=
-go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ=
+go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
+go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 h1:R9DE4kQ4k+YtfLI2ULwX82VtNQ2J8yZmA7ZIF/D+7Mc=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0/go.mod h1:OQFyQVrDlbe+R7xrEyDr/2Wr67Ol0hRUgsfA+V5A95s=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
-go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik=
-go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak=
-go.opentelemetry.io/otel/sdk v1.27.0 h1:mlk+/Y1gLPLn84U4tI8d3GNJmGT/eXe3ZuOXN9kTWmI=
-go.opentelemetry.io/otel/sdk v1.27.0/go.mod h1:Ha9vbLwJE6W86YstIywK2xFfPjbWlCuwPtMkKdz/Y4A=
-go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw=
-go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4=
+go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
+go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
+go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
+go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
+go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
+go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
 go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94=
 go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A=
-go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk=
-go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ=
+go.step.sm/crypto v0.50.0 h1:BqI9sEgocoHDLLHiZnFqdqXl5FjdMvOWKMm/fKL/lrw=
+go.step.sm/crypto v0.50.0/go.mod h1:NCFMhLS6FJXQ9sD9PP282oHtsBWLrI6wXZY0eOkq7t8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -803,26 +805,26 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-google.golang.org/api v0.188.0 h1:51y8fJ/b1AaaBRJr4yWm96fPcuxSo0JcegXE3DaHQHw=
-google.golang.org/api v0.188.0/go.mod h1:VR0d+2SIiWOYG3r/jdm7adPW9hI2aRv9ETOSCQ9Beag=
+google.golang.org/api v0.189.0 h1:equMo30LypAkdkLMBqfeIqtyAnlyig1JSZArl4XPwdI=
+google.golang.org/api v0.189.0/go.mod h1:FLWGJKb0hb+pU2j+rJqwbnsF+ym+fQs73rbJ+KAUgy8=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20240708141625-4ad9e859172b h1:dSTjko30weBaMj3eERKc0ZVXW4GudCswM3m+P++ukU0=
-google.golang.org/genproto v0.0.0-20240708141625-4ad9e859172b/go.mod h1:FfBgJBJg9GcpPvKIuHSZ/aE1g2ecGL74upMzGZjiGEY=
+google.golang.org/genproto v0.0.0-20240722135656-d784300faade h1:lKFsS7wpngDgSCeFn7MoLy+wBDQZ1UQIJD4UNM1Qvkg=
+google.golang.org/genproto v0.0.0-20240722135656-d784300faade/go.mod h1:FfBgJBJg9GcpPvKIuHSZ/aE1g2ecGL74upMzGZjiGEY=
 google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0=
 google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b h1:04+jVzTs2XBnOZcPsLnmrTGqltqJbZQ1Ey26hjYdQQ0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240722135656-d784300faade h1:oCRSWfwGXQsqlVdErcyTt4A93Y8fo0/9D4b1gnI++qo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240722135656-d784300faade/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA=
-google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0=
+google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
+google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -869,12 +871,12 @@ k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak=
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/release-utils v0.7.7 h1:JKDOvhCk6zW8ipEOkpTGDH/mW3TI+XqtPp16aaQ79FU=
-sigs.k8s.io/release-utils v0.7.7/go.mod h1:iU7DGVNi3umZJ8q6aHyUFzsDUIaYwNnNKGHo3YE5E3s=
+sigs.k8s.io/release-utils v0.8.3 h1:KtOtA4qDmzJyeQ2zkDsFVI25+NViwms/o5eL2NftFdA=
+sigs.k8s.io/release-utils v0.8.3/go.mod h1:fp82Fma06OXBhEJ+GUJKqvcplDBomruK1R/1fWJnsrQ=
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk=
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
--- a/internal/embed/embedded-roots/1.root-dev.json
+++ b/internal/embed/embedded-roots/1.root-dev.json
@@ -1,42 +1,42 @@
 {
 "signatures": [
  {
-   "keyid": "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-   "sig": "3064023037bbb03c3472b140572a7d5a2895bd80e74435bbcb7053949731f81b104c6d05a0876590cd6a2e94d7ed619426a2f6fa02303adc8c9006fa5506fdd7ea87d2960074a537ad8bf2459f2863e806b47682cbb2f9b01b7502eaf5437a1a68fdaaeac114"
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": "3065023000f7d0a866576e94eaabc173b9233d4c8fcfa495527088f9022dff5a553f7a457da1015a6d0fc714f84848ec627387360231009fa70b2eebbe15241a2ec9b96a094ebd28661e30b8c3d1eab8d694df2b340bda511c489393630c9a9dacde42c99e9fa1"
  }
 ],
 "signed": {
  "_type": "root",
  "consistent_snapshot": true,
-  "expires": "2034-04-02T17:00:22Z",
+  "expires": "2034-05-29T20:14:11Z",
  "keys": {
-   "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3": {
-    "keytype": "ecdsa",
-    "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
-    },
-    "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
-   },
-   "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09": {
+   "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
    "keytype": "ecdsa",
    "keyval": {
     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
    },
    "scheme": "ecdsa-sha2-nistp384",
    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   },
+   "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
   }
  },
  "roles": {
   "root": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"
    ],
    "threshold": 1
   },
   "snapshot": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
@@ -44,13 +44,13 @@
   },
   "targets": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"
    ],
    "threshold": 1
   },
   "timestamp": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
--- a/pkg/attest/example_sign_test.go
+++ b/pkg/attest/example_sign_test.go
@@ -13,7 +13,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 )

-func ExampleSign_remote() {
+func ExampleSignStatements_remote() {
 	// configure signerverifier
 	// local signer (unsafe for production)
 	signer, err := signerverifier.GenKeyPair()
--- a/pkg/attest/sign_test.go
+++ b/pkg/attest/sign_test.go
@@ -220,7 +220,8 @@ func TestSimpleStatementSigning(t *testing.T) {
 			for _, img := range newImgs {
 				mf, err := img.Manifest()
 				require.NoError(t, err)
-				assert.Equal(t, "application/vnd.in-toto+json", mf.ArtifactType)
+				assert.Contains(t, mf.ArtifactType, "application/vnd.in-toto")
+				assert.Contains(t, mf.ArtifactType, "+dsse")
 				assert.Equal(t, subject.MediaType, mf.MediaType)
 				assert.Equal(t, empty, mf.Config.MediaType)
 				assert.Equal(t, int64(2), mf.Config.Size)
--- a/pkg/attestation/attestation.go
+++ b/pkg/attestation/attestation.go
@@ -250,7 +250,9 @@ func (manifest *AttestationManifest) BuildReferringArtifacts() ([]v1.Image, erro
 func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1.Descriptor, opts *AttestationManifestImageOptions) (v1.Image, error) {
 	newImg := empty.Image
 	var err error
-
+	if len(layers) == 0 {
+		return nil, fmt.Errorf("no layers supplied to build image")
+	}
 	// NB: if we add the subject before the layers, it does not end up being computed/serialised in the output for some reason
 	//TODO - recreate this bug and push upstream
 	for _, layer := range layers {
@@ -268,7 +270,11 @@ func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1
 	if opts.laxReferrers {
 		newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.image.config.v1+json")
 	} else {
-		newImg = mutate.ArtifactType(newImg, intoto.PayloadType)
+		dsseMediatType, err := DSSEMediaType(layers[0].Statement.PredicateType)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get DSSE media type: %w", err)
+		}
+		newImg = mutate.ArtifactType(newImg, dsseMediatType)
 		newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.empty.v1+json")
 	}
 	// we need to set this even when we set the artifact type otherwise things break (even the go-container-registry client)
@@ -277,6 +283,7 @@ func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1

 	// see note above - must be added after the layers!
 	if !opts.skipSubject {
+		subject.Platform = nil
 		newImg = mutate.Subject(newImg, *subject).(v1.Image)
 	}
 	if !opts.laxReferrers {
--- a/pkg/attestation/referrers_test.go
+++ b/pkg/attestation/referrers_test.go
@@ -40,7 +40,6 @@ func TestAttestationReferenceTypes(t *testing.T) {
 		name              string
 		server            *httptest.Server
 		referrersServer   *httptest.Server
-		skipSubject       bool
 		useDigest         bool
 		referrersRepo     string
 		attestationSource config.AttestationStyle
@@ -50,16 +49,6 @@ func TestAttestationReferenceTypes(t *testing.T) {
 			name:   "referrers support, defaults",
 			server: httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
 		},
-		{
-			name:   "no referrers support",
-			server: httptest.NewServer(registry.New()),
-		},
-		{
-			name:              "attached attestations",
-			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
-			skipSubject:       true,
-			attestationSource: config.AttestationStyleAttached,
-		},
 		{
 			name:      "use digest",
 			server:    httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
@@ -110,28 +99,27 @@ func TestAttestationReferenceTypes(t *testing.T) {
 			indexName := fmt.Sprintf("%s/repo:root", u.Host)
 			require.NoError(t, err)

+			outputRepo := indexName
 			if tc.referrersServer != nil {
 				ru, err := url.Parse(s.URL)
 				require.NoError(t, err)
-				repo := fmt.Sprintf("%s/referrers", ru.Host)
-				tc.referrersRepo = repo
-				signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
-				require.NoError(t, err)
-				err = mirror.PushIndexToRegistry(attIdx.Index, indexName)
-				require.NoError(t, err)
-				for _, signedManifest := range signedManifests {
-					image, err := signedManifest.BuildAttestationImage(attestation.WithoutSubject(tc.skipSubject), attestation.WithReplacedLayers(true))
-					require.NoError(t, err)
-					err = mirror.PushImageToRegistry(image, fmt.Sprintf("%s:tag-does-not-matter", repo))
-					require.NoError(t, err)
-				}
-			} else {
-				signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
-				require.NoError(t, err)
-				signedIndex := attIdx.Index
-				signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(true), attestation.WithoutSubject(tc.skipSubject))
-				require.NoError(t, err)
-				err = mirror.PushIndexToRegistry(signedIndex, indexName)
+				tc.referrersRepo = fmt.Sprintf("%s/referrers", ru.Host)
+				outputRepo = tc.referrersRepo
+			}
+			// sign all the statements in the index
+			signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+			require.NoError(t, err)
+
+			// push subject image so that it can be resolved
+			require.NoError(t, err)
+			err = mirror.PushIndexToRegistry(attIdx.Index, indexName)
+			require.NoError(t, err)
+
+			// upload referrers
+			output, err := oci.ParseImageSpec(outputRepo)
+			require.NoError(t, err)
+			for _, attIdx := range signedManifests {
+				err = mirror.SaveReferrers(attIdx, []*oci.ImageSpec{output})
 				require.NoError(t, err)
 			}

@@ -170,26 +158,23 @@ func TestAttestationReferenceTypes(t *testing.T) {
 				require.NoError(t, err)
 				assert.Equal(t, attest.OutcomeSuccess, results.Outcome)

-				if !tc.skipSubject {
-					// can evaluate policy using referrers
-					if tc.useDigest {
-						p, err := oci.ParsePlatform(platform)
-						require.NoError(t, err)
-						options := oci.WithOptions(ctx, p)
-						subjectRef, err := name.ParseReference(indexName)
-						require.NoError(t, err)
-						desc, err := remote.Image(subjectRef, options...)
-						require.NoError(t, err)
-						subjectDigest, err := desc.Digest()
-						require.NoError(t, err)
-						ref = fmt.Sprintf("%s/repo@%s", u.Host, subjectDigest.String())
-					}
-					src, err := oci.ParseImageSpec(ref, oci.WithPlatform(platform))
+				if tc.useDigest {
+					p, err := oci.ParsePlatform(platform)
 					require.NoError(t, err)
-					results, err = attest.Verify(ctx, src, policyOpts)
+					options := oci.WithOptions(ctx, p)
+					subjectRef, err := name.ParseReference(indexName)
 					require.NoError(t, err)
-					assert.Equal(t, attest.OutcomeSuccess, results.Outcome)
+					desc, err := remote.Image(subjectRef, options...)
+					require.NoError(t, err)
+					subjectDigest, err := desc.Digest()
+					require.NoError(t, err)
+					ref = fmt.Sprintf("%s/repo@%s", u.Host, subjectDigest.String())
 				}
+				src, err = oci.ParseImageSpec(ref, oci.WithPlatform(platform))
+				require.NoError(t, err)
+				results, err = attest.Verify(ctx, src, policyOpts)
+				require.NoError(t, err)
+				assert.Equal(t, attest.OutcomeSuccess, results.Outcome)
 			}
 		})
 	}
@@ -294,3 +279,50 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 		}
 	}
 }
+
+func TestCorrectArtifactTypeInTagFallback(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	server := httptest.NewServer(registry.New())
+
+	defer server.Close()
+	serverUrl, err := url.Parse(server.URL)
+	require.NoError(t, err)
+
+	repoName := "repo"
+
+	opts := &attestation.SigningOptions{
+		SkipTL: true,
+	}
+	attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+	require.NoError(t, err)
+
+	indexName := fmt.Sprintf("%s/%s:latest", serverUrl.Host, repoName)
+	err = mirror.PushIndexToRegistry(attIdx.Index, indexName)
+	require.NoError(t, err)
+
+	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+	require.NoError(t, err)
+
+	// this should create and maintain an index of referrers
+	for _, mf := range signedManifests {
+		imgs, err := mf.BuildReferringArtifacts()
+		require.NoError(t, err)
+		for _, img := range imgs {
+			err = mirror.PushImageToRegistry(img, fmt.Sprintf("%s/%s:tag-does-not-matter", serverUrl.Host, repoName))
+			require.NoError(t, err)
+			mf, err := img.Manifest()
+			require.NoError(t, err)
+			subject := mf.Subject
+			subjectRef, err := name.ParseReference(fmt.Sprintf("%s/%s:sha256-%s", serverUrl.Host, repoName, subject.Digest.Hex))
+			require.NoError(t, err)
+			idx, err := remote.Index(subjectRef)
+			require.NoError(t, err)
+			imf, err := idx.IndexManifest()
+			require.NoError(t, err)
+			for _, m := range imf.Manifests {
+				assert.Contains(t, m.ArtifactType, "application/vnd.in-toto")
+				assert.Contains(t, m.ArtifactType, "+dsse")
+			}
+		}
+	}
+}
--- a/pkg/attestation/types.go
+++ b/pkg/attestation/types.go
@@ -57,7 +57,7 @@ type Envelope struct {
 type Signature struct {
 	KeyID     string    `json:"keyid"`
 	Sig       string    `json:"sig"`
-	Extension Extension `json:"extension"`
+	Extension Extension `json:"extension,omitempty"`
 }
 type Extension struct {
 	Kind string              `json:"kind"`
--- a/pkg/mirror/targets_test.go
+++ b/pkg/mirror/targets_test.go
@@ -50,8 +50,8 @@ func TestGetTufTargetsMirror(t *testing.T) {
 			ann, ok := layer.Annotations[tufFileAnnotation]
 			assert.True(t, ok)
 			parts := strings.Split(ann, ".")
-			// <digest>.filename.json
-			assert.Equal(t, len(parts), 3)
+			// <digest>.filename.<ext|optional>
+			assert.GreaterOrEqual(t, len(parts), 2)
 		}
 	}
 }
@@ -97,8 +97,8 @@ func TestGetDelegatedTargetMirrors(t *testing.T) {
 			ann, ok := layer.Annotations[tufFileAnnotation]
 			assert.True(t, ok)
 			parts := strings.Split(ann, ".")
-			// <subdir>/<digest>.filename.json
-			assert.Equal(t, len(parts), 3)
+			// <subdir>/<digest>.filename.<ext|optional>
+			assert.GreaterOrEqual(t, len(parts), 2)
 		}
 	}
 }
--- a/pkg/oci/layout.go
+++ b/pkg/oci/layout.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"strings"

 	"github.com/docker/attest/pkg/attestation"
 	att "github.com/docker/attest/pkg/attestation"
@@ -44,17 +43,17 @@ func (r *OCILayoutResolver) fetchAttestationManifest() (*attestation.Attestation

 func (r *OCILayoutResolver) Attestations(ctx context.Context, predicateType string) ([]*att.Envelope, error) {
 	var envs []*att.Envelope
+	dsseMediaType, err := attestation.DSSEMediaType(predicateType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)
+	}
 	for _, attestationLayer := range r.AttestationManifest.OriginalLayers {
-		if attestationLayer.Annotations[attestation.InTotoPredicateType] != predicateType {
-			continue
-		}
-
 		mt, err := attestationLayer.Layer.MediaType()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get layer media type: %w", err)
 		}
 		mts := string(mt)
-		if !strings.HasSuffix(mts, "+dsse") {
+		if mts != dsseMediaType {
 			continue
 		}
 		var env = new(att.Envelope)
--- a/pkg/oci/oci.go
+++ b/pkg/oci/oci.go
@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"strings"

-	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/platforms"
 	"github.com/distribution/reference"
 	"github.com/docker/attest/pkg/attestation"
 	att "github.com/docker/attest/pkg/attestation"
@@ -49,14 +49,16 @@ func WithOptions(ctx context.Context, platform *v1.Platform) []remote.Option {

 func ExtractEnvelopes(manifest *attestation.AttestationManifest, predicateType string) ([]*att.Envelope, error) {
 	var envs []*att.Envelope
+	dsseMediaType, err := attestation.DSSEMediaType(predicateType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)
+	}
 	for _, attestationLayer := range manifest.OriginalLayers {
 		mt, err := attestationLayer.Layer.MediaType()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get layer media type: %w", err)
 		}
-		if (strings.HasPrefix(string(mt), "application/vnd.in-toto.")) &&
-			strings.HasSuffix(string(mt), "+dsse") &&
-			attestationLayer.Annotations[att.InTotoPredicateType] == predicateType {
+		if string(mt) == dsseMediaType {
 			reader, err := attestationLayer.Layer.Uncompressed()
 			if err != nil {
 				return nil, fmt.Errorf("failed to get layer contents: %w", err)
--- a/pkg/oci/referrers.go
+++ b/pkg/oci/referrers.go
@@ -8,13 +8,10 @@ import (
 	att "github.com/docker/attest/pkg/attestation"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/pkg/errors"
 )

 type ReferrersResolver struct {
-	digest        string
 	referrersRepo string
-	manifests     []*attestation.AttestationManifest
 	ImageDetailsResolver
 }

@@ -38,80 +35,86 @@ func WithReferrersRepo(repo string) func(*ReferrersResolver) error {
 	}
 }

-func (r *ReferrersResolver) resolveAttestations(ctx context.Context) error {
-	if r.manifests == nil {
-		imageName, err := r.ImageName(ctx)
-		if err != nil {
-			return fmt.Errorf("failed to get image name: %w", err)
-		}
-		subjectRef, err := name.ParseReference(imageName)
-		if err != nil {
-			return fmt.Errorf("failed to parse reference: %w", err)
-		}
-		desc, err := r.ImageDescriptor(ctx)
-		if err != nil {
-			return fmt.Errorf("failed to get descriptor: %w", err)
-		}
-		subjectDigest := desc.Digest.String()
-		if err != nil {
-			return fmt.Errorf("failed to get digest: %w", err)
-		}
-		var referrersSubjectRef name.Digest
-		if r.referrersRepo != "" {
-			referrersSubjectRef, err = name.NewDigest(fmt.Sprintf("%s@%s", r.referrersRepo, subjectDigest))
-			if err != nil {
-				return fmt.Errorf("failed to create referrers reference: %w", err)
-			}
-		} else {
-			referrersSubjectRef = subjectRef.Context().Digest(subjectDigest)
-		}
-		// TODO - search for in-toto artifact type
-		referrersIndex, err := remote.Referrers(referrersSubjectRef)
-		if err != nil {
-			return fmt.Errorf("failed to get referrers: %w", err)
-		}
-		referrersIndexManifest, err := referrersIndex.IndexManifest()
-		if err != nil {
-			return fmt.Errorf("failed to get index manifest: %w", err)
-		}
-		if len(referrersIndexManifest.Manifests) == 0 {
-			return errors.New("no referrers found")
-		}
-		aManifests := make([]*attestation.AttestationManifest, 0)
-		for _, m := range referrersIndexManifest.Manifests {
-			remoteRef := referrersSubjectRef.Context().Digest(m.Digest.String())
-			attestationImage, err := remote.Image(remoteRef)
-			if err != nil {
-				return fmt.Errorf("failed to get referred image: %w", err)
-			}
-			layers, err := attestation.GetAttestationsFromImage(attestationImage)
-			if err != nil {
-				return fmt.Errorf("failed to get attestations from image: %w", err)
-			}
-			attest := &attestation.AttestationManifest{
-				SubjectName:        imageName,
-				OriginalLayers:     layers,
-				OriginalDescriptor: &m,
-				SubjectDescriptor:  desc,
-			}
-			aManifests = append(aManifests, attest)
-		}
-
-		if len(aManifests) == 0 {
-			return errors.New("no attestation manifests found")
-		}
-		r.manifests = aManifests
+func (r *ReferrersResolver) resolveAttestations(ctx context.Context, predicateType string) ([]*attestation.AttestationManifest,
+	error) {
+	dsseMediaType, err := attestation.DSSEMediaType(predicateType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)
 	}
-	return nil
+	imageName, err := r.ImageName(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get image name: %w", err)
+	}
+	subjectRef, err := name.ParseReference(imageName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse reference: %w", err)
+	}
+	desc, err := r.ImageDescriptor(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get descriptor: %w", err)
+	}
+	subjectDigest := desc.Digest.String()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get digest: %w", err)
+	}
+	var referrersSubjectRef name.Digest
+	if r.referrersRepo != "" {
+		referrersSubjectRef, err = name.NewDigest(fmt.Sprintf("%s@%s", r.referrersRepo, subjectDigest))
+		if err != nil {
+			return nil, fmt.Errorf("failed to create referrers reference: %w", err)
+		}
+	} else {
+		referrersSubjectRef = subjectRef.Context().Digest(subjectDigest)
+	}
+	options := WithOptions(ctx, nil)
+	options = append(options, remote.WithFilter("artifactType", dsseMediaType))
+	referrersIndex, err := remote.Referrers(referrersSubjectRef, options...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get referrers: %w", err)
+	}
+	referrersIndexManifest, err := referrersIndex.IndexManifest()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get index manifest: %w", err)
+	}
+	aManifests := make([]*attestation.AttestationManifest, 0)
+	for _, m := range referrersIndexManifest.Manifests {
+		remoteRef := referrersSubjectRef.Context().Digest(m.Digest.String())
+		attestationImage, err := remote.Image(remoteRef)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get referred image: %w", err)
+		}
+		layers, err := attestation.GetAttestationsFromImage(attestationImage)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get attestations from image: %w", err)
+		}
+		if len(layers) != 1 {
+			return nil, fmt.Errorf("expected exactly one layer, got %d", len(layers))
+		}
+		mt, err := layers[0].Layer.MediaType()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get layer media type: %w", err)
+		}
+		if string(mt) != dsseMediaType {
+			return nil, fmt.Errorf("expected layer media type %s, got %s", dsseMediaType, mt)
+		}
+		attest := &attestation.AttestationManifest{
+			SubjectName:        imageName,
+			OriginalLayers:     layers,
+			OriginalDescriptor: &m,
+			SubjectDescriptor:  desc,
+		}
+		aManifests = append(aManifests, attest)
+	}
+	return aManifests, nil
 }

 func (r *ReferrersResolver) Attestations(ctx context.Context, predicateType string) ([]*att.Envelope, error) {
-	err := r.resolveAttestations(ctx)
+	manifests, err := r.resolveAttestations(ctx, predicateType)
 	if err != nil {
 		return nil, fmt.Errorf("failed to resolve attestations: %w", err)
 	}
 	var envs []*att.Envelope
-	for _, attest := range r.manifests {
+	for _, attest := range manifests {
 		es, err := ExtractEnvelopes(attest, predicateType)
 		if err != nil {
 			return nil, fmt.Errorf("failed to extract envelopes: %w", err)
--- a/pkg/tuf/registry_test.go
+++ b/pkg/tuf/registry_test.go
@@ -22,7 +22,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/static"
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/stretchr/testify/assert"
-	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/modules/registry"
 	"github.com/theupdateframework/go-tuf/v2/metadata"
 	"github.com/theupdateframework/go-tuf/v2/metadata/config"
@@ -342,7 +341,7 @@ func TestGetManifest(t *testing.T) {

 // RunTestRegistry starts a registry testcontainer for TUF on OCI testdata
 func RunTestRegistry(t *testing.T) (*registry.RegistryContainer, *url.URL) {
-	registryContainer, err := registry.RunContainer(context.Background(), testcontainers.WithImage("registry:2.8.3"))
+	registryContainer, err := registry.Run(context.Background(), "registry:2.8.3")
 	if err != nil {
 		t.Fatalf("failed to start container: %s", err)
 	}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670
@@ -0,0 +1 @@
+{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":"3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":""}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-06-12T17:21:13Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8
@@ -0,0 +1 @@
+{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"}],"signed":{"_type":"timestamp","expires":"2034-06-23T12:47:16Z","meta":{"snapshot.json":{"version":7}},"spec_version":"1.0.31","version":7}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3","sig":"3044022039b56cd2e3597df74e57d200a652ba020cdc9a8cd050bd65b5f8e2640d50691d02205e073e4b6fc260acc64327a331e4440601af5b1cbff594ea91cf7b70d5828fb1"}],"signed":{"_type":"snapshot","expires":"2034-04-03T15:59:47Z","meta":{"targets.json":{"version":5},"test-role.json":{"version":3}},"spec_version":"1.0.31","version":6}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3","sig":"3045022011f2afa9b448fcbbac983c11fc3e264e95d5d7a9c9527b09d83a316ee762635f022100d05197a78ccc7a713ebdb0bccb44844f67a7c5208af8d346e201064b7ce11055"}],"signed":{"_type":"timestamp","expires":"2034-04-03T15:59:47Z","meta":{"snapshot.json":{"version":6}},"spec_version":"1.0.31","version":6}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7
@@ -1,42 +1,42 @@
 {
 "signatures": [
  {
-   "keyid": "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-   "sig": "3064023037bbb03c3472b140572a7d5a2895bd80e74435bbcb7053949731f81b104c6d05a0876590cd6a2e94d7ed619426a2f6fa02303adc8c9006fa5506fdd7ea87d2960074a537ad8bf2459f2863e806b47682cbb2f9b01b7502eaf5437a1a68fdaaeac114"
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": "3065023000f7d0a866576e94eaabc173b9233d4c8fcfa495527088f9022dff5a553f7a457da1015a6d0fc714f84848ec627387360231009fa70b2eebbe15241a2ec9b96a094ebd28661e30b8c3d1eab8d694df2b340bda511c489393630c9a9dacde42c99e9fa1"
  }
 ],
 "signed": {
  "_type": "root",
  "consistent_snapshot": true,
-  "expires": "2034-04-02T17:00:22Z",
+  "expires": "2034-05-29T20:14:11Z",
  "keys": {
-   "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3": {
-    "keytype": "ecdsa",
-    "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
-    },
-    "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
-   },
-   "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09": {
+   "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
    "keytype": "ecdsa",
    "keyval": {
     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
    },
    "scheme": "ecdsa-sha2-nistp384",
    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   },
+   "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
   }
  },
  "roles": {
   "root": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"
    ],
    "threshold": 1
   },
   "snapshot": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
@@ -44,13 +44,13 @@
   },
   "targets": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"
    ],
    "threshold": 1
   },
   "timestamp": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497
@@ -0,0 +1 @@
+{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67"}],"signed":{"_type":"snapshot","expires":"2034-06-23T12:47:16Z","meta":{"targets.json":{"version":8},"test-role.json":{"version":2}},"spec_version":"1.0.31","version":7}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59
@@ -0,0 +1 @@
+{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8"]},"config":{}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a152e59e7b58a3a1ec718192b07fbf630d2fe2d80a6f1a9dc09e1321cbd338a7
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a152e59e7b58a3a1ec718192b07fbf630d2fe2d80a6f1a9dc09e1321cbd338a7
@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:ad4cacc170229608305ffccd8d09eeb59578fcb72ae394763cf7ef492175b1ee"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2607,"digest":"sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2200,"digest":"sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":410,"digest":"sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","annotations":{"tuf.io/filename":"6.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1683,"digest":"sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","annotations":{"tuf.io/filename":"5.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950","annotations":{"tuf.io/filename":"timestamp.json"}}]}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","sig":"3066023100e99acc5f74777ebf40376b60f0216e8fe1829c1a49a5f6a6899126c15de1df7a56533baf493b2b53159c50843a289102023100b6a006b24da62ea0b743fbe38e1497ff485bf3a0833894985fc27a0305ad0693eeb968a7b52723ed3c49af8bef2027b6"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"30440220136debcc2f60dd1d63c9c2704f9b13c2cb2f5d2df58ea93f07f7c10f54f36742022059d7f8c6620e33506c6f1766394a32f86c9b008328f6398831ba7ebcf4ce0838"}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-04-03T08:45:50Z","keys":{"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":{"root":{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"snapshot":{"keyids":["198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"timestamp":{"keyids":["198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a744a2f1e62ae4ce410822b5e3f5508dbaf6a76768a9d23741828172bab1dc97
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a744a2f1e62ae4ce410822b5e3f5508dbaf6a76768a9d23741828172bab1dc97
@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:c927b30f17fa8c64e3c20b8f92b7e348733f9c1281b5b7e6b6d669a8a74230a7"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2200,"digest":"sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2607,"digest":"sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":410,"digest":"sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","annotations":{"tuf.io/filename":"6.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1683,"digest":"sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","annotations":{"tuf.io/filename":"5.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950","annotations":{"tuf.io/filename":"timestamp.json"}}]}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ad4cacc170229608305ffccd8d09eeb59578fcb72ae394763cf7ef492175b1ee
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ad4cacc170229608305ffccd8d09eeb59578fcb72ae394763cf7ef492175b1ee
@@ -1 +0,0 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950"]},"config":{}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/c927b30f17fa8c64e3c20b8f92b7e348733f9c1281b5b7e6b6d669a8a74230a7
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/c927b30f17fa8c64e3c20b8f92b7e348733f9c1281b5b7e6b6d669a8a74230a7
@@ -1 +0,0 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950"]},"config":{}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb
@@ -0,0 +1 @@
+{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3"}],"signed":{"_type":"targets","delegations":{"keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":[{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-06-23T12:42:15Z","spec_version":"1.0.31","targets":{"always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"mapping.yaml":{"hashes":{"sha256":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"},"length":272},"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31},"version-constraints":{"hashes":{"sha256":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"},"length":12}},"version":8,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1
@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2202,"digest":"sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2472,"digest":"sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":412,"digest":"sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","annotations":{"tuf.io/filename":"7.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1746,"digest":"sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","annotations":{"tuf.io/filename":"8.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8","annotations":{"tuf.io/filename":"timestamp.json"}}]}
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","sig":""},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"3046022100f892a496c9bd96082e3b06d5eae85429355876b8eb455aa04b53ab9051911d90022100a3e89c29b15bccfc2877278c0fb2d3b34500da6351e245ad0b3f8c0ae6b67eff"}],"signed":{"_type":"targets","delegations":{"keys":{"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":[{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-04-03T15:28:29Z","spec_version":"1.0.31","targets":{"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31}},"version":5,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
--- a/test/testdata/tuf/test-repo-oci/metadata/index.json
+++ b/test/testdata/tuf/test-repo-oci/metadata/index.json
@@ -5,7 +5,7 @@
      {
         "mediaType": "application/vnd.oci.image.manifest.v1+json",
         "size": 1220,
-         "digest": "sha256:a744a2f1e62ae4ce410822b5e3f5508dbaf6a76768a9d23741828172bab1dc97"
+         "digest": "sha256:e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1"
      }
   ]
 }
--- a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/2b2d4fba192ec164e05e6d90399c5cf4a45e4fe2ddebb9066c55aa2bcf0a73d3
+++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/2b2d4fba192ec164e05e6d90399c5cf4a45e4fe2ddebb9066c55aa2bcf0a73d3
@@ -1 +0,0 @@
-{"signatures":[{"keyid":"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","sig":""},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"3044022015b6ebe9d30895e3be20e707a6738e38460197d90cae3dc37527ddb7c437868602207f85f3d4e068bef4c51a749f5d166cc7fe2cb9483999ea197e72395081c3aa61"}],"signed":{"_type":"targets","expires":"2034-04-03T15:39:02Z","spec_version":"1.0.31","targets":{"test-role/dir1/dir2/dir3/myfile.txt":{"hashes":{"sha256":"ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1"},"length":10},"test-role/test.txt":{"hashes":{"sha256":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"},"length":32}},"version":3,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
--- a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc
+++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc
@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]}
--- a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/7c8d8f5dfca62068e3a4b18bb41cf85dad23ec9cdc7d7d2e10bc37b86ebffff5
+++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/7c8d8f5dfca62068e3a4b18bb41cf85dad23ec9cdc7d7d2e10bc37b86ebffff5
@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:9edf24c022c2cd6796e87f49ec6a6ea2fad3e7c939c32a8219aaa4726792457c"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":764,"digest":"sha256:2b2d4fba192ec164e05e6d90399c5cf4a45e4fe2ddebb9066c55aa2bcf0a73d3","annotations":{"tuf.io/filename":"3.test-role.json"}}]}
--- a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98
+++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98
@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:2b2d4fba192ec164e05e6d90399c5cf4a45e4fe2ddebb9066c55aa2bcf0a73d3"]},"config":{}}
+{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1"]},"config":{}}
--- a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1
+++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1
@@ -0,0 +1 @@
+{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":"3065023100c37572d6e0608e0501026d99238ee37d26856d93074227410b0748e56775f8369cf7c44553b73d8a30aa94a388148ca602305b46acbb0e8818657725024a39d02589538845ad9fa0c2b6eb18f431f560096045fd825586dce81688c9574b11b975da"}],"signed":{"_type":"targets","expires":"2034-05-29T20:25:01Z","spec_version":"1.0.31","targets":{"test-role/dir1/dir2/dir3/test.txt":{"hashes":{"sha256":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465"},"length":46},"test-role/test.txt":{"hashes":{"sha256":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"},"length":32}},"version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
--- a/test/testdata/tuf/test-repo-oci/metadata/test-role/index.json
+++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/index.json
@@ -5,7 +5,7 @@
      {
         "mediaType": "application/vnd.oci.image.manifest.v1+json",
         "size": 444,
-         "digest": "sha256:7c8d8f5dfca62068e3a4b18bb41cf85dad23ec9cdc7d7d2e10bc37b86ebffff5"
+         "digest": "sha256:6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc"
      }
   ]
 }
--- a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f
+++ b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f
@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d"},"layers":[{"mediaType":"application/vnd.tuf.target","size":272,"digest":"sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1","annotations":{"tuf.io/filename":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml"}}]}
--- a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d
+++ b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d
@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1"]},"config":{}}
+{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"]},"config":{}}
--- a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1
+++ b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1
@@ -0,0 +1,12 @@
+version: v1
+kind: policy-mapping
+policies:
+  - origin:
+      domain: docker.io
+      prefix: jonnystoten2/
+    id: jonnystoten2
+    description: jonnystoten2 personal images for testing
+    attestations:
+      style: "referrers"
+    files:
+      - path: jonnystoten2.rego
--- a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/index.json
+++ b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/index.json
@@ -0,0 +1,11 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.oci.image.index.v1+json",
+   "manifests": [
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 498,
+         "digest": "sha256:08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f"
+      }
+   ]
+}
--- a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/oci-layout
+++ b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/oci-layout
@@ -0,0 +1,3 @@
+{
+    "imageLayoutVersion": "1.0.0"
+}
--- a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315
+++ b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315
@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10"},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}
--- a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10
+++ b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10
@@ -0,0 +1 @@
+{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"]},"config":{}}
--- a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1
+++ b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1
@@ -0,0 +1,200 @@
+package attest
+
+import rego.v1
+
+split_digest := split(input.digest, ":")
+
+digest_type := split_digest[0]
+
+digest := split_digest[1]
+
+keys := [{
+	"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
+	"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
+	"from": "2023-12-15T14:00:00Z",
+	"to": null,
+	"status": "active",
+	"signing-format": "dssev1",
+}]
+
+verify_opts := {"keys": keys}
+
+verify_attestation(att) := attest.verify(att, verify_opts)
+
+attestations contains att if {
+	result := attest.fetch("https://slsa.dev/verification_summary/v1")
+	not result.error
+	some att in result.value
+}
+
+signed_statements contains statement if {
+	some att in attestations
+	result := verify_attestation(att)
+	not result.error
+	statement := result.value
+}
+
+statements_with_subject contains statement if {
+	some statement in signed_statements
+	some subject in statement.subject
+	subject.digest[digest_type] == digest
+	valid_subject_name(input.isCanonical, subject.name, input.purl)
+}
+
+id(statement) := crypto.sha256(json.marshal(statement))
+
+subjects contains subject if {
+	some statement in statements_with_subject
+	some subject in statement.subject
+}
+
+global_violations contains v if {
+	count(attestations) == 0
+	v := {
+		"type": "missing_attestation",
+		"description": "No https://slsa.dev/verification_summary/v1 attestation found",
+		"attestation": null,
+		"details": {},
+	}
+}
+
+# we need to key this by statement_id rather than statement because we can't
+# use an object as a key due to a bug(?) in OPA: https://github.com/open-policy-agent/opa/issues/6736
+statement_violations[statement_id] contains v if {
+	some att in attestations
+	result := verify_attestation(att)
+	err := result.error
+	statement := unsafe_statement_from_attestation(att)
+	statement_id := id(statement)
+	v := {
+		"type": "unsigned_statement",
+		"description": sprintf("Statement is not correctly signed: %v", [err]),
+		"attestation": statement,
+		"details": {"error": err},
+	}
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in signed_statements
+	statement_id := id(statement)
+	not statement in statements_with_subject
+	v := {
+		"type": "bad_subjects",
+		"description": "Statement does not have this image as a subject",
+		"attestation": statement,
+		"details": {"input": input},
+	}
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result")
+}
+
+# TODO: add to statement_violations if there are statements that have an incorrect resource_uri
+# this should match the input.purl, but we really only care about the repo name and the digest
+# we need to receive the input.purl as a parsed object so we can compare only the parts we care about
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier")
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri")
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels")
+}
+
+bad_statements contains statement if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	statement_violations[statement_id]
+}
+
+good_statements := statements_with_subject - bad_statements
+
+all_violations contains v if {
+	some v in global_violations
+}
+
+all_violations contains v if {
+	some violations in statement_violations
+	some v in violations
+}
+
+result := {
+	"success": allow,
+	"violations": all_violations,
+	"summary": {
+		"subjects": subjects,
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "signing-demo-verifier",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}
+
+default allow := false
+
+allow if {
+	count(good_statements) > 0
+}
+
+# TODO: this should take into account the repo name from the purl
+valid_subject_name(true, name, purl)
+
+valid_subject_name(false, name, purl) if {
+	name == purl
+}
+
+field_value_does_not_equal(statement, field, expected, type) := v if {
+	path := split(field, ".")
+	actual := object.get(statement.predicate, path, null)
+	expected != actual
+	v := is_not_violation(statement, field, expected, actual, type)
+}
+
+array_field_does_not_contain(statement, field, expected, type) := v if {
+	path := split(field, ".")
+	actual := object.get(statement.predicate, path, null)
+	not expected in actual
+	v := not_contains_violation(statement, field, expected, actual, type)
+}
+
+is_not_violation(statement, field, expected, actual, type) := {
+	"type": type,
+	"description": sprintf("%v is not %v", [field, expected]),
+	"attestation": statement,
+	"details": {
+		"field": field,
+		"actual": actual,
+		"expected": expected,
+	},
+}
+
+not_contains_violation(statement, field, expected, actual, type) := {
+	"type": type,
+	"description": sprintf("%v does not contain %v", [field, expected]),
+	"attestation": statement,
+	"details": {
+		"field": field,
+		"actual": actual,
+		"expected": expected,
+	},
+}
+
+# This is unsafe because we're not checking the signature on the attestation,
+# do not call this unless you've already verified the attestation or you need the
+# statement for some other reason
+unsafe_statement_from_attestation(att) := statement if {
+	payload := att.payload
+	statement := json.unmarshal(base64.decode(payload))
+}
--- a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/index.json
+++ b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/index.json
@@ -0,0 +1,11 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.oci.image.index.v1+json",
+   "manifests": [
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 504,
+         "digest": "sha256:4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315"
+      }
+   ]
+}
--- a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/oci-layout
+++ b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/oci-layout
@@ -0,0 +1,3 @@
+{
+    "imageLayoutVersion": "1.0.0"
+}
--- a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664
+++ b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664
@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a"},"layers":[{"mediaType":"application/vnd.tuf.target","size":12,"digest":"sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3","annotations":{"tuf.io/filename":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints"}}]}
--- a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3
+++ b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3
@@ -0,0 +1 @@
+>= v0.1.4-0
--- a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a
+++ b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a
@@ -0,0 +1 @@
+{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"]},"config":{}}
--- a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/index.json
+++ b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/index.json
@@ -0,0 +1,11 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.oci.image.index.v1+json",
+   "manifests": [
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 504,
+         "digest": "sha256:3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664"
+      }
+   ]
+}
--- a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/oci-layout
+++ b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/oci-layout
@@ -0,0 +1,3 @@
+{
+    "imageLayoutVersion": "1.0.0"
+}
--- a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b
+++ b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b
@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97"},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}
--- a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97
+++ b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97
@@ -0,0 +1 @@
+{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"]},"config":{}}
--- a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac
+++ b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac
@@ -0,0 +1,19 @@
+package attest
+
+import rego.v1
+
+violations contains {
+	"type": "always_fail",
+	"description": "This policy always fails",
+}
+
+result := {
+	"success": false,
+	"violations": violations,
+	"summary": {
+		"subjects": set(),
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "docker-official-images",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}
--- a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/index.json
+++ b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/index.json
@@ -0,0 +1,11 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.oci.image.index.v1+json",
+   "manifests": [
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 502,
+         "digest": "sha256:1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b"
+      }
+   ]
+}
--- a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/oci-layout
+++ b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/oci-layout
@@ -0,0 +1,3 @@
+{
+    "imageLayoutVersion": "1.0.0"
+}
--- a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa
+++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa
@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0"},"layers":[{"mediaType":"application/vnd.tuf.target","size":46,"digest":"sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465","annotations":{"tuf.io/filename":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}}]}
--- a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0
+++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0
@@ -0,0 +1 @@
+{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465"]},"config":{}}
--- a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/8d320e9d3f3663613df6e4fca1651604a6c0323011023145a140b38f02105b04
+++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/8d320e9d3f3663613df6e4fca1651604a6c0323011023145a140b38f02105b04
@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:0b6b8fdb10421310b9aca2f1fb6ce51537baa243fb9fccca03f2ff3c15fb52f8"},"layers":[{"mediaType":"application/vnd.tuf.target","size":10,"digest":"sha256:ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1","annotations":{"tuf.io/filename":"ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1.myfile.txt"}}]}
--- a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465
+++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465
@@ -0,0 +1 @@
+this is a deeply nested delegated targets file
--- a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1
+++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1
@@ -1 +0,0 @@
-hello tuf
--- a/test/testdata/tuf/test-repo-oci/targets/test-role/index.json
+++ b/test/testdata/tuf/test-repo-oci/targets/test-role/index.json
@@ -1 +1 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":495,"digest":"sha256:8d320e9d3f3663613df6e4fca1651604a6c0323011023145a140b38f02105b04","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1.myfile.txt"}},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}
--- a/test/testdata/tuf/test-repo/metadata/1.root.json
+++ b/test/testdata/tuf/test-repo/metadata/1.root.json
@@ -1,42 +1,42 @@
 {
 "signatures": [
  {
-   "keyid": "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-   "sig": "3064023037bbb03c3472b140572a7d5a2895bd80e74435bbcb7053949731f81b104c6d05a0876590cd6a2e94d7ed619426a2f6fa02303adc8c9006fa5506fdd7ea87d2960074a537ad8bf2459f2863e806b47682cbb2f9b01b7502eaf5437a1a68fdaaeac114"
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": "3065023000f7d0a866576e94eaabc173b9233d4c8fcfa495527088f9022dff5a553f7a457da1015a6d0fc714f84848ec627387360231009fa70b2eebbe15241a2ec9b96a094ebd28661e30b8c3d1eab8d694df2b340bda511c489393630c9a9dacde42c99e9fa1"
  }
 ],
 "signed": {
  "_type": "root",
  "consistent_snapshot": true,
-  "expires": "2034-04-02T17:00:22Z",
+  "expires": "2034-05-29T20:14:11Z",
  "keys": {
-   "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3": {
-    "keytype": "ecdsa",
-    "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
-    },
-    "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
-   },
-   "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09": {
+   "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
    "keytype": "ecdsa",
    "keyval": {
     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
    },
    "scheme": "ecdsa-sha2-nistp384",
    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   },
+   "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
   }
  },
  "roles": {
   "root": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"
    ],
    "threshold": 1
   },
   "snapshot": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
@@ -44,13 +44,13 @@
   },
   "targets": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"
    ],
    "threshold": 1
   },
   "timestamp": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
--- a/test/testdata/tuf/test-repo/metadata/2.root.json
+++ b/test/testdata/tuf/test-repo/metadata/2.root.json
@@ -1,20 +1,28 @@
 {
 "signatures": [
  {
-   "keyid": "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-   "sig": "3066023100e99acc5f74777ebf40376b60f0216e8fe1829c1a49a5f6a6899126c15de1df7a56533baf493b2b53159c50843a289102023100b6a006b24da62ea0b743fbe38e1497ff485bf3a0833894985fc27a0305ad0693eeb968a7b52723ed3c49af8bef2027b6"
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": "3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"
  },
  {
-   "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
-   "sig": "30440220136debcc2f60dd1d63c9c2704f9b13c2cb2f5d2df58ea93f07f7c10f54f36742022059d7f8c6620e33506c6f1766394a32f86c9b008328f6398831ba7ebcf4ce0838"
+   "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+   "sig": ""
  }
 ],
 "signed": {
  "_type": "root",
  "consistent_snapshot": true,
-  "expires": "2034-04-03T08:45:50Z",
+  "expires": "2034-06-12T17:21:13Z",
  "keys": {
-   "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3": {
+   "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   },
+   "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
    "keytype": "ecdsa",
    "keyval": {
     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
@@ -22,34 +30,26 @@
    "scheme": "ecdsa-sha2-nistp256",
    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
   },
-   "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
+   "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
    "keytype": "ecdsa",
    "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
    },
    "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-keyowner": "@kipz"
-   },
-   "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09": {
-    "keytype": "ecdsa",
-    "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
-    },
-    "scheme": "ecdsa-sha2-nistp384",
-    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+    "x-tuf-on-ci-keyowner": "@jonnystoten"
   }
  },
  "roles": {
   "root": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-     "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
    ],
    "threshold": 1
   },
   "snapshot": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
@@ -57,14 +57,14 @@
   },
   "targets": {
    "keyids": [
-     "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-     "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
    ],
    "threshold": 1
   },
   "timestamp": {
    "keyids": [
-     "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
    ],
    "threshold": 1,
    "x-tuf-on-ci-expiry-period": 3650,
--- a/test/testdata/tuf/test-repo/metadata/2.test-role.json
+++ b/test/testdata/tuf/test-repo/metadata/2.test-role.json
@@ -0,0 +1,30 @@
+{
+ "signatures": [
+  {
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": "3065023100c37572d6e0608e0501026d99238ee37d26856d93074227410b0748e56775f8369cf7c44553b73d8a30aa94a388148ca602305b46acbb0e8818657725024a39d02589538845ad9fa0c2b6eb18f431f560096045fd825586dce81688c9574b11b975da"
+  }
+ ],
+ "signed": {
+  "_type": "targets",
+  "expires": "2034-05-29T20:25:01Z",
+  "spec_version": "1.0.31",
+  "targets": {
+   "test-role/dir1/dir2/dir3/test.txt": {
+    "hashes": {
+     "sha256": "bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465"
+    },
+    "length": 46
+   },
+   "test-role/test.txt": {
+    "hashes": {
+     "sha256": "d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"
+    },
+    "length": 32
+   }
+  },
+  "version": 2,
+  "x-tuf-on-ci-expiry-period": 3650,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}
--- a/test/testdata/tuf/test-repo/metadata/3.test-role.json
+++ b/test/testdata/tuf/test-repo/metadata/3.test-role.json
@@ -1,34 +0,0 @@
-{
- "signatures": [
-  {
-   "keyid": "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-   "sig": ""
-  },
-  {
-   "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
-   "sig": "3044022015b6ebe9d30895e3be20e707a6738e38460197d90cae3dc37527ddb7c437868602207f85f3d4e068bef4c51a749f5d166cc7fe2cb9483999ea197e72395081c3aa61"
-  }
- ],
- "signed": {
-  "_type": "targets",
-  "expires": "2034-04-03T15:39:02Z",
-  "spec_version": "1.0.31",
-  "targets": {
-   "test-role/dir1/dir2/dir3/myfile.txt": {
-    "hashes": {
-     "sha256": "ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1"
-    },
-    "length": 10
-   },
-   "test-role/test.txt": {
-    "hashes": {
-     "sha256": "d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"
-    },
-    "length": 32
-   }
-  },
-  "version": 3,
-  "x-tuf-on-ci-expiry-period": 3650,
-  "x-tuf-on-ci-signing-period": 60
- }
-}
--- a/test/testdata/tuf/test-repo/metadata/5.targets.json
+++ b/test/testdata/tuf/test-repo/metadata/5.targets.json
@@ -1,65 +0,0 @@
-{
- "signatures": [
-  {
-   "keyid": "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-   "sig": ""
-  },
-  {
-   "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
-   "sig": "3046022100f892a496c9bd96082e3b06d5eae85429355876b8eb455aa04b53ab9051911d90022100a3e89c29b15bccfc2877278c0fb2d3b34500da6351e245ad0b3f8c0ae6b67eff"
-  }
- ],
- "signed": {
-  "_type": "targets",
-  "delegations": {
-   "keys": {
-    "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
-     "keytype": "ecdsa",
-     "keyval": {
-      "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
-     },
-     "scheme": "ecdsa-sha2-nistp256",
-     "x-tuf-on-ci-keyowner": "@kipz"
-    },
-    "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09": {
-     "keytype": "ecdsa",
-     "keyval": {
-      "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
-     },
-     "scheme": "ecdsa-sha2-nistp384",
-     "x-tuf-on-ci-keyowner": "@mrjoelkamp"
-    }
-   },
-   "roles": [
-    {
-     "keyids": [
-      "b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09",
-      "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
-     ],
-     "name": "test-role",
-     "paths": [
-      "test-role/*",
-      "test-role/*/*",
-      "test-role/*/*/*",
-      "test-role/*/*/*/*"
-     ],
-     "terminating": true,
-     "threshold": 1
-    }
-   ]
-  },
-  "expires": "2034-04-03T15:28:29Z",
-  "spec_version": "1.0.31",
-  "targets": {
-   "test.txt": {
-    "hashes": {
-     "sha256": "02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"
-    },
-    "length": 31
-   }
-  },
-  "version": 5,
-  "x-tuf-on-ci-expiry-period": 3650,
-  "x-tuf-on-ci-signing-period": 60
- }
-}
--- a/test/testdata/tuf/test-repo/metadata/6.snapshot.json
+++ b/test/testdata/tuf/test-repo/metadata/6.snapshot.json
@@ -1,22 +0,0 @@
-{
- "signatures": [
-  {
-   "keyid": "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3",
-   "sig": "3044022039b56cd2e3597df74e57d200a652ba020cdc9a8cd050bd65b5f8e2640d50691d02205e073e4b6fc260acc64327a331e4440601af5b1cbff594ea91cf7b70d5828fb1"
-  }
- ],
- "signed": {
-  "_type": "snapshot",
-  "expires": "2034-04-03T15:59:47Z",
-  "meta": {
-   "targets.json": {
-    "version": 5
-   },
-   "test-role.json": {
-    "version": 3
-   }
-  },
-  "spec_version": "1.0.31",
-  "version": 6
- }
-}
--- a/test/testdata/tuf/test-repo/metadata/7.snapshot.json
+++ b/test/testdata/tuf/test-repo/metadata/7.snapshot.json
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
+   "sig": "3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67"
+  }
+ ],
+ "signed": {
+  "_type": "snapshot",
+  "expires": "2034-06-23T12:47:16Z",
+  "meta": {
+   "targets.json": {
+    "version": 8
+   },
+   "test-role.json": {
+    "version": 2
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 7
+ }
+}
--- a/test/testdata/tuf/test-repo/metadata/8.targets.json
+++ b/test/testdata/tuf/test-repo/metadata/8.targets.json
@@ -0,0 +1,80 @@
+{
+ "signatures": [
+  {
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": ""
+  },
+  {
+   "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+   "sig": "304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3"
+  }
+ ],
+ "signed": {
+  "_type": "targets",
+  "delegations": {
+   "keys": {
+    "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
+     "keytype": "ecdsa",
+     "keyval": {
+      "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
+     },
+     "scheme": "ecdsa-sha2-nistp384",
+     "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+    }
+   },
+   "roles": [
+    {
+     "keyids": [
+      "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"
+     ],
+     "name": "test-role",
+     "paths": [
+      "test-role/*",
+      "test-role/*/*",
+      "test-role/*/*/*",
+      "test-role/*/*/*/*"
+     ],
+     "terminating": true,
+     "threshold": 1
+    }
+   ]
+  },
+  "expires": "2034-06-23T12:42:15Z",
+  "spec_version": "1.0.31",
+  "targets": {
+   "always-fail.rego": {
+    "hashes": {
+     "sha256": "e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"
+    },
+    "length": 364
+   },
+   "jonnystoten2.rego": {
+    "hashes": {
+     "sha256": "bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"
+    },
+    "length": 5857
+   },
+   "mapping.yaml": {
+    "hashes": {
+     "sha256": "baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"
+    },
+    "length": 272
+   },
+   "test.txt": {
+    "hashes": {
+     "sha256": "02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"
+    },
+    "length": 31
+   },
+   "version-constraints": {
+    "hashes": {
+     "sha256": "bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"
+    },
+    "length": 12
+   }
+  },
+  "version": 8,
+  "x-tuf-on-ci-expiry-period": 3650,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}
--- a/test/testdata/tuf/test-repo/metadata/timestamp.json
+++ b/test/testdata/tuf/test-repo/metadata/timestamp.json
@@ -1,19 +1,19 @@
 {
 "signatures": [
  {
-   "keyid": "198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3",
-   "sig": "3045022011f2afa9b448fcbbac983c11fc3e264e95d5d7a9c9527b09d83a316ee762635f022100d05197a78ccc7a713ebdb0bccb44844f67a7c5208af8d346e201064b7ce11055"
+   "keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
+   "sig": "304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"
  }
 ],
 "signed": {
  "_type": "timestamp",
-  "expires": "2034-04-03T15:59:47Z",
+  "expires": "2034-06-23T12:47:16Z",
  "meta": {
   "snapshot.json": {
-    "version": 6
+    "version": 7
   }
  },
  "spec_version": "1.0.31",
-  "version": 6
+  "version": 7
 }
 }
--- a/test/testdata/tuf/test-repo/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml
+++ b/test/testdata/tuf/test-repo/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml
@@ -0,0 +1,12 @@
+version: v1
+kind: policy-mapping
+policies:
+  - origin:
+      domain: docker.io
+      prefix: jonnystoten2/
+    id: jonnystoten2
+    description: jonnystoten2 personal images for testing
+    attestations:
+      style: "referrers"
+    files:
+      - path: jonnystoten2.rego
--- a/test/testdata/tuf/test-repo/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego
+++ b/test/testdata/tuf/test-repo/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego
@@ -0,0 +1,200 @@
+package attest
+
+import rego.v1
+
+split_digest := split(input.digest, ":")
+
+digest_type := split_digest[0]
+
+digest := split_digest[1]
+
+keys := [{
+	"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
+	"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
+	"from": "2023-12-15T14:00:00Z",
+	"to": null,
+	"status": "active",
+	"signing-format": "dssev1",
+}]
+
+verify_opts := {"keys": keys}
+
+verify_attestation(att) := attest.verify(att, verify_opts)
+
+attestations contains att if {
+	result := attest.fetch("https://slsa.dev/verification_summary/v1")
+	not result.error
+	some att in result.value
+}
+
+signed_statements contains statement if {
+	some att in attestations
+	result := verify_attestation(att)
+	not result.error
+	statement := result.value
+}
+
+statements_with_subject contains statement if {
+	some statement in signed_statements
+	some subject in statement.subject
+	subject.digest[digest_type] == digest
+	valid_subject_name(input.isCanonical, subject.name, input.purl)
+}
+
+id(statement) := crypto.sha256(json.marshal(statement))
+
+subjects contains subject if {
+	some statement in statements_with_subject
+	some subject in statement.subject
+}
+
+global_violations contains v if {
+	count(attestations) == 0
+	v := {
+		"type": "missing_attestation",
+		"description": "No https://slsa.dev/verification_summary/v1 attestation found",
+		"attestation": null,
+		"details": {},
+	}
+}
+
+# we need to key this by statement_id rather than statement because we can't
+# use an object as a key due to a bug(?) in OPA: https://github.com/open-policy-agent/opa/issues/6736
+statement_violations[statement_id] contains v if {
+	some att in attestations
+	result := verify_attestation(att)
+	err := result.error
+	statement := unsafe_statement_from_attestation(att)
+	statement_id := id(statement)
+	v := {
+		"type": "unsigned_statement",
+		"description": sprintf("Statement is not correctly signed: %v", [err]),
+		"attestation": statement,
+		"details": {"error": err},
+	}
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in signed_statements
+	statement_id := id(statement)
+	not statement in statements_with_subject
+	v := {
+		"type": "bad_subjects",
+		"description": "Statement does not have this image as a subject",
+		"attestation": statement,
+		"details": {"input": input},
+	}
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result")
+}
+
+# TODO: add to statement_violations if there are statements that have an incorrect resource_uri
+# this should match the input.purl, but we really only care about the repo name and the digest
+# we need to receive the input.purl as a parsed object so we can compare only the parts we care about
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier")
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri")
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels")
+}
+
+bad_statements contains statement if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	statement_violations[statement_id]
+}
+
+good_statements := statements_with_subject - bad_statements
+
+all_violations contains v if {
+	some v in global_violations
+}
+
+all_violations contains v if {
+	some violations in statement_violations
+	some v in violations
+}
+
+result := {
+	"success": allow,
+	"violations": all_violations,
+	"summary": {
+		"subjects": subjects,
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "signing-demo-verifier",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}
+
+default allow := false
+
+allow if {
+	count(good_statements) > 0
+}
+
+# TODO: this should take into account the repo name from the purl
+valid_subject_name(true, name, purl)
+
+valid_subject_name(false, name, purl) if {
+	name == purl
+}
+
+field_value_does_not_equal(statement, field, expected, type) := v if {
+	path := split(field, ".")
+	actual := object.get(statement.predicate, path, null)
+	expected != actual
+	v := is_not_violation(statement, field, expected, actual, type)
+}
+
+array_field_does_not_contain(statement, field, expected, type) := v if {
+	path := split(field, ".")
+	actual := object.get(statement.predicate, path, null)
+	not expected in actual
+	v := not_contains_violation(statement, field, expected, actual, type)
+}
+
+is_not_violation(statement, field, expected, actual, type) := {
+	"type": type,
+	"description": sprintf("%v is not %v", [field, expected]),
+	"attestation": statement,
+	"details": {
+		"field": field,
+		"actual": actual,
+		"expected": expected,
+	},
+}
+
+not_contains_violation(statement, field, expected, actual, type) := {
+	"type": type,
+	"description": sprintf("%v does not contain %v", [field, expected]),
+	"attestation": statement,
+	"details": {
+		"field": field,
+		"actual": actual,
+		"expected": expected,
+	},
+}
+
+# This is unsafe because we're not checking the signature on the attestation,
+# do not call this unless you've already verified the attestation or you need the
+# statement for some other reason
+unsafe_statement_from_attestation(att) := statement if {
+	payload := att.payload
+	statement := json.unmarshal(base64.decode(payload))
+}
--- a/test/testdata/tuf/test-repo/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints
+++ b/test/testdata/tuf/test-repo/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints
@@ -0,0 +1 @@
+>= v0.1.4-0
--- a/test/testdata/tuf/test-repo/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego
+++ b/test/testdata/tuf/test-repo/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego
@@ -0,0 +1,19 @@
+package attest
+
+import rego.v1
+
+violations contains {
+	"type": "always_fail",
+	"description": "This policy always fails",
+}
+
+result := {
+	"success": false,
+	"violations": violations,
+	"summary": {
+		"subjects": set(),
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "docker-official-images",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}
--- a/test/testdata/tuf/test-repo/targets/test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt
+++ b/test/testdata/tuf/test-repo/targets/test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt
@@ -0,0 +1 @@
+this is a deeply nested delegated targets file
--- a/test/testdata/tuf/test-repo/targets/test-role/dir1/dir2/dir3/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1.myfile.txt
+++ b/test/testdata/tuf/test-repo/targets/test-role/dir1/dir2/dir3/ea230621c53e0bb858ea5526125414f8957fb29c08350528d50a162c620f36b1.myfile.txt
@@ -1 +0,0 @@
-hello tuf
Author	SHA1	Message	Date
James Carnegie	c735bb0d3f	feat: roll out updates on release (#100 ) * feat: roll out updates on release * Use app token. Fix repo	2024-07-25 16:15:35 +01:00
dependabot[bot]	bd2c4d7d8a	feat(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.3.0 (#98 ) * feat(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.3.0 Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.2.4 to 2.3.0. - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/cosign/compare/v2.2.4...v2.3.0) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * update to go 1.22.5 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mrjoelkamp <joel.kamp@docker.com>	2024-07-24 13:30:56 +01:00
dependabot[bot]	03ba59c6b9	feat(deps): bump google.golang.org/api from 0.188.0 to 0.189.0 (#97 )	2024-07-23 19:08:01 +00:00
dependabot[bot]	ac82c65d7c	feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#93 )	2024-07-23 19:03:53 +00:00
Joel Kamp	24a81bbfe1	Merge pull request #96 from docker/chore-update-dev-root chore: update dev root	2024-07-23 08:03:03 -05:00
mrjoelkamp	1e3c120272	fix: test targets file no ext	2024-07-22 16:03:23 -05:00
mrjoelkamp	d252a7f4d7	chore: update oci test data	2024-07-22 15:57:35 -05:00
mrjoelkamp	02421f8cf5	chore: update http test data	2024-07-22 15:52:14 -05:00
mrjoelkamp	a6cd978bc0	chore: update dev root	2024-07-22 15:23:28 -05:00
James Carnegie	efb73f4cae	Use DSSE artifactType in referrers (#95 ) * bug: Use DSSE media types for artifactType * Don't serialize DSSE extension if not present * Update pkg/attestation/types.go Co-authored-by: Joel Kamp <joel.kamp@docker.com> * Don't error on no referrers --------- Co-authored-by: Joel Kamp <joel.kamp@docker.com>	2024-07-22 18:17:12 +01:00
James Carnegie	5e68d94ad4	set artifactType correctly for referrers fallback (#94 ) * set artifactType correctly for referrers fallback	2024-07-19 16:39:35 +01:00
dependabot[bot]	10d4f129b5	feat(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.0.0-20240504210453-5a634eb214ae to 2.0.0 (#92 ) * feat(deps): bump github.com/theupdateframework/go-tuf/v2 Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.0.0-20240504210453-5a634eb214ae to 2.0.0. - [Release notes](https://github.com/theupdateframework/go-tuf/releases) - [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml) - [Commits](https://github.com/theupdateframework/go-tuf/commits/v2.0.0) --- updated-dependencies: - dependency-name: github.com/theupdateframework/go-tuf/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Tidy go.mod --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jonny Stoten <jonny.stoten@docker.com>	2024-07-17 17:01:09 +01:00
James Carnegie	de5668aca2	chore: fix linting errors (#91 )	2024-07-16 12:52:33 +01:00
dependabot[bot]	79566ff70a	feat(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#88 ) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.6 to 1.8.7. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-07-16 11:46:03 +01:00
dependabot[bot]	d01395144b	feat(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#89 ) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.6 to 1.8.7. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-07-16 11:32:17 +01:00
James Carnegie	065b354d3c	Make referrers attestations OCI compliant (#80 ) * Single attestation when creating VSA * Create single layer images for referrers attestations * Move mock to test package. Add artifacts test * Add test for envelope detection * Add tests for image/index saving * Add mirror tests * Remove AttestationImage field from AttestationManifest * Update naming. strictReferers != laxReferrers * Add specific test for SaveReferrers	2024-07-16 10:05:17 +01:00
				`@@ -0,0 +1 @@`
				{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":"3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":""}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-06-12T17:21:13Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
				`@@ -0,0 +1 @@`
				`{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"}],"signed":{"_type":"timestamp","expires":"2034-06-23T12:47:16Z","meta":{"snapshot.json":{"version":7}},"spec_version":"1.0.31","version":7}}`
				`@@ -1 +0,0 @@`
				`{"signatures":[{"keyid":"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3","sig":"3044022039b56cd2e3597df74e57d200a652ba020cdc9a8cd050bd65b5f8e2640d50691d02205e073e4b6fc260acc64327a331e4440601af5b1cbff594ea91cf7b70d5828fb1"}],"signed":{"_type":"snapshot","expires":"2034-04-03T15:59:47Z","meta":{"targets.json":{"version":5},"test-role.json":{"version":3}},"spec_version":"1.0.31","version":6}}`
				`@@ -0,0 +1 @@`
				{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8"]},"config":{}}
				`@@ -1 +0,0 @@`
				{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:ad4cacc170229608305ffccd8d09eeb59578fcb72ae394763cf7ef492175b1ee"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2607,"digest":"sha256:a2e026ce65c198ee68a7ed2df6978ed0287bb38342f6ddb7bf934a456f1d6f87","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2200,"digest":"sha256:61a98e1e86ae279e59415d927e38beae430d7e6d2bd6207054179429ea9b6763","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":410,"digest":"sha256:1fd0d9781f02486718fcbd7724db0e4c4ba47b649930cec22a3e7e6b6077ba38","annotations":{"tuf.io/filename":"6.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1683,"digest":"sha256:ea7713eb649ca1a33d79ebdccda9f7f066595b1b2c6e37e52dbfd250f5287260","annotations":{"tuf.io/filename":"5.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:4c1054844dba3241525cbd71ff9e58becca652fb1ce4a0e6ea55a01c4ec41950","annotations":{"tuf.io/filename":"timestamp.json"}}]}
				`@@ -1 +0,0 @@`
				{"signatures":[{"keyid":"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","sig":"3066023100e99acc5f74777ebf40376b60f0216e8fe1829c1a49a5f6a6899126c15de1df7a56533baf493b2b53159c50843a289102023100b6a006b24da62ea0b743fbe38e1497ff485bf3a0833894985fc27a0305ad0693eeb968a7b52723ed3c49af8bef2027b6"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"30440220136debcc2f60dd1d63c9c2704f9b13c2cb2f5d2df58ea93f07f7c10f54f36742022059d7f8c6620e33506c6f1766394a32f86c9b008328f6398831ba7ebcf4ce0838"}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-04-03T08:45:50Z","keys":{"198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":{"root":{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"snapshot":{"keyids":["198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["b7474a42f2588fa92ed4a2ebea6047a7b1b2f7351f1cfe0912732c0d0fb0fc09","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"timestamp":{"keyids":["198f00ff96ea7cbfa7eac480cc9bfc43ce13bb434b901011ab777856533997d3"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
				`@@ -0,0 +1 @@`
				`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]}`
				`@@ -0,0 +1 @@`
				`{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"]},"config":{}}`
				`@@ -0,0 +1 @@`
				`this is a deeply nested delegated targets file`