Suppress logs from ecr credential helper (#163)

This gets rid of those annoying logs like:

```
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
```

.github/release-drafter-config.yml

@@ -41,31 +41,19 @@ autolabeler:
   - label: "chore"
     files:
       - "*.md"
-    branch:
-      - '/docs{0,1}\/.+/'
-      - '/tests{0,1}\/.+/'
-      - '/chore\/.+/'
-      - '/refactor\/.+/'
     title:
-      - "/docs/i"
-      - "/test/i"
-      - "/chore/i"
-      - "/refactor/i"
+      - "/^docs!?:/i"
+      - "/^test!?:/i"
+      - "/^chore!?:/i"
+      - "/^refactor!?:/i"
   - label: "bug"
-    branch:
-      - '/fix\/.+/'
-      - '/revert\/.+/'
     title:
-      - "/fix/i"
-      - "/revert/i"
+      - "/^fix!?:/i"
+      - "/^revert!?:/i"
   - label: "feature"
-    branch:
-      - '/feature\/.+/'
-      - '/feat\/.+/'
-      - '/add\/.+/'
     title:
-      - "/feat/i"
-      - "/add/i"
+      - "/^feat!?:/i"
+      - "/^add!?:/i"
   - label: "breaking"
     title:
       - "/^[a-zA-Z]+!:/i"

.github/workflows/test.yml

@@ -12,7 +12,7 @@ jobs:
       id-token: write
     strategy:
       matrix:
-        go-version: [1.22.x]
+        go-version: [1.22.x, 1.23.x]
         # temp disable windows tests see https://github.com/docker/image-signer-verifier/pull/154
         # os: [ubuntu-latest, macos-latest, windows-latest]
         os: [ubuntu-latest, macos-latest]

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.9
 	github.com/stretchr/testify v1.9.0
 	github.com/theupdateframework/go-tuf/v2 v2.0.0
-	google.golang.org/api v0.196.0
+	google.golang.org/api v0.197.0
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -91,7 +91,7 @@ require (
 	github.com/google/certificate-transparency-go v1.2.1 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.3 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -155,20 +155,20 @@ require (
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.26.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.28.0 // indirect
-	golang.org/x/oauth2 v0.22.0 // indirect
+	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.24.0 // indirect
-	golang.org/x/term v0.23.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/term v0.24.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
-	google.golang.org/grpc v1.66.0 // indirect
+	google.golang.org/grpc v1.66.1 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

go.sum

@@ -340,8 +340,8 @@ github.com/google/trillian v1.6.0/go.mod h1:Yu3nIMITzNhhMJEHjAtp6xKiu+H/iHu2Oq5F
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.3 h1:QRje2j5GZimBzlbhGA2V2QlGNgL8G6e+wGo/+/2bWI0=
-github.com/googleapis/enterprise-certificate-proxy v0.3.3/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA=
+github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw=
+github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA=
 github.com/googleapis/gax-go/v2 v2.13.0 h1:yitjD5f7jQHhyDsnhKEBU52NdvvdSeGzlAnDPT0hH1s=
 github.com/googleapis/gax-go/v2 v2.13.0/go.mod h1:Z/fvTZXF8/uw7Xu5GuslPw+bplx6SS338j1Is2S+B7A=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
@@ -629,8 +629,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
+golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
@@ -660,11 +660,11 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
+golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
-golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -696,15 +696,15 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
-golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
+golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
+golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -712,8 +712,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
 golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -732,8 +732,8 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-google.golang.org/api v0.196.0 h1:k/RafYqebaIJBO3+SMnfEGtFVlvp5vSgqTUF54UN/zg=
-google.golang.org/api v0.196.0/go.mod h1:g9IL21uGkYgvQ5BZg6BAtoGJQIm8r6EgaAbpNey5wBE=
+google.golang.org/api v0.197.0 h1:x6CwqQLsFiA5JKAiGyGBjc2bNtHtLddhJCE2IKuhhcQ=
+google.golang.org/api v0.197.0/go.mod h1:AuOuo20GoQ331nq7DquGHlU6d+2wN2fZ8O0ta60nRNw=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -750,8 +750,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c=
-google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/grpc v1.66.1 h1:hO5qAXR19+/Z44hmvIM4dQFMSYX9XcWsByfoxutBpAM=
+google.golang.org/grpc v1.66.1/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=

internal/test/test.go

@@ -16,9 +16,9 @@ import (
 	"time"
 
 	"github.com/docker/attest/attestation"
-	"github.com/docker/attest/internal/useragent"
 	"github.com/docker/attest/signerverifier"
 	"github.com/docker/attest/tlog"
+	"github.com/docker/attest/useragent"
 	"github.com/google/go-containerregistry/pkg/registry"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )

mirror/mirror.go

@@ -11,7 +11,7 @@ func NewTUFMirror(ctx context.Context, root []byte, tufPath, metadataURL, target
 	if root == nil {
 		root = tuf.DockerTUFRootDefault.Data
 	}
-	tufClient, err := tuf.NewClient(ctx, &tuf.ClientOptions{InitialRoot: root, Path: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
+	tufClient, err := tuf.NewClient(ctx, &tuf.ClientOptions{InitialRoot: root, LocalStorageDir: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create TUF client: %w", err)
 	}

oci/authn.go

@@ -1,6 +1,8 @@
 package oci
 
 import (
+	"io"
+
 	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/v1/google"
@@ -16,6 +18,6 @@ func MultiKeychainAll() authn.Keychain {
 	return authn.NewMultiKeychain(
 		authn.DefaultKeychain,
 		google.Keychain,
-		authn.NewKeychainFromHelper(ecr.NewECRHelper()),
+		authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))),
 	)
 }

oci/oci.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/containerd/platforms"
 	"github.com/distribution/reference"
-	"github.com/docker/attest/internal/useragent"
+	"github.com/docker/attest/useragent"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670

@@ -1 +0,0 @@
-{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":"3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":""}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-06-12T17:21:13Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8

@@ -1 +0,0 @@
-{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"}],"signed":{"_type":"timestamp","expires":"2034-06-23T12:47:16Z","meta":{"snapshot.json":{"version":7}},"spec_version":"1.0.31","version":7}}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/3debf3f541b67760dc37ac1f82a7e0fc86cb5fc3d4f4f9c45ca7d38e55beca7b

@@ -0,0 +1 @@
+{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"3046022100a474191d8cf56aa84453b2bb9365db31e8d01cbb19026677f2bf70ace72a9ee002210089277a98e2a3792e864378d270e5861c72e5944a95a15bb03aef5963142edd0c"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"3046022100c828959aa78fcabf565207a204e5033bf1266a2574cad62431f9c83283c1f1b4022100d6ac4850924c78e27a41c9d94b66bb3e076e69615dd981ac9612b9748ea90428"}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-09-04T13:55:23Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":4,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/4f2b6b008a82518eace3f053d04bd5fbd2059453df992bfda9e5caa46e095502

@@ -0,0 +1,92 @@
+{
+ "signatures": [
+  {
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": ""
+  },
+  {
+   "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+   "sig": "304402202e636803c93298a350f2528d7e67394e0f12f94a1dfbb28794b65a77d85fe2a50220027570e8005a8ea9e3b78e579f4fda99a0adfeefd824de15d8aef29b29e493eb"
+  },
+  {
+   "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
+   "sig": "304502207167ef72bd1ca241b8f62e69f8d2e1bec2b129ce534c4884a2ac620aa607f307022100dd49ca6bc5715af869932629d68fff4cf74879000cfc60a31374118f901c04ce"
+  }
+ ],
+ "signed": {
+  "_type": "root",
+  "consistent_snapshot": true,
+  "expires": "2034-09-04T13:40:46Z",
+  "keys": {
+   "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   },
+   "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@kipz"
+   },
+   "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
+   },
+   "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@jonnystoten"
+   }
+  },
+  "roles": {
+   "root": {
+    "keyids": [
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+     "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
+    ],
+    "threshold": 1
+   },
+   "snapshot": {
+    "keyids": [
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 3650,
+    "x-tuf-on-ci-signing-period": 60
+   },
+   "targets": {
+    "keyids": [
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
+    ],
+    "threshold": 1
+   },
+   "timestamp": {
+    "keyids": [
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 3650,
+    "x-tuf-on-ci-signing-period": 60
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 3,
+  "x-tuf-on-ci-expiry-period": 3650,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5556a0398a04564261ccc7b548d670792f2086c496322c4e95d898686e8b4811

@@ -0,0 +1 @@
+{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3045022042bb3075239d8d3676fe0990b9cfbb6c1629204d599d61e8805b5057cfecd20c022100da3e16fe5c2259c8a4847f3be8b5d8686f444cdffb2d94da83d71c9707b1cad3"}],"signed":{"_type":"timestamp","expires":"2034-09-07T14:41:18Z","meta":{"snapshot.json":{"version":11}},"spec_version":"1.0.31","version":11}}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497

@@ -1 +0,0 @@
-{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67"}],"signed":{"_type":"snapshot","expires":"2034-06-23T12:47:16Z","meta":{"targets.json":{"version":8},"test-role.json":{"version":2}},"spec_version":"1.0.31","version":7}}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/640c0d21bbc7c99717feee6c74ff65e7099e4dc21a30f985f18d6e5bd205502d

@@ -0,0 +1 @@
+{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3046022100aeac20924d8a674836e298773a4bb728559cf0acfbae5b6bf1b9c8e29b1a1d1c022100a00c2d981a6ae8b530d213433946216604bcab34bb85435beed63a0e8b0f837c"}],"signed":{"_type":"snapshot","expires":"2034-09-07T14:41:18Z","meta":{"policy.json":{"version":1},"targets.json":{"version":11},"test-role.json":{"version":2},"testing.json":{"version":2}},"spec_version":"1.0.31","version":11}}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59

@@ -1 +0,0 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8"]},"config":{}}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/832485119c0195acdcd2c7d555f55565be54e658c2e8de3adccf4e2d0c92e536

@@ -0,0 +1,79 @@
+{
+ "signatures": [
+  {
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": "3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"
+  },
+  {
+   "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+   "sig": ""
+  }
+ ],
+ "signed": {
+  "_type": "root",
+  "consistent_snapshot": true,
+  "expires": "2034-06-12T17:21:13Z",
+  "keys": {
+   "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   },
+   "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
+   },
+   "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@jonnystoten"
+   }
+  },
+  "roles": {
+   "root": {
+    "keyids": [
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
+    ],
+    "threshold": 1
+   },
+   "snapshot": {
+    "keyids": [
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 3650,
+    "x-tuf-on-ci-signing-period": 60
+   },
+   "targets": {
+    "keyids": [
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
+    ],
+    "threshold": 1
+   },
+   "timestamp": {
+    "keyids": [
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 3650,
+    "x-tuf-on-ci-signing-period": 60
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 2,
+  "x-tuf-on-ci-expiry-period": 3650,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a00c1b266ea6b992a8b6fa87ab8a67232f4319d9e3dd0e63365e73114a2c7869

@@ -0,0 +1 @@
+{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304402200ea43fe1e416994188eb928b097a2cdf4760de5ce1a5803ccd7f032fb043d5f00220201b346fbe41c44422426a5715eff90b09dfcc8a2b791f3b0471376a43c22889"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":""}],"signed":{"_type":"targets","delegations":{"keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":[{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1},{"keyids":["beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"name":"testing","paths":["testing/*","testing/*/*","testing/*/*/*","testing/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-09-07T14:32:09Z","spec_version":"1.0.31","targets":{"always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"mapping.yaml":{"hashes":{"sha256":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"},"length":272},"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31},"version-constraints":{"hashes":{"sha256":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"},"length":12}},"version":11,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb

@@ -1 +0,0 @@
-{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3"}],"signed":{"_type":"targets","delegations":{"keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":[{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-06-23T12:42:15Z","spec_version":"1.0.31","targets":{"always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"mapping.yaml":{"hashes":{"sha256":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"},"length":272},"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31},"version-constraints":{"hashes":{"sha256":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"},"length":12}},"version":8,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1

@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2202,"digest":"sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2472,"digest":"sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":412,"digest":"sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","annotations":{"tuf.io/filename":"7.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1746,"digest":"sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","annotations":{"tuf.io/filename":"8.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8","annotations":{"tuf.io/filename":"timestamp.json"}}]}

test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e83d550964be04addfc119b45b8dd80914babd5e5f0529b3106d6f18f74afc3a

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2202,"digest":"sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2856,"digest":"sha256:832485119c0195acdcd2c7d555f55565be54e658c2e8de3adccf4e2d0c92e536","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":3506,"digest":"sha256:4f2b6b008a82518eace3f053d04bd5fbd2059453df992bfda9e5caa46e095502","annotations":{"tuf.io/filename":"3.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":3128,"digest":"sha256:3debf3f541b67760dc37ac1f82a7e0fc86cb5fc3d4f4f9c45ca7d38e55beca7b","annotations":{"tuf.io/filename":"4.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":473,"digest":"sha256:640c0d21bbc7c99717feee6c74ff65e7099e4dc21a30f985f18d6e5bd205502d","annotations":{"tuf.io/filename":"11.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2390,"digest":"sha256:a00c1b266ea6b992a8b6fa87ab8a67232f4319d9e3dd0e63365e73114a2c7869","annotations":{"tuf.io/filename":"11.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":385,"digest":"sha256:5556a0398a04564261ccc7b548d670792f2086c496322c4e95d898686e8b4811","annotations":{"tuf.io/filename":"timestamp.json"}}]}

test/testdata/tuf/test-repo-oci/metadata/index.json

@@ -4,8 +4,9 @@
    "manifests": [
       {
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
-         "size": 1220,
-         "digest": "sha256:e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1"
+         "size": 1608,
+         "digest": "sha256:e83d550964be04addfc119b45b8dd80914babd5e5f0529b3106d6f18f74afc3a",
+         "artifactType": "application/vnd.oci.empty.v1+json"
       }
    ]
 }

test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc

@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]}

test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98

@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1"]},"config":{}}
+{}

test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/e4f3fbc9692b9f500fecd97d33c58bd00e120cecbcdff2279f864dd2832c10e3

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]}

test/testdata/tuf/test-repo-oci/metadata/test-role/index.json

@@ -5,7 +5,8 @@
       {
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "size": 444,
-         "digest": "sha256:6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc"
+         "digest": "sha256:e4f3fbc9692b9f500fecd97d33c58bd00e120cecbcdff2279f864dd2832c10e3",
+         "artifactType": "application/vnd.oci.empty.v1+json"
       }
    ]
 }

test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/243420d72b0472394a29ad86a06a05f9b1f6270000ccabfeeba7680e8d27840b

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/a70a4b054774f728a66a22b05008b505573d850cc942552276a1faec79a6d6a5

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":930,"digest":"sha256:f06ffb8527f121fa950570349ed57f77498ca4ac9a590fb15a0ec97a67a70ea6","annotations":{"tuf.io/filename":"2.testing.json"}}]}

test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/f06ffb8527f121fa950570349ed57f77498ca4ac9a590fb15a0ec97a67a70ea6

@@ -0,0 +1 @@
+{"signatures":[{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304502207ffc26ed83118f9aa0e0c7d6cad1cbcca7ffedc1cdfa7d1c5d6bc589ee1586c502210091bf85dfbe58b300af02922e28878a135767a07a7ed93e3f169d418e5b03dcd0"}],"signed":{"_type":"targets","expires":"2025-09-09T14:38:32Z","spec_version":"1.0.31","targets":{"testing/always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"testing/jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"testing/mapping.yaml":{"hashes":{"sha256":"d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090"},"length":269},"testing/test-only.rego":{"hashes":{"sha256":"93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374"},"length":467}},"version":2,"x-tuf-on-ci-expiry-period":365,"x-tuf-on-ci-signing-period":60}}

test/testdata/tuf/test-repo-oci/metadata/testing/index.json

@@ -0,0 +1,12 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.oci.image.index.v1+json",
+   "manifests": [
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 442,
+         "digest": "sha256:a70a4b054774f728a66a22b05008b505573d850cc942552276a1faec79a6d6a5",
+         "artifactType": "application/vnd.oci.empty.v1+json"
+      }
+   ]
+}

test/testdata/tuf/test-repo-oci/metadata/testing/oci-layout

@@ -0,0 +1,3 @@
+{
+    "imageLayoutVersion": "1.0.0"
+}

test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/4b0cc6119d25a34299b24d86095f21f667378aadf3c493c2d92f134869fd2c73

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":31,"digest":"sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b","annotations":{"tuf.io/filename":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt"}}]}

test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/cf0c754e6415fab25e2f59fb6b010dcf0c2369f7a59a45ff29c693c844163ca7

@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"]},"config":{}}
+{}

test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/cf70a3b91fd7dfaa30952dfa9f094809e6cd9bd7364942c7f067c747bc535f94

@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:cf0c754e6415fab25e2f59fb6b010dcf0c2369f7a59a45ff29c693c844163ca7"},"layers":[{"mediaType":"application/vnd.tuf.target","size":31,"digest":"sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b","annotations":{"tuf.io/filename":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt"}}]}

test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/index.json

@@ -5,7 +5,8 @@
       {
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "size": 493,
-         "digest": "sha256:cf70a3b91fd7dfaa30952dfa9f094809e6cd9bd7364942c7f067c747bc535f94"
+         "digest": "sha256:4b0cc6119d25a34299b24d86095f21f667378aadf3c493c2d92f134869fd2c73",
+         "artifactType": "application/vnd.oci.empty.v1+json"
       }
    ]
 }

test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f

@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d"},"layers":[{"mediaType":"application/vnd.tuf.target","size":272,"digest":"sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1","annotations":{"tuf.io/filename":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml"}}]}

test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d

@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"]},"config":{}}
+{}

test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/f6c752a7909493c7aaee73c51f174a2ca9b2edd2dc3868c8306b80b0e7f489e1

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":272,"digest":"sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1","annotations":{"tuf.io/filename":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml"}}]}

test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/index.json

@@ -5,7 +5,8 @@
       {
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "size": 498,
-         "digest": "sha256:08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f"
+         "digest": "sha256:f6c752a7909493c7aaee73c51f174a2ca9b2edd2dc3868c8306b80b0e7f489e1",
+         "artifactType": "application/vnd.oci.empty.v1+json"
       }
    ]
 }

test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}

test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315

@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10"},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}

test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10

@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"]},"config":{}}
+{}

test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/index.json

@@ -5,7 +5,8 @@
       {
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "size": 504,
-         "digest": "sha256:4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315"
+         "digest": "sha256:39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48",
+         "artifactType": "application/vnd.oci.empty.v1+json"
       }
    ]
 }

test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664

@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a"},"layers":[{"mediaType":"application/vnd.tuf.target","size":12,"digest":"sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3","annotations":{"tuf.io/filename":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints"}}]}

test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/b197e563dc2e6961628f2d9543da7555b50fdd78877ef34917d642a60e6bd73f

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":12,"digest":"sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3","annotations":{"tuf.io/filename":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints"}}]}

test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a

@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"]},"config":{}}
+{}

test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/index.json

@@ -5,7 +5,8 @@
       {
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "size": 504,
-         "digest": "sha256:3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664"
+         "digest": "sha256:b197e563dc2e6961628f2d9543da7555b50fdd78877ef34917d642a60e6bd73f",
+         "artifactType": "application/vnd.oci.empty.v1+json"
       }
    ]
 }

test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}

test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b

@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97"},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}

test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97

@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"]},"config":{}}
+{}

test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/index.json

@@ -5,7 +5,8 @@
       {
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "size": 502,
-         "digest": "sha256:1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b"
+         "digest": "sha256:0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac",
+         "artifactType": "application/vnd.oci.empty.v1+json"
       }
    ]
 }

test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2

@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:d9941355ca037d7e878e04c1bc7cbf9c71a5d8035b6e27be0d9e5d9087599055"},"layers":[{"mediaType":"application/vnd.tuf.target","size":32,"digest":"sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2","annotations":{"tuf.io/filename":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}

test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa

@@ -1 +0,0 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0"},"layers":[{"mediaType":"application/vnd.tuf.target","size":46,"digest":"sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465","annotations":{"tuf.io/filename":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}}]}

test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0

@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465"]},"config":{}}
+{}

test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/46ad77c669b6b5b015e4b164ad66624d0c7704dfae8752e7844a632d8e3df640

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":46,"digest":"sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465","annotations":{"tuf.io/filename":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}}]}

test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/d9941355ca037d7e878e04c1bc7cbf9c71a5d8035b6e27be0d9e5d9087599055

@@ -1 +1 @@
-{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"]},"config":{}}
+{}

test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/f1558403107419b9a79ce371bba1425c123daf3f77437ba42c77b9dd0f26d6f8

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":32,"digest":"sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2","annotations":{"tuf.io/filename":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}

test/testdata/tuf/test-repo-oci/targets/test-role/index.json

@@ -1 +1 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:46ad77c669b6b5b015e4b164ad66624d0c7704dfae8752e7844a632d8e3df640","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:f1558403107419b9a79ce371bba1425c123daf3f77437ba42c77b9dd0f26d6f8","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"},"artifactType":"application/vnd.oci.empty.v1+json"}]}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/0ee29b1aba4bf2259b76066c170aeeb923b2d96db3c46a8fe3d1475e9ccf320b

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374

@@ -0,0 +1,21 @@
+package attest
+
+import rego.v1
+
+# this file only exists in the testing delegation
+
+violations contains {
+	"type": "testing_delegation",
+	"description": "This policy always fails. We'd better not promote this to production.",
+}
+
+result := {
+	"success": false,
+	"violations": violations,
+	"summary": {
+		"subjects": set(),
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "docker-official-images",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/b846de84908dbf583e3b7e7fbd95cf2c5ffc3c0c92e19ef7be6859df3c5397a3

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":269,"digest":"sha256:d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090","annotations":{"tuf.io/filename":"d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml"}}]}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1

@@ -0,0 +1,200 @@
+package attest
+
+import rego.v1
+
+split_digest := split(input.digest, ":")
+
+digest_type := split_digest[0]
+
+digest := split_digest[1]
+
+keys := [{
+	"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
+	"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
+	"from": "2023-12-15T14:00:00Z",
+	"to": null,
+	"status": "active",
+	"signing-format": "dssev1",
+}]
+
+verify_opts := {"keys": keys}
+
+verify_attestation(att) := attest.verify(att, verify_opts)
+
+attestations contains att if {
+	result := attest.fetch("https://slsa.dev/verification_summary/v1")
+	not result.error
+	some att in result.value
+}
+
+signed_statements contains statement if {
+	some att in attestations
+	result := verify_attestation(att)
+	not result.error
+	statement := result.value
+}
+
+statements_with_subject contains statement if {
+	some statement in signed_statements
+	some subject in statement.subject
+	subject.digest[digest_type] == digest
+	valid_subject_name(input.isCanonical, subject.name, input.purl)
+}
+
+id(statement) := crypto.sha256(json.marshal(statement))
+
+subjects contains subject if {
+	some statement in statements_with_subject
+	some subject in statement.subject
+}
+
+global_violations contains v if {
+	count(attestations) == 0
+	v := {
+		"type": "missing_attestation",
+		"description": "No https://slsa.dev/verification_summary/v1 attestation found",
+		"attestation": null,
+		"details": {},
+	}
+}
+
+# we need to key this by statement_id rather than statement because we can't
+# use an object as a key due to a bug(?) in OPA: https://github.com/open-policy-agent/opa/issues/6736
+statement_violations[statement_id] contains v if {
+	some att in attestations
+	result := verify_attestation(att)
+	err := result.error
+	statement := unsafe_statement_from_attestation(att)
+	statement_id := id(statement)
+	v := {
+		"type": "unsigned_statement",
+		"description": sprintf("Statement is not correctly signed: %v", [err]),
+		"attestation": statement,
+		"details": {"error": err},
+	}
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in signed_statements
+	statement_id := id(statement)
+	not statement in statements_with_subject
+	v := {
+		"type": "bad_subjects",
+		"description": "Statement does not have this image as a subject",
+		"attestation": statement,
+		"details": {"input": input},
+	}
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result")
+}
+
+# TODO: add to statement_violations if there are statements that have an incorrect resource_uri
+# this should match the input.purl, but we really only care about the repo name and the digest
+# we need to receive the input.purl as a parsed object so we can compare only the parts we care about
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier")
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri")
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels")
+}
+
+bad_statements contains statement if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	statement_violations[statement_id]
+}
+
+good_statements := statements_with_subject - bad_statements
+
+all_violations contains v if {
+	some v in global_violations
+}
+
+all_violations contains v if {
+	some violations in statement_violations
+	some v in violations
+}
+
+result := {
+	"success": allow,
+	"violations": all_violations,
+	"summary": {
+		"subjects": subjects,
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "signing-demo-verifier",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}
+
+default allow := false
+
+allow if {
+	count(good_statements) > 0
+}
+
+# TODO: this should take into account the repo name from the purl
+valid_subject_name(true, name, purl)
+
+valid_subject_name(false, name, purl) if {
+	name == purl
+}
+
+field_value_does_not_equal(statement, field, expected, type) := v if {
+	path := split(field, ".")
+	actual := object.get(statement.predicate, path, null)
+	expected != actual
+	v := is_not_violation(statement, field, expected, actual, type)
+}
+
+array_field_does_not_contain(statement, field, expected, type) := v if {
+	path := split(field, ".")
+	actual := object.get(statement.predicate, path, null)
+	not expected in actual
+	v := not_contains_violation(statement, field, expected, actual, type)
+}
+
+is_not_violation(statement, field, expected, actual, type) := {
+	"type": type,
+	"description": sprintf("%v is not %v", [field, expected]),
+	"attestation": statement,
+	"details": {
+		"field": field,
+		"actual": actual,
+		"expected": expected,
+	},
+}
+
+not_contains_violation(statement, field, expected, actual, type) := {
+	"type": type,
+	"description": sprintf("%v does not contain %v", [field, expected]),
+	"attestation": statement,
+	"details": {
+		"field": field,
+		"actual": actual,
+		"expected": expected,
+	},
+}
+
+# This is unsafe because we're not checking the signature on the attestation,
+# do not call this unless you've already verified the attestation or you need the
+# statement for some other reason
+unsafe_statement_from_attestation(att) := statement if {
+	payload := att.payload
+	statement := json.unmarshal(base64.decode(payload))
+}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090

@@ -0,0 +1,12 @@
+version: v1
+kind: policy-mapping
+policies:
+  - origin:
+      domain: docker.io
+      prefix: jonnystoten2/
+    id: jonnystoten2
+    description: jonnystoten2 personal images for testing
+    attestations:
+      style: "referrers"
+    files:
+      - path: test-only.rego

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/db3d6f0ce76f0fa388b83f4928620a7d532ab386a954dd997bdf9318aa5d0b79

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":467,"digest":"sha256:93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374","annotations":{"tuf.io/filename":"93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego"}}]}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac

@@ -0,0 +1,19 @@
+package attest
+
+import rego.v1
+
+violations contains {
+	"type": "always_fail",
+	"description": "This policy always fails",
+}
+
+result := {
+	"success": false,
+	"violations": violations,
+	"summary": {
+		"subjects": set(),
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "docker-official-images",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}

test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/f7c51ae1304af943cc66cf88fb043c1e463fe245793752c463312581dd4a1f9a

@@ -0,0 +1 @@
+{}

test/testdata/tuf/test-repo-oci/targets/testing/index.json

@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":502,"digest":"sha256:0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac","annotations":{"tuf.io/filename":"testing/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":504,"digest":"sha256:39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48","annotations":{"tuf.io/filename":"testing/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":498,"digest":"sha256:b846de84908dbf583e3b7e7fbd95cf2c5ffc3c0c92e19ef7be6859df3c5397a3","annotations":{"tuf.io/filename":"testing/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":500,"digest":"sha256:db3d6f0ce76f0fa388b83f4928620a7d532ab386a954dd997bdf9318aa5d0b79","annotations":{"tuf.io/filename":"testing/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego"},"artifactType":"application/vnd.oci.empty.v1+json"}]}

test/testdata/tuf/test-repo-oci/targets/testing/oci-layout

@@ -0,0 +1,3 @@
+{
+    "imageLayoutVersion": "1.0.0"
+}

test/testdata/tuf/test-repo/metadata/11.snapshot.json

@@ -0,0 +1,28 @@
+{
+ "signatures": [
+  {
+   "keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
+   "sig": "3046022100aeac20924d8a674836e298773a4bb728559cf0acfbae5b6bf1b9c8e29b1a1d1c022100a00c2d981a6ae8b530d213433946216604bcab34bb85435beed63a0e8b0f837c"
+  }
+ ],
+ "signed": {
+  "_type": "snapshot",
+  "expires": "2034-09-07T14:41:18Z",
+  "meta": {
+   "policy.json": {
+    "version": 1
+   },
+   "targets.json": {
+    "version": 11
+   },
+   "test-role.json": {
+    "version": 2
+   },
+   "testing.json": {
+    "version": 2
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 11
+ }
+}

test/testdata/tuf/test-repo/metadata/11.targets.json

@@ -6,7 +6,11 @@
   },
   {
    "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
-   "sig": "304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3"
+   "sig": "304402200ea43fe1e416994188eb928b097a2cdf4760de5ce1a5803ccd7f032fb043d5f00220201b346fbe41c44422426a5715eff90b09dfcc8a2b791f3b0471376a43c22889"
+  },
+  {
+   "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
+   "sig": ""
   }
  ],
  "signed": {
@@ -20,6 +24,14 @@
      },
      "scheme": "ecdsa-sha2-nistp384",
      "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+    },
+    "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
+     "keytype": "ecdsa",
+     "keyval": {
+      "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
+     },
+     "scheme": "ecdsa-sha2-nistp256",
+     "x-tuf-on-ci-keyowner": "@jonnystoten"
     }
    },
    "roles": [
@@ -36,10 +48,24 @@
      ],
      "terminating": true,
      "threshold": 1
+    },
+    {
+     "keyids": [
+      "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
+     ],
+     "name": "testing",
+     "paths": [
+      "testing/*",
+      "testing/*/*",
+      "testing/*/*/*",
+      "testing/*/*/*/*"
+     ],
+     "terminating": true,
+     "threshold": 1
     }
    ]
   },
-  "expires": "2034-06-23T12:42:15Z",
+  "expires": "2034-09-07T14:32:09Z",
   "spec_version": "1.0.31",
   "targets": {
    "always-fail.rego": {
@@ -73,7 +99,7 @@
     "length": 12
    }
   },
-  "version": 8,
+  "version": 11,
   "x-tuf-on-ci-expiry-period": 3650,
   "x-tuf-on-ci-signing-period": 60
  }

test/testdata/tuf/test-repo/metadata/2.testing.json

@@ -0,0 +1,42 @@
+{
+ "signatures": [
+  {
+   "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+   "sig": "304502207ffc26ed83118f9aa0e0c7d6cad1cbcca7ffedc1cdfa7d1c5d6bc589ee1586c502210091bf85dfbe58b300af02922e28878a135767a07a7ed93e3f169d418e5b03dcd0"
+  }
+ ],
+ "signed": {
+  "_type": "targets",
+  "expires": "2025-09-09T14:38:32Z",
+  "spec_version": "1.0.31",
+  "targets": {
+   "testing/always-fail.rego": {
+    "hashes": {
+     "sha256": "e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"
+    },
+    "length": 364
+   },
+   "testing/jonnystoten2.rego": {
+    "hashes": {
+     "sha256": "bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"
+    },
+    "length": 5857
+   },
+   "testing/mapping.yaml": {
+    "hashes": {
+     "sha256": "d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090"
+    },
+    "length": 269
+   },
+   "testing/test-only.rego": {
+    "hashes": {
+     "sha256": "93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374"
+    },
+    "length": 467
+   }
+  },
+  "version": 2,
+  "x-tuf-on-ci-expiry-period": 365,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}

test/testdata/tuf/test-repo/metadata/3.root.json

@@ -0,0 +1,92 @@
+{
+ "signatures": [
+  {
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": ""
+  },
+  {
+   "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+   "sig": "304402202e636803c93298a350f2528d7e67394e0f12f94a1dfbb28794b65a77d85fe2a50220027570e8005a8ea9e3b78e579f4fda99a0adfeefd824de15d8aef29b29e493eb"
+  },
+  {
+   "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
+   "sig": "304502207167ef72bd1ca241b8f62e69f8d2e1bec2b129ce534c4884a2ac620aa607f307022100dd49ca6bc5715af869932629d68fff4cf74879000cfc60a31374118f901c04ce"
+  }
+ ],
+ "signed": {
+  "_type": "root",
+  "consistent_snapshot": true,
+  "expires": "2034-09-04T13:40:46Z",
+  "keys": {
+   "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   },
+   "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@kipz"
+   },
+   "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
+   },
+   "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@jonnystoten"
+   }
+  },
+  "roles": {
+   "root": {
+    "keyids": [
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+     "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
+    ],
+    "threshold": 1
+   },
+   "snapshot": {
+    "keyids": [
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 3650,
+    "x-tuf-on-ci-signing-period": 60
+   },
+   "targets": {
+    "keyids": [
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
+    ],
+    "threshold": 1
+   },
+   "timestamp": {
+    "keyids": [
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 3650,
+    "x-tuf-on-ci-signing-period": 60
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 3,
+  "x-tuf-on-ci-expiry-period": 3650,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}

test/testdata/tuf/test-repo/metadata/4.root.json

@@ -0,0 +1,93 @@
+{
+ "signatures": [
+  {
+   "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+   "sig": ""
+  },
+  {
+   "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+   "sig": "3046022100a474191d8cf56aa84453b2bb9365db31e8d01cbb19026677f2bf70ace72a9ee002210089277a98e2a3792e864378d270e5861c72e5944a95a15bb03aef5963142edd0c"
+  },
+  {
+   "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
+   "sig": "3046022100c828959aa78fcabf565207a204e5033bf1266a2574cad62431f9c83283c1f1b4022100d6ac4850924c78e27a41c9d94b66bb3e076e69615dd981ac9612b9748ea90428"
+  }
+ ],
+ "signed": {
+  "_type": "root",
+  "consistent_snapshot": true,
+  "expires": "2034-09-04T13:55:23Z",
+  "keys": {
+   "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@mrjoelkamp"
+   },
+   "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@kipz"
+   },
+   "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
+   },
+   "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@jonnystoten"
+   }
+  },
+  "roles": {
+   "root": {
+    "keyids": [
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+     "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
+    ],
+    "threshold": 1
+   },
+   "snapshot": {
+    "keyids": [
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 3650,
+    "x-tuf-on-ci-signing-period": 60
+   },
+   "targets": {
+    "keyids": [
+     "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
+     "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
+     "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
+    ],
+    "threshold": 1
+   },
+   "timestamp": {
+    "keyids": [
+     "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 3650,
+    "x-tuf-on-ci-signing-period": 60
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 4,
+  "x-tuf-on-ci-expiry-period": 3650,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}

test/testdata/tuf/test-repo/metadata/7.snapshot.json

@@ -1,22 +0,0 @@
-{
- "signatures": [
-  {
-   "keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
-   "sig": "3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67"
-  }
- ],
- "signed": {
-  "_type": "snapshot",
-  "expires": "2034-06-23T12:47:16Z",
-  "meta": {
-   "targets.json": {
-    "version": 8
-   },
-   "test-role.json": {
-    "version": 2
-   }
-  },
-  "spec_version": "1.0.31",
-  "version": 7
- }
-}

test/testdata/tuf/test-repo/metadata/timestamp.json

@@ -2,18 +2,18 @@
  "signatures": [
   {
    "keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
-   "sig": "304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"
+   "sig": "3045022042bb3075239d8d3676fe0990b9cfbb6c1629204d599d61e8805b5057cfecd20c022100da3e16fe5c2259c8a4847f3be8b5d8686f444cdffb2d94da83d71c9707b1cad3"
   }
  ],
  "signed": {
   "_type": "timestamp",
-  "expires": "2034-06-23T12:47:16Z",
+  "expires": "2034-09-07T14:41:18Z",
   "meta": {
    "snapshot.json": {
-    "version": 7
+    "version": 11
    }
   },
   "spec_version": "1.0.31",
-  "version": 7
+  "version": 11
  }
 }

test/testdata/tuf/test-repo/targets/testing/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego

@@ -0,0 +1,21 @@
+package attest
+
+import rego.v1
+
+# this file only exists in the testing delegation
+
+violations contains {
+	"type": "testing_delegation",
+	"description": "This policy always fails. We'd better not promote this to production.",
+}
+
+result := {
+	"success": false,
+	"violations": violations,
+	"summary": {
+		"subjects": set(),
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "docker-official-images",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}

test/testdata/tuf/test-repo/targets/testing/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego

@@ -0,0 +1,200 @@
+package attest
+
+import rego.v1
+
+split_digest := split(input.digest, ":")
+
+digest_type := split_digest[0]
+
+digest := split_digest[1]
+
+keys := [{
+	"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
+	"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
+	"from": "2023-12-15T14:00:00Z",
+	"to": null,
+	"status": "active",
+	"signing-format": "dssev1",
+}]
+
+verify_opts := {"keys": keys}
+
+verify_attestation(att) := attest.verify(att, verify_opts)
+
+attestations contains att if {
+	result := attest.fetch("https://slsa.dev/verification_summary/v1")
+	not result.error
+	some att in result.value
+}
+
+signed_statements contains statement if {
+	some att in attestations
+	result := verify_attestation(att)
+	not result.error
+	statement := result.value
+}
+
+statements_with_subject contains statement if {
+	some statement in signed_statements
+	some subject in statement.subject
+	subject.digest[digest_type] == digest
+	valid_subject_name(input.isCanonical, subject.name, input.purl)
+}
+
+id(statement) := crypto.sha256(json.marshal(statement))
+
+subjects contains subject if {
+	some statement in statements_with_subject
+	some subject in statement.subject
+}
+
+global_violations contains v if {
+	count(attestations) == 0
+	v := {
+		"type": "missing_attestation",
+		"description": "No https://slsa.dev/verification_summary/v1 attestation found",
+		"attestation": null,
+		"details": {},
+	}
+}
+
+# we need to key this by statement_id rather than statement because we can't
+# use an object as a key due to a bug(?) in OPA: https://github.com/open-policy-agent/opa/issues/6736
+statement_violations[statement_id] contains v if {
+	some att in attestations
+	result := verify_attestation(att)
+	err := result.error
+	statement := unsafe_statement_from_attestation(att)
+	statement_id := id(statement)
+	v := {
+		"type": "unsigned_statement",
+		"description": sprintf("Statement is not correctly signed: %v", [err]),
+		"attestation": statement,
+		"details": {"error": err},
+	}
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in signed_statements
+	statement_id := id(statement)
+	not statement in statements_with_subject
+	v := {
+		"type": "bad_subjects",
+		"description": "Statement does not have this image as a subject",
+		"attestation": statement,
+		"details": {"input": input},
+	}
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result")
+}
+
+# TODO: add to statement_violations if there are statements that have an incorrect resource_uri
+# this should match the input.purl, but we really only care about the repo name and the digest
+# we need to receive the input.purl as a parsed object so we can compare only the parts we care about
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier")
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri")
+}
+
+statement_violations[statement_id] contains v if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	v := array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels")
+}
+
+bad_statements contains statement if {
+	some statement in statements_with_subject
+	statement_id := id(statement)
+	statement_violations[statement_id]
+}
+
+good_statements := statements_with_subject - bad_statements
+
+all_violations contains v if {
+	some v in global_violations
+}
+
+all_violations contains v if {
+	some violations in statement_violations
+	some v in violations
+}
+
+result := {
+	"success": allow,
+	"violations": all_violations,
+	"summary": {
+		"subjects": subjects,
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "signing-demo-verifier",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}
+
+default allow := false
+
+allow if {
+	count(good_statements) > 0
+}
+
+# TODO: this should take into account the repo name from the purl
+valid_subject_name(true, name, purl)
+
+valid_subject_name(false, name, purl) if {
+	name == purl
+}
+
+field_value_does_not_equal(statement, field, expected, type) := v if {
+	path := split(field, ".")
+	actual := object.get(statement.predicate, path, null)
+	expected != actual
+	v := is_not_violation(statement, field, expected, actual, type)
+}
+
+array_field_does_not_contain(statement, field, expected, type) := v if {
+	path := split(field, ".")
+	actual := object.get(statement.predicate, path, null)
+	not expected in actual
+	v := not_contains_violation(statement, field, expected, actual, type)
+}
+
+is_not_violation(statement, field, expected, actual, type) := {
+	"type": type,
+	"description": sprintf("%v is not %v", [field, expected]),
+	"attestation": statement,
+	"details": {
+		"field": field,
+		"actual": actual,
+		"expected": expected,
+	},
+}
+
+not_contains_violation(statement, field, expected, actual, type) := {
+	"type": type,
+	"description": sprintf("%v does not contain %v", [field, expected]),
+	"attestation": statement,
+	"details": {
+		"field": field,
+		"actual": actual,
+		"expected": expected,
+	},
+}
+
+# This is unsafe because we're not checking the signature on the attestation,
+# do not call this unless you've already verified the attestation or you need the
+# statement for some other reason
+unsafe_statement_from_attestation(att) := statement if {
+	payload := att.payload
+	statement := json.unmarshal(base64.decode(payload))
+}

test/testdata/tuf/test-repo/targets/testing/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml

@@ -0,0 +1,12 @@
+version: v1
+kind: policy-mapping
+policies:
+  - origin:
+      domain: docker.io
+      prefix: jonnystoten2/
+    id: jonnystoten2
+    description: jonnystoten2 personal images for testing
+    attestations:
+      style: "referrers"
+    files:
+      - path: test-only.rego

test/testdata/tuf/test-repo/targets/testing/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego

@@ -0,0 +1,19 @@
+package attest
+
+import rego.v1
+
+violations contains {
+	"type": "always_fail",
+	"description": "This policy always fails",
+}
+
+result := {
+	"success": false,
+	"violations": violations,
+	"summary": {
+		"subjects": set(),
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "docker-official-images",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}

tlog/tl.go

@@ -14,9 +14,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/attest/internal/useragent"
 	"github.com/docker/attest/internal/util"
 	"github.com/docker/attest/signerverifier"
+	"github.com/docker/attest/useragent"
 	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/strfmt"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"

tuf/example_registry_test.go

@@ -17,11 +17,8 @@ func ExampleNewClient_registry() {
 	}
 	tufOutputPath := filepath.Join(home, ".docker", "tuf")
 
-	// using oci tuf metadata and targets
-	metadataURI := "registry-1.docker.io/docker/tuf-metadata:latest"
-	targetsURI := "registry-1.docker.io/docker/tuf-targets"
-
-	registryClient, err := tuf.NewClient(context.Background(), &tuf.ClientOptions{tuf.DockerTUFRootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker()})
+	opts := tuf.NewDockerDefaultClientOptions(tufOutputPath)
+	registryClient, err := tuf.NewClient(context.Background(), opts)
 	if err != nil {
 		panic(err)
 	}

tuf/registry.go

@@ -12,8 +12,8 @@ import (
 	"time"
 
 	"github.com/distribution/reference"
-	"github.com/docker/attest/internal/useragent"
 	"github.com/docker/attest/oci"
+	"github.com/docker/attest/useragent"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/crane"
 	v1 "github.com/google/go-containerregistry/pkg/v1"

tuf/registry_test.go

@@ -10,9 +10,9 @@ import (
 	"testing"
 
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/internal/useragent"
 	"github.com/docker/attest/internal/util"
 	"github.com/docker/attest/oci"
+	"github.com/docker/attest/useragent"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -419,8 +419,8 @@ func LoadRegistryTestData(ctx context.Context, t *testing.T, registry *url.URL,
 		if err != nil {
 			t.Fatal(err)
 		}
-		switch len(mf.Manifests) {
-		case 1:
+		switch {
+		case len(mf.Manifests) == 1:
 			// top-level target
 			img, err := tIdx.Image(mf.Manifests[0].Digest)
 			if err != nil {
@@ -430,7 +430,7 @@ func LoadRegistryTestData(ctx context.Context, t *testing.T, registry *url.URL,
 			if err != nil {
 				t.Fatal(err)
 			}
-		case 2:
+		case len(mf.Manifests) > 1:
 			// delegated target
 			err = remote.WriteIndex(ref, tIdx, oci.WithOptions(ctx, nil)...)
 			if err != nil {

tuf/tuf.go

@@ -7,7 +7,9 @@ import (
 	"io/fs"
 	"net/url"
 	"os"
+	"path"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -46,8 +48,9 @@ type Downloader interface {
 }
 
 type Client struct {
-	updater *updater.Updater
-	cfg     *config.UpdaterConfig
+	updater    *updater.Updater
+	cfg        *config.UpdaterConfig
+	pathPrefix string
 }
 
 type TargetFile struct {
@@ -57,26 +60,41 @@ type TargetFile struct {
 	Data           []byte
 }
 
+// ClientOptions contains the options for creating a new TUF client.
 type ClientOptions struct {
-	InitialRoot    []byte
-	Path           string
+	// InitialRoot is the initial root.json file to use for the TUF client.
+	InitialRoot []byte
+	// LocalStorageDir is the directory where the TUF client will cache any downloaded metadata and target files.
+	LocalStorageDir string
+	// MetadataSource is the source of the metadata files.
 	MetadataSource string
-	TargetsSource  string
+	// TargetsSource is the source of the target files.
+	TargetsSource string
+	// VersionChecker checks if the current version of this library meets the constraints from the TUF repo.
 	VersionChecker VersionChecker
+	// PathPrefix is the prefix to prepend to all target paths before downloading.
+	PathPrefix string
 }
 
 func NewDockerDefaultClientOptions(tufPath string) *ClientOptions {
 	return &ClientOptions{
-		InitialRoot:    DockerTUFRootDefault.Data,
-		Path:           tufPath,
-		MetadataSource: defaultMetadataSource,
-		TargetsSource:  defaultTargetsSource,
-		VersionChecker: NewDefaultVersionChecker(),
+		InitialRoot:     DockerTUFRootDefault.Data,
+		LocalStorageDir: tufPath,
+		MetadataSource:  defaultMetadataSource,
+		TargetsSource:   defaultTargetsSource,
+		VersionChecker:  NewDefaultVersionChecker(),
 	}
 }
 
+var validPathPrefix = regexp.MustCompile("^[a-z0-9_-]*$")
+
 // NewClient creates a new TUF client.
 func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) {
+	pathPrefix := opts.PathPrefix
+	if !validPathPrefix.MatchString(pathPrefix) {
+		return nil, fmt.Errorf("invalid path prefix: %s", pathPrefix)
+	}
+
 	var tufSource Source
 	if strings.HasPrefix(opts.MetadataSource, "https://") || strings.HasPrefix(opts.MetadataSource, "http://") {
 		tufSource = HTTPSource
@@ -87,7 +105,7 @@ func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) {
 	tufRootDigest := util.SHA256Hex(opts.InitialRoot)
 
 	// create a directory for each initial root.json
-	metadataPath := filepath.Join(opts.Path, tufRootDigest)
+	metadataPath := filepath.Join(opts.LocalStorageDir, tufRootDigest)
 	err := os.MkdirAll(metadataPath, os.ModePerm)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create directory '%s': %w", metadataPath, err)
@@ -139,8 +157,9 @@ func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) {
 	}
 
 	client := &Client{
-		updater: up,
-		cfg:     cfg,
+		pathPrefix: pathPrefix,
+		updater:    up,
+		cfg:        cfg,
 	}
 
 	err = opts.VersionChecker.CheckVersion(client)
@@ -181,6 +200,9 @@ func (t *Client) generateTargetURI(target *metadata.TargetFiles, digest string)
 // information, verifies if the target is already cached, and if it is not cached,
 // downloads the target file.
 func (t *Client) DownloadTarget(target string, filePath string) (file *TargetFile, err error) {
+	// before we do anything, prepend the path prefix to the target
+	target = path.Join(t.pathPrefix, target)
+
 	// search if the desired target is available
 	targetInfo, err := t.updater.GetTargetInfo(target)
 	if err != nil {

tuf/tuf_test.go

@@ -8,6 +8,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/docker/attest/internal/test"
@@ -65,18 +66,21 @@ func TestRootInit(t *testing.T) {
 		{"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets"},
 	}
 	for _, tc := range testCases {
-		_, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
+		_, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""})
 		assert.NoErrorf(t, err, "Failed to create TUF client: %v", err)
 
 		// recreation should work with same root
-		_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
+		_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""})
 		assert.NoErrorf(t, err, "Failed to recreate TUF client: %v", err)
 
-		_, err = NewClient(ctx, &ClientOptions{[]byte("broken"), tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
+		_, err = NewClient(ctx, &ClientOptions{[]byte("broken"), tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""})
 		assert.Errorf(t, err, "Expected error recreating TUF client with broken root: %v", err)
 
-		_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker})
+		_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker, ""})
 		assert.Errorf(t, err, "Expected error recreating TUF client with bad version checker")
+
+		_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, "../.."})
+		assert.Errorf(t, err, "Expected error recreating TUF client with bad path prefix")
 	}
 }
 
@@ -104,15 +108,17 @@ func TestDownloadTarget(t *testing.T) {
 		name           string
 		metadataSource string
 		targetsSource  string
+		pathPrefix     string
 	}{
-		{"http", server.URL + "/metadata", server.URL + "/targets"},
-		{"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets"},
-		{"http, download before init", server.URL + "/metadata", server.URL + "/targets"},
+		{"http", server.URL + "/metadata", server.URL + "/targets", ""},
+		{"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets", ""},
+		{"http, with path prefix", server.URL + "/metadata", server.URL + "/targets", "testing"},
+		{"oci, with path prefix", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets", "testing"},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			tufClient, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
+			tufClient, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, tc.pathPrefix})
 			require.NoErrorf(t, err, "Failed to create TUF client: %v", err)
 			require.NotNil(t, tufClient.updater, "Failed to create updater")
 
@@ -121,18 +127,30 @@ func TestDownloadTarget(t *testing.T) {
 			assert.NotNil(t, trustedMetadata, "Failed to get trusted metadata")
 
 			// download top-level target files
-			targets := trustedMetadata.Targets[metadata.TARGETS].Signed.Targets
+			var roleName string
+			if tc.pathPrefix != "" {
+				// get target info for non-existent target, just to trigger a load of the delegated targets metadata
+				_, err = tufClient.updater.GetTargetInfo(tc.pathPrefix + "/fakefile")
+				assert.Error(t, err) // expect error for non-existent target
+				roleName = tc.pathPrefix
+			} else {
+				roleName = metadata.TARGETS
+			}
+			targets := trustedMetadata.Targets[roleName].Signed.Targets
 			for _, target := range targets {
+				path := strings.TrimPrefix(target.Path, tufClient.pathPrefix)
 				// download target files
-				_, err := tufClient.DownloadTarget(target.Path, filepath.Join(tufPath, "download"))
+				_, err := tufClient.DownloadTarget(path, filepath.Join(tufPath, "download"))
 				assert.NoErrorf(t, err, "Failed to download target: %v", err)
 			}
 
-			// download delegated target
-			targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
-			require.NoError(t, err)
-			_, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
-			assert.NoError(t, err)
+			if tc.pathPrefix == "" {
+				// download delegated target, only if not using a path prefix
+				targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
+				require.NoError(t, err)
+				_, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
+				assert.NoError(t, err)
+			}
 		})
 	}
 }

tuf/version.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 
 	"github.com/Masterminds/semver/v3"
-	"github.com/docker/attest/internal/version"
+	"github.com/docker/attest/version"
 )
 
 const ThisModulePath = "github.com/docker/attest"

useragent/useragent.go

@@ -3,7 +3,7 @@ package useragent
 import (
 	"context"
 
-	"github.com/docker/attest/internal/version"
+	"github.com/docker/attest/version"
 )
 
 type userAgentKeyType string