18 Commits

dependabot[bot]
5e16b97e02 feat(deps): bump google.golang.org/api from 0.198.0 to 0.199.0 (#181)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.198.0 to 0.199.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.198.0...v0.199.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-27 15:11:28 +01:00
dependabot[bot]
0ff28b2deb feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#180)
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.35 to 1.27.38.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.35...config/v1.27.38)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-27 15:05:53 +01:00
Jonny Stoten
4ca962b70c Add function for parsing DOI definition files (#172)
Add a Rego builtin called `attest.internals.parse_library_definition`
for parsing the DOI definition files in
https://github.com/docker-library/official-images/tree/master/library.
This will allow us to verify DOI provenance fields against these files
which are the source of truth for DOI images.

This function just defers to
https://github.com/docker-library/bashbrew/blob/master/manifest/rfc2822.go.
2024-09-27 12:32:24 +01:00
Joel Kamp
2a4bef091e Merge pull request #179 from docker/fix-sign-unsigned-statements
fix: only sign statements
2024-09-26 10:02:41 -05:00
mrjoelkamp
bb0843cd51 fix: only sign statements 2024-09-24 15:12:46 -05:00
David Dooling
203577e965 Remove long-term aspiration from README (#174) 2024-09-20 09:06:02 -05:00
James Carnegie
a98604bdd5 chore: add rekor prod TUF system test (#176) 2024-09-20 11:02:36 +01:00
dependabot[bot]
02b8063d71 feat(deps): bump google.golang.org/api from 0.197.0 to 0.198.0 (#175)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.197.0 to 0.198.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.197.0...v0.198.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-20 10:01:47 +01:00
Joel Kamp
dcf5c578dd Merge pull request #173 from docker/feat-support-containerd-subject-annotations
feat: support containerd subject annotations
2024-09-19 16:03:32 -05:00
mrjoelkamp
0378c94226 test: make test layouts smaller 2024-09-19 15:36:20 -05:00
mrjoelkamp
fd4e741a1f feat: support containerd subject annotations 2024-09-19 15:10:56 -05:00
James Carnegie
2ace988b1c chore: add test for RegoFnOpts (#171) 2024-09-19 13:54:10 +01:00
dependabot[bot]
be7a17f214 feat(deps): bump github.com/sigstore/sigstore from 1.8.8 to 1.8.9 (#169)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.8 to 1.8.9.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.8...v1.8.9)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-19 11:24:30 +01:00
dependabot[bot]
1a49b5c068 chore(deps): bump actions/create-github-app-token from 1.10.4 to 1.11.0 (#164)
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 1.10.4 to 1.11.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](3378cda945...5d869da34e)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-19 11:18:57 +01:00
James Carnegie
3e82338649 refactor: remove explicit closures. expose rego fns (#170) 2024-09-19 11:04:00 +01:00
James Carnegie
4a70e5ae36 Add platform filtering support to mapping.yml (#167)
* chore!: rename package config -> mapping
* feat: add platform filtering support to mapping.yml
2024-09-18 21:11:55 +01:00
James Carnegie
05caa959c4 Use a Factory to create signature verifiers at policy evaluation time (#165)
* Make verifiers composable

* fix: remove unused code and improve signature verification logic

* fix: simplify abstractions and renamed some things

* fix: improve tl interface.

* fix: sort out signer/verifier
2024-09-18 13:34:10 +01:00
dependabot[bot]
5335a56da1 feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#168)
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.33 to 1.27.35.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.33...config/v1.27.35)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-18 09:43:50 +01:00
79 changed files with 1862 additions and 944 deletions


@@ -10,7 +10,7 @@ jobs:
steps: steps:
- name: Generate GitHub App Token - name: Generate GitHub App Token
id: app-token id: app-token
uses: actions/create-github-app-token@3378cda945da322a8db4b193e19d46352ebe2de5 # v1.10.4 uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
with: with:
app-id: ${{ vars.ATTEST_RELEASE_APP_ID }} app-id: ${{ vars.ATTEST_RELEASE_APP_ID }}
private-key: ${{ secrets.ATTEST_RELEASE_APP_PRIVATE_KEY }} private-key: ${{ secrets.ATTEST_RELEASE_APP_PRIVATE_KEY }}


@@ -40,9 +40,6 @@ Examples of attestations include statements about the provenance and SBOM of an
This library can be used to verify these attestations using Rego policy. This library can be used to verify these attestations using Rego policy.
Policy can be used to check whether an attestation is correctly signed, and that the contents of the attestation are correct. Policy can be used to check whether an attestation is correctly signed, and that the contents of the attestation are correct.
Our overall goal with this project is adoption of the ideas into other open-source projects, rather than to create another standalone tool.
It would be a great outcome if this library was no longer needed because the functionality was built into other tools.
# Features # Features
- Sign in-toto attestations - Sign in-toto attestations
@@ -203,8 +200,14 @@ rules:
- pattern: "^docker[.]io/library/(.*)$" - pattern: "^docker[.]io/library/(.*)$"
policy-id: docker-official-images policy-id: docker-official-images
- pattern: "^public[.]ecr[.]aws/docker/library/(.*)$" - pattern: "^public[.]ecr[.]aws/docker/library/(.*)$"
platforms: ["linux/amd64"] # optional: restrict image platforms for matching policies (default: all)
rewrite: docker.io/library/$1 rewrite: docker.io/library/$1
``` ```
`platforms` in the second rule above is optional and can be used to restrict the platforms for which the policy
is evaluated. If the `platforms` field is not present, the policy will be applied to all platforms.
It's important to note that the `platforms` field is a filter, and is applied before the `pattern`
field is processed, so both `platforms` and `pattern` need to match in order for the policy to be selected
(or the rewrite to be processed if present).
As before, any repository in the `docker.io/library` namespace will be evaluated against the policy in `doi/policy.rego`. As before, any repository in the `docker.io/library` namespace will be evaluated against the policy in `doi/policy.rego`.
The second rule will rewrite any repository in the `public.ecr.aws/docker/library` namespace to `docker.io/library`. The second rule will rewrite any repository in the `public.ecr.aws/docker/library` namespace to `docker.io/library`.


@@ -96,8 +96,9 @@ func layersFromImage(image v1.Image) ([]*Layer, error) {
// copy original annotations // copy original annotations
ann := maps.Clone(layerDesc.Annotations) ann := maps.Clone(layerDesc.Annotations)
// only decode intoto statements // only decode intoto statements
stmt := new(intoto.Statement) var stmt *intoto.Statement
if mt == types.MediaType(intoto.PayloadType) { if mt == types.MediaType(intoto.PayloadType) {
stmt = new(intoto.Statement)
err = json.NewDecoder(r).Decode(&stmt) err = json.NewDecoder(r).Decode(&stmt)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to decode statement layer contents: %w", err) return nil, fmt.Errorf("failed to decode statement layer contents: %w", err)
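Review bot: With `stmt` now declared as `*intoto.Statement`, the `Decode(&stmt)` call decodes into a pointer-to-pointer, so a layer whose body is the JSON literal `null` resets `stmt` back to nil and becomes indistinguishable from a non-statement layer, while the `stmt = new(intoto.Statement)` on the line above is redundant because the decoder allocates on demand. If every layer carrying the in-toto media type is expected to hold a statement, decode into the allocated value instead, `err = json.NewDecoder(r).Decode(stmt)`, which keeps `stmt` non-nil (a zero Statement for a bare `null`) and gives the allocation a purpose. layersFromImage starts and continues outside the hunk, so how a nil `stmt` is consumed afterwards is not visible here.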


@@ -26,7 +26,7 @@ func ExampleManifest() {
// configure signing options // configure signing options
opts := &attestation.SigningOptions{ opts := &attestation.SigningOptions{
SkipTL: true, // skip trust logging to a transparency log TransparencyLog: nil, // set this to log to a transparency log
} }
ref := "docker/image-signer-verifier:latest" ref := "docker/image-signer-verifier:latest"


@@ -5,9 +5,12 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
containerd "github.com/containerd/containerd/v2/core/images"
"github.com/distribution/reference"
"github.com/docker/attest/oci" "github.com/docker/attest/oci"
v1 "github.com/google/go-containerregistry/pkg/v1" v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/layout" "github.com/google/go-containerregistry/pkg/v1/layout"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
) )
// implementation of Resolver that closes over attestations from an oci layout. // implementation of Resolver that closes over attestations from an oci layout.
@@ -95,6 +98,14 @@ func manifestFromOCILayout(path string, platform *v1.Platform) (*Manifest, error
idxDescriptor := idxm.Manifests[0] idxDescriptor := idxm.Manifests[0]
idxDigest := idxDescriptor.Digest idxDigest := idxDescriptor.Digest
subjectName := idxDescriptor.Annotations[ocispec.AnnotationRefName]
if _, err := reference.ParseNamed(subjectName); err != nil {
// try the containerd annotation if the org.opencontainers.image.ref.name is not a full name
subjectName = idxDescriptor.Annotations[containerd.AnnotationImageName]
if _, err := reference.ParseNamed(subjectName); err != nil {
return nil, fmt.Errorf("failed to find subject name in annotations")
}
}
mfs, err := idx.ImageIndex(idxDigest) mfs, err := idx.ImageIndex(idxDigest)
if err != nil { if err != nil {
@@ -138,7 +149,7 @@ func manifestFromOCILayout(path string, platform *v1.Platform) (*Manifest, error
attest := &Manifest{ attest := &Manifest{
OriginalLayers: layers, OriginalLayers: layers,
OriginalDescriptor: mf, OriginalDescriptor: mf,
SubjectName: idxDescriptor.Annotations["org.opencontainers.image.ref.name"], SubjectName: subjectName,
SubjectDescriptor: subjectDescriptor, SubjectDescriptor: subjectDescriptor,
} }
return attest, nil return attest, nil
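Review bot: Both `reference.ParseNamed` errors in the new subject-name block are shadowed and discarded, so the error returned for a layout with a malformed or absent annotation says only "failed to find subject name in annotations" and gives no hint which annotation was tried or why it was rejected. Since the annotation values come from the layout under inspection and `ParseNamed` only enforces fully-qualified syntax, wrapping the last failure and quoting the rejected value would make a bad layout diagnosable without changing behaviour: `return nil, fmt.Errorf("failed to find subject name in annotations (tried %q): %w", subjectName, err)`. The unused `_` result could also be kept so the canonical `Named` form, rather than the raw annotation string, is what ends up in `SubjectName`; that is a judgement call. manifestFromOCILayout starts and ends outside these hunks.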


@@ -1,6 +1,7 @@
package attestation_test package attestation_test
import ( import (
"path/filepath"
"strings" "strings"
"testing" "testing"
@@ -33,7 +34,7 @@ func TestAttestationFromOCILayout(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
spec, err := oci.ParseImageSpec(oci.LocalPrefix + outputLayout) spec, err := oci.ParseImageSpec(oci.LocalPrefix + outputLayout)
require.NoError(t, err) require.NoError(t, err)
err = oci.SaveIndex(ctx, []*oci.ImageSpec{spec}, signedIndex, outputLayout) err = oci.SaveIndex(ctx, []*oci.ImageSpec{spec}, signedIndex, "docker.io/library/test-image:test")
require.NoError(t, err) require.NoError(t, err)
testCases := []struct { testCases := []struct {
@@ -66,3 +67,29 @@ func TestAttestationFromOCILayout(t *testing.T) {
}) })
} }
} }
func TestSubjectNameAnnotations(t *testing.T) {
testCases := []struct {
name string
ociLayoutPath string
errorStr string
}{
{name: "oci annotation", ociLayoutPath: test.UnsignedTestImage("..")},
{name: "containerd annotation", ociLayoutPath: filepath.Join("..", "test", "testdata", "containerd-subject-layout")},
{name: "missing subject name", ociLayoutPath: filepath.Join("..", "test", "testdata", "missing-subject-layout"), errorStr: "failed to find subject name in annotations"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
spec, err := oci.ParseImageSpec(oci.LocalPrefix+tc.ociLayoutPath, oci.WithPlatform("linux/arm64"))
require.NoError(t, err)
_, err = policy.CreateImageDetailsResolver(spec)
if tc.errorStr != "" {
require.Error(t, err)
assert.Contains(t, err.Error(), tc.errorStr)
return
}
require.NoError(t, err)
})
}
}


@@ -9,8 +9,8 @@ import (
"github.com/docker/attest" "github.com/docker/attest"
"github.com/docker/attest/attestation" "github.com/docker/attest/attestation"
"github.com/docker/attest/config"
"github.com/docker/attest/internal/test" "github.com/docker/attest/internal/test"
"github.com/docker/attest/mapping"
"github.com/docker/attest/oci" "github.com/docker/attest/oci"
"github.com/docker/attest/policy" "github.com/docker/attest/policy"
"github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/name"
@@ -39,7 +39,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
referrersServer *httptest.Server referrersServer *httptest.Server
useDigest bool useDigest bool
referrersRepo string referrersRepo string
attestationSource config.AttestationStyle attestationSource mapping.AttestationStyle
expectFailure bool expectFailure bool
}{ }{
{ {
@@ -55,26 +55,26 @@ func TestAttestationReferenceTypes(t *testing.T) {
name: "attached attestations, referrers repo (mismatched args)", name: "attached attestations, referrers repo (mismatched args)",
server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)), server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
expectFailure: true, // mismatched args expectFailure: true, // mismatched args
attestationSource: config.AttestationStyleAttached, attestationSource: mapping.AttestationStyleAttached,
referrersRepo: "referrers", referrersRepo: "referrers",
}, },
{ {
name: "referrers attestations, referrers repo (no policy)", name: "referrers attestations, referrers repo (no policy)",
server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)), server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
expectFailure: true, // no policy expectFailure: true, // no policy
attestationSource: config.AttestationStyleReferrers, attestationSource: mapping.AttestationStyleReferrers,
referrersRepo: "referrers", referrersRepo: "referrers",
}, },
{ {
name: "referrers attestations", name: "referrers attestations",
server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)), server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
attestationSource: config.AttestationStyleReferrers, attestationSource: mapping.AttestationStyleReferrers,
}, },
{ {
name: "referrers attestations, no referrers support on server", name: "referrers attestations, no referrers support on server",
server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(false)), server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(false)),
attestationSource: config.AttestationStyleReferrers, attestationSource: mapping.AttestationStyleReferrers,
referrersServer: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)), referrersServer: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
}, },
} { } {
@@ -88,9 +88,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
u, err := url.Parse(s.URL) u, err := url.Parse(s.URL)
require.NoError(t, err) require.NoError(t, err)
opts := &attestation.SigningOptions{ opts := &attestation.SigningOptions{}
SkipTL: true,
}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage("..")) attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
require.NoError(t, err) require.NoError(t, err)
@@ -210,9 +208,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
refServerURL, err := url.Parse(refServer.URL) refServerURL, err := url.Parse(refServer.URL)
require.NoError(t, err) require.NoError(t, err)
opts := &attestation.SigningOptions{ opts := &attestation.SigningOptions{}
SkipTL: true,
}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage("..")) attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
require.NoError(t, err) require.NoError(t, err)
@@ -236,9 +232,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
refServerURL, err := url.Parse(refServer.URL) refServerURL, err := url.Parse(refServer.URL)
require.NoError(t, err) require.NoError(t, err)
opts := &attestation.SigningOptions{ opts := &attestation.SigningOptions{}
SkipTL: true,
}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage("..")) attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
require.NoError(t, err) require.NoError(t, err)
@@ -291,9 +285,7 @@ func TestCorrectArtifactTypeInTagFallback(t *testing.T) {
repoName := "repo" repoName := "repo"
opts := &attestation.SigningOptions{ opts := &attestation.SigningOptions{}
SkipTL: true,
}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage("..")) attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
require.NoError(t, err) require.NoError(t, err)


@@ -37,10 +37,10 @@ func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, o
KeyID: keyID, KeyID: keyID,
Sig: base64Encoding.EncodeToString(sig), Sig: base64Encoding.EncodeToString(sig),
} }
if !opts.SkipTL { if opts.TransparencyLog != nil {
ext, err := logSignature(ctx, tlog.GetTL(ctx), &sig, &encPayload, signer) ext, err := logSignature(ctx, opts.TransparencyLog, sig, encPayload, signer)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to log to rekor: %w", err) return nil, fmt.Errorf("failed to log signature: %w", err)
} }
dsseSig.Extension = ext dsseSig.Extension = ext
} }
@@ -51,27 +51,21 @@ func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, o
} }
// returns a new envelope with the transparency log entry added to the signature extension. // returns a new envelope with the transparency log entry added to the signature extension.
func logSignature(ctx context.Context, t tlog.TL, sig *[]byte, encPayload *[]byte, signer dsse.SignerVerifier) (*Extension, error) { func logSignature(ctx context.Context, t tlog.TransparencyLog, sig []byte, encPayload []byte, signer dsse.SignerVerifier) (*Extension, error) {
// get Key ID from signer // get Key ID from signer
keyID, err := signer.KeyID() keyID, err := signer.KeyID()
if err != nil { if err != nil {
return nil, fmt.Errorf("error getting public key ID: %w", err) return nil, fmt.Errorf("error getting public key ID: %w", err)
} }
entry, err := t.UploadLogEntry(ctx, keyID, *encPayload, *sig, signer) entry, err := t.UploadEntry(ctx, keyID, encPayload, sig, signer)
if err != nil { if err != nil {
return nil, fmt.Errorf("error uploading TL entry: %w", err) return nil, fmt.Errorf("error uploading TL entry: %w", err)
} }
entryObj, err := t.UnmarshalEntry(entry)
if err != nil {
return nil, fmt.Errorf("error unmarshaling tl entry: %w", err)
}
return &Extension{ return &Extension{
Kind: DockerDSSEExtKind, Kind: DockerDSSEExtKind,
Ext: &DockerDSSEExtension{ Ext: &DockerDSSEExtension{
TL: &DockerTLExtension{ TL: entry,
Kind: RekorTLExtKind,
Data: entryObj, // transparency log entry metadata
},
}, },
}, nil }, nil
} }
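Review bot: The new guard `if opts.TransparencyLog != nil` inverts the default: a zero `SigningOptions` previously logged the signature (SkipTL false) and now silently produces an envelope with no transparency-log extension, which the new VerifyLog in verifier.go rejects with "error missing signature extension" unless the verifier side sets SkipTL. A nil `opts` still dereferences here, and a typed-nil pointer stored in the `tlog.TransparencyLog` interface passes the nil check and would reach `UploadEntry` on a nil receiver. Suggest `if opts != nil && opts.TransparencyLog != nil {` together with a doc comment on SigningOptions stating that a nil TransparencyLog means no log entry is created. SignDSSE starts outside the first hunk.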


@@ -1,6 +1,7 @@
package attestation_test package attestation_test
import ( import (
"context"
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
@@ -14,6 +15,7 @@ import (
"github.com/docker/attest/internal/test" "github.com/docker/attest/internal/test"
"github.com/docker/attest/oci" "github.com/docker/attest/oci"
"github.com/docker/attest/signerverifier" "github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
"github.com/google/go-containerregistry/pkg/registry" "github.com/google/go-containerregistry/pkg/registry"
v1 "github.com/google/go-containerregistry/pkg/v1" v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/static" "github.com/google/go-containerregistry/pkg/v1/static"
@@ -35,7 +37,10 @@ func TestSignVerifyAttestation(t *testing.T) {
payload, err := json.Marshal(stmt) payload, err := json.Marshal(stmt)
require.NoError(t, err) require.NoError(t, err)
opts := &attestation.SigningOptions{} tl := tlog.GetMockTL()
opts := &attestation.SigningOptions{
TransparencyLog: tl,
}
env, err := attestation.SignDSSE(ctx, payload, signer, opts) env, err := attestation.SignDSSE(ctx, payload, signer, opts)
require.NoError(t, err) require.NoError(t, err)
@@ -146,8 +151,17 @@ func TestSignVerifyAttestation(t *testing.T) {
opts := &attestation.VerifyOptions{ opts := &attestation.VerifyOptions{
Keys: attestation.Keys{keyMeta}, Keys: attestation.Keys{keyMeta},
} }
_, err = attestation.VerifyDSSE(ctx, deserializedEnv, opts) getTL := func(_ context.Context, opts *attestation.VerifyOptions) (tlog.TransparencyLog, error) {
if opts.SkipTL {
return nil, nil
}
return tl, nil
}
verifier, err := attestation.NewVerfier(attestation.WithLogVerifierFactory(getTL))
require.NoError(t, err)
_, err = attestation.VerifyDSSE(ctx, verifier, deserializedEnv, opts)
if tc.expectedError != "" { if tc.expectedError != "" {
require.Error(t, err)
assert.Contains(t, err.Error(), tc.expectedError) assert.Contains(t, err.Error(), tc.expectedError)
} else { } else {
assert.NoError(t, err) assert.NoError(t, err)
@@ -222,7 +236,6 @@ func TestSimpleStatementSigning(t *testing.T) {
{"replaced", true}, {"replaced", true},
{"not replaced", false}, {"not replaced", false},
} }
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
opts := &attestation.SigningOptions{} opts := &attestation.SigningOptions{}


@@ -1,9 +1,12 @@
package attestation package attestation
import ( import (
"crypto"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"time"
"github.com/docker/attest/tlog"
v1 "github.com/google/go-containerregistry/pkg/v1" v1 "github.com/google/go-containerregistry/pkg/v1"
intoto "github.com/in-toto/in-toto-golang/in_toto" intoto "github.com/in-toto/in-toto-golang/in_toto"
v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2" v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
@@ -17,7 +20,6 @@ const (
InTotoPredicateType = "in-toto.io/predicate-type" InTotoPredicateType = "in-toto.io/predicate-type"
DockerReferenceDigest = "vnd.docker.reference.digest" DockerReferenceDigest = "vnd.docker.reference.digest"
DockerDSSEExtKind = "application/vnd.docker.attestation-verification.v1+json" DockerDSSEExtKind = "application/vnd.docker.attestation-verification.v1+json"
RekorTLExtKind = "Rekor"
OCIDescriptorDSSEMediaType = ociv1.MediaTypeDescriptor + "+dsse" OCIDescriptorDSSEMediaType = ociv1.MediaTypeDescriptor + "+dsse"
InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage" InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"
LifecycleStageExperimental = "experimental" LifecycleStageExperimental = "experimental"
@@ -72,22 +74,40 @@ type AnnotatedStatement struct {
} }
type DockerDSSEExtension struct { type DockerDSSEExtension struct {
TL *DockerTLExtension `json:"tl"` TL *tlog.DockerTLExtension `json:"tl"`
} }
type DockerTLExtension struct { type TransparencyLogKind string
Kind string `json:"kind"`
Data any `json:"data"` const (
} RekorTransparencyLogKind = "rekor"
)
type VerifyOptions struct { type VerifyOptions struct {
Keys []*KeyMetadata `json:"keys"` Keys []*KeyMetadata `json:"keys"`
SkipTL bool `json:"skip_tl"` SkipTL bool `json:"skip_tl"`
TransparencyLog TransparencyLogKind `json:"tl"`
} }
type KeyMetadata struct {
ID string `json:"id"`
PEM string `json:"key"`
From time.Time `json:"from"`
To *time.Time `json:"to"`
Status string `json:"status"`
SigningFormat string `json:"signing-format"`
Distrust bool `json:"distrust,omitempty"`
publicKey crypto.PublicKey
}
type (
Keys []*KeyMetadata
KeysMap map[string]*KeyMetadata
)
type SigningOptions struct { type SigningOptions struct {
// don't log to the configured transparency log // set this in order to log to a transparency log
SkipTL bool TransparencyLog tlog.TransparencyLog
} }
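Review bot: `RekorTransparencyLogKind` is declared as an untyped string constant right after the `TransparencyLogKind` type is introduced, so it only matches `VerifyOptions.TransparencyLog` through implicit conversion and any future `switch` or comparison against a plain `string` will compile without complaint; declare it with the type, `RekorTransparencyLogKind TransparencyLogKind = "rekor"`. The comment on `SigningOptions.TransparencyLog` should also state the consequence of leaving it nil, since the default now produces a signature without a log entry, for example `// TransparencyLog, when non-nil, receives an entry for every signature; nil means the envelope carries no log extension and verification will require SkipTL.` The `publicKey crypto.PublicKey` field moved into `KeyMetadata` is unexported and undocumented; a one-line comment saying it is the cached parsed form of `PEM` (if that is its role — the parsing code is not in this hunk) would help.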
type Options struct { type Options struct {

143
attestation/verifier.go Normal file

@@ -0,0 +1,143 @@
package attestation
import (
"context"
"crypto"
"crypto/x509"
"fmt"
"github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
"github.com/docker/attest/tuf"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
)
func WithTUFDownloader(tufDownloader tuf.Downloader) func(*verifier) {
return func(r *verifier) {
r.tufDownloader = tufDownloader
}
}
type SignatureVerifierFactory func(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error)
func WithSignatureVerifierFactory(factory SignatureVerifierFactory) func(*verifier) {
return func(r *verifier) {
r.signatureVerifierFactory = factory
}
}
func WithLogVerifierFactory(factory LogVerifierFactory) func(*verifier) {
return func(r *verifier) {
r.logVerifierFactory = factory
}
}
type LogVerifierFactory func(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error)
func NewVerfier(options ...func(*verifier)) (Verifier, error) {
verifier := &verifier{}
for _, opt := range options {
opt(verifier)
}
return verifier, nil
}
type Verifier interface {
GetSignatureVerifier(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error)
GetLogVerifier(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error)
VerifySignature(ctx context.Context, publicKey crypto.PublicKey, data []byte, signature []byte, opts *VerifyOptions) error
VerifyLog(ctx context.Context, keyMeta *KeyMetadata, data []byte, sig *Signature, opts *VerifyOptions) error
}
// ensure it has all the necessary methods.
var _ Verifier = (*verifier)(nil)
type verifier struct {
tufDownloader tuf.Downloader
signatureVerifierFactory SignatureVerifierFactory
logVerifierFactory LogVerifierFactory
}
// GetLogVerifier implements Verifier.
func (v *verifier) GetLogVerifier(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error) {
if v.logVerifierFactory != nil {
return v.logVerifierFactory(ctx, opts)
}
if opts.SkipTL {
return nil, nil
}
// TODO support other transparency logs
var transparencyLog tlog.TransparencyLog
switch opts.TransparencyLog {
case "", RekorTransparencyLogKind:
var err error
transparencyLog, err = tlog.NewRekorLog(tlog.WithTUFDownloader(v.tufDownloader))
if err != nil {
return nil, fmt.Errorf("error failed to create rekor verifier: %w", err)
}
default:
return nil, fmt.Errorf("unsupported transparency log: %s", opts.TransparencyLog)
}
return transparencyLog, nil
}
// GetSignatureVerifier implements Verifier.
func (v *verifier) GetSignatureVerifier(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error) {
if v.signatureVerifierFactory != nil {
return v.signatureVerifierFactory(ctx, publicKey, opts)
}
// TODO: use details from opts to decide which algorithm to use here
ecdsaVerifier, err := signerverifier.NewECDSAVerifier(publicKey)
if err != nil {
return nil, fmt.Errorf("error failed to create ecdsa verifier: %w", err)
}
return ecdsaVerifier, nil
}
func (v *verifier) VerifySignature(ctx context.Context, publicKey crypto.PublicKey, data []byte, signature []byte, opts *VerifyOptions) error {
sigVerifier, err := v.GetSignatureVerifier(ctx, publicKey, opts)
if err != nil {
return fmt.Errorf("error failed to get verifier: %w", err)
}
return sigVerifier.Verify(ctx, data, signature)
}
func (v *verifier) VerifyLog(ctx context.Context, keyMeta *KeyMetadata, encPayload []byte, sig *Signature, opts *VerifyOptions) error {
if opts.SkipTL {
return nil
}
if sig.Extension == nil || sig.Extension.Kind == "" {
return fmt.Errorf("error missing signature extension")
}
if sig.Extension.Kind != DockerDSSEExtKind {
return fmt.Errorf("error unsupported signature extension kind: %s", sig.Extension.Kind)
}
transparencyLog, err := v.GetLogVerifier(ctx, opts)
if err != nil {
return fmt.Errorf("error failed to get transparency log verifier: %w", err)
}
if transparencyLog == nil {
return fmt.Errorf("error missing transparency log verifier")
}
// verify TL entry payload
publicKey, err := keyMeta.ParsedKey()
if err != nil {
return fmt.Errorf("error failed to parse public key: %w", err)
}
encodedPub, err := x509.MarshalPKIXPublicKey(publicKey)
if err != nil {
return fmt.Errorf("error failed to marshal public key: %w", err)
}
integratedTime, err := transparencyLog.VerifyEntry(ctx, sig.Extension.Ext.TL, encPayload, encodedPub)
if err != nil {
return fmt.Errorf("TL entry failed verification: %w", err)
}
if integratedTime.Before(keyMeta.From) {
return fmt.Errorf("key %s was not yet valid at TL log time %s (key valid from %s)", keyMeta.ID, integratedTime, keyMeta.From)
}
if keyMeta.To != nil && !integratedTime.Before(*keyMeta.To) {
return fmt.Errorf("key %s was already %s at TL log time %s (key %s at %s)", keyMeta.ID, keyMeta.Status, integratedTime, keyMeta.Status, *keyMeta.To)
}
return nil
}
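Review bot: `VerifyLog` checks `sig.Extension` and its `Kind` but then dereferences `sig.Extension.Ext.TL` unconditionally, so an envelope whose extension has the right kind and no `ext` object (or an `ext` without `tl`) crashes the verifier with a nil-pointer panic instead of failing verification; add `if sig.Extension.Ext == nil || sig.Extension.Ext.TL == nil { return fmt.Errorf("error missing transparency log entry in signature extension") }` before the `GetLogVerifier` call. Separately, the exported constructor is spelled `NewVerfier`; renaming after release is a breaking change, so `NewVerifier` should be fixed now while the call sites are in this same commit. `GetLogVerifier` also builds a fresh Rekor log (via `tlog.NewRekorLog`) on every call, which VerifyLog invokes per signature — if that constructor does any setup such as TUF retrieval, caching the result on the verifier would avoid repeating it. The error strings throughout the file carry an "error failed to" prefix that is redundant once wrapped with `%w`.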


@@ -0,0 +1,55 @@
package attestation
import (
"context"
"reflect"
"testing"
"github.com/docker/attest/tlog"
"github.com/docker/attest/tuf"
"github.com/stretchr/testify/require"
)
func Test_verifier_GetLogVerifier(t *testing.T) {
type fields struct {
tufDownloader tuf.Downloader
signatureVerifierFactory SignatureVerifierFactory
logVerifierFactory LogVerifierFactory
}
type args struct {
ctx context.Context
opts *VerifyOptions
}
rekor, err := tlog.NewRekorLog()
require.NoError(t, err)
tests := []struct {
name string
fields fields
args args
want tlog.TransparencyLog
wantErr bool
}{
{name: "skip_tl true", fields: fields{}, args: args{ctx: context.Background(), opts: &VerifyOptions{SkipTL: true}}},
{name: "skip_tl false", fields: fields{}, args: args{ctx: context.Background(), opts: &VerifyOptions{SkipTL: false}}, want: rekor},
{name: "tl: rekor", fields: fields{logVerifierFactory: func(_ context.Context, _ *VerifyOptions) (tlog.TransparencyLog, error) {
return &tlog.Rekor{}, nil
}}, args: args{ctx: context.Background(), opts: &VerifyOptions{}}, want: &tlog.Rekor{}},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
v := &verifier{
tufDownloader: tt.fields.tufDownloader,
signatureVerifierFactory: tt.fields.signatureVerifierFactory,
logVerifierFactory: tt.fields.logVerifierFactory,
}
got, err := v.GetLogVerifier(tt.args.ctx, tt.args.opts)
if (err != nil) != tt.wantErr {
t.Errorf("verifier.GetLogVerifier() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("verifier.GetLogVerifier() = %v, want %v", got, tt.want)
}
})
}
}
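Review bot: `wantErr` is never set to true in `Test_verifier_GetLogVerifier`, so the only error branch in the function under test, the `default:` case for an unknown log kind, is not exercised; one more row covers it: `{name: "unsupported tl", args: args{ctx: context.Background(), opts: &VerifyOptions{TransparencyLog: "other"}}, wantErr: true},`. The "skip_tl false" case compares against a `rekor` built by `tlog.NewRekorLog()` at the top of the test with `reflect.DeepEqual`; whether that is deterministic, and whether the constructor touches the network or TUF metadata, is not visible from this file, so the test may be environment-dependent. The `tl: rekor` case exercises the factory path rather than the kind switch; its name suggests the latter.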


@@ -2,37 +2,17 @@ package attestation
import ( import (
"context" "context"
"crypto/ecdsa" "crypto"
"crypto/x509"
"encoding/base64" "encoding/base64"
"encoding/json"
"fmt" "fmt"
"time"
"github.com/docker/attest/internal/util"
"github.com/docker/attest/signerverifier" "github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
intoto "github.com/in-toto/in-toto-golang/in_toto" intoto "github.com/in-toto/in-toto-golang/in_toto"
ociv1 "github.com/opencontainers/image-spec/specs-go/v1" ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/secure-systems-lab/go-securesystemslib/dsse"
) )
type KeyMetadata struct { func VerifyDSSE(ctx context.Context, verifier Verifier, env *Envelope, opts *VerifyOptions) ([]byte, error) {
ID string `json:"id"`
PEM string `json:"key"`
From time.Time `json:"from"`
To *time.Time `json:"to"`
Status string `json:"status"`
SigningFormat string `json:"signing-format"`
Distrust bool `json:"distrust,omitempty"`
}
type (
Keys []*KeyMetadata
KeysMap map[string]*KeyMetadata
)
func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte, error) {
// enforce payload type // enforce payload type
if !ValidPayloadType(env.PayloadType) { if !ValidPayloadType(env.PayloadType) {
return nil, fmt.Errorf("unsupported payload type %s", env.PayloadType) return nil, fmt.Errorf("unsupported payload type %s", env.PayloadType)
@@ -42,97 +22,62 @@ func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte
return nil, fmt.Errorf("no signatures found") return nil, fmt.Errorf("no signatures found")
} }
keys := make(map[string]*KeyMetadata, len(opts.Keys))
for _, key := range opts.Keys {
keys[key.ID] = key
}
payload, err := base64Encoding.DecodeString(env.Payload) payload, err := base64Encoding.DecodeString(env.Payload)
if err != nil { if err != nil {
return nil, fmt.Errorf("error failed to decode payload: %w", err) return nil, fmt.Errorf("error failed to decode payload: %w", err)
} }
encPayload := dsse.PAE(env.PayloadType, payload) encPayload := dsse.PAE(env.PayloadType, payload)
// verify signatures and transparency log entry // verify signatures and transparency log entry
for _, sig := range env.Signatures { for _, sig := range env.Signatures {
err := verifySignature(ctx, sig, encPayload, opts) // resolve public key used to sign
keyMeta, ok := keys[sig.KeyID]
if !ok {
return nil, fmt.Errorf("error key not found: %s", sig.KeyID)
}
if keyMeta.Distrust {
return nil, fmt.Errorf("key %s is distrusted", keyMeta.ID)
}
publicKey, err := keyMeta.ParsedKey()
if err != nil { if err != nil {
return nil, err return nil, fmt.Errorf("failed to parse public key: %w", err)
}
// decode signature
signature, err := base64.StdEncoding.Strict().DecodeString(sig.Sig)
if err != nil {
return nil, fmt.Errorf("error failed to decode signature: %w", err)
}
err = verifier.VerifySignature(ctx, publicKey, encPayload, signature, opts)
if err != nil {
return nil, fmt.Errorf("error failed to verify signature: %w", err)
}
if err := verifier.VerifyLog(ctx, keyMeta, encPayload, sig, opts); err != nil {
return nil, fmt.Errorf("error failed to verify transparency log entry: %w", err)
} }
} }
return payload, nil return payload, nil
} }
func verifySignature(ctx context.Context, sig *Signature, payload []byte, opts *VerifyOptions) error {
keys := make(map[string]*KeyMetadata, len(opts.Keys))
for _, key := range opts.Keys {
keys[key.ID] = key
}
keyMeta, ok := keys[sig.KeyID]
if !ok {
return fmt.Errorf("error key not found: %s", sig.KeyID)
}
if keyMeta.Distrust {
return fmt.Errorf("key %s is distrusted", keyMeta.ID)
}
// TODO: this is unmarshalling with MarshalPKIXPublicKey only for us to marshal it again
publicKey, err := signerverifier.ParsePublicKey([]byte(keyMeta.PEM))
if err != nil {
return fmt.Errorf("failed to parse public key: %w", err)
}
if !opts.SkipTL {
t := tlog.GetTL(ctx)
if sig.Extension == nil || sig.Extension.Kind == "" {
return fmt.Errorf("error missing signature extension")
}
if sig.Extension.Kind != DockerDSSEExtKind {
return fmt.Errorf("error unsupported signature extension kind: %s", sig.Extension.Kind)
}
// verify TL entry
if sig.Extension.Ext.TL.Kind != RekorTLExtKind {
return fmt.Errorf("error unsupported TL extension kind: %s", sig.Extension.Ext.TL.Kind)
}
entry := sig.Extension.Ext.TL.Data
entryBytes, err := json.Marshal(entry)
if err != nil {
return fmt.Errorf("failed to marshal TL entry: %w", err)
}
integratedTime, err := t.VerifyLogEntry(ctx, entryBytes)
if err != nil {
return fmt.Errorf("TL entry failed verification: %w", err)
}
if integratedTime.Before(keyMeta.From) {
return fmt.Errorf("key %s was not yet valid at TL log time %s (key valid from %s)", keyMeta.ID, integratedTime, keyMeta.From)
}
if keyMeta.To != nil && !integratedTime.Before(*keyMeta.To) {
return fmt.Errorf("key %s was already %s at TL log time %s (key %s at %s)", keyMeta.ID, keyMeta.Status, integratedTime, keyMeta.Status, *keyMeta.To)
}
// verify TL entry payload
encodedPub, err := x509.MarshalPKIXPublicKey(publicKey)
if err != nil {
return fmt.Errorf("error failed to marshal public key: %w", err)
}
err = t.VerifyEntryPayload(entryBytes, payload, encodedPub)
if err != nil {
return fmt.Errorf("TL entry failed payload verification: %w", err)
}
}
// decode signature
signature, err := base64.StdEncoding.Strict().DecodeString(sig.Sig)
if err != nil {
return fmt.Errorf("error failed to decode signature: %w", err)
}
// verify payload ecdsa signature
ok = ecdsa.VerifyASN1(publicKey, util.SHA256(payload), signature)
if !ok {
return fmt.Errorf("payload signature is not valid")
}
return nil
}
func ValidPayloadType(payloadType string) bool { func ValidPayloadType(payloadType string) bool {
return payloadType == intoto.PayloadType || payloadType == ociv1.MediaTypeDescriptor return payloadType == intoto.PayloadType || payloadType == ociv1.MediaTypeDescriptor
} }
func (km *KeyMetadata) ParsedKey() (crypto.PublicKey, error) {
if km.publicKey != nil {
return km.publicKey, nil
}
publicKey, err := signerverifier.ParsePublicKey([]byte(km.PEM))
if err != nil {
return nil, fmt.Errorf("failed to parse public key: %w", err)
}
km.publicKey = publicKey
return publicKey, nil
}
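Review bot: The parse error is wrapped twice: `ParsedKey` already returns `fmt.Errorf("failed to parse public key: %w", err)` and the caller in `VerifyDSSE` wraps it again with the same prefix, so a bad PEM surfaces as `failed to parse public key: failed to parse public key: ...`; the caller should either `return nil, err` (as the old side did) or use a distinct message such as `fmt.Errorf("key %s: %w", sig.KeyID, err)`. The new `verifier` parameter is used at `verifier.VerifySignature` and `verifier.VerifyLog` without a nil check, and the updated test calls `VerifyDSSE(ctx, nil, env, opts)`, which only avoids a nil-interface panic because the no-signatures check returns first; a guard such as `if verifier == nil { return nil, fmt.Errorf("verifier must not be nil") }` at the top of `VerifyDSSE` (which starts in the previous hunk) would make that an error instead. `ParsedKey` also writes the parsed key into `km.publicKey` without synchronisation; if the same `KeyMetadata` values in `opts.Keys` are verified from several goroutines this is a data race, so the cache should either be documented as single-goroutine or guarded with a `sync.Once` — the field's declaration is outside this hunk, so I cannot confirm how it is shared.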


@@ -42,8 +42,7 @@ func TestVerifyUnsignedAttestation(t *testing.T) {
opts := &attestation.VerifyOptions{ opts := &attestation.VerifyOptions{
Keys: attestation.Keys{}, Keys: attestation.Keys{},
} }
_, err := attestation.VerifyDSSE(ctx, nil, env, opts)
_, err := attestation.VerifyDSSE(ctx, env, opts)
assert.Error(t, err) assert.Error(t, err)
assert.Contains(t, err.Error(), "no signatures") assert.Contains(t, err.Error(), "no signatures")
} }


@@ -7,6 +7,7 @@ import (
"github.com/docker/attest/attestation" "github.com/docker/attest/attestation"
"github.com/docker/attest/oci" "github.com/docker/attest/oci"
"github.com/docker/attest/signerverifier" "github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
v1 "github.com/google/go-containerregistry/pkg/v1" v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/empty" "github.com/google/go-containerregistry/pkg/v1/empty"
"github.com/google/go-containerregistry/pkg/v1/mutate" "github.com/google/go-containerregistry/pkg/v1/mutate"
@@ -25,8 +26,14 @@ func ExampleSignStatements_remote() {
// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region) // signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)
// configure signing options // configure signing options
// use rekor transparency log wit static rekor public key (see options to use dynamic rekor public key)
rekor, err := tlog.NewRekorLog()
if err != nil {
panic(err)
}
opts := &attestation.SigningOptions{ opts := &attestation.SigningOptions{
SkipTL: true, // skip trust logging to a transparency log TransparencyLog: rekor, // unset this to disable signature transparency logging
} }
// load image index with unsigned attestation-manifests // load image index with unsigned attestation-manifests
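Review bot: The added comment `// use rekor transparency log wit static rekor public key (see options to use dynamic rekor public key)` has a typo and reads awkwardly; suggest `// use the rekor transparency log with a static rekor public key (see options for using a dynamic rekor public key)`. Since this example is the reference for callers, it would also help to state next to `TransparencyLog: rekor` that the attestation is only logged when this field is set, matching the old `SkipTL` comment's intent. The body of `ExampleSignStatements_remote` continues outside the hunk.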

47
go.mod

@@ -4,10 +4,12 @@ go 1.22.5
require ( require (
github.com/Masterminds/semver/v3 v3.3.0 github.com/Masterminds/semver/v3 v3.3.0
github.com/aws/aws-sdk-go-v2/config v1.27.33 github.com/aws/aws-sdk-go-v2/config v1.27.38
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8
github.com/containerd/containerd/v2 v2.0.0-rc.4
github.com/containerd/platforms v0.2.1 github.com/containerd/platforms v0.2.1
github.com/distribution/reference v0.6.0 github.com/distribution/reference v0.6.0
github.com/docker-library/bashbrew v0.1.12
github.com/go-openapi/runtime v0.28.0 github.com/go-openapi/runtime v0.28.0
github.com/go-openapi/strfmt v0.23.0 github.com/go-openapi/strfmt v0.23.0
github.com/google/go-containerregistry v0.20.2 github.com/google/go-containerregistry v0.20.2
@@ -18,11 +20,12 @@ require (
github.com/secure-systems-lab/go-securesystemslib v0.8.0 github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/cosign/v2 v2.4.0 github.com/sigstore/cosign/v2 v2.4.0
github.com/sigstore/rekor v1.3.6 github.com/sigstore/rekor v1.3.6
github.com/sigstore/sigstore v1.8.9
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.9 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.9
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.9 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.9
github.com/stretchr/testify v1.9.0 github.com/stretchr/testify v1.9.0
github.com/theupdateframework/go-tuf/v2 v2.0.0 github.com/theupdateframework/go-tuf/v2 v2.0.0
google.golang.org/api v0.197.0 google.golang.org/api v0.199.0
sigs.k8s.io/yaml v1.4.0 sigs.k8s.io/yaml v1.4.0
) )
@@ -31,35 +34,38 @@ replace github.com/google/go-containerregistry => github.com/docker/go-container
require ( require (
cloud.google.com/go v0.115.1 // indirect cloud.google.com/go v0.115.1 // indirect
cloud.google.com/go/auth v0.9.3 // indirect cloud.google.com/go/auth v0.9.5 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
cloud.google.com/go/compute/metadata v0.5.0 // indirect cloud.google.com/go/compute/metadata v0.5.2 // indirect
cloud.google.com/go/iam v1.2.0 // indirect cloud.google.com/go/iam v1.2.0 // indirect
cloud.google.com/go/kms v1.19.0 // indirect cloud.google.com/go/kms v1.19.0 // indirect
cloud.google.com/go/longrunning v0.6.0 // indirect cloud.google.com/go/longrunning v0.6.0 // indirect
github.com/Microsoft/hcsshim v0.12.6 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v1.0.0 // indirect github.com/ProtonMail/go-crypto v1.0.0 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect github.com/aws/aws-sdk-go-v2 v1.31.0 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect github.com/aws/aws-sdk-go-v2/credentials v1.17.36 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.35.5 // indirect github.com/aws/aws-sdk-go-v2/service/kms v1.35.5 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.23.2 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.2 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.31.2 // indirect
github.com/aws/smithy-go v1.20.4 // indirect github.com/aws/smithy-go v1.21.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect github.com/blang/semver v3.5.1+incompatible // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cloudflare/circl v1.3.8 // indirect github.com/cloudflare/circl v1.3.8 // indirect
github.com/containerd/containerd v1.7.21 // indirect
github.com/containerd/errdefs v0.1.0 // indirect
github.com/containerd/log v0.1.0 // indirect github.com/containerd/log v0.1.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
@@ -113,7 +119,7 @@ require (
github.com/oklog/ulid v1.3.1 // indirect github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.2.2 // indirect github.com/pelletier/go-toml/v2 v2.2.3 // indirect
github.com/pkg/errors v0.9.1 // indirect github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_golang v1.20.2 // indirect github.com/prometheus/client_golang v1.20.2 // indirect
@@ -126,7 +132,6 @@ require (
github.com/sassoftware/relic v7.2.1+incompatible // indirect github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/protobuf-specs v0.3.2 // indirect github.com/sigstore/protobuf-specs v0.3.2 // indirect
github.com/sigstore/sigstore v1.8.8 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect github.com/sirupsen/logrus v1.9.3 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect github.com/sourcegraph/conc v0.3.0 // indirect
@@ -157,7 +162,7 @@ require (
go.uber.org/zap v1.27.0 // indirect go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.27.0 // indirect golang.org/x/crypto v0.27.0 // indirect
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
golang.org/x/mod v0.19.0 // indirect golang.org/x/mod v0.20.0 // indirect
golang.org/x/net v0.29.0 // indirect golang.org/x/net v0.29.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect golang.org/x/oauth2 v0.23.0 // indirect
golang.org/x/sync v0.8.0 // indirect golang.org/x/sync v0.8.0 // indirect
@@ -168,11 +173,13 @@ require (
google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
google.golang.org/grpc v1.66.1 // indirect google.golang.org/grpc v1.67.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect
gotest.tools/v3 v3.5.1 // indirect gotest.tools/v3 v3.5.1 // indirect
k8s.io/klog/v2 v2.120.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect
pault.ag/go/debian v0.12.0 // indirect
pault.ag/go/topsort v0.1.1 // indirect
) )
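Review bot: `github.com/containerd/containerd/v2 v2.0.0-rc.4` pins a release candidate as a direct production dependency, and the indirect block now also carries `github.com/containerd/containerd v1.7.21`, so two major versions of containerd are resolved in the same build; the commit description should say why the v2 RC is needed and note the follow-up to move to a tagged v2.0.0 release. `github.com/docker-library/bashbrew v0.1.12` is a new direct dependency that pulls in `pault.ag/go/debian` and `pault.ag/go/topsort`, which is worth calling out in the description as it widens the supply-chain surface for a parsing helper. `github.com/sigstore/sigstore v1.8.9` is promoted from indirect to direct, which is consistent with the verifier changes but is also unmentioned.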

129
go.sum

@@ -1,12 +1,12 @@
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.115.1 h1:Jo0SM9cQnSkYfp44+v+NQXHpcHqlnRJk2qxh6yvxxxQ= cloud.google.com/go v0.115.1 h1:Jo0SM9cQnSkYfp44+v+NQXHpcHqlnRJk2qxh6yvxxxQ=
cloud.google.com/go v0.115.1/go.mod h1:DuujITeaufu3gL68/lOFIirVNJwQeyf5UXyi+Wbgknc= cloud.google.com/go v0.115.1/go.mod h1:DuujITeaufu3gL68/lOFIirVNJwQeyf5UXyi+Wbgknc=
cloud.google.com/go/auth v0.9.3 h1:VOEUIAADkkLtyfr3BLa3R8Ed/j6w1jTBmARx+wb5w5U= cloud.google.com/go/auth v0.9.5 h1:4CTn43Eynw40aFVr3GpPqsQponx2jv0BQpjvajsbbzw=
cloud.google.com/go/auth v0.9.3/go.mod h1:7z6VY+7h3KUdRov5F1i8NDP5ZzWKYmEPO842BgCsmTk= cloud.google.com/go/auth v0.9.5/go.mod h1:Xo0n7n66eHyOWWCnitop6870Ilwo3PiZyodVkkH1xWM=
cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy19DBn6B6bY= cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy19DBn6B6bY=
cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc= cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc=
cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY= cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo=
cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY= cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k=
cloud.google.com/go/iam v1.2.0 h1:kZKMKVNk/IsSSc/udOb83K0hL/Yh/Gcqpz+oAkoIFN8= cloud.google.com/go/iam v1.2.0 h1:kZKMKVNk/IsSSc/udOb83K0hL/Yh/Gcqpz+oAkoIFN8=
cloud.google.com/go/iam v1.2.0/go.mod h1:zITGuWgsLZxd8OwAlX+eMFgZDXzBm7icj1PVTYG766Q= cloud.google.com/go/iam v1.2.0/go.mod h1:zITGuWgsLZxd8OwAlX+eMFgZDXzBm7icj1PVTYG766Q=
cloud.google.com/go/kms v1.19.0 h1:x0OVJDl6UH1BSX4THKlMfdcFWoE4ruh90ZHuilZekrU= cloud.google.com/go/kms v1.19.0 h1:x0OVJDl6UH1BSX4THKlMfdcFWoE4ruh90ZHuilZekrU=
@@ -54,10 +54,13 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/DataDog/zstd v1.4.8/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
github.com/Microsoft/hcsshim v0.12.6 h1:qEnZjoHXv+4/s0LmKZWE0/AiZmMWEIkFfWBSf1a0wlU=
github.com/Microsoft/hcsshim v0.12.6/go.mod h1:ZABCLVcvLMjIkzr9rUGcQ1QA0p0P3Ps+d3N1g2DsFfk=
github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78= github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78=
@@ -96,38 +99,38 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU= github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g= github.com/aws/aws-sdk-go-v2 v1.31.0 h1:3V05LbxTSItI5kUqNwhJrrrY1BAXxXt0sN0l72QmG5U=
github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= github.com/aws/aws-sdk-go-v2 v1.31.0/go.mod h1:ztolYtaEUtdpf9Wftr31CJfLVjOnD/CVRkKOOYgF8hA=
github.com/aws/aws-sdk-go-v2/config v1.27.33 h1:Nof9o/MsmH4oa0s2q9a0k7tMz5x/Yj5k06lDODWz3BU= github.com/aws/aws-sdk-go-v2/config v1.27.38 h1:mMVyJJuSUdbD4zKXoxDgWrgM60QwlFEg+JhihCq6wCw=
github.com/aws/aws-sdk-go-v2/config v1.27.33/go.mod h1:kEqdYzRb8dd8Sy2pOdEbExTTF5v7ozEXX0McgPE7xks= github.com/aws/aws-sdk-go-v2/config v1.27.38/go.mod h1:6xOiNEn58bj/64MPKx89r6G/el9JZn8pvVbquSqTKK4=
github.com/aws/aws-sdk-go-v2/credentials v1.17.32 h1:7Cxhp/BnT2RcGy4VisJ9miUPecY+lyE9I8JvcZofn9I= github.com/aws/aws-sdk-go-v2/credentials v1.17.36 h1:zwI5WrT+oWWfzSKoTNmSyeBKQhsFRJRv+PGW/UZW+Yk=
github.com/aws/aws-sdk-go-v2/credentials v1.17.32/go.mod h1:P5/QMF3/DCHbXGEGkdbilXHsyTBX5D3HSwcrSc9p20I= github.com/aws/aws-sdk-go-v2/credentials v1.17.36/go.mod h1:3AG/sY1rc9NJrNWcN/3KPU4SIDPGTrd/qegKB0TnFdE=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 h1:C/d03NAmh8C4BZXhuRNboF/DqhBkBCeDiJDcaqIT5pA=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14/go.mod h1:7I0Ju7p9mCIdlrfS+JCgqcYD0VXz/N4yozsox+0o078=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 h1:kYQ3H1u0ANr9KEKlGs/jTLrBFPo8P8NaH/w7A01NeeM=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17/go.mod h1:Dh5zzJYMtxfIjYW+/evjQ8uj2OyR/ve2KROHGHlSFqE= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18/go.mod h1:r506HmK5JDUh9+Mw4CfGJGSSoqIiLCndAuqXuhbv67Y=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 h1:Mqr/V5gvrhA2gvgnF42Zh5iMiQNcOYthFYwCyrnuWlc= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 h1:Z7IdFUONvTcvS7YuhtVxN99v2cCoHRXOS4mTr0B/pUc=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17/go.mod h1:aLJpZlCmjE+V+KtN1q1uyZkfnUWpQGpbsn89XPKyzfU= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18/go.mod h1:DkKMmksZVVyat+Y+r1dEOgJEfUeA7UngIHWeKsi0yNc=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1 h1:ywNLJrn/Qn4enDsz/XnKlvpnLqvJxFGQV2BltWltbis= github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1 h1:ywNLJrn/Qn4enDsz/XnKlvpnLqvJxFGQV2BltWltbis=
github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1/go.mod h1:WadVIk+UrTvWuAsCp6BKGX4i2snurpz8mPWhJQnS7Dg= github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1/go.mod h1:WadVIk+UrTvWuAsCp6BKGX4i2snurpz8mPWhJQnS7Dg=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 h1:Eq9i/mvOlGghiKe9NtsmeD9Wlwg8p4fbsqrMb3nWirM= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 h1:Eq9i/mvOlGghiKe9NtsmeD9Wlwg8p4fbsqrMb3nWirM=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1/go.mod h1:VtOgEoLEPV1YADuq+Z2XOK6/wKkGW2YK6DjChZ/GvDs= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1/go.mod h1:VtOgEoLEPV1YADuq+Z2XOK6/wKkGW2YK6DjChZ/GvDs=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbLPPHEmf9DgMGw51jMj77VfGPAN2Kv4cfhlfgI= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 h1:QFASJGfT8wMXtuP3D5CRmMjARHv9ZmzFUMJznHDOY3w=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5/go.mod h1:QdZ3OmoIjSX+8D1OPAzPxDfjXASbBMDsz9qvtyIhtik=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsdzgl7ZL2KlXiUAoJnI/VxfHCvDFr2QDFj6u4= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 h1:Xbwbmk44URTiHNx6PNo0ujDE6ERlsCKJD3u1zfnzAPg=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20/go.mod h1:oAfOFzUB14ltPZj1rWwRc3d/6OgD76R8KlvU3EqM9Fg=
github.com/aws/aws-sdk-go-v2/service/kms v1.35.5 h1:XUomV7SiclZl1QuXORdGcfFqHxEHET7rmNGtxTfNB+M= github.com/aws/aws-sdk-go-v2/service/kms v1.35.5 h1:XUomV7SiclZl1QuXORdGcfFqHxEHET7rmNGtxTfNB+M=
github.com/aws/aws-sdk-go-v2/service/kms v1.35.5/go.mod h1:A5CS0VRmxxj2YKYLCY08l/Zzbd01m6JZn0WzxgT1OCA= github.com/aws/aws-sdk-go-v2/service/kms v1.35.5/go.mod h1:A5CS0VRmxxj2YKYLCY08l/Zzbd01m6JZn0WzxgT1OCA=
github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 h1:pIaGg+08llrP7Q5aiz9ICWbY8cqhTkyy+0SHvfzQpTc= github.com/aws/aws-sdk-go-v2/service/sso v1.23.2 h1:yzi/y/vKlLyzOfG7pSu5ONNGRxHIgLeDrV4w2AMRCo0=
github.com/aws/aws-sdk-go-v2/service/sso v1.22.7/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ= github.com/aws/aws-sdk-go-v2/service/sso v1.23.2/go.mod h1:XRlMvmad0ZNL+75C5FYdMvbbLkd6qiqz6foR1nA1PXY=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 h1:/Cfdu0XV3mONYKaOt1Gr0k1KvQzkzPyiKUdlWJqy+J4= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.2 h1:3gb6pYhYLjo8rB1h2Tqs61wpjRd3rQymYcVq/pp0yxI=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.2/go.mod h1:FnvDM4sfa+isJ3kDXIzAB9GAwVSzFzSy97uZ3IsHo4E=
github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 h1:NKTa1eqZYw8tiHSRGpP0VtTdub/8KNk8sDkNPFaOKDE= github.com/aws/aws-sdk-go-v2/service/sts v1.31.2 h1:O6tyji8mXmBGsHvTCB0VIhrDw19lGTUSbKIyjnw79s8=
github.com/aws/aws-sdk-go-v2/service/sts v1.30.7/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o= github.com/aws/aws-sdk-go-v2/service/sts v1.31.2/go.mod h1:yMWe0F+XG0DkRZK5ODZhG7BEFYhLXi2dqGsv6tX0cgI=
github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4= github.com/aws/smithy-go v1.21.0 h1:H7L8dtDRk0P1Qm6y0ji7MCYMQObJ5R9CRpyPhRUkLYA=
github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/aws/smithy-go v1.21.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -172,6 +175,12 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUo
github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ=
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
github.com/containerd/containerd v1.7.21 h1:USGXRK1eOC/SX0L195YgxTHb0a00anxajOzgfN0qrCA=
github.com/containerd/containerd v1.7.21/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g=
github.com/containerd/containerd/v2 v2.0.0-rc.4 h1:Bvto4h5i2VZkQ+L5SrGupg5ilQ+zkVPILdjf9RWMego=
github.com/containerd/containerd/v2 v2.0.0-rc.4/go.mod h1:p35nJi4Pl9ibzuoVOPc3MputVh6Gbp9xoDg9VHz6/YI=
github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM=
github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0=
github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
@@ -204,6 +213,8 @@ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi
github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
github.com/docker-library/bashbrew v0.1.12 h1:qykd2fxTMiudN/70XItEQqgk/7LeVoDiBTEnKTpkst8=
github.com/docker-library/bashbrew v0.1.12/go.mod h1:6fyRRSm4vgBAgTw87EsfOT7wXKsc4JA9I5cdQJmwOm8=
github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE=
github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
@@ -237,6 +248,8 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4
github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec=
github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
@@ -286,8 +299,8 @@ github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4= github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY=
github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -395,6 +408,7 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kjk/lzma v0.0.0-20161016003348-3fd93898850d/go.mod h1:phT/jsRPBAEqjAibu1BurrabCBNTYiVI+zbmyCZJY6Q=
github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -464,8 +478,8 @@ github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoX
github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0= github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -513,8 +527,8 @@ github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWw
github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA= github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA=
github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8= github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc= github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
github.com/sigstore/sigstore v1.8.8 h1:B6ZQPBKK7Z7tO3bjLNnlCMG+H66tO4E/+qAphX8T/hg= github.com/sigstore/sigstore v1.8.9 h1:NiUZIVWywgYuVTxXmRoTT4O4QAGiTEKup4N1wdxFadk=
github.com/sigstore/sigstore v1.8.8/go.mod h1:GW0GgJSCTBJY3fUOuGDHeFWcD++c4G8Y9K015pwcpDI= github.com/sigstore/sigstore v1.8.9/go.mod h1:d9ZAbNDs8JJfxJrYmulaTazU3Pwr8uLL9+mii4BNR3w=
github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y= github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y=
github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0= github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.9 h1:tgpdvjyoEgYFeTBFe4MHvBKsG+J4E7NVtstChIExVT8= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.9 h1:tgpdvjyoEgYFeTBFe4MHvBKsG+J4E7NVtstChIExVT8=
@@ -548,7 +562,6 @@ github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -556,7 +569,6 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
@@ -579,12 +591,15 @@ github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG
github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
github.com/xanzy/go-gitlab v0.107.0 h1:P2CT9Uy9yN9lJo3FLxpMZ4xj6uWcpnigXsjvqJ6nd2Y= github.com/xanzy/go-gitlab v0.107.0 h1:P2CT9Uy9yN9lJo3FLxpMZ4xj6uWcpnigXsjvqJ6nd2Y=
github.com/xanzy/go-gitlab v0.107.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY= github.com/xanzy/go-gitlab v0.107.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY=
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg= github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -626,6 +641,7 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
@@ -640,8 +656,8 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -732,8 +748,8 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
google.golang.org/api v0.197.0 h1:x6CwqQLsFiA5JKAiGyGBjc2bNtHtLddhJCE2IKuhhcQ= google.golang.org/api v0.199.0 h1:aWUXClp+VFJmqE0JPvpZOK3LDQMyFKYIow4etYd9qxs=
google.golang.org/api v0.197.0/go.mod h1:AuOuo20GoQ331nq7DquGHlU6d+2wN2fZ8O0ta60nRNw= google.golang.org/api v0.199.0/go.mod h1:ohG4qSztDJmZdjK/Ar6MhbAmb/Rpi4JHOqagsh90K28=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -750,8 +766,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
google.golang.org/grpc v1.66.1 h1:hO5qAXR19+/Z44hmvIM4dQFMSYX9XcWsByfoxutBpAM= google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw=
google.golang.org/grpc v1.66.1/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -788,24 +804,29 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
k8s.io/api v0.28.3 h1:Gj1HtbSdB4P08C8rs9AR94MfSGpRhJgsS+GF9V26xMM= k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo=
k8s.io/api v0.28.3/go.mod h1:MRCV/jr1dW87/qJnZ57U5Pak65LGmQVkKTzf3AtKFHc= k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE=
k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A= k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc=
k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8= k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
k8s.io/client-go v0.28.3 h1:2OqNb72ZuTZPKCl+4gTKvqao0AMOl9f3o2ijbAj3LI4= k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8=
k8s.io/client-go v0.28.3/go.mod h1:LTykbBp9gsA7SwqirlCXBWtK0guzfhpoW4qSm7i9dxo= k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU=
k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
pault.ag/go/debian v0.12.0 h1:b8ctSdBSGJ98NE1VLn06aSx70EUpczlP2qqSHEiYYJA=
pault.ag/go/debian v0.12.0/go.mod h1:UbnMr3z/KZepjq7VzbYgBEfz8j4+Pyrm2L5X1fzhy/k=
pault.ag/go/topsort v0.0.0-20160530003732-f98d2ad46e1a/go.mod h1:INqx0ClF7kmPAMk2zVTX8DRnhZ/yaA/Mg52g8KFKE7k=
pault.ag/go/topsort v0.1.1 h1:L0QnhUly6LmTv0e3DEzbN2q6/FGgAcQvaEw65S53Bg4=
pault.ag/go/topsort v0.1.1/go.mod h1:r1kc/L0/FZ3HhjezBIPaNVhkqv8L0UJ9bxRuHRVZ0q4=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw= sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw=
sigs.k8s.io/release-utils v0.8.4/go.mod h1:m1bHfscTemQp+z+pLCZnkXih9n0+WukIUU70n6nFnU0= sigs.k8s.io/release-utils v0.8.4/go.mod h1:m1bHfscTemQp+z+pLCZnkXih9n0+WukIUU70n6nFnU0=
sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k= software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=


@@ -7,24 +7,22 @@ import (
_ "embed" _ "embed"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"io"
"log"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"os" "os"
"path/filepath" "path/filepath"
"strings" "strings"
"testing" "testing"
"time"
"github.com/docker/attest/attestation"
"github.com/docker/attest/signerverifier" "github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
"github.com/docker/attest/useragent" "github.com/docker/attest/useragent"
"github.com/google/go-containerregistry/pkg/registry" "github.com/google/go-containerregistry/pkg/registry"
"github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/secure-systems-lab/go-securesystemslib/dsse"
) )
const ( const (
UseMockTL = true
UseMockKMS = true UseMockKMS = true
AWSRegion = "us-east-1" AWSRegion = "us-east-1"
@@ -60,15 +58,7 @@ func GetMockSigner(_ context.Context) (dsse.SignerVerifier, error) {
} }
func Setup(t *testing.T) (context.Context, dsse.SignerVerifier) { func Setup(t *testing.T) (context.Context, dsse.SignerVerifier) {
var tl tlog.TL ctx := context.Background()
if UseMockTL {
tl = tlog.GetMockTL()
} else {
tl = &tlog.RekorTL{}
}
ctx := tlog.WithTL(context.Background(), tl)
var signer dsse.SignerVerifier var signer dsse.SignerVerifier
var err error var err error
if UseMockKMS { if UseMockKMS {
@@ -87,6 +77,7 @@ func Setup(t *testing.T) (context.Context, dsse.SignerVerifier) {
} }
func NewLocalRegistry(ctx context.Context, options ...registry.Option) *httptest.Server { func NewLocalRegistry(ctx context.Context, options ...registry.Option) *httptest.Server {
options = append(options, registry.Logger(log.New(io.Discard, "", log.LstdFlags)))
regHandler := registry.New(options...) regHandler := registry.New(options...)
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Check the user agent // Check the user agent
@@ -99,7 +90,7 @@ func NewLocalRegistry(ctx context.Context, options ...registry.Option) *httptest
})) }))
} }
func publicKeyToPEM(pubKey crypto.PublicKey) (string, error) { func PublicKeyToPEM(pubKey crypto.PublicKey) (string, error) {
derBytes, err := x509.MarshalPKIXPublicKey(pubKey) derBytes, err := x509.MarshalPKIXPublicKey(pubKey)
if err != nil { if err != nil {
return "", err return "", err
@@ -112,24 +103,3 @@ func publicKeyToPEM(pubKey crypto.PublicKey) (string, error) {
return string(pem.EncodeToMemory(pemBlock)), nil return string(pem.EncodeToMemory(pemBlock)), nil
} }
// LoadKeyMetadata loads the key metadata for the given signer verifier.
func GenKeyMetadata(sv dsse.SignerVerifier) (*attestation.KeyMetadata, error) {
pub := sv.Public()
pem, err := publicKeyToPEM(pub)
if err != nil {
return nil, fmt.Errorf("failed to convert public key to PEM: %w", err)
}
id, err := sv.KeyID()
if err != nil {
return nil, err
}
return &attestation.KeyMetadata{
ID: id,
Status: "active",
SigningFormat: "dssev1",
From: time.Now(),
PEM: pem,
}, nil
}
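Review bot: `PublicKeyToPEM` becomes an exported helper in this change but carries no doc comment; add `// PublicKeyToPEM marshals pubKey to PKIX DER and returns it as a PEM-encoded string.` above the signature. `NewLocalRegistry` now routes the registry's log output to `io.Discard`, which also hides registry-side errors from the output of a failing test; if the intent is noise reduction, a one-line comment saying so would help, otherwise consider keeping the default logger or letting the caller supply one. `Setup` no longer installs a transparency log in the returned context; presumably its callers were migrated in the same commit, but that is not visible in this hunk. Both `Setup` and `NewLocalRegistry` continue outside the hunk.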


@@ -1,4 +1,4 @@
package config package mapping
import ( import (
"errors" "errors"
@@ -8,6 +8,7 @@ import (
"regexp" "regexp"
"github.com/docker/attest/tuf" "github.com/docker/attest/tuf"
v1 "github.com/google/go-containerregistry/pkg/v1"
"sigs.k8s.io/yaml" "sigs.k8s.io/yaml"
) )
@@ -33,6 +34,13 @@ func validateMappingsFile(mappings *policyMappingsFile) error {
if rule.PolicyID != "" && rule.Replacement != "" { if rule.PolicyID != "" && rule.Replacement != "" {
validationErrors = append(validationErrors, fmt.Errorf("rule cannot have both policy-id and replacement: %s", rule)) validationErrors = append(validationErrors, fmt.Errorf("rule cannot have both policy-id and replacement: %s", rule))
} }
if rule.Platforms != nil {
for _, platform := range rule.Platforms {
if platform == "" {
validationErrors = append(validationErrors, fmt.Errorf("rule has empty platform: %s", rule))
}
}
}
} }
for _, policy := range mappings.Policies { for _, policy := range mappings.Policies {
if policy.ID == "" { if policy.ID == "" {
@@ -100,14 +108,24 @@ func expandMappingFile(mappingFile *policyMappingsFile) (*PolicyMappings, error)
var rules []*PolicyRule var rules []*PolicyRule
for _, rule := range mappingFile.Rules { for _, rule := range mappingFile.Rules {
r, err := regexp.Compile(rule.Pattern) patternRegex, err := regexp.Compile(rule.Pattern)
if err != nil { if err != nil {
return nil, err return nil, err
} }
platforms := make([]*v1.Platform, 0, len(rule.Platforms))
for _, platform := range rule.Platforms {
parsedPlatform, err := v1.ParsePlatform(platform)
if err != nil {
return nil, fmt.Errorf("failed to parse platform %s: %w", platform, err)
}
platforms = append(platforms, parsedPlatform)
}
rules = append(rules, &PolicyRule{ rules = append(rules, &PolicyRule{
Pattern: r, Pattern: patternRegex,
PolicyID: rule.PolicyID, PolicyID: rule.PolicyID,
Replacement: rule.Replacement, Replacement: rule.Replacement,
Platforms: platforms,
}) })
} }
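Review bot: `validateMappingsFile` only rejects an empty platform string, while a malformed one is first reported by `v1.ParsePlatform` in `expandMappingFile`, and then only for the first bad rule instead of being collected into `validationErrors` with the other findings. Since the `v1` import is already added by this change, parse during validation as well, alongside the existing empty check (`ParsePlatform("")` does not appear to return an error, so that check should stay): `if _, err := v1.ParsePlatform(platform); err != nil { validationErrors = append(validationErrors, fmt.Errorf("rule has invalid platform %q: %w", platform, err)) }`. The `if rule.Platforms != nil` guard is redundant, since ranging over a nil slice is a no-op, and can be dropped. `validateMappingsFile` starts outside this hunk.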


@@ -1,4 +1,4 @@
package config package mapping
import ( import (
"testing" "testing"

mapping/match.go Normal file
View File

@@ -0,0 +1,80 @@
package mapping
import (
"fmt"
v1 "github.com/google/go-containerregistry/pkg/v1"
)
type matchType string
const (
MatchTypePolicy matchType = "policy"
MatchTypeMatchNoPolicy matchType = "match_no_policy"
MatchTypeNoMatch matchType = "no_match"
)
type PolicyMatch struct {
MatchType matchType
Policy *PolicyMapping
Rule *PolicyRule
MatchedName string
}
func (mappings *PolicyMappings) FindPolicyMatch(imageName string, platform *v1.Platform) (*PolicyMatch, error) {
if mappings == nil {
return &PolicyMatch{MatchType: MatchTypeNoMatch, MatchedName: imageName}, nil
}
return mappings.findPolicyMatchImpl(imageName, platform, make(map[*PolicyRule]bool))
}
func (mappings *PolicyMappings) findPolicyMatchImpl(imageName string, platform *v1.Platform, matched map[*PolicyRule]bool) (*PolicyMatch, error) {
for _, rule := range mappings.Rules {
if !rule.matchesPlatform(platform) {
continue
}
if rule.Pattern.MatchString(imageName) {
switch {
case rule.PolicyID == "" && rule.Replacement == "":
return nil, fmt.Errorf("rule %s has neither policy-id nor rewrite", rule.Pattern)
case rule.PolicyID != "" && rule.Replacement != "":
return nil, fmt.Errorf("rule %s has both policy-id and rewrite", rule.Pattern)
case rule.PolicyID != "":
policy := mappings.Policies[rule.PolicyID]
if policy != nil {
return &PolicyMatch{
MatchType: MatchTypePolicy,
Policy: policy,
Rule: rule,
MatchedName: imageName,
}, nil
}
return &PolicyMatch{
MatchType: MatchTypeMatchNoPolicy,
Rule: rule,
MatchedName: imageName,
}, nil
case rule.Replacement != "":
if matched[rule] {
return nil, fmt.Errorf("rewrite loop detected")
}
matched[rule] = true
imageName = rule.Pattern.ReplaceAllString(imageName, rule.Replacement)
return mappings.findPolicyMatchImpl(imageName, platform, matched)
}
}
}
return &PolicyMatch{MatchType: MatchTypeNoMatch}, nil
}
func (rule *PolicyRule) matchesPlatform(platform *v1.Platform) bool {
if len(rule.Platforms) == 0 {
return true
}
for i := range rule.Platforms {
if rule.Platforms[i].Equals(*platform) {
return true
}
}
return false
}
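Review bot: matchesPlatform dereferences `*platform` in the Equals call with no nil check, so FindPolicyMatch (and policy.Resolver.ResolvePolicy, which in a later hunk forwards its caller-supplied platform here) panics on a nil platform whenever a rule lists platforms; `if platform == nil { return false }` after the empty-Platforms guard keeps the miss explicit, or the doc comment should state that platform must be non-nil. The final no-match return in findPolicyMatchImpl also omits MatchedName, while the nil-mappings branch in FindPolicyMatch sets it and the replaced policy/match.go returned the rewritten name on a miss, so a caller diagnosing a miss after one or more rewrites cannot see which name was ultimately looked up; `return &PolicyMatch{MatchType: MatchTypeNoMatch, MatchedName: imageName}, nil` keeps the two paths consistent. Platform.Equals compares the whole struct, so a rule platform of `linux/arm64` will not match an image reporting `linux/arm64/v8`; if wildcard matching on unset fields is the intent, v1.Platform.Satisfies is the closer fit, and either way a one-line comment on matchesPlatform stating which semantics are wanted would prevent the next reader from guessing. The exported FindPolicyMatch, PolicyMatch and the MatchType constants have no doc comments.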

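--- a/mapping/match_test.go
+++ b/mapping/match_test.go
@@ -0,0 +1,200 @@
+package mapping
+import (
+"path/filepath"
+"testing"
+v1 "github.com/google/go-containerregistry/pkg/v1"
+"github.com/stretchr/testify/assert"
+"github.com/stretchr/testify/require"
+)
+func TestFindPolicyMatch(t *testing.T) {
+defaultPlatform, err := v1.ParsePlatform("linux/amd64")
+require.NoError(t, err)
+testCases := []struct {
+name string
+imageName string
+mappingDir string
+expectError bool
+expectLoadingError bool
+expectedMatchType matchType
+expectedPolicyID string
+expectedImageName string
+platform string
+}{
+{
+name: "alpine",
+mappingDir: "doi",
+imageName: "docker.io/library/alpine",
+expectedMatchType: MatchTypePolicy,
+expectedPolicyID: "docker-official-images",
+expectedImageName: "docker.io/library/alpine",
+},
+{
+name: "no match",
+mappingDir: "doi",
+imageName: "docker.io/something/else",
+expectedMatchType: MatchTypeNoMatch,
+},
+{
+name: "match, no policy",
+mappingDir: "local",
+imageName: "docker.io/library/alpine",
+expectedMatchType: MatchTypeMatchNoPolicy,
+expectedImageName: "docker.io/library/alpine",
+},
+{
+name: "simple rewrite",
+mappingDir: "simple-rewrite",
+imageName: "mycoolmirror.org/library/alpine",
+expectedMatchType: MatchTypePolicy,
+expectedPolicyID: "docker-official-images",
+expectedImageName: "docker.io/library/alpine",
+},
+{
+name: "rewrite no match",
+mappingDir: "rewrite-to-no-match",
+imageName: "mycoolmirror.org/library/alpine",
+expectedMatchType: MatchTypeNoMatch,
+},
+{
+name: "rewrite to match, no policy",
+mappingDir: "rewrite-to-local",
+imageName: "mycoolmirror.org/library/alpine",
+expectedMatchType: MatchTypeMatchNoPolicy,
+expectedImageName: "docker.io/library/alpine",
+},
+{
+name: "multiple rewrites",
+mappingDir: "rewrite-multiple",
+imageName: "myevencoolermirror.org/library/alpine",
+expectedMatchType: MatchTypePolicy,
+expectedPolicyID: "docker-official-images",
+expectedImageName: "docker.io/library/alpine",
+},
+{
+name: "rewrite loop",
+mappingDir: "rewrite-loop",
+imageName: "yin/alpine",
+expectError: true,
+},
+{
+name: "alpine with platform",
+mappingDir: "doi",
+imageName: "docker.io/library/alpine",
+platform: "linux/amd64",
+expectedMatchType: MatchTypePolicy,
+expectedPolicyID: "docker-official-images",
+expectedImageName: "docker.io/library/alpine",
+},
+{
+name: "alpine with platform",
+mappingDir: "doi-platform",
+imageName: "docker.io/library/alpine",
+platform: "linux/amd64",
+expectedMatchType: MatchTypePolicy,
+expectedPolicyID: "docker-official-images",
+expectedImageName: "docker.io/library/alpine",
+},
+{
+name: "alpine with no matching platform",
+mappingDir: "doi-platform",
+imageName: "docker.io/library/alpine",
+platform: "linux/arm64",
+expectedMatchType: MatchTypeNoMatch,
+expectedPolicyID: "docker-official-images",
+},
+{
+name: "alpine with platform",
+mappingDir: "doi-platform",
+imageName: "docker.io/library/alpine",
+platform: "linux/amd64",
+expectedMatchType: MatchTypePolicy,
+expectedPolicyID: "docker-official-images",
+expectedImageName: "docker.io/library/alpine",
+},
+{
+name: "alpine with invalid platform in mapping",
+mappingDir: "doi-platform-broken",
+imageName: "docker.io/library/alpine",
+platform: "linux/amd64",
+expectLoadingError: true,
+},
+{
+name: "firefox with > 1 platforms in policy",
+mappingDir: "doi-platform",
+imageName: "docker.io/mozilla/firefox",
+platform: "linux/arm64",
+expectedMatchType: MatchTypePolicy,
+expectedPolicyID: "docker-official-images",
+expectedImageName: "docker.io/mozilla/firefox",
+},
+{
+name: "firefox with > 1 platforms in policy (no match)",
+mappingDir: "doi-platform",
+imageName: "docker.io/mozilla/firefox",
+platform: "macOs/arm64",
+expectedMatchType: MatchTypeNoMatch,
+expectedPolicyID: "docker-official-images",
+},
+{
+name: "rewrite and platform",
+mappingDir: "doi-platform",
+imageName: "mycoolmirror.org/library/alpine",
+platform: "linux/amd64",
+expectedMatchType: MatchTypePolicy,
+expectedPolicyID: "docker-official-images",
+expectedImageName: "docker.io/library/alpine",
+},
+{
+name: "rewrite and platform mismatch",
+mappingDir: "doi-platform",
+imageName: "mycoolmirror.org/library/alpine",
+platform: "macOs/amd64",
+expectedMatchType: MatchTypeNoMatch,
+expectedPolicyID: "docker-official-images",
+},
+}
+for _, tc := range testCases {
+t.Run(tc.name, func(t *testing.T) {
+mappings, err := LoadLocalMappings(filepath.Join("testdata", "mappings", tc.mappingDir))
+if tc.expectLoadingError {
+require.Error(t, err)
+return
+}
+require.NoError(t, err)
+platform := defaultPlatform
+if tc.platform != "" {
+platform, err = v1.ParsePlatform(tc.platform)
+require.NoError(t, err)
+}
+match, err := mappings.FindPolicyMatch(tc.imageName, platform)
+if tc.expectError {
+require.Error(t, err)
+// TODO: check error matches expected error message
+return
+}
+require.NoError(t, err)
+assert.Equal(t, tc.expectedMatchType, match.MatchType)
+if match.MatchType == MatchTypePolicy {
+if assert.NotNil(t, match.Policy) {
+assert.Equal(t, tc.expectedPolicyID, match.Policy.ID)
+}
+}
+if match.MatchType == MatchTypeMatchNoPolicy || match.MatchType == MatchTypePolicy {
+assert.Equal(t, tc.expectedImageName, match.MatchedName)
+}
+})
+}
+}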
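Review bot: Three cases share the subtest name "alpine with platform" (the doi entry and two doi-platform entries), and the two doi-platform entries are field-for-field identical, so t.Run reports them as suffixed duplicates and one of them should be dropped or renamed to say what it covers. "alpine with no matching platform", "firefox with > 1 platforms in policy (no match)" and "rewrite and platform mismatch" set expectedPolicyID while expecting MatchTypeNoMatch, but the assertion block only reads expectedPolicyID on a policy match, so those values are never checked and only suggest a policy was expected. The "rewrite loop" case still carries `// TODO: check error matches expected error message` from the deleted policy/match_test.go; asserting on the "rewrite loop detected" text would pin the loop guard this change moves into the mapping package. The "no match" case no longer asserts MatchedName, which was the old test's only coverage of the name returned on a miss.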


@@ -0,0 +1,11 @@
version: v1
kind: policy-mapping
policies:
- id: docker-official-images
description: Docker Official Images
files:
- path: doi/policy.rego
rules:
- pattern: "^docker[.]io/library/(.*)$"
platforms: ["linux/amd64/broken/platform/spec/1.0:foobar"]
policy-id: docker-official-images


@@ -0,0 +1,17 @@
version: v1
kind: policy-mapping
policies:
- id: docker-official-images
description: Docker Official Images
files:
- path: doi/policy.rego
rules:
- pattern: "^docker[.]io/library/(.*)$"
platforms: ["linux/amd64"]
policy-id: docker-official-images
- pattern: "^docker.io/mozilla/(.*)$"
platforms: ["linux/amd64", "linux/arm64"]
policy-id: docker-official-images
- pattern: "^mycoolmirror[.]org/library/(.*)$"
platforms: ["linux/amd64"]
rewrite: "docker.io/library/$1"


@@ -1,7 +1,9 @@
package config package mapping
import ( import (
"regexp" "regexp"
v1 "github.com/google/go-containerregistry/pkg/v1"
) )
type policyMappingsFile struct { type policyMappingsFile struct {
@@ -12,9 +14,10 @@ type policyMappingsFile struct {
} }
type policyRuleFile struct { type policyRuleFile struct {
Pattern string `json:"pattern"` Pattern string `json:"pattern"`
PolicyID string `json:"policy-id"` Platforms []string `json:"platforms"`
Replacement string `json:"rewrite"` PolicyID string `json:"policy-id"`
Replacement string `json:"rewrite"`
} }
type PolicyMappings struct { type PolicyMappings struct {
@@ -51,4 +54,5 @@ type PolicyRule struct {
Pattern *regexp.Regexp Pattern *regexp.Regexp
PolicyID string PolicyID string
Replacement string Replacement string
Platforms []*v1.Platform
} }


@@ -1,65 +0,0 @@
package policy
import (
"fmt"
"github.com/docker/attest/config"
)
type matchType string
const (
matchTypePolicy matchType = "policy"
matchTypeMatchNoPolicy matchType = "match_no_policy"
matchTypeNoMatch matchType = "no_match"
)
type policyMatch struct {
matchType matchType
policy *config.PolicyMapping
rule *config.PolicyRule
matchedName string
}
func findPolicyMatch(imageName string, mappings *config.PolicyMappings) (*policyMatch, error) {
if mappings == nil {
return &policyMatch{matchType: matchTypeNoMatch, matchedName: imageName}, nil
}
return findPolicyMatchImpl(imageName, mappings, make(map[*config.PolicyRule]bool))
}
func findPolicyMatchImpl(imageName string, mappings *config.PolicyMappings, matched map[*config.PolicyRule]bool) (*policyMatch, error) {
for _, rule := range mappings.Rules {
if rule.Pattern.MatchString(imageName) {
switch {
case rule.PolicyID == "" && rule.Replacement == "":
return nil, fmt.Errorf("rule %s has neither policy-id nor rewrite", rule.Pattern)
case rule.PolicyID != "" && rule.Replacement != "":
return nil, fmt.Errorf("rule %s has both policy-id and rewrite", rule.Pattern)
case rule.PolicyID != "":
policy := mappings.Policies[rule.PolicyID]
if policy != nil {
return &policyMatch{
matchType: matchTypePolicy,
policy: policy,
rule: rule,
matchedName: imageName,
}, nil
}
return &policyMatch{
matchType: matchTypeMatchNoPolicy,
rule: rule,
matchedName: imageName,
}, nil
case rule.Replacement != "":
if matched[rule] {
return nil, fmt.Errorf("rewrite loop detected")
}
matched[rule] = true
imageName = rule.Pattern.ReplaceAllString(imageName, rule.Replacement)
return findPolicyMatchImpl(imageName, mappings, matched)
}
}
}
return &policyMatch{matchType: matchTypeNoMatch, matchedName: imageName}, nil
}


@@ -1,112 +0,0 @@
package policy
import (
"path/filepath"
"testing"
"github.com/docker/attest/config"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestFindPolicyMatch(t *testing.T) {
testCases := []struct {
name string
imageName string
mappingDir string
expectError bool
expectLoadingError bool
expectedMatchType matchType
expectedPolicyID string
expectedImageName string
}{
{
name: "alpine",
mappingDir: "doi",
imageName: "docker.io/library/alpine",
expectedMatchType: matchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "no match",
mappingDir: "doi",
imageName: "docker.io/something/else",
expectedMatchType: matchTypeNoMatch,
expectedImageName: "docker.io/something/else",
},
{
name: "match, no policy",
mappingDir: "local",
imageName: "docker.io/library/alpine",
expectedMatchType: matchTypeMatchNoPolicy,
expectedImageName: "docker.io/library/alpine",
},
{
name: "simple rewrite",
mappingDir: "simple-rewrite",
imageName: "mycoolmirror.org/library/alpine",
expectedMatchType: matchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "rewrite no match",
mappingDir: "rewrite-to-no-match",
imageName: "mycoolmirror.org/library/alpine",
expectedMatchType: matchTypeNoMatch,
expectedImageName: "badredirect.org/alpine",
},
{
name: "rewrite to match, no policy",
mappingDir: "rewrite-to-local",
imageName: "mycoolmirror.org/library/alpine",
expectedMatchType: matchTypeMatchNoPolicy,
expectedImageName: "docker.io/library/alpine",
},
{
name: "multiple rewrites",
mappingDir: "rewrite-multiple",
imageName: "myevencoolermirror.org/library/alpine",
expectedMatchType: matchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "rewrite loop",
mappingDir: "rewrite-loop",
imageName: "yin/alpine",
expectError: true,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
mappings, err := config.LoadLocalMappings(filepath.Join("testdata", "mappings", tc.mappingDir))
require.NoError(t, err)
match, err := findPolicyMatch(tc.imageName, mappings)
if tc.expectError {
require.Error(t, err)
// TODO: check error matches expected error message
return
}
require.NoError(t, err)
assert.Equal(t, tc.expectedMatchType, match.matchType)
if match.matchType == matchTypePolicy {
if assert.NotNil(t, match.policy) {
assert.Equal(t, tc.expectedPolicyID, match.policy.ID)
}
}
assert.Equal(t, tc.expectedImageName, match.matchedName)
})
}
}


@@ -6,7 +6,7 @@ import (
"github.com/distribution/reference" "github.com/distribution/reference"
"github.com/docker/attest/attestation" "github.com/docker/attest/attestation"
"github.com/docker/attest/config" "github.com/docker/attest/mapping"
"github.com/docker/attest/oci" "github.com/docker/attest/oci"
intoto "github.com/in-toto/in-toto-golang/in_toto" intoto "github.com/in-toto/in-toto-golang/in_toto"
"github.com/package-url/packageurl-go" "github.com/package-url/packageurl-go"
@@ -22,9 +22,9 @@ func CreateImageDetailsResolver(imageSource *oci.ImageSpec) (oci.ImageDetailsRes
return nil, fmt.Errorf("unsupported image source type: %s", imageSource.Type) return nil, fmt.Errorf("unsupported image source type: %s", imageSource.Type)
} }
func CreateAttestationResolver(resolver oci.ImageDetailsResolver, mapping *config.PolicyMapping) (attestation.Resolver, error) { func CreateAttestationResolver(resolver oci.ImageDetailsResolver, policyMapping *mapping.PolicyMapping) (attestation.Resolver, error) {
if mapping.Attestations != nil { if policyMapping.Attestations != nil {
if mapping.Attestations.Style == config.AttestationStyleAttached { if policyMapping.Attestations.Style == mapping.AttestationStyleAttached {
switch resolver := resolver.(type) { switch resolver := resolver.(type) {
case *oci.RegistryImageDetailsResolver: case *oci.RegistryImageDetailsResolver:
return attestation.NewRegistryResolver(resolver) return attestation.NewRegistryResolver(resolver)
@@ -34,8 +34,8 @@ func CreateAttestationResolver(resolver oci.ImageDetailsResolver, mapping *confi
return nil, fmt.Errorf("unsupported image details resolver type: %T", resolver) return nil, fmt.Errorf("unsupported image details resolver type: %T", resolver)
} }
} }
if mapping.Attestations.Repo != "" { if policyMapping.Attestations.Repo != "" {
return attestation.NewReferrersResolver(resolver, attestation.WithReferrersRepo(mapping.Attestations.Repo)) return attestation.NewReferrersResolver(resolver, attestation.WithReferrersRepo(policyMapping.Attestations.Repo))
} }
} }
return attestation.NewReferrersResolver(resolver) return attestation.NewReferrersResolver(resolver)


@@ -8,8 +8,8 @@ import (
"testing" "testing"
"github.com/docker/attest/attestation" "github.com/docker/attest/attestation"
"github.com/docker/attest/config"
"github.com/docker/attest/internal/test" "github.com/docker/attest/internal/test"
"github.com/docker/attest/mapping"
"github.com/docker/attest/oci" "github.com/docker/attest/oci"
"github.com/docker/attest/policy" "github.com/docker/attest/policy"
v1 "github.com/google/go-containerregistry/pkg/v1" v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -39,12 +39,14 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
TestDataPath := filepath.Join("..", "test", "testdata") TestDataPath := filepath.Join("..", "test", "testdata")
ExampleAttestation := filepath.Join(TestDataPath, "example_attestation.json") ExampleAttestation := filepath.Join(TestDataPath, "example_attestation.json")
re := policy.NewRegoEvaluator(true) verifier, err := attestation.NewVerfier()
require.NoError(t, err)
re := policy.NewRegoEvaluator(true, verifier)
defaultResolver := attestation.MockResolver{ defaultResolver := attestation.MockResolver{
Envs: []*attestation.Envelope{loadAttestation(t, ExampleAttestation)}, Envs: []*attestation.Envelope{loadAttestation(t, ExampleAttestation)},
} }
defaultPlatform, err := v1.ParsePlatform("linux/amd64")
require.NoError(t, err)
testCases := []struct { testCases := []struct {
policyPath string policyPath string
expectSuccess bool expectSuccess bool
@@ -86,7 +88,7 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
imageName, err := tc.resolver.ImageName(ctx) imageName, err := tc.resolver.ImageName(ctx)
require.NoError(t, err) require.NoError(t, err)
resolver := policy.NewResolver(nil, tc.opts) resolver := policy.NewResolver(nil, tc.opts)
policy, err := resolver.ResolvePolicy(ctx, imageName) policy, err := resolver.ResolvePolicy(ctx, imageName, defaultPlatform)
if tc.resolveErrorStr != "" { if tc.resolveErrorStr != "" {
require.Error(t, err) require.Error(t, err)
assert.Contains(t, err.Error(), tc.resolveErrorStr) assert.Contains(t, err.Error(), tc.resolveErrorStr)
@@ -107,7 +109,7 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
} }
func TestLoadingMappings(t *testing.T) { func TestLoadingMappings(t *testing.T) {
policyMappings, err := config.LoadLocalMappings(filepath.Join("testdata", "policies", "allow")) policyMappings, err := mapping.LoadLocalMappings(filepath.Join("testdata", "policies", "allow"))
require.NoError(t, err) require.NoError(t, err)
assert.Equal(t, len(policyMappings.Rules), 3) assert.Equal(t, len(policyMappings.Rules), 3)
for _, mirror := range policyMappings.Rules { for _, mirror := range policyMappings.Rules {
@@ -124,32 +126,32 @@ func TestCreateAttestationResolver(t *testing.T) {
layoutResolver := &attestation.LayoutResolver{} layoutResolver := &attestation.LayoutResolver{}
registryResolver := &oci.RegistryImageDetailsResolver{} registryResolver := &oci.RegistryImageDetailsResolver{}
nilRepoReferrers := &config.PolicyMapping{ nilRepoReferrers := &mapping.PolicyMapping{
Attestations: &config.AttestationConfig{ Attestations: &mapping.AttestationConfig{
Style: config.AttestationStyleReferrers, Style: mapping.AttestationStyleReferrers,
}, },
} }
referrers := &config.PolicyMapping{ referrers := &mapping.PolicyMapping{
Attestations: &config.AttestationConfig{ Attestations: &mapping.AttestationConfig{
Repo: "localhost:5000/repo", Repo: "localhost:5000/repo",
Style: config.AttestationStyleReferrers, Style: mapping.AttestationStyleReferrers,
}, },
} }
attached := &config.PolicyMapping{ attached := &mapping.PolicyMapping{
Attestations: &config.AttestationConfig{ Attestations: &mapping.AttestationConfig{
Style: config.AttestationStyleAttached, Style: mapping.AttestationStyleAttached,
}, },
} }
testCases := []struct { testCases := []struct {
name string name string
resolver oci.ImageDetailsResolver resolver oci.ImageDetailsResolver
mapping *config.PolicyMapping mapping *mapping.PolicyMapping
errorStr string errorStr string
}{ }{
{name: "referrers", resolver: layoutResolver, mapping: referrers}, {name: "referrers", resolver: layoutResolver, mapping: referrers},
{name: "referrers (no mapped repo)", resolver: layoutResolver, mapping: nilRepoReferrers}, {name: "referrers (no mapped repo)", resolver: layoutResolver, mapping: nilRepoReferrers},
{name: "referrers (no mapping)", resolver: layoutResolver, mapping: &config.PolicyMapping{Attestations: nil}}, {name: "referrers (no mapping)", resolver: layoutResolver, mapping: &mapping.PolicyMapping{Attestations: nil}},
{name: "attached (registry)", resolver: registryResolver, mapping: attached}, {name: "attached (registry)", resolver: registryResolver, mapping: attached},
{name: "attached (layout)", resolver: layoutResolver, mapping: attached}, {name: "attached (layout)", resolver: layoutResolver, mapping: attached},
{name: "attached (unsupported)", resolver: mockResolver, mapping: attached, errorStr: "unsupported image details resolver type"}, {name: "attached (unsupported)", resolver: mockResolver, mapping: attached, errorStr: "unsupported image details resolver type"},
@@ -168,11 +170,11 @@ func TestCreateAttestationResolver(t *testing.T) {
} }
switch resolver.(type) { switch resolver.(type) {
case *attestation.ReferrersResolver: case *attestation.ReferrersResolver:
assert.Equal(t, tc.mapping.Attestations.Style, config.AttestationStyleReferrers) assert.Equal(t, tc.mapping.Attestations.Style, mapping.AttestationStyleReferrers)
case *attestation.RegistryResolver: case *attestation.RegistryResolver:
assert.Equal(t, tc.mapping.Attestations.Style, config.AttestationStyleAttached) assert.Equal(t, tc.mapping.Attestations.Style, mapping.AttestationStyleAttached)
case *attestation.LayoutResolver: case *attestation.LayoutResolver:
assert.Equal(t, tc.mapping.Attestations.Style, config.AttestationStyleAttached) assert.Equal(t, tc.mapping.Attestations.Style, mapping.AttestationStyleAttached)
} }
}) })
} }


@@ -1,12 +1,14 @@
package policy package policy
import ( import (
"bytes"
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"os" "os"
"path/filepath" "path/filepath"
"github.com/docker-library/bashbrew/manifest"
"github.com/docker/attest/attestation" "github.com/docker/attest/attestation"
intoto "github.com/in-toto/in-toto-golang/in_toto" intoto "github.com/in-toto/in-toto-golang/in_toto"
"github.com/open-policy-agent/opa/ast" "github.com/open-policy-agent/opa/ast"
@@ -21,7 +23,8 @@ import (
) )
type regoEvaluator struct { type regoEvaluator struct {
debug bool debug bool
attestationVerifier attestation.Verifier
} }
const ( const (
@@ -29,9 +32,10 @@ const (
resultBinding = "result" resultBinding = "result"
) )
func NewRegoEvaluator(debug bool) Evaluator { func NewRegoEvaluator(debug bool, attestationVerifier attestation.Verifier) Evaluator {
return &regoEvaluator{ return &regoEvaluator{
debug: debug, debug: debug,
attestationVerifier: attestationVerifier,
} }
} }
@@ -86,7 +90,8 @@ func (re *regoEvaluator) Evaluate(ctx context.Context, resolver attestation.Reso
rego.Store(store), rego.Store(store),
rego.GenerateJSON(jsonGenerator[Result]()), rego.GenerateJSON(jsonGenerator[Result]()),
) )
for _, custom := range RegoFunctions(resolver) { regoFnOpts := NewRegoFunctionOptions(resolver, re.attestationVerifier)
for _, custom := range RegoFunctions(regoFnOpts) {
regoOpts = append(regoOpts, custom.Func) regoOpts = append(regoOpts, custom.Func)
} }
@@ -146,6 +151,12 @@ var attestDecl = &ast.Builtin{
Nondeterministic: true, Nondeterministic: true,
} }
var internalParseLibraryDefinitionDecl = &ast.Builtin{
Name: "attest.internals.parse_library_definition",
Decl: types.NewFunction(types.Args(types.S), dynamicObj),
Nondeterministic: false,
}
func wrapFunctionResult(value *ast.Term, err error) (*ast.Term, error) { func wrapFunctionResult(value *ast.Term, err error) (*ast.Term, error) {
var terms [][2]*ast.Term var terms [][2]*ast.Term
if err != nil { if err != nil {
@@ -169,105 +180,146 @@ func handleErrors2(f func(rCtx rego.BuiltinContext, a, b *ast.Term) (*ast.Term,
} }
} }
func RegoFunctions(resolver attestation.Resolver) []*tester.Builtin { func RegoFunctions(regoOpts *RegoFnOpts) []*tester.Builtin {
return []*tester.Builtin{ return []*tester.Builtin{
{ builtin2(verifyDecl, regoOpts.verifyInTotoEnvelope),
Decl: verifyDecl, builtin1(attestDecl, regoOpts.fetchInTotoAttestations),
Func: rego.Function2( builtin1(internalParseLibraryDefinitionDecl, regoOpts.internalParseLibraryDefinition),
&rego.Function{
Name: verifyDecl.Name,
Decl: verifyDecl.Decl,
Memoize: true,
Nondeterministic: verifyDecl.Nondeterministic,
},
handleErrors2(verifyInTotoEnvelope(resolver))),
},
{
Decl: attestDecl,
Func: rego.Function1(
&rego.Function{
Name: attestDecl.Name,
Decl: attestDecl.Decl,
Memoize: true,
Nondeterministic: attestDecl.Nondeterministic,
},
handleErrors1(fetchInTotoAttestations(resolver))),
},
} }
} }
func fetchInTotoAttestations(resolver attestation.Resolver) rego.Builtin1 { func builtin1(decl *ast.Builtin, f rego.Builtin1) *tester.Builtin {
return func(rCtx rego.BuiltinContext, predicateTypeTerm *ast.Term) (*ast.Term, error) { return &tester.Builtin{
predicateTypeStr, ok := predicateTypeTerm.Value.(ast.String) Decl: decl,
if !ok { Func: rego.Function1(
return nil, fmt.Errorf("predicateTypeTerm is not a string") &rego.Function{
} Name: decl.Name,
predicateType := string(predicateTypeStr) Decl: decl.Decl,
Memoize: true,
envelopes, err := resolver.Attestations(rCtx.Context, predicateType) Nondeterministic: decl.Nondeterministic,
if err != nil { },
return nil, err handleErrors1(f)),
}
// Convert each envelope to an ast.Value.
values := make([]*ast.Term, len(envelopes))
for i, envelope := range envelopes {
value, err := ast.InterfaceToValue(envelope)
if err != nil {
return nil, err
}
values[i] = ast.NewTerm(value)
}
// Wrap the values in an ast.Set and convert it to an ast.Term.
set := ast.NewTerm(ast.NewSet(values...))
return set, nil
} }
} }
func verifyInTotoEnvelope(resolver attestation.Resolver) rego.Builtin2 { func builtin2(decl *ast.Builtin, f rego.Builtin2) *tester.Builtin {
return func(rCtx rego.BuiltinContext, envTerm, optsTerm *ast.Term) (*ast.Term, error) { return &tester.Builtin{
env := new(attestation.Envelope) Decl: decl,
opts := new(attestation.VerifyOptions) Func: rego.Function2(
err := ast.As(envTerm.Value, env) &rego.Function{
if err != nil { Name: decl.Name,
return nil, fmt.Errorf("failed to cast envelope: %w", err) Decl: decl.Decl,
} Memoize: true,
err = ast.As(optsTerm.Value, &opts) Nondeterministic: decl.Nondeterministic,
if err != nil { },
return nil, fmt.Errorf("failed to cast verifier options: %w", err) handleErrors2(f)),
} }
}
payload, err := attestation.VerifyDSSE(rCtx.Context, env, opts) type RegoFnOpts struct {
if err != nil { attestationResolver attestation.Resolver
return nil, fmt.Errorf("failed to verify envelope: %w", err) attestationVerifier attestation.Verifier
} }
statement := new(intoto.Statement) // this is exported for testing here and in clients of the library.
func NewRegoFunctionOptions(resolver attestation.Resolver, verifier attestation.Verifier) *RegoFnOpts {
return &RegoFnOpts{
attestationResolver: resolver,
attestationVerifier: verifier,
}
}
switch env.PayloadType { // because we don't control the signature here (blame rego)
case intoto.PayloadType: // nolint:gocritic
err = json.Unmarshal(payload, statement) func (regoOpts *RegoFnOpts) fetchInTotoAttestations(rCtx rego.BuiltinContext, predicateTypeTerm *ast.Term) (*ast.Term, error) {
if err != nil { predicateTypeStr, ok := predicateTypeTerm.Value.(ast.String)
return nil, fmt.Errorf("failed to unmarshal statement: %w", err) if !ok {
} return nil, fmt.Errorf("predicateTypeTerm is not a string")
// TODO: implement other types of envelope }
default: predicateType := string(predicateTypeStr)
return nil, fmt.Errorf("unsupported payload type: %s", env.PayloadType)
}
err = VerifySubject(rCtx.Context, statement.Subject, resolver) envelopes, err := regoOpts.attestationResolver.Attestations(rCtx.Context, predicateType)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to verify subject: %w", err) return nil, err
} }
value, err := ast.InterfaceToValue(statement) // Convert each envelope to an ast.Value.
values := make([]*ast.Term, len(envelopes))
for i, envelope := range envelopes {
value, err := ast.InterfaceToValue(envelope)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return ast.NewTerm(value), nil values[i] = ast.NewTerm(value)
} }
// Wrap the values in an ast.Set and convert it to an ast.Term.
set := ast.NewTerm(ast.NewSet(values...))
return set, nil
}
// because we don't control the signature here (blame rego)
// nolint:gocritic
func (regoOpts *RegoFnOpts) verifyInTotoEnvelope(rCtx rego.BuiltinContext, envTerm, optsTerm *ast.Term) (*ast.Term, error) {
env := new(attestation.Envelope)
opts := new(attestation.VerifyOptions)
err := ast.As(envTerm.Value, env)
if err != nil {
return nil, fmt.Errorf("failed to cast envelope: %w", err)
}
err = ast.As(optsTerm.Value, &opts)
if err != nil {
return nil, fmt.Errorf("failed to cast verifier options: %w", err)
}
payload, err := attestation.VerifyDSSE(rCtx.Context, regoOpts.attestationVerifier, env, opts)
if err != nil {
return nil, fmt.Errorf("failed to verify envelope: %w", err)
}
statement := new(intoto.Statement)
switch env.PayloadType {
case intoto.PayloadType:
err = json.Unmarshal(payload, statement)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal statement: %w", err)
}
// TODO: implement other types of envelope
default:
return nil, fmt.Errorf("unsupported payload type: %s", env.PayloadType)
}
err = VerifySubject(rCtx.Context, statement.Subject, regoOpts.attestationResolver)
if err != nil {
return nil, fmt.Errorf("failed to verify subject: %w", err)
}
value, err := ast.InterfaceToValue(statement)
if err != nil {
return nil, err
}
return ast.NewTerm(value), nil
}
// because we don't control the signature here (blame rego)
// nolint:gocritic
func (regoOpts *RegoFnOpts) internalParseLibraryDefinition(_ rego.BuiltinContext, definitionTerm *ast.Term) (*ast.Term, error) {
definitionStr, ok := definitionTerm.Value.(ast.String)
if !ok {
return nil, fmt.Errorf("predicateTypeTerm is not a string")
}
definition := string(definitionStr)
defBuffer := bytes.NewBufferString(definition)
parsed, err := manifest.Parse2822(defBuffer)
if err != nil {
return nil, err
}
value, err := ast.InterfaceToValue(parsed)
if err != nil {
return nil, err
}
return ast.NewTerm(value), nil
} }
func loadYAML(path string, bs []byte) (interface{}, error) { func loadYAML(path string, bs []byte) (interface{}, error) {
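Review bot: internalParseLibraryDefinition rejects a non-string argument with `fmt.Errorf("predicateTypeTerm is not a string")`, a message copied from fetchInTotoAttestations that names the wrong argument; it should read `return nil, fmt.Errorf("definitionTerm is not a string")`, and the manifest.Parse2822 error a few lines below is returned bare where `fmt.Errorf("parsing library definition: %w", err)` would tell a policy author which builtin failed. NewRegoFunctionOptions accepts any attestation.Verifier including nil (the new policy/rego_test.go passes nil), and verifyInTotoEnvelope hands regoOpts.attestationVerifier straight to attestation.VerifyDSSE; unless VerifyDSSE is known to reject a nil verifier, the verify builtin should check for it up front and return an error rather than risk a panic, so that a mis-constructed evaluator fails closed before the signature check. The comment above NewRegoFunctionOptions does not follow the doc-comment convention; `// NewRegoFunctionOptions builds the options passed to RegoFunctions. It is exported for tests here and for clients of the library.` keeps the same information in godoc form. The moved `ast.As(optsTerm.Value, &opts)` passes a `**VerifyOptions` where the envelope cast passes `*Envelope`; it works via the JSON round-trip, but `ast.As(optsTerm.Value, opts)` would match the envelope line and avoid a double pointer.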

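--- a/policy/rego_test.go
+++ b/policy/rego_test.go
@@ -0,0 +1,89 @@
+package policy
+import (
+"context"
+"testing"
+"github.com/docker/attest/attestation"
+v1 "github.com/google/go-containerregistry/pkg/v1"
+"github.com/open-policy-agent/opa/tester"
+"github.com/stretchr/testify/assert"
+"github.com/stretchr/testify/require"
+)
+func TestPolicy(t *testing.T) {
+paths := []string{"testdata/policies/test/fetch"}
+modules, store, err := tester.Load(paths, nil)
+require.NoError(t, err)
+resolver := &NullAttestationResolver{}
+opts := NewRegoFunctionOptions(resolver, nil)
+ctx := context.Background()
+ch, err := tester.NewRunner().
+SetStore(store).
+AddCustomBuiltins(RegoFunctions(opts)).
+CapturePrintOutput(true).
+RaiseBuiltinErrors(true).
+EnableTracing(true).
+SetModules(modules).
+RunTests(ctx, nil)
+require.NoError(t, err)
+require.NoError(t, err)
+results := buffer(ch)
+assert.Equalf(t, 1, len(results), "expected 1 results, got %d", len(results))
+assert.Truef(t, results[0].Pass(), "expected result 1 to pass, got %v", results[0])
+assert.True(t, resolver.called)
+}
+func TestPolicyDefParse(t *testing.T) {
+paths := []string{"testdata/policies/test/def_parse"}
+modules, store, err := tester.Load(paths, nil)
+require.NoError(t, err)
+resolver := &NullAttestationResolver{}
+opts := NewRegoFunctionOptions(resolver, nil)
+ctx := context.Background()
+ch, err := tester.NewRunner().
+SetStore(store).
+AddCustomBuiltins(RegoFunctions(opts)).
+CapturePrintOutput(true).
+RaiseBuiltinErrors(true).
+EnableTracing(true).
+SetModules(modules).
+RunTests(ctx, nil)
+require.NoError(t, err)
+require.NoError(t, err)
+results := buffer(ch)
+t.Log(string(results[0].Output))
+assert.Equalf(t, 1, len(results), "expected 1 results, got %d", len(results))
+assert.Truef(t, results[0].Pass(), "expected result 1 to pass, got %v", results[0].Location)
+}
+func buffer[T any](ch chan T) []T {
+var out []T
+for v := range ch {
+out = append(out, v)
+}
+return out
+}
+type NullAttestationResolver struct {
+called bool
+}
+func (r *NullAttestationResolver) ImageName(_ context.Context) (string, error) {
+return "", nil
+}
+func (r *NullAttestationResolver) ImagePlatform(_ context.Context) (*v1.Platform, error) {
+return v1.ParsePlatform("")
+}
+func (r *NullAttestationResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error) {
+return nil, nil
+}
+func (r *NullAttestationResolver) Attestations(_ context.Context, _ string) ([]*attestation.Envelope, error) {
+r.called = true
+return nil, nil
+}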
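Review bot: TestPolicyDefParse logs `results[0].Output` before asserting that exactly one result came back, so an empty result set makes the test panic on the index instead of failing on the length assertion; move the `t.Log` below the `assert.Equalf` on len(results), or guard it with `require.Len(t, results, 1)`. Both tests repeat `require.NoError(t, err)` on consecutive lines after RunTests; the second is a no-op and can go. Both tests also build their options with `NewRegoFunctionOptions(resolver, nil)`, which is enough for the fetch and def_parse policies but means nothing in this file exercises the verify builtin with a real verifier, so its behaviour with a nil verifier is untested. NullAttestationResolver and buffer have no doc comments; `// NullAttestationResolver records whether Attestations was called and returns no envelopes.` would state the type's role for the next test author.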


@@ -8,9 +8,10 @@ import (
"path/filepath" "path/filepath"
"github.com/distribution/reference" "github.com/distribution/reference"
"github.com/docker/attest/config"
"github.com/docker/attest/internal/util" "github.com/docker/attest/internal/util"
"github.com/docker/attest/mapping"
"github.com/docker/attest/tuf" "github.com/docker/attest/tuf"
v1 "github.com/google/go-containerregistry/pkg/v1"
) )
type Resolver struct { type Resolver struct {
@@ -25,7 +26,7 @@ func NewResolver(tufClient tuf.Downloader, opts *Options) *Resolver {
} }
} }
func (r *Resolver) ResolvePolicy(_ context.Context, imageName string) (*Policy, error) { func (r *Resolver) ResolvePolicy(_ context.Context, imageName string, platform *v1.Platform) (*Policy, error) {
p, err := r.resolvePolicyByID() p, err := r.resolvePolicyByID()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to resolve policy by id: %w", err) return nil, fmt.Errorf("failed to resolve policy by id: %w", err)
@@ -37,45 +38,45 @@ func (r *Resolver) ResolvePolicy(_ context.Context, imageName string) (*Policy,
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse image name: %w", err) return nil, fmt.Errorf("failed to parse image name: %w", err)
} }
localMappings, err := config.LoadLocalMappings(r.opts.LocalPolicyDir) localMappings, err := mapping.LoadLocalMappings(r.opts.LocalPolicyDir)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to load local policy mappings: %w", err) return nil, fmt.Errorf("failed to load local policy mappings: %w", err)
} }
match, err := findPolicyMatch(imageName, localMappings) match, err := localMappings.FindPolicyMatch(imageName, platform)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if match.matchType == matchTypePolicy { if match.MatchType == mapping.MatchTypePolicy {
return r.resolveLocalPolicy(match.policy, imageName, match.matchedName) return r.resolveLocalPolicy(match.Policy, imageName, match.MatchedName)
} }
if !r.opts.DisableTUF { if !r.opts.DisableTUF {
tufMappings, err := config.LoadTUFMappings(r.tufClient, r.opts.LocalTargetsDir) tufMappings, err := mapping.LoadTUFMappings(r.tufClient, r.opts.LocalTargetsDir)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to load tuf policy mappings as fallback: %w", err) return nil, fmt.Errorf("failed to load tuf policy mappings as fallback: %w", err)
} }
// it's a mirror of a tuf policy // it's a mirror of a tuf policy
if match.matchType == matchTypeMatchNoPolicy { if match.MatchType == mapping.MatchTypeMatchNoPolicy {
for _, mapping := range tufMappings.Policies { for _, mapping := range tufMappings.Policies {
if mapping.ID == match.rule.PolicyID { if mapping.ID == match.Rule.PolicyID {
return r.resolveTUFPolicy(mapping, imageName, match.matchedName) return r.resolveTUFPolicy(mapping, imageName, match.MatchedName)
} }
} }
} }
// try to resolve a tuf policy directly // try to resolve a tuf policy directly
match, err = findPolicyMatch(imageName, tufMappings) match, err = tufMappings.FindPolicyMatch(imageName, platform)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if match.matchType == matchTypePolicy { if match.MatchType == mapping.MatchTypePolicy {
return r.resolveTUFPolicy(match.policy, imageName, match.matchedName) return r.resolveTUFPolicy(match.Policy, imageName, match.MatchedName)
} }
} }
return nil, nil return nil, nil
} }
func (r *Resolver) resolveLocalPolicy(mapping *config.PolicyMapping, imageName string, matchedName string) (*Policy, error) { func (r *Resolver) resolveLocalPolicy(mapping *mapping.PolicyMapping, imageName string, matchedName string) (*Policy, error) {
if r.opts.LocalPolicyDir == "" { if r.opts.LocalPolicyDir == "" {
return nil, fmt.Errorf("local policy dir not set") return nil, fmt.Errorf("local policy dir not set")
} }
@@ -118,7 +119,7 @@ func (r *Resolver) resolveLocalPolicy(mapping *config.PolicyMapping, imageName s
return policy, nil return policy, nil
} }
func (r *Resolver) resolveTUFPolicy(mapping *config.PolicyMapping, imageName string, matchedName string) (*Policy, error) { func (r *Resolver) resolveTUFPolicy(mapping *mapping.PolicyMapping, imageName string, matchedName string) (*Policy, error) {
var URI string var URI string
var digest map[string]string var digest map[string]string
files := make([]*File, 0, len(mapping.Files)) files := make([]*File, 0, len(mapping.Files))
@@ -159,7 +160,7 @@ func (r *Resolver) resolveTUFPolicy(mapping *config.PolicyMapping, imageName str
func (r *Resolver) resolvePolicyByID() (*Policy, error) { func (r *Resolver) resolvePolicyByID() (*Policy, error) {
if r.opts.PolicyID != "" { if r.opts.PolicyID != "" {
localMappings, err := config.LoadLocalMappings(r.opts.LocalPolicyDir) localMappings, err := mapping.LoadLocalMappings(r.opts.LocalPolicyDir)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to load local policy mappings: %w", err) return nil, fmt.Errorf("failed to load local policy mappings: %w", err)
} }
@@ -171,7 +172,7 @@ func (r *Resolver) resolvePolicyByID() (*Policy, error) {
} }
if !r.opts.DisableTUF { if !r.opts.DisableTUF {
tufMappings, err := config.LoadTUFMappings(r.tufClient, r.opts.LocalTargetsDir) tufMappings, err := mapping.LoadTUFMappings(r.tufClient, r.opts.LocalTargetsDir)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to load tuf policy mappings by id: %w", err) return nil, fmt.Errorf("failed to load tuf policy mappings by id: %w", err)
} }


@@ -7,6 +7,7 @@ import (
"github.com/docker/attest/internal/test" "github.com/docker/attest/internal/test"
"github.com/docker/attest/policy" "github.com/docker/attest/policy"
"github.com/docker/attest/tuf" "github.com/docker/attest/tuf"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
@@ -17,7 +18,8 @@ func TestResolvePolicy(t *testing.T) {
noLocalPolicyPath := "testdata/policies/no-policy" noLocalPolicyPath := "testdata/policies/no-policy"
testPolicyID := "docker-official-images" testPolicyID := "docker-official-images"
testImageName := "localhost:5001/test/repo:tag" testImageName := "localhost:5001/test/repo:tag"
defaultPlatform, err := v1.ParsePlatform("linux/amd64")
require.NoError(t, err)
testCases := []struct { testCases := []struct {
name string name string
policyPath string policyPath string
@@ -52,7 +54,7 @@ func TestResolvePolicy(t *testing.T) {
opts.DisableTUF = tc.DisableTUF opts.DisableTUF = tc.DisableTUF
opts.LocalTargetsDir = tempDir opts.LocalTargetsDir = tempDir
resolver := policy.NewResolver(tufClient, opts) resolver := policy.NewResolver(tufClient, opts)
policy, err := resolver.ResolvePolicy(context.Background(), testImageName) policy, err := resolver.ResolvePolicy(context.Background(), testImageName, defaultPlatform)
require.NoError(t, err) require.NoError(t, err)
assert.NotNil(t, policy) assert.NotNil(t, policy)
if tc.DisableTUF || tc.localOverridesTUF { if tc.DisableTUF || tc.localOverridesTUF {
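Review bot: Every case in the table now resolves with the same `defaultPlatform` (`linux/amd64`), so the new `platform` parameter of `ResolvePolicy` is only exercised on the happy path: no case passes nil and none passes a platform that should fail a platform-specific mapping rule. Suggest a `platform *v1.Platform` column in the table (falling back to `defaultPlatform`) with one nil case and one non-matching case asserting the resolved policy or its absence. `TestResolvePolicy` and its table begin before this hunk.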


@@ -0,0 +1,18 @@
package def_parse_test
import rego.v1
test_parse_library_definition if {
def := `Maintainers: me <me@example.com> (@me)
GitRepo: blah
Tags: 1, 2, 3
GitCommit: fa105cb3c26c8f0e87d7dbb1bf5293691ac2f688
File: Dockerfile.foo`
result := attest.internals.parse_library_definition(def)
definition := result.value
definition.Entries[0].GitRepo == "blah"
definition.Entries[0].GitCommit == "fa105cb3c26c8f0e87d7dbb1bf5293691ac2f688"
definition.Entries[0].Tags == ["1", "2", "3"]
definition.Entries[0].File == "Dockerfile.foo"
}
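Review bot: The test only covers a well-formed definition, and reading `result.value` suggests (inferred; the builtin itself is not shown here) that `attest.internals.parse_library_definition` returns a value/error pair, yet nothing pins what a malformed definition yields, and the `Maintainers` line is parsed but never asserted. Add a second rule such as `test_parse_library_definition_invalid if { result := attest.internals.parse_library_definition("not a definition"); result.error }` so the failure path is asserted explicitly rather than left undefined, since an undefined result would silently make any rule built on it undefined instead of failing loudly. Also assert `definition.Entries[0].Maintainers` so a dropped Maintainers field would be caught.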


@@ -0,0 +1,7 @@
package attest
import rego.v1
success if {
some env in attest.fetch("foo")
}


@@ -0,0 +1,9 @@
package attest_test
import rego.v1
import data.attest
test_sucess if {
attest.success
}
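Review bot: The rule name `test_sucess` is misspelled; OPA still runs it because of the `test_` prefix, but the typo will appear in every test report and a grep for `test_success` will miss it. Rename it to `test_success if {`. The rule also passes whenever `attest.success` is true, i.e. whenever `attest.fetch("foo")` yields at least one envelope regardless of its contents; that is fine for a fixture, but a one-line comment saying so would stop it being copied as a real policy.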


@@ -1,7 +1,8 @@
package policy package policy
import ( import (
"github.com/docker/attest/config" "github.com/docker/attest/attestation"
"github.com/docker/attest/mapping"
"github.com/docker/attest/tuf" "github.com/docker/attest/tuf"
intoto "github.com/in-toto/in-toto-golang/in_toto" intoto "github.com/in-toto/in-toto-golang/in_toto"
) )
@@ -27,20 +28,21 @@ type Result struct {
} }
type Options struct { type Options struct {
TUFClientOptions *tuf.ClientOptions TUFClientOptions *tuf.ClientOptions
DisableTUF bool DisableTUF bool
LocalTargetsDir string LocalTargetsDir string
LocalPolicyDir string LocalPolicyDir string
PolicyID string PolicyID string
ReferrersRepo string ReferrersRepo string
AttestationStyle config.AttestationStyle AttestationStyle mapping.AttestationStyle
Debug bool Debug bool
AttestationVerifier attestation.Verifier
} }
type Policy struct { type Policy struct {
InputFiles []*File InputFiles []*File
Query string Query string
Mapping *config.PolicyMapping Mapping *mapping.PolicyMapping
ResolvedName string ResolvedName string
URI string URI string
Digest map[string]string Digest map[string]string
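Review bot: The new `AttestationVerifier attestation.Verifier` field has no comment and its zero value is nil, so it is not visible from this file whether a caller that leaves it unset gets a default verifier or no signature verification at all; the latter would be a fail-open default for a security-critical option. Document the contract on the field, e.g. `// AttestationVerifier verifies attestation signatures. nil: TODO state whether a default verifier is used or construction fails — confirm in the consumer.`, and if nil is not a valid configuration, reject it where `Options` is consumed instead of dereferencing it later. The `Options` struct is shown in full, but the code that reads this field is outside the hunk.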


@@ -19,9 +19,12 @@ func SignStatements(ctx context.Context, idx v1.ImageIndex, signer dsse.SignerVe
// sign every attestation layer in each manifest // sign every attestation layer in each manifest
for _, manifest := range attestationManifests { for _, manifest := range attestationManifests {
for _, layer := range manifest.OriginalLayers { for _, layer := range manifest.OriginalLayers {
err = manifest.Add(ctx, signer, layer.Statement, opts) // skip layers without statements
if err != nil { if layer.Statement != nil {
return nil, fmt.Errorf("failed to sign attestation layer %w", err) err = manifest.Add(ctx, signer, layer.Statement, opts)
if err != nil {
return nil, fmt.Errorf("failed to sign attestation layer %w", err)
}
} }
} }
} }
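Review bot: A layer whose `Statement` is nil is now skipped silently, so the returned manifests can carry fewer signed attestations than the input had layers and neither the caller nor a log records the drop; for a signing step that is the kind of gap that later surfaces as "attestation missing" with no trail. At minimum expand the comment to say why such layers occur, e.g. `// skip layers without a parsed statement (TODO: state why these occur); callers cannot currently tell they were dropped`, and count the skipped layers so that a manifest which ends up with zero signed statements returns an error or at least a debug log. `SignStatements` begins before this hunk and continues after it.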


@@ -20,8 +20,5 @@ func GetAWSSigner(ctx context.Context, keyARN string, region string) (dsse.Signe
if err != nil { if err != nil {
return nil, fmt.Errorf("error getting aws crypto signer: %w", err) return nil, fmt.Errorf("error getting aws crypto signer: %w", err)
} }
signer := &ECDSA256SignerVerifier{ return NewECDSASignerVerifier(cs)
Signer: cs,
}
return signer, nil
} }


@@ -9,52 +9,17 @@ import (
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"io"
"github.com/docker/attest/internal/util"
"github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/secure-systems-lab/go-securesystemslib/dsse"
) )
type ECDSA256SignerVerifier struct {
crypto.Signer
}
// implement keyid function.
func (s *ECDSA256SignerVerifier) KeyID() (string, error) {
keyid, err := KeyID(s.Signer.Public())
if err != nil {
return "", fmt.Errorf("error getting keyid: %w", err)
}
return keyid, nil
}
func (s *ECDSA256SignerVerifier) Public() crypto.PublicKey {
return s.Signer.Public()
}
func (s *ECDSA256SignerVerifier) Sign(_ context.Context, data []byte) ([]byte, error) {
return s.Signer.Sign(rand.Reader, data, crypto.SHA256)
}
func (s *ECDSA256SignerVerifier) Verify(_ context.Context, data []byte, sig []byte) error {
pub, ok := s.Signer.Public().(*ecdsa.PublicKey)
if !ok {
return fmt.Errorf("public key is not ecdsa")
}
ok = ecdsa.VerifyASN1(pub, util.SHA256(data), sig)
if !ok {
return fmt.Errorf("payload signature is not valid")
}
return nil
}
func LoadKeyPair(priv []byte) (dsse.SignerVerifier, error) { func LoadKeyPair(priv []byte) (dsse.SignerVerifier, error) {
privateKey, err := parsePriv(priv) privateKey, err := parsePriv(priv)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &ECDSA256SignerVerifier{ return NewECDSASignerVerifier(privateKey)
Signer: privateKey,
}, nil
} }
func parsePriv(privkeyBytes []byte) (*ecdsa.PrivateKey, error) { func parsePriv(privkeyBytes []byte) (*ecdsa.PrivateKey, error) {
@@ -78,7 +43,26 @@ func GenKeyPair() (dsse.SignerVerifier, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &ECDSA256SignerVerifier{ return NewECDSASignerVerifier(signer)
Signer: signer, }
}, nil
// ensure it implements crypto.Signer.
var _ crypto.Signer = (*cryptoSignerWrapper)(nil)
type cryptoSignerWrapper struct {
sv dsse.SignerVerifier
}
// Public implements crypto.Signer.
func (c *cryptoSignerWrapper) Public() crypto.PublicKey {
return c.sv.Public()
}
// Sign implements crypto.Signer.
func (c *cryptoSignerWrapper) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) (signature []byte, err error) {
return c.sv.Sign(context.Background(), digest)
}
func AsCryptoSigner(signer dsse.SignerVerifier) (crypto.Signer, error) {
return &cryptoSignerWrapper{sv: signer}, nil
} }
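Review bot: `cryptoSignerWrapper.Sign` discards both `rand` and `opts`, so a caller requesting a hash other than the one the wrapped `dsse.SignerVerifier` uses gets a signature over a different digest than it asked for, with no error; the `crypto.Signer` contract expects `opts` to be honoured or rejected. Document that `digest` is forwarded verbatim and reject what is not supported, e.g. `// Sign forwards digest unchanged to the wrapped SignerVerifier; opts.HashFunc() is not applied — TODO reject any hash the SignerVerifier does not use.` `AsCryptoSigner` returns an error that is always nil; give it a reason to exist with `if signer == nil { return nil, fmt.Errorf("signer is nil") }`. The `context.Background()` inside `Sign` also means a KMS-backed signer can neither be cancelled nor time out, which is worth a comment at least.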

80
signerverifier/ecdsa.go Normal file

@@ -0,0 +1,80 @@
package signerverifier
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/rand"
"fmt"
"github.com/docker/attest/internal/util"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
)
type ecdsaVerifier struct {
publicKey *ecdsa.PublicKey
keyID string
}
// ensure ECDSAVerifier implements dsse.Verifier.
var _ dsse.Verifier = (*ecdsaVerifier)(nil)
func NewECDSAVerifier(publicKey crypto.PublicKey) (dsse.Verifier, error) {
ecdsaPublicKey, ok := (publicKey).(*ecdsa.PublicKey)
if !ok {
return nil, fmt.Errorf("public key is not an ECDSA public key")
}
return &ecdsaVerifier{
publicKey: ecdsaPublicKey,
}, nil
}
func (v *ecdsaVerifier) Verify(_ context.Context, data, signature []byte) error {
// verify payload ecdsa signature
ok := ecdsa.VerifyASN1(v.publicKey, util.SHA256(data), signature)
if !ok {
return fmt.Errorf("payload signature is not valid")
}
return nil
}
func (v *ecdsaVerifier) Public() crypto.PublicKey {
return v.publicKey
}
func (v *ecdsaVerifier) KeyID() (string, error) {
if v.keyID != "" {
return v.keyID, nil
}
keyID, err := KeyID(v.publicKey)
if err != nil {
return "", fmt.Errorf("failed to get key ID: %w", err)
}
v.keyID = keyID
return v.keyID, nil
}
// must implement dsse.SignerVerifier interface.
var _ dsse.SignerVerifier = (*ecdsa256SignerVerifier)(nil)
type ecdsa256SignerVerifier struct {
signer crypto.Signer
dsse.Verifier
}
func NewECDSASignerVerifier(signer crypto.Signer) (dsse.SignerVerifier, error) {
verifier, err := NewECDSAVerifier(signer.Public())
if err != nil {
return nil, fmt.Errorf("failed to create verifier: %w", err)
}
sv := &ecdsa256SignerVerifier{
signer: signer,
Verifier: verifier,
}
return sv, nil
}
func (s *ecdsa256SignerVerifier) Sign(_ context.Context, data []byte) ([]byte, error) {
return s.signer.Sign(rand.Reader, data, crypto.SHA256)
}
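Review bot: `NewECDSAVerifier` accepts any `*ecdsa.PublicKey`, but the type is named `ecdsa256SignerVerifier` and both `Sign` and `Verify` hard-code SHA-256, so a P-384 or P-521 key is accepted and then used with a mismatched hash; add a curve check such as `if ecdsaPublicKey.Curve != elliptic.P256() { return nil, fmt.Errorf("expected a P-256 key, got %s", ecdsaPublicKey.Params().Name) }` (needs `crypto/elliptic`). Separately, `Sign` forwards `data` unchanged as the digest to the underlying `crypto.Signer`, while `Verify` hashes `data` itself before `VerifyASN1`; the pair only agree if every caller pre-hashes before `Sign`, which should be stated on the method: `// Sign expects data to already be the SHA-256 digest of the message; Verify takes the raw message.` `NewECDSASignerVerifier` also calls `signer.Public()` without a nil check.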


@@ -21,8 +21,5 @@ func GetGCPSigner(ctx context.Context, reference string, opts ...option.ClientOp
if err != nil { if err != nil {
return nil, fmt.Errorf("error getting gcp crypto signer: %w", err) return nil, fmt.Errorf("error getting gcp crypto signer: %w", err)
} }
signer := &ECDSA256SignerVerifier{ return NewECDSASignerVerifier(cs)
Signer: cs,
}
return signer, nil
} }


@@ -40,6 +40,14 @@ func TestGCPKMS_Signer(t *testing.T) {
publicKey, err := ParsePublicKey([]byte(publicKeyPEM)) publicKey, err := ParsePublicKey([]byte(publicKeyPEM))
require.NoError(t, err) require.NoError(t, err)
// verify payload ecdsa signature // verify payload ecdsa signature
ok := ecdsa.VerifyASN1(publicKey, hash, sig)
ecdsaPublicKey, ok := publicKey.(*ecdsa.PublicKey)
if !ok {
t.Fatal("Failed to convert publicKey to *ecdsa.PublicKey")
}
ok = ecdsa.VerifyASN1(ecdsaPublicKey, hash, sig)
assert.True(t, ok) assert.True(t, ok)
err = signer.Verify(ctx, msg, sig)
require.NoError(t, err)
} }


@@ -1,6 +1,7 @@
package signerverifier package signerverifier
import ( import (
"crypto"
"crypto/ecdsa" "crypto/ecdsa"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
@@ -9,7 +10,7 @@ import (
const pemType = "PUBLIC KEY" const pemType = "PUBLIC KEY"
func ParsePublicKey(pubkeyBytes []byte) (*ecdsa.PublicKey, error) { func ParsePublicKey(pubkeyBytes []byte) (crypto.PublicKey, error) {
p, _ := pem.Decode(pubkeyBytes) p, _ := pem.Decode(pubkeyBytes)
if p == nil { if p == nil {
return nil, fmt.Errorf("pubkey file does not contain any PEM data") return nil, fmt.Errorf("pubkey file does not contain any PEM data")
@@ -17,12 +18,15 @@ func ParsePublicKey(pubkeyBytes []byte) (*ecdsa.PublicKey, error) {
if p.Type != pemType { if p.Type != pemType {
return nil, fmt.Errorf("pubkey file does not contain a public key") return nil, fmt.Errorf("pubkey file does not contain a public key")
} }
pubKey, err := x509.ParsePKIXPublicKey(p.Bytes) return x509.ParsePKIXPublicKey(p.Bytes)
if err != nil { }
return nil, fmt.Errorf("error failed to parse public key: %w", err)
}
ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey) func ParseECDSAPublicKey(pubkeyBytes []byte) (*ecdsa.PublicKey, error) {
pk, err := ParsePublicKey(pubkeyBytes)
if err != nil {
return nil, err
}
ecdsaPubKey, ok := pk.(*ecdsa.PublicKey)
if !ok { if !ok {
return nil, fmt.Errorf("error public key is not an ecdsa key: %w", err) return nil, fmt.Errorf("error public key is not an ecdsa key: %w", err)
} }
@@ -34,6 +38,5 @@ func ConvertToPEM(ecdsaPubKey *ecdsa.PublicKey) ([]byte, error) {
if err != nil { if err != nil {
return nil, fmt.Errorf("error failed to marshal public key: %w", err) return nil, fmt.Errorf("error failed to marshal public key: %w", err)
} }
return pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: pubKeyBytes}), nil return pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: pubKeyBytes}), nil
} }
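Review bot: In `ParseECDSAPublicKey` the `%w` on the "not an ecdsa key" return wraps `err`, which is guaranteed nil at that point, so the message ends in `%!w(<nil>)` and the caller learns nothing about the key it actually got; use `return nil, fmt.Errorf("public key is not an ecdsa key: got %T", pk)`. `ParsePublicKey` now also returns the `x509.ParsePKIXPublicKey` error bare, dropping the "failed to parse public key" context the old code added, so a `%w` wrap there keeps the call site identifiable. `ParseECDSAPublicKey` ends after this hunk.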


@@ -0,0 +1 @@
{"architecture":"unknown","os":"unknown","config":{},"rootfs":{"type":"layers","diff_ids":["sha256:e2c3b7df754e062b0c6b17c5262ea237fc86d68432e86e68724c57f04be3d064"]}}


@@ -0,0 +1,19 @@
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:5049b0fd8de6fc8937065a0b26214e5a1e620e98488de6bac72c0284b1a5242f",
"size": 167
},
"layers": [
{
"mediaType": "application/vnd.in-toto+json",
"digest": "sha256:e2c3b7df754e062b0c6b17c5262ea237fc86d68432e86e68724c57f04be3d064",
"size": 917,
"annotations": {
"in-toto.io/predicate-type": "https://spdx.dev/Document"
}
}
]
}


@@ -0,0 +1,28 @@
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:e44a73ec811b0442dfcdd13a0eb035746d0569662684dafe2f3e8abe644871ec",
"size": 288,
"platform": {
"architecture": "arm64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:a051db630f91aae4fc649b455724f2c5c60ae0c508e87d88937e862524f488b5",
"size": 558,
"annotations": {
"vnd.docker.reference.digest": "sha256:e44a73ec811b0442dfcdd13a0eb035746d0569662684dafe2f3e8abe644871ec",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform": {
"architecture": "unknown",
"os": "unknown"
}
}
]
}


@@ -0,0 +1 @@
{"architecture":"arm64","config":{"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"WorkingDir":"/","ArgsEscaped":true},"created":null,"history":[{"created_by":"CMD []","comment":"buildkit.dockerfile.v0","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":null}}


@@ -0,0 +1 @@
{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","subject":[{"name":"pkg:docker/test@latest?platform=linux%2Farm64","digest":{"sha256":"e44a73ec811b0442dfcdd13a0eb035746d0569662684dafe2f3e8abe644871ec"}}],"predicate":{"SPDXID":"SPDXRef-DOCUMENT","creationInfo":{"created":"2024-09-19T20:28:48Z","creators":["Organization: Anchore, Inc","Tool: syft-v0.105.0"],"licenseListVersion":"3.23"},"dataLicense":"CC0-1.0","documentNamespace":"https://anchore.com/syft/dir/sbom-4d662591-02b0-4448-8cdc-c8b539bbe1a0","name":"sbom","packages":[{"SPDXID":"SPDXRef-DocumentRoot-Directory-sbom","downloadLocation":"NOASSERTION","filesAnalyzed":false,"name":"sbom","primaryPackagePurpose":"FILE","supplier":"NOASSERTION"}],"relationships":[{"relatedSpdxElement":"SPDXRef-DocumentRoot-Directory-sbom","relationshipType":"DESCRIBES","spdxElementId":"SPDXRef-DOCUMENT"}],"spdxVersion":"SPDX-2.3"}}


@@ -0,0 +1,10 @@
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:cbeaa84fb2fdfc8fd5e437555e94a323ac8acc69e68278d127cb4adf595f9d46",
"size": 308
},
"layers": null
}


@@ -0,0 +1,15 @@
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.index.v1+json",
"digest": "sha256:bba371330d0124ce45f669c5d73092a3f2078ed1491e2bc52189a82e279074a1",
"size": 855,
"annotations": {
"io.containerd.image.name": "docker.io/library/test-image:test",
"org.opencontainers.image.ref.name": "test"
}
}
]
}


@@ -0,0 +1 @@
{"imageLayoutVersion":"1.0.0"}


@@ -23,7 +23,7 @@ atts := union({
provs("https://spdx.dev/Document"), provs("https://spdx.dev/Document"),
}) })
opts := {"keys": keys} opts := {"keys": keys, "skip_tl": true}
statements contains s if { statements contains s if {
some att in atts some att in atts


@@ -23,7 +23,7 @@ atts := union({
provs("https://spdx.dev/Document"), provs("https://spdx.dev/Document"),
}) })
opts := {"keys": keys} opts := {"keys": keys, "skip_tl": true}
statements contains s if { statements contains s if {
some att in atts some att in atts


@@ -22,7 +22,7 @@ atts := union({
provs("https://spdx.dev/Document"), provs("https://spdx.dev/Document"),
}) })
opts := {"keys": keys} opts := {"keys": keys, "skip_tl": false}
statements contains s if { statements contains s if {
some att in atts some att in atts


@@ -0,0 +1 @@
{"architecture":"unknown","os":"unknown","config":{},"rootfs":{"type":"layers","diff_ids":["sha256:e2c3b7df754e062b0c6b17c5262ea237fc86d68432e86e68724c57f04be3d064"]}}


@@ -0,0 +1,19 @@
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:5049b0fd8de6fc8937065a0b26214e5a1e620e98488de6bac72c0284b1a5242f",
"size": 167
},
"layers": [
{
"mediaType": "application/vnd.in-toto+json",
"digest": "sha256:e2c3b7df754e062b0c6b17c5262ea237fc86d68432e86e68724c57f04be3d064",
"size": 917,
"annotations": {
"in-toto.io/predicate-type": "https://spdx.dev/Document"
}
}
]
}


@@ -0,0 +1,28 @@
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:e44a73ec811b0442dfcdd13a0eb035746d0569662684dafe2f3e8abe644871ec",
"size": 288,
"platform": {
"architecture": "arm64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:a051db630f91aae4fc649b455724f2c5c60ae0c508e87d88937e862524f488b5",
"size": 558,
"annotations": {
"vnd.docker.reference.digest": "sha256:e44a73ec811b0442dfcdd13a0eb035746d0569662684dafe2f3e8abe644871ec",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform": {
"architecture": "unknown",
"os": "unknown"
}
}
]
}


@@ -0,0 +1 @@
{"architecture":"arm64","config":{"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"WorkingDir":"/","ArgsEscaped":true},"created":null,"history":[{"created_by":"CMD []","comment":"buildkit.dockerfile.v0","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":null}}


@@ -0,0 +1 @@
{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","subject":[{"name":"pkg:docker/test@latest?platform=linux%2Farm64","digest":{"sha256":"e44a73ec811b0442dfcdd13a0eb035746d0569662684dafe2f3e8abe644871ec"}}],"predicate":{"SPDXID":"SPDXRef-DOCUMENT","creationInfo":{"created":"2024-09-19T20:28:48Z","creators":["Organization: Anchore, Inc","Tool: syft-v0.105.0"],"licenseListVersion":"3.23"},"dataLicense":"CC0-1.0","documentNamespace":"https://anchore.com/syft/dir/sbom-4d662591-02b0-4448-8cdc-c8b539bbe1a0","name":"sbom","packages":[{"SPDXID":"SPDXRef-DocumentRoot-Directory-sbom","downloadLocation":"NOASSERTION","filesAnalyzed":false,"name":"sbom","primaryPackagePurpose":"FILE","supplier":"NOASSERTION"}],"relationships":[{"relatedSpdxElement":"SPDXRef-DocumentRoot-Directory-sbom","relationshipType":"DESCRIBES","spdxElementId":"SPDXRef-DOCUMENT"}],"spdxVersion":"SPDX-2.3"}}


@@ -0,0 +1,10 @@
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:cbeaa84fb2fdfc8fd5e437555e94a323ac8acc69e68278d127cb4adf595f9d46",
"size": 308
},
"layers": null
}


@@ -0,0 +1,14 @@
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.index.v1+json",
"digest": "sha256:bba371330d0124ce45f669c5d73092a3f2078ed1491e2bc52189a82e279074a1",
"size": 855,
"annotations": {
"org.opencontainers.image.ref.name": "test"
}
}
]
}


@@ -0,0 +1 @@
{"imageLayoutVersion":"1.0.0"}


@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr
kBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==
-----END PUBLIC KEY-----


@@ -2,6 +2,7 @@ package tlog
import ( import (
"context" "context"
"encoding/json"
"fmt" "fmt"
"time" "time"
@@ -15,36 +16,48 @@ const (
TestEntry = `{"body":"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","integratedTime":1703705039,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d","logIndex":59674396,"verification":{"inclusionProof":{"checkpoint":"rekor.sigstore.dev - 2605736670972794746\n55510966\nJCi1O53Xmdi9lXnui4Q5SQ+MJSMnWr1Bxn+Q2Qf22tU=\nTimestamp: 1703705040158839214\n\n— rekor.sigstore.dev wNI9ajBFAiAXgtjFDVqCSgiSP04TQzELrz4+EyBwyYVL2EEULTCy0AIhAI9peLU76ZUD1tvU8qvzBJBo77IYD1rc+A1MPc35AeVK\n","hashes":["fb77ee213b48f4b18dc81c6e634c570abf99b257713561f174f2e0f4c039af67","6cb113bbefadecbbb8b89b1c08232438a6125071790b6a062cff8c1ccfdcb91e","6fbe1424e264e4590ca502d671b7a036c87f7a90d1f57534b98eb781144160bf","077b606720a6478200f6c3ed08a68e9b01b1cae192cb120888ddcc95521601bd","b6f8e8bc21ae0cde82b92422a4b4f37b28a43185821e468a4e65b6c79ed8f5b7","89332533fac54e9bc68c7353c42f6ebb9fe38039f67910332ff95082072068d4","0814d6f707a75fb3334bab14ab5466bd8b9a64ae7be7cd4d53a428c64932bc66","e883e826f10329c63a4a2ed21156037a050df43b9d74079296beac6968ed4150","d79230703257b7e4a8a61b032b6980d1a0bdbc7ae96ca838b525b3751785fe48","2f4a77e5288462cd3b75084d37f1502dcbe0943d18dd95cb247fc1ebbabc0aad","38562c253d3536d0d00e3547c880b6b0251a25ac69605b50c9eaa1a27186cc7a","9dea192350ff8b3c0f5ccda38261cb38ebd61869281c3928912332d1144e0a04","2c4d25ba59aa573ab2c79c2d3cd9e1d74789b10632432724d63112ce50b44874","98c486feb5d87092a78a46c4b5be04868654900affc2e86ffb20074dc73a883a","6969c49bd73f19bf28a5eaeabd331ddd60502defb2cd3d96e17b741c80adec6c"],"logIndex":55510965,"rootHash":"2428b53b9dd799d8bd9579ee8b8439490f8c2523275abd41c67f90d907f6dad5","treeSize":55510966},"signedEntryTimestamp":"MEUCIQCG9PRI8PcvtJyE9pbcculZipze6NEWR1Nk8EYocto3BwIgYu5gqgjW80HMjSjUxUNJLp0wlVTesnJCeByUBySc59w="}}` TestEntry = 
`{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI5Zjg2ZDA4MTg4NGM3ZDY1OWEyZmVhYTBjNTVhZDAxNWEzYmY0ZjFiMmIwYjgyMmNkMTVkNmMxNWIwZjAwYTA4In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQUlyVUZGUzBIYmNzZjc5L08yajVXdHl2R2Vvd1NVSXpZcDlBM2IwWnREVUFpQVQxZU42ZjFyVmVWa011REFlN3dxWkJ2bE5LY2VsajNVVDNmaWhyQjZSY2c9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVSlZla05DSzJGQlJFRm5SVU5CWjBWQ1RVRnZSME5EY1VkVFRUUTVRa0ZOUTAxQk9IaEVWRUZNUW1kT1ZrSkJUVlJDU0ZKc1l6TlJkMGhvWTA0S1RXcE5lRTFxU1ROTlZHdDVUWHBWTlZkb1kwNU5hbEY0VFdwSk1rMVVhM2xOZWxVMVYycEJVRTFSTUhkRGQxbEVWbEZSUkVWM1VqQmFXRTR3VFVacmR3cEZkMWxJUzI5YVNYcHFNRU5CVVZsSlMyOWFTWHBxTUVSQlVXTkVVV2RCUlVRMFZpdFNSV2g0SzJGeFYwZzNlV3hOVFVSSVlXaE9UVzVOVEZOUFNsQXZDamxyUVcwNWJIQXJNMjF4V1ZSQmFGVlNjbUUyVDBRMVVYZzRXbUprSzJWMVVIbFFhemw1SzNjdloxZEhSRUk1ZW00dlNXd3hTMDVIVFVWUmQwUm5XVVFLVmxJd1VFRlJTQzlDUVZGRVFXZGxRVTFDVFVkQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOUVhkSFFURlZaRVYzUlVJdmQxRkRUVUZCZHdwRWQxbEVWbEl3VWtKQlozZENiMGxGWkVkV2VtUkVRVXRDWjJkeGFHdHFUMUJSVVVSQlowNUtRVVJDUjBGcFJVRTNOMjFFTDFSbVJtRlJVemxrWlhRMENqbFhaRk41YURKT1VTOUZiMVJtYVVGdFFtaHVWblpEVTNSUVowTkpVVU1yZDNSdllpOU9iMUp4T0c5cU4wZDNibTVKYUZKVGRDOVJNbmtyVXpoUkwzSUthRkpVYW5GaE9HZExRVDA5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=","integratedTime":1703705039,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d","logIndex":59674396,"verification":{"inclusionProof":{"checkpoint":"rekor.sigstore.dev - 2605736670972794746\n55510966\nJCi1O53Xmdi9lXnui4Q5SQ+MJSMnWr1Bxn+Q2Qf22tU=\nTimestamp: 1703705040158839214\n\n— rekor.sigstore.dev 
wNI9ajBFAiAXgtjFDVqCSgiSP04TQzELrz4+EyBwyYVL2EEULTCy0AIhAI9peLU76ZUD1tvU8qvzBJBo77IYD1rc+A1MPc35AeVK\n","hashes":["fb77ee213b48f4b18dc81c6e634c570abf99b257713561f174f2e0f4c039af67","6cb113bbefadecbbb8b89b1c08232438a6125071790b6a062cff8c1ccfdcb91e","6fbe1424e264e4590ca502d671b7a036c87f7a90d1f57534b98eb781144160bf","077b606720a6478200f6c3ed08a68e9b01b1cae192cb120888ddcc95521601bd","b6f8e8bc21ae0cde82b92422a4b4f37b28a43185821e468a4e65b6c79ed8f5b7","89332533fac54e9bc68c7353c42f6ebb9fe38039f67910332ff95082072068d4","0814d6f707a75fb3334bab14ab5466bd8b9a64ae7be7cd4d53a428c64932bc66","e883e826f10329c63a4a2ed21156037a050df43b9d74079296beac6968ed4150","d79230703257b7e4a8a61b032b6980d1a0bdbc7ae96ca838b525b3751785fe48","2f4a77e5288462cd3b75084d37f1502dcbe0943d18dd95cb247fc1ebbabc0aad","38562c253d3536d0d00e3547c880b6b0251a25ac69605b50c9eaa1a27186cc7a","9dea192350ff8b3c0f5ccda38261cb38ebd61869281c3928912332d1144e0a04","2c4d25ba59aa573ab2c79c2d3cd9e1d74789b10632432724d63112ce50b44874","98c486feb5d87092a78a46c4b5be04868654900affc2e86ffb20074dc73a883a","6969c49bd73f19bf28a5eaeabd331ddd60502defb2cd3d96e17b741c80adec6c"],"logIndex":55510965,"rootHash":"2428b53b9dd799d8bd9579ee8b8439490f8c2523275abd41c67f90d907f6dad5","treeSize":55510966},"signedEntryTimestamp":"MEUCIQCG9PRI8PcvtJyE9pbcculZipze6NEWR1Nk8EYocto3BwIgYu5gqgjW80HMjSjUxUNJLp0wlVTesnJCeByUBySc59w="}}`
) )
func GetMockTL() TL { func GetMockTL() TransparencyLog {
unmarshalEntry := func(entry []byte) (*models.LogEntryAnon, error) { return &MockTransparencyLog{
le := new(models.LogEntryAnon) UploadLogEntryFunc: func(_ context.Context, _ string, _ []byte, _ []byte, _ dsse.SignerVerifier) (*DockerTLExtension, error) {
err := le.UnmarshalBinary(entry) return &DockerTLExtension{
if err != nil { Kind: "Mock",
return nil, fmt.Errorf("error failed to unmarshal TL entry: %w", err) Data: json.RawMessage(TestEntry),
} }, nil
return le, nil
}
return &MockTL{
UploadLogEntryFunc: func(_ context.Context, _ string, _ []byte, _ []byte, _ dsse.SignerVerifier) ([]byte, error) {
return []byte(TestEntry), nil
}, },
VerifyLogEntryFunc: func(_ context.Context, entryBytes []byte) (time.Time, error) { VerifyLogEntryFunc: func(_ context.Context, ext *DockerTLExtension, _, _ []byte) (time.Time, error) {
// return the integrated time in the log entry without any checking // return the integrated time in the log entry without any checking
le, err := unmarshalEntry(entryBytes) entry := new(models.LogEntryAnon)
entryBytes, err := json.Marshal(ext.Data)
if err != nil { if err != nil {
return time.Time{}, err return time.Time{}, fmt.Errorf("error failed to marshal TL entry: %w", err)
} }
if le.IntegratedTime == nil { err = entry.UnmarshalBinary(entryBytes)
if err != nil {
return time.Time{}, fmt.Errorf("error failed to unmarshal TL entry: %w", err)
}
if entry.IntegratedTime == nil {
return time.Time{}, fmt.Errorf("error missing integrated time in TL entry") return time.Time{}, fmt.Errorf("error missing integrated time in TL entry")
} }
return time.Unix(*le.IntegratedTime, 0), nil return time.Unix(*entry.IntegratedTime, 0), nil
},
VerifyEntryPayloadFunc: func(_, _, _ []byte) error {
return nil
},
UnmarshalEntryFunc: func(entry []byte) (any, error) {
return unmarshalEntry(entry)
}, },
} }
} }
type MockTransparencyLog struct {
UploadLogEntryFunc func(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) (*DockerTLExtension, error)
VerifyLogEntryFunc func(ctx context.Context, ext *DockerTLExtension, payload, publicKey []byte) (time.Time, error)
}
func (tl *MockTransparencyLog) UploadEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) (*DockerTLExtension, error) {
if tl.UploadLogEntryFunc != nil {
return tl.UploadLogEntryFunc(ctx, subject, payload, signature, signer)
}
return nil, nil
}
func (tl *MockTransparencyLog) VerifyEntry(ctx context.Context, ext *DockerTLExtension, payload, publicKey []byte) (time.Time, error) {
if tl.VerifyLogEntryFunc != nil {
return tl.VerifyLogEntryFunc(ctx, ext, payload, publicKey)
}
return time.Time{}, nil
}

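--- /dev/null
+++ b/tlog/rekor.go
@@ -0,0 +1,229 @@
+package tlog
+import (
+"bytes"
+"context"
+"crypto/sha256"
+"crypto/x509"
+"encoding/base64"
+"encoding/json"
+"encoding/pem"
+"fmt"
+"path/filepath"
+"strings"
+"time"
+"github.com/docker/attest/internal/util"
+"github.com/docker/attest/signerverifier"
+"github.com/docker/attest/tuf"
+"github.com/docker/attest/useragent"
+"github.com/go-openapi/runtime"
+"github.com/go-openapi/strfmt"
+"github.com/secure-systems-lab/go-securesystemslib/dsse"
+"github.com/sigstore/cosign/v2/pkg/cosign"
+rclient "github.com/sigstore/rekor/pkg/client"
+"github.com/sigstore/rekor/pkg/generated/models"
+"github.com/sigstore/rekor/pkg/types"
+hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
+stuf "github.com/sigstore/sigstore/pkg/tuf"
+_ "embed"
+)
+const RekorTLExtKind = "Rekor"
+// ensure it has all the necessary methods.
+var _ TransparencyLog = (*Rekor)(nil)
+const defaultPublicKeysDir = "rekor"
+type Rekor struct {
+publicKeys *cosign.TrustedTransparencyLogPubKeys
+tufDownloader tuf.Downloader
+publicKeysDir string
+}
+//go:embed keys/c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d.pem
+var rekorPublicKey []byte
+func WithTUFDownloader(tufDownloader tuf.Downloader) func(*Rekor) {
+return func(r *Rekor) {
+r.tufDownloader = tufDownloader
+}
+}
+func WithTUFPublicKeysDir(dir string) func(*Rekor) {
+return func(r *Rekor) {
+r.publicKeysDir = dir
+}
+}
+func NewRekorLog(options ...func(*Rekor)) (*Rekor, error) {
+pk, err := signerverifier.ParsePublicKey(rekorPublicKey)
+if err != nil {
+return nil, fmt.Errorf("error parsing rekor public key: %w", err)
+}
+kid, err := signerverifier.KeyID(pk)
+if err != nil {
+return nil, fmt.Errorf("error getting keyid: %w", err)
+}
+keys := map[string]cosign.TransparencyLogPubKey{
+kid: {
+PubKey: pk,
+Status: stuf.Active,
+},
+}
+rekor := &Rekor{
+publicKeys: &cosign.TrustedTransparencyLogPubKeys{
+Keys: keys,
+},
+publicKeysDir: defaultPublicKeysDir,
+}
+for _, opt := range options {
+opt(rekor)
+}
+return rekor, nil
+}
+// UploadEntry submits a PK token signature to the transparency log.
+func (tl *Rekor) UploadEntry(ctx context.Context, subject string, encPayload, signature []byte, signer dsse.SignerVerifier) (*DockerTLExtension, error) {
+// generate self-signed x509 cert
+pubCert, err := CreateX509Cert(subject, signer)
+if err != nil {
+return nil, fmt.Errorf("Error creating x509 cert: %w", err)
+}
+// generate hash of payload
+hasher := sha256.New()
+hasher.Write(encPayload)
+// upload entry
+rekorClient, err := rclient.GetRekorClient(DefaultRekorURL, rclient.WithUserAgent(useragent.Get(ctx)))
+if err != nil {
+return nil, fmt.Errorf("Error creating rekor client: %w", err)
+}
+entry, err := cosign.TLogUpload(ctx, rekorClient, signature, hasher, pubCert)
+if err != nil {
+return nil, fmt.Errorf("Error uploading tlog: %w", err)
+}
+return &DockerTLExtension{
+Kind: RekorTLExtKind,
+Data: entry, // transparency log entry metadata
+}, nil
+}
+// VerifyEntry verifies a transparency log entry.
+func (tl *Rekor) VerifyEntry(ctx context.Context, ext *DockerTLExtension, encPayload, publicKey []byte) (time.Time, error) {
+zeroTime := time.Time{}
+// because the Data field has been unmarsalled into a map[string]interface{} we need to marshal it back to bytes
+// for the unmarshaler to work correctly
+entryBytes, err := json.Marshal(ext.Data)
+if err != nil {
+return time.Time{}, fmt.Errorf("error failed to marshal TL entry: %w", err)
+}
+entry, err := tl.UnmarshalEntry(entryBytes)
+if err != nil {
+return zeroTime, fmt.Errorf("error unmarshaling TL entry: %w", err)
+}
+err = entry.Validate(strfmt.Default)
+if err != nil {
+return zeroTime, fmt.Errorf("TL entry failed validation: %w", err)
+}
+// check if tl.publicKeys containers le.LogId
+_, ok := tl.publicKeys.Keys[*entry.LogID]
+if !ok {
+// otherwise check TUF
+pkTarget, err := tl.tufDownloader.DownloadTarget(filepath.Join(tl.publicKeysDir, fmt.Sprintf("%s.pem", *entry.LogID)), "")
+if err != nil {
+return zeroTime, fmt.Errorf("error downloading rekor public key %s: %w", *entry.LogID, err)
+}
+pk, err := signerverifier.ParsePublicKey(pkTarget.Data)
+if err != nil {
+return zeroTime, fmt.Errorf("error parsing public key: %w", err)
+}
+tl.publicKeys.Keys[*entry.LogID] = cosign.TransparencyLogPubKey{
+PubKey: pk,
+Status: stuf.Active,
+}
+}
+err = cosign.VerifyTLogEntryOffline(ctx, entry, tl.publicKeys)
+if err != nil {
+return zeroTime, fmt.Errorf("TL entry failed verification: %w", err)
+}
+integratedTime := time.Unix(*entry.IntegratedTime, 0)
+err = tl.VerifyEntryPayload(entry, encPayload, publicKey)
+if err != nil {
+return zeroTime, fmt.Errorf("error verifying TL entry payload: %w", err)
+}
+return integratedTime, nil
+}
+// VerifyEntryPayload checks that the TL entry payload matches envelope payload.
+func (tl *Rekor) VerifyEntryPayload(entry *models.LogEntryAnon, payload, publicKey []byte) error {
+tlBody, ok := entry.Body.(string)
+if !ok {
+return fmt.Errorf("expected tl body to be of type string, got %T", entry)
+}
+rekord, err := extractHashedRekord(tlBody)
+if err != nil {
+return fmt.Errorf("error extract HashedRekord from TL entry: %w", err)
+}
+// compare payload hashes
+payloadHash := util.SHA256Hex(payload)
+if rekord.Hash != payloadHash {
+return fmt.Errorf("error payload and tl entry hash mismatch")
+}
+// compare public keys
+cert, err := base64.StdEncoding.Strict().DecodeString(rekord.PublicKey)
+if err != nil {
+return fmt.Errorf("failed to decode public key: %w", err)
+}
+p, _ := pem.Decode(cert)
+result, err := x509.ParseCertificate(p.Bytes)
+if err != nil {
+return fmt.Errorf("failed to parse certificate: %w", err)
+}
+if !bytes.Equal(result.RawSubjectPublicKeyInfo, publicKey) {
+return fmt.Errorf("error payload and tl entry public key mismatch")
+}
+return nil
+}
+func (tl *Rekor) UnmarshalEntry(entry []byte) (*models.LogEntryAnon, error) {
+le := new(models.LogEntryAnon)
+err := le.UnmarshalBinary(entry)
+if err != nil {
+return nil, fmt.Errorf("error failed to unmarshal Rekor entry: %w", err)
+}
+return le, nil
+}
+func extractHashedRekord(body string) (*Payload, error) {
+sig := new(Payload)
+pe, err := models.UnmarshalProposedEntry(base64.NewDecoder(base64.StdEncoding, strings.NewReader(body)), runtime.JSONConsumer())
+if err != nil {
+return nil, err
+}
+impl, err := types.UnmarshalEntry(pe)
+if err != nil {
+return nil, err
+}
+switch entry := impl.(type) {
+case *hashedrekord_v001.V001Entry:
+sig.Algorithm = *entry.HashedRekordObj.Data.Hash.Algorithm
+sig.Hash = *entry.HashedRekordObj.Data.Hash.Value
+sig.Signature = entry.HashedRekordObj.Signature.Content.String()
+sig.PublicKey = entry.HashedRekordObj.Signature.PublicKey.Content.String()
+return sig, nil
+default:
+return nil, fmt.Errorf("failed to extract haskedrekord, unsupported type: %T", entry)
+}
+}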
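Review bot: `VerifyEntryPayload` dereferences the result of `pem.Decode(cert)` without checking it (`p, _ := pem.Decode(cert)` followed by `x509.ParseCertificate(p.Bytes)`), so a log entry whose hashedrekord public key is valid base64 but not a PEM block makes the verifier panic on a nil pointer instead of returning an error; because `ext.Data` travels with the attestation being verified, that input is attacker-controlled at verification time. Replace it with `p, _ := pem.Decode(cert)` / `if p == nil { return fmt.Errorf("tl entry public key is not PEM encoded") }` before the parse. For the same fail-closed reason, `VerifyEntry` should not call through a nil `tl.tufDownloader` when the entry names a log ID that is not the embedded key (`NewRekorLog()` without `WithTUFDownloader` leaves it nil): add `if tl.tufDownloader == nil { return zeroTime, fmt.Errorf("unknown rekor log ID %s and no TUF downloader configured", *entry.LogID) }` ahead of the `DownloadTarget` call. The lookup path also relies on `entry.Validate` having constrained `LogID` to a hex digest before it is joined into a file name — worth a comment, since otherwise the untrusted ID would reach `filepath.Join`. Note too that the cache write `tl.publicKeys.Keys[*entry.LogID] = …` is an unguarded map mutation, so a `*Rekor` shared across concurrent verifications would race.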

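--- /dev/null
+++ b/tlog/rekor_test.go
@@ -0,0 +1,74 @@
+//go:build e2e
+package tlog
+import (
+"context"
+"crypto/x509"
+_ "embed"
+"testing"
+"time"
+"github.com/docker/attest/internal/test"
+"github.com/docker/attest/internal/util"
+"github.com/docker/attest/signerverifier"
+"github.com/docker/attest/tuf"
+"github.com/stretchr/testify/assert"
+"github.com/stretchr/testify/require"
+)
+// NOTE: these are only run on CI to protect Rekor, but work just fine locally.
+func TestRekor(t *testing.T) {
+// message digest
+payload := []byte("test")
+hash := util.SHA256(payload)
+// generate ephemeral keys to sign message digest
+signer, err := signerverifier.GenKeyPair()
+assert.NoError(t, err)
+sig, err := signer.Sign(context.Background(), hash)
+assert.NoError(t, err)
+opts := tuf.NewDockerDefaultClientOptions(t.TempDir())
+// use testing prefix in prod TUF
+opts.PathPrefix = "testing"
+real, err := tuf.NewClient(context.Background(), opts)
+require.NoError(t, err)
+tests := []struct {
+name string
+tufDownloader tuf.Downloader
+pubKeysDir string
+}{
+{name: "TestRekor (no tuf)"},
+{name: "TestRekor (with mock tuf)", tufDownloader: tuf.NewMockTufClient("."), pubKeysDir: "keys"},
+{name: "TestRekor (with real tuf)", tufDownloader: real},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+pk := signer.Public()
+publicKey, err := x509.MarshalPKIXPublicKey(pk)
+if tt.tufDownloader != nil {
+// set to incorrect public key to test TUF flow
+keyStr, err := test.PublicKeyToPEM(pk)
+require.NoError(t, err)
+rekorPublicKey = []byte(keyStr)
+}
+if tt.pubKeysDir == "" {
+tt.pubKeysDir = defaultPublicKeysDir
+}
+rekor, err := NewRekorLog(WithTUFDownloader(tt.tufDownloader), WithTUFPublicKeysDir(tt.pubKeysDir))
+require.NoError(t, err)
+require.NotNil(t, rekor)
+ext, err := rekor.UploadEntry(context.Background(), "test", payload, sig, signer)
+require.NoError(t, err)
+require.NotNil(t, ext)
+assert.Equal(t, RekorTLExtKind, ext.Kind)
+assert.NotEmpty(t, ext.Data)
+when, err := rekor.VerifyEntry(context.Background(), ext, payload, publicKey)
+require.NoError(t, err)
+assert.WithinDuration(t, time.Now(), when, 5*time.Second)
+})
+}
+}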
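Review bot: The error from `publicKey, err := x509.MarshalPKIXPublicKey(pk)` is never checked — the next use of `err` is the reassignment at `rekor, err := NewRekorLog(...)` — so a marshalling failure would surface only as a confusing public-key mismatch from `VerifyEntry`; add `require.NoError(t, err)` directly after that line. The TUF subtests also overwrite the package-level `rekorPublicKey` (`rekorPublicKey = []byte(keyStr)`) and never restore it, which leaks a wrong embedded key into every later subtest and any other test in the package that calls `NewRekorLog`; capture and restore it with `orig := rekorPublicKey` / `t.Cleanup(func() { rekorPublicKey = orig })` before the assignment. Since the suite writes to production Rekor (`DefaultRekorURL`), the `//go:build e2e` gate is doing real work and the NOTE above `TestRekor` should say so explicitly.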


@@ -1,162 +1,38 @@
package tlog package tlog
import ( import (
"bytes"
"context" "context"
"crypto/rand" "crypto/rand"
"crypto/sha256"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/base64"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"math/big" "math/big"
"strings"
"time" "time"
"github.com/docker/attest/internal/util"
"github.com/docker/attest/signerverifier" "github.com/docker/attest/signerverifier"
"github.com/docker/attest/useragent"
"github.com/go-openapi/runtime"
"github.com/go-openapi/strfmt"
"github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/sigstore/cosign/v2/pkg/cosign"
rclient "github.com/sigstore/rekor/pkg/client"
"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/rekor/pkg/types"
hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
) )
const ( const (
DefaultRekorURL = "https://rekor.sigstore.dev" DefaultRekorURL = "https://rekor.sigstore.dev"
) )
type tlCtxKeyType struct{} type TransparencyLog interface {
UploadEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) (*DockerTLExtension, error)
var TLCtxKey tlCtxKeyType VerifyEntry(ctx context.Context, entry *DockerTLExtension, payload, publicKey []byte) (time.Time, error)
// sets TL in context.
func WithTL(ctx context.Context, tl TL) context.Context {
return context.WithValue(ctx, TLCtxKey, tl)
} }
// gets TL from context, defaults to Rekor TL if not set. type Payload struct {
func GetTL(ctx context.Context) TL {
t, ok := ctx.Value(TLCtxKey).(TL)
if !ok {
t = &RekorTL{}
}
return t
}
type TLPayload struct {
Algorithm string Algorithm string
Hash string Hash string
Signature string Signature string
PublicKey string PublicKey string
} }
type TL interface { type DockerTLExtension struct {
UploadLogEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) ([]byte, error) Kind string `json:"kind"`
VerifyLogEntry(ctx context.Context, entryBytes []byte) (time.Time, error) Data any `json:"data"`
VerifyEntryPayload(entryBytes, payload, publicKey []byte) error
UnmarshalEntry(entryBytes []byte) (any, error)
}
type MockTL struct {
UploadLogEntryFunc func(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) ([]byte, error)
VerifyLogEntryFunc func(ctx context.Context, entryBytes []byte) (time.Time, error)
VerifyEntryPayloadFunc func(entryBytes, payload, publicKey []byte) error
UnmarshalEntryFunc func(entryBytes []byte) (any, error)
}
func (tl *MockTL) UploadLogEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) ([]byte, error) {
if tl.UploadLogEntryFunc != nil {
return tl.UploadLogEntryFunc(ctx, subject, payload, signature, signer)
}
return nil, nil
}
func (tl *MockTL) VerifyLogEntry(ctx context.Context, entryBytes []byte) (time.Time, error) {
if tl.VerifyLogEntryFunc != nil {
return tl.VerifyLogEntryFunc(ctx, entryBytes)
}
return time.Time{}, nil
}
func (tl *MockTL) VerifyEntryPayload(entryBytes, payload, publicKey []byte) error {
if tl.VerifyEntryPayloadFunc != nil {
return tl.VerifyEntryPayloadFunc(entryBytes, payload, publicKey)
}
return nil
}
func (tl *MockTL) UnmarshalEntry(entryBytes []byte) (any, error) {
if tl.UnmarshalEntryFunc != nil {
return tl.UnmarshalEntryFunc(entryBytes)
}
return nil, nil
}
type RekorTL struct{}
// UploadLogEntry submits a PK token signature to the transparency log.
func (tl *RekorTL) UploadLogEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) ([]byte, error) {
// generate self-signed x509 cert
pubCert, err := CreateX509Cert(subject, signer)
if err != nil {
return nil, fmt.Errorf("Error creating x509 cert: %w", err)
}
// generate hash of payload
hasher := sha256.New()
hasher.Write(payload)
// upload entry
rekorClient, err := rclient.GetRekorClient(DefaultRekorURL, rclient.WithUserAgent(useragent.Get(ctx)))
if err != nil {
return nil, fmt.Errorf("Error creating rekor client: %w", err)
}
entry, err := cosign.TLogUpload(ctx, rekorClient, signature, hasher, pubCert)
if err != nil {
return nil, fmt.Errorf("Error uploading tlog: %w", err)
}
entryBytes, err := entry.MarshalBinary()
if err != nil {
return nil, fmt.Errorf("error marshaling TL entry: %w", err)
}
return entryBytes, nil
}
// VerifyLogEntry verifies a transparency log entry.
func (tl *RekorTL) VerifyLogEntry(ctx context.Context, entryBytes []byte) (time.Time, error) {
zeroTime := time.Time{}
entry, err := tl.UnmarshalEntry(entryBytes)
if err != nil {
return zeroTime, fmt.Errorf("error failed to unmarshal TL entry: %w", err)
}
le, ok := entry.(*models.LogEntryAnon)
if !ok {
return zeroTime, fmt.Errorf("expected entry to be of type *models.LogEntryAnon, got %T", entry)
}
err = le.Validate(strfmt.Default)
if err != nil {
return zeroTime, fmt.Errorf("TL entry failed validation: %w", err)
}
// TODO: get rekor public keys from TUF (ours or theirs?), and/or embed the public key in the binary
rekorPubKeys, err := cosign.GetRekorPubs(ctx)
if err != nil {
return zeroTime, fmt.Errorf("error failed to get rekor public keys: %w", err)
}
err = cosign.VerifyTLogEntryOffline(ctx, le, rekorPubKeys)
if err != nil {
return zeroTime, fmt.Errorf("TL entry failed verification: %w", err)
}
integratedTime := time.Unix(*le.IntegratedTime, 0)
return integratedTime, nil
} }
// CreateX509Cert generates a self-signed x509 cert for TL submission. // CreateX509Cert generates a self-signed x509 cert for TL submission.
@@ -182,87 +58,15 @@ func CreateX509Cert(subject string, signer dsse.SignerVerifier) ([]byte, error)
// dsse.SignerVerifier doesn't implement cypto.Signer exactly // dsse.SignerVerifier doesn't implement cypto.Signer exactly
csigner, ok := signer.(*signerverifier.ECDSA256SignerVerifier) csigner, err := signerverifier.AsCryptoSigner(signer)
if !ok { if err != nil {
return nil, fmt.Errorf("expected signer to be of type *signerverifier.ECDSA_SignerVerifier, got %T", signer) return nil, fmt.Errorf("error converting signer to crypto.Signer: %w", err)
} }
// create a self-signed X.509 certificate // create a self-signed X.509 certificate
certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, signer.Public(), csigner.Signer) certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, signer.Public(), csigner)
if err != nil { if err != nil {
return nil, fmt.Errorf("error creating X.509 certificate: %w", err) return nil, fmt.Errorf("error creating X.509 certificate: %w", err)
} }
certBlock := &pem.Block{Type: "CERTIFICATE", Bytes: certDER} certBlock := &pem.Block{Type: "CERTIFICATE", Bytes: certDER}
return pem.EncodeToMemory(certBlock), nil return pem.EncodeToMemory(certBlock), nil
} }
// VerifyEntryPayload checks that the TL entry payload matches envelope payload.
func (tl *RekorTL) VerifyEntryPayload(entryBytes, payload, publicKey []byte) error {
entry, err := tl.UnmarshalEntry(entryBytes)
if err != nil {
return fmt.Errorf("error failed to unmarshal TL entry: %w", err)
}
le, ok := entry.(*models.LogEntryAnon)
if !ok {
return fmt.Errorf("expected tl entry to be of type *models.LogEntryAnon, got %T", entry)
}
tlBody, ok := le.Body.(string)
if !ok {
return fmt.Errorf("expected tl body to be of type string, got %T", entry)
}
rekord, err := extractHashedRekord(tlBody)
if err != nil {
return fmt.Errorf("error extract HashedRekord from TL entry: %w", err)
}
// compare payload hashes
payloadHash := util.SHA256Hex(payload)
if rekord.Hash != payloadHash {
return fmt.Errorf("error payload and tl entry hash mismatch")
}
// compare public keys
cert, err := base64.StdEncoding.Strict().DecodeString(rekord.PublicKey)
if err != nil {
return fmt.Errorf("failed to decode public key: %w", err)
}
p, _ := pem.Decode(cert)
result, err := x509.ParseCertificate(p.Bytes)
if err != nil {
return fmt.Errorf("failed to parse certificate: %w", err)
}
if !bytes.Equal(result.RawSubjectPublicKeyInfo, publicKey) {
return fmt.Errorf("error payload and tl entry public key mismatch")
}
return nil
}
func (tl *RekorTL) UnmarshalEntry(entry []byte) (any, error) {
le := new(models.LogEntryAnon)
err := le.UnmarshalBinary(entry)
if err != nil {
return nil, fmt.Errorf("error failed to unmarshal TL entry: %w", err)
}
return le, nil
}
func extractHashedRekord(body string) (*TLPayload, error) {
sig := new(TLPayload)
pe, err := models.UnmarshalProposedEntry(base64.NewDecoder(base64.StdEncoding, strings.NewReader(body)), runtime.JSONConsumer())
if err != nil {
return nil, err
}
impl, err := types.UnmarshalEntry(pe)
if err != nil {
return nil, err
}
switch entry := impl.(type) {
case *hashedrekord_v001.V001Entry:
sig.Algorithm = *entry.HashedRekordObj.Data.Hash.Algorithm
sig.Hash = *entry.HashedRekordObj.Data.Hash.Value
sig.Signature = entry.HashedRekordObj.Signature.Content.String()
sig.PublicKey = entry.HashedRekordObj.Signature.PublicKey.Content.String()
return sig, nil
default:
return nil, fmt.Errorf("failed to extract haskedrekord, unsupported type: %T", entry)
}
}
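Review bot: The new exported API (`TransparencyLog`, `DockerTLExtension`, `Payload`) has no doc comments, and the part of the contract that carries the security weight is left implicit: `VerifyEntry` must both verify the entry against the log's key and bind it to `payload` and `publicKey`, otherwise a valid entry for some other artifact can be attached to an envelope. I'd put that on the interface, e.g. `// VerifyEntry checks that entry is a valid entry of the log and that it commits to payload as signed by publicKey; it returns the log's integrated time.` `DockerTLExtension.Data any` also deserves a note that after a JSON round trip it holds a `map[string]any` rather than the value `UploadEntry` stored, which is why implementations re-marshal it, and `Kind` should be documented as the discriminator an implementation checks before interpreting `Data` (the Rekor implementation added in this commit does not check it). With `GetTL`/`WithTL` gone, callers must now pass the log explicitly; that is presumably the intent but is worth a line in the commit description.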


@@ -52,42 +52,31 @@ func TestUploadAndVerifyLogEntry(t *testing.T) {
sig, err := signer.Sign(context.Background(), hash) sig, err := signer.Sign(context.Background(), hash)
assert.NoError(t, err) assert.NoError(t, err)
var tl TL var tl TransparencyLog
if UseMockTL { if UseMockTL {
tl = &MockTL{ tl = &MockTransparencyLog{
UploadLogEntryFunc: func(_ context.Context, _ string, _ []byte, _ []byte, _ dsse.SignerVerifier) ([]byte, error) { UploadLogEntryFunc: func(_ context.Context, _ string, _ []byte, _ []byte, _ dsse.SignerVerifier) (*DockerTLExtension, error) {
return []byte(TestEntry), nil return &DockerTLExtension{
Kind: RekorTLExtKind,
Data: []byte(TestEntry),
}, nil
}, },
VerifyLogEntryFunc: func(_ context.Context, _ []byte) (time.Time, error) { VerifyLogEntryFunc: func(_ context.Context, _ *DockerTLExtension, _, _ []byte) (time.Time, error) {
return time.Time{}, nil return time.Time{}, nil
}, },
VerifyEntryPayloadFunc: func(_, _, _ []byte) error {
return nil
},
} }
} else { } else {
tl = &RekorTL{} assert.NoError(t, err)
} }
// test upload log entry // test upload log entry
ctx := WithTL(context.Background(), tl) ctx := context.Background()
entry, err := tl.UploadLogEntry(ctx, "test", payload, sig, signer) entry, err := tl.UploadEntry(ctx, "test", payload, sig, signer)
assert.NoError(t, err) assert.NoError(t, err)
// test verify log entry // verify TL entry
_, err = tl.VerifyLogEntry(ctx, entry)
assert.NoError(t, err)
// verify TL entry payload
ecPub, err := x509.MarshalPKIXPublicKey(signer.Public()) ecPub, err := x509.MarshalPKIXPublicKey(signer.Public())
assert.NoError(t, err) assert.NoError(t, err)
err = tl.VerifyEntryPayload(entry, payload, ecPub) _, err = tl.VerifyEntry(ctx, entry, payload, ecPub)
assert.NoError(t, err)
}
func TestVerifyEntryPayload(t *testing.T) {
tl := &RekorTL{}
p, _ := pem.Decode([]byte(TestPublicKey))
err := tl.VerifyEntryPayload([]byte(TestEntry), []byte(TestPayload), p.Bytes)
assert.NoError(t, err) assert.NoError(t, err)
} }
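Review bot: In the `else` branch the old `tl = &RekorTL{}` was replaced by a bare `assert.NoError(t, err)` and nothing assigns `tl`, so with `UseMockTL` false the `tl.UploadEntry(...)` call below dereferences a nil `TransparencyLog` and panics instead of exercising Rekor; presumably the intent was `tl, err = NewRekorLog()` followed by `require.NoError(t, err)`. Removing `TestVerifyEntryPayload` also drops the only offline unit test of the hash/public-key binding; since `(*Rekor).VerifyEntryPayload` still exists, I'd keep an equivalent test that unmarshals `TestEntry` and calls it with `[]byte(TestPayload)` and the PEM-decoded `TestPublicKey`, so a regression in that check is caught without network access. The enclosing `TestUploadAndVerifyLogEntry` starts before this hunk.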


@@ -10,23 +10,20 @@ import (
"github.com/distribution/reference" "github.com/distribution/reference"
"github.com/docker/attest/attestation" "github.com/docker/attest/attestation"
"github.com/docker/attest/config" "github.com/docker/attest/mapping"
"github.com/docker/attest/oci" "github.com/docker/attest/oci"
"github.com/docker/attest/policy" "github.com/docker/attest/policy"
"github.com/docker/attest/tuf" "github.com/docker/attest/tuf"
intoto "github.com/in-toto/in-toto-golang/in_toto" intoto "github.com/in-toto/in-toto-golang/in_toto"
) )
type Verifier interface { type ImageVerifier struct {
Verify(ctx context.Context, src *oci.ImageSpec) (result *VerificationResult, err error) opts *policy.Options
tufClient tuf.Downloader
attestationVerifier attestation.Verifier
} }
type tufVerifier struct { func NewImageVerifier(ctx context.Context, opts *policy.Options) (*ImageVerifier, error) {
opts *policy.Options
tufClient tuf.Downloader
}
func NewVerifier(ctx context.Context, opts *policy.Options) (Verifier, error) {
err := populateDefaultOptions(opts) err := populateDefaultOptions(opts)
if err != nil { if err != nil {
return nil, err return nil, err
@@ -38,13 +35,21 @@ func NewVerifier(ctx context.Context, opts *policy.Options) (Verifier, error) {
return nil, fmt.Errorf("failed to create TUF client: %w", err) return nil, fmt.Errorf("failed to create TUF client: %w", err)
} }
} }
return &tufVerifier{ attestationVerifier := opts.AttestationVerifier
opts: opts, if attestationVerifier == nil {
tufClient: tufClient, attestationVerifier, err = attestation.NewVerfier(attestation.WithTUFDownloader(tufClient))
if err != nil {
return nil, fmt.Errorf("failed to create attestation verifier: %w", err)
}
}
return &ImageVerifier{
opts: opts,
tufClient: tufClient,
attestationVerifier: attestationVerifier,
}, nil }, nil
} }
func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (result *VerificationResult, err error) { func (verifier *ImageVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (result *VerificationResult, err error) {
// so that we can resolve mapping from the image name earlier // so that we can resolve mapping from the image name earlier
detailsResolver, err := policy.CreateImageDetailsResolver(src) detailsResolver, err := policy.CreateImageDetailsResolver(src)
if err != nil { if err != nil {
@@ -55,7 +60,12 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re
return nil, fmt.Errorf("failed to resolve image name: %w", err) return nil, fmt.Errorf("failed to resolve image name: %w", err)
} }
policyResolver := policy.NewResolver(verifier.tufClient, verifier.opts) policyResolver := policy.NewResolver(verifier.tufClient, verifier.opts)
resolvedPolicy, err := policyResolver.ResolvePolicy(ctx, imageName)
platform, err := detailsResolver.ImagePlatform(ctx)
if err != nil {
return nil, fmt.Errorf("failed to get image platform: %w", err)
}
resolvedPolicy, err := policyResolver.ResolvePolicy(ctx, imageName, platform)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to resolve policy: %w", err) return nil, fmt.Errorf("failed to resolve policy: %w", err)
} }
@@ -67,14 +77,14 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re
} }
// this is overriding the mapping with a referrers config. Useful for testing if nothing else // this is overriding the mapping with a referrers config. Useful for testing if nothing else
if verifier.opts.ReferrersRepo != "" { if verifier.opts.ReferrersRepo != "" {
resolvedPolicy.Mapping.Attestations = &config.AttestationConfig{ resolvedPolicy.Mapping.Attestations = &mapping.AttestationConfig{
Repo: verifier.opts.ReferrersRepo, Repo: verifier.opts.ReferrersRepo,
Style: config.AttestationStyleReferrers, Style: mapping.AttestationStyleReferrers,
} }
} else if verifier.opts.AttestationStyle == config.AttestationStyleAttached { } else if verifier.opts.AttestationStyle == mapping.AttestationStyleAttached {
resolvedPolicy.Mapping.Attestations = &config.AttestationConfig{ resolvedPolicy.Mapping.Attestations = &mapping.AttestationConfig{
Repo: verifier.opts.ReferrersRepo, Repo: verifier.opts.ReferrersRepo,
Style: config.AttestationStyleAttached, Style: mapping.AttestationStyleAttached,
} }
} }
// because we have a mapping now, we can select a resolver based on its contents (ie. referrers or attached) // because we have a mapping now, we can select a resolver based on its contents (ie. referrers or attached)
@@ -82,7 +92,7 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create attestation resolver: %w", err) return nil, fmt.Errorf("failed to create attestation resolver: %w", err)
} }
evaluator := policy.NewRegoEvaluator(verifier.opts.Debug) evaluator := policy.NewRegoEvaluator(verifier.opts.Debug, verifier.attestationVerifier)
result, err = VerifyAttestations(ctx, resolver, evaluator, resolvedPolicy) result, err = VerifyAttestations(ctx, resolver, evaluator, resolvedPolicy)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to evaluate policy: %w", err) return nil, fmt.Errorf("failed to evaluate policy: %w", err)
@@ -91,7 +101,7 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re
} }
func Verify(ctx context.Context, src *oci.ImageSpec, opts *policy.Options) (result *VerificationResult, err error) { func Verify(ctx context.Context, src *oci.ImageSpec, opts *policy.Options) (result *VerificationResult, err error) {
verifier, err := NewVerifier(ctx, opts) verifier, err := NewImageVerifier(ctx, opts)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@@ -115,9 +125,9 @@ func populateDefaultOptions(opts *policy.Options) (err error) {
} }
if opts.AttestationStyle == "" { if opts.AttestationStyle == "" {
opts.AttestationStyle = config.AttestationStyleReferrers opts.AttestationStyle = mapping.AttestationStyleReferrers
} }
if opts.ReferrersRepo != "" && opts.AttestationStyle != config.AttestationStyleReferrers { if opts.ReferrersRepo != "" && opts.AttestationStyle != mapping.AttestationStyleReferrers {
return fmt.Errorf("referrers repo specified but attestation source not set to referrers") return fmt.Errorf("referrers repo specified but attestation source not set to referrers")
} }
return nil return nil
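Review bot: `ImageVerifier` and `NewImageVerifier` are exported but undocumented, and the one behaviour that changes the trust model — when `opts.AttestationVerifier` is set it replaces the TUF-backed verifier built from `tufClient`, so whoever constructs the options decides which keys and transparency log the attestations are checked against — is not stated anywhere. I'd add `// NewImageVerifier builds an ImageVerifier from opts. If opts.AttestationVerifier is nil a verifier backed by the TUF client is created; a caller-supplied verifier is used as-is and bypasses that trust root, so it is meant for tests and custom trust setups.` The call `attestation.NewVerfier` reads like a typo of `NewVerifier`; it is defined outside this diff, so presumably deliberate for now, but it would be better renamed before more callers depend on it.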


@@ -7,15 +7,18 @@ import (
"os" "os"
"path/filepath" "path/filepath"
"testing" "testing"
"time"
"github.com/distribution/reference" "github.com/distribution/reference"
"github.com/docker/attest/attestation" "github.com/docker/attest/attestation"
"github.com/docker/attest/config"
"github.com/docker/attest/internal/test" "github.com/docker/attest/internal/test"
"github.com/docker/attest/mapping"
"github.com/docker/attest/oci" "github.com/docker/attest/oci"
"github.com/docker/attest/policy" "github.com/docker/attest/policy"
"github.com/docker/attest/tlog"
"github.com/docker/attest/tuf" "github.com/docker/attest/tuf"
intoto "github.com/in-toto/in-toto-golang/in_toto" intoto "github.com/in-toto/in-toto-golang/in_toto"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"sigs.k8s.io/yaml" "sigs.k8s.io/yaml"
@@ -74,7 +77,9 @@ func TestVSA(t *testing.T) {
// setup an image with signed attestations // setup an image with signed attestations
outputLayout := test.CreateTempDir(t, "", TestTempDir) outputLayout := test.CreateTempDir(t, "", TestTempDir)
opts := &attestation.SigningOptions{} opts := &attestation.SigningOptions{
TransparencyLog: tlog.GetMockTL(),
}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage()) attIdx, err := oci.IndexFromPath(test.UnsignedTestImage())
assert.NoError(t, err) assert.NoError(t, err)
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts) signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
@@ -92,7 +97,7 @@ func TestVSA(t *testing.T) {
// mocked vsa query should pass // mocked vsa query should pass
policyOpts := &policy.Options{ policyOpts := &policy.Options{
LocalPolicyDir: PassPolicyDir, LocalPolicyDir: PassPolicyDir,
AttestationStyle: config.AttestationStyleAttached, AttestationStyle: mapping.AttestationStyleAttached,
DisableTUF: true, DisableTUF: true,
} }
results, err := Verify(ctx, spec, policyOpts) results, err := Verify(ctx, spec, policyOpts)
@@ -118,7 +123,8 @@ func TestVSA(t *testing.T) {
assert.Equal(t, []string{"SLSA_BUILD_LEVEL_3"}, attestationPredicate.VerifiedLevels) assert.Equal(t, []string{"SLSA_BUILD_LEVEL_3"}, attestationPredicate.VerifiedLevels)
assert.Equal(t, PassPolicyDir+"/policy.rego", attestationPredicate.Policy.DownloadLocation) assert.Equal(t, PassPolicyDir+"/policy.rego", attestationPredicate.Policy.DownloadLocation)
assert.Equal(t, "https://docker.com/official/policy/v0.1", attestationPredicate.Policy.URI) assert.Equal(t, "https://docker.com/official/policy/v0.1", attestationPredicate.Policy.URI)
assert.Equal(t, map[string]string{"sha256": "d71d6b8f49fcba1295b16f5394dd5863a14e4277eb663d66d8c48e392509afe0"}, attestationPredicate.Policy.Digest) // this is the digest of the policy file
assert.Equal(t, map[string]string{"sha256": "ae71defe3b9ecebdf4f939a396b68884d0cba3c2c9d78ce5e64146d9487b0ade"}, attestationPredicate.Policy.Digest)
} }
func TestVerificationFailure(t *testing.T) { func TestVerificationFailure(t *testing.T) {
@@ -126,7 +132,9 @@ func TestVerificationFailure(t *testing.T) {
// setup an image with signed attestations // setup an image with signed attestations
outputLayout := test.CreateTempDir(t, "", TestTempDir) outputLayout := test.CreateTempDir(t, "", TestTempDir)
opts := &attestation.SigningOptions{} opts := &attestation.SigningOptions{
TransparencyLog: tlog.GetMockTL(),
}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage()) attIdx, err := oci.IndexFromPath(test.UnsignedTestImage())
assert.NoError(t, err) assert.NoError(t, err)
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts) signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
@@ -144,7 +152,7 @@ func TestVerificationFailure(t *testing.T) {
// mocked vsa query should fail // mocked vsa query should fail
policyOpts := &policy.Options{ policyOpts := &policy.Options{
LocalPolicyDir: FailPolicyDir, LocalPolicyDir: FailPolicyDir,
AttestationStyle: config.AttestationStyleAttached, AttestationStyle: mapping.AttestationStyleAttached,
DisableTUF: true, DisableTUF: true,
} }
results, err := Verify(ctx, spec, policyOpts) results, err := Verify(ctx, spec, policyOpts)
@@ -170,7 +178,7 @@ func TestVerificationFailure(t *testing.T) {
assert.Equal(t, []string{"SLSA_BUILD_LEVEL_3"}, attestationPredicate.VerifiedLevels) assert.Equal(t, []string{"SLSA_BUILD_LEVEL_3"}, attestationPredicate.VerifiedLevels)
assert.Equal(t, FailPolicyDir+"/policy.rego", attestationPredicate.Policy.DownloadLocation) assert.Equal(t, FailPolicyDir+"/policy.rego", attestationPredicate.Policy.DownloadLocation)
assert.Equal(t, "https://docker.com/official/policy/v0.1", attestationPredicate.Policy.URI) assert.Equal(t, "https://docker.com/official/policy/v0.1", attestationPredicate.Policy.URI)
assert.Equal(t, map[string]string{"sha256": "ad045e1bd7cd602d90196acf68f2c57d7b51565d59e6e30e30d94ae86aa16201"}, attestationPredicate.Policy.Digest) assert.Equal(t, map[string]string{"sha256": "4345a4f5db3ce02664bd83f8e4aad03bd9a26d4edb334338c762d9648e16bed1"}, attestationPredicate.Policy.Digest)
} }
func TestSignVerify(t *testing.T) { func TestSignVerify(t *testing.T) {
@@ -178,7 +186,7 @@ func TestSignVerify(t *testing.T) {
// setup an image with signed attestations // setup an image with signed attestations
outputLayout := test.CreateTempDir(t, "", TestTempDir) outputLayout := test.CreateTempDir(t, "", TestTempDir)
keys, err := test.GenKeyMetadata(signer) keys, err := GenKeyMetadata(signer)
require.NoError(t, err) require.NoError(t, err)
config := struct { config := struct {
Keys []*attestation.KeyMetadata `json:"keys"` Keys []*attestation.KeyMetadata `json:"keys"`
@@ -210,11 +218,11 @@ func TestSignVerify(t *testing.T) {
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage()) attIdx, err := oci.IndexFromPath(test.UnsignedTestImage())
assert.NoError(t, err) assert.NoError(t, err)
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
opts := &attestation.SigningOptions{ opts := &attestation.SigningOptions{}
SkipTL: !tc.signTL, if tc.signTL {
opts.TransparencyLog = tlog.GetMockTL()
} }
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts) signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
@@ -265,7 +273,7 @@ func TestDefaultOptions(t *testing.T) {
name string name string
tufOpts *tuf.ClientOptions tufOpts *tuf.ClientOptions
localTargetsDir string localTargetsDir string
attestationStyle config.AttestationStyle attestationStyle mapping.AttestationStyle
referrersRepo string referrersRepo string
expectedError string expectedError string
disableTuf bool disableTuf bool
@@ -274,9 +282,9 @@ func TestDefaultOptions(t *testing.T) {
{name: "empty"}, {name: "empty"},
{name: "tufClient provided", tufOpts: &tuf.ClientOptions{MetadataSource: "a", TargetsSource: "b"}}, {name: "tufClient provided", tufOpts: &tuf.ClientOptions{MetadataSource: "a", TargetsSource: "b"}},
{name: "localTargetsDir provided", localTargetsDir: test.CreateTempDir(t, "", TestTempDir)}, {name: "localTargetsDir provided", localTargetsDir: test.CreateTempDir(t, "", TestTempDir)},
{name: "attestationStyle provided", attestationStyle: config.AttestationStyleAttached}, {name: "attestationStyle provided", attestationStyle: mapping.AttestationStyleAttached},
{name: "referrersRepo provided", referrersRepo: "referrers"}, {name: "referrersRepo provided", referrersRepo: "referrers"},
{name: "referrersRepo provided with attached", referrersRepo: "referrers", attestationStyle: config.AttestationStyleAttached, expectedError: "referrers repo specified but attestation source not set to referrers"}, {name: "referrersRepo provided with attached", referrersRepo: "referrers", attestationStyle: mapping.AttestationStyleAttached, expectedError: "referrers repo specified but attestation source not set to referrers"},
{name: "tuf disabled and no local-policy-dir", disableTuf: true, expectedError: "local policy dir must be set if not using TUF"}, {name: "tuf disabled and no local-policy-dir", disableTuf: true, expectedError: "local policy dir must be set if not using TUF"},
{name: "tuf disabled but options set", disableTuf: true, tufOpts: &tuf.ClientOptions{MetadataSource: "a", TargetsSource: "b"}, localPolicyDir: "foo", expectedError: "TUF client options set but TUF disabled"}, {name: "tuf disabled but options set", disableTuf: true, tufOpts: &tuf.ClientOptions{MetadataSource: "a", TargetsSource: "b"}, localPolicyDir: "foo", expectedError: "TUF client options set but TUF disabled"},
} }
@@ -312,7 +320,7 @@ func TestDefaultOptions(t *testing.T) {
if tc.attestationStyle != "" { if tc.attestationStyle != "" {
assert.Equal(t, tc.attestationStyle, opts.AttestationStyle) assert.Equal(t, tc.attestationStyle, opts.AttestationStyle)
} else { } else {
assert.Equal(t, config.AttestationStyleReferrers, opts.AttestationStyle) assert.Equal(t, mapping.AttestationStyleReferrers, opts.AttestationStyle)
} }
if tc.tufOpts != nil { if tc.tufOpts != nil {
@@ -329,3 +337,24 @@ func TestDefaultOptions(t *testing.T) {
}) })
} }
} }
// LoadKeyMetadata loads the key metadata for the given signer verifier.
func GenKeyMetadata(sv dsse.SignerVerifier) (*attestation.KeyMetadata, error) {
pub := sv.Public()
pem, err := test.PublicKeyToPEM(pub)
if err != nil {
return nil, fmt.Errorf("failed to convert public key to PEM: %w", err)
}
id, err := sv.KeyID()
if err != nil {
return nil, err
}
return &attestation.KeyMetadata{
ID: id,
Status: "active",
SigningFormat: "dssev1",
From: time.Now(),
PEM: pem,
}, nil
}