Commit 2a23a13
doc/plans: Update OCI sealing spec (kernel sigs, flattened layers)

Two big goals:

- Support for kernel-native fsverity signatures to be associated with a digest
- Generalize the "flattened vs per-layer digest"; any layer can now
  have either.

However, after some iteration I eventually realized that it's really
best to create a new OCI artifact type for this that is dedicated
to carrying fsverity signatures.

The huge advantage of this is one can composefs-sign existing unmodified
OCI container images.

We continue to retain though the option to have a per-layer annotation
in the manifest with the same digest information, because it
allows replacing diff_id *always*. It's not the default for tooling
to copy OCI referrers around necessarily, and it's very convenient
to ensure that the tar stream can be efficiently verified online
even if just the manifest is stored.

Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>

1 parent a5e8205 commit 2a23a13
2 files changed
Lines changed: 326 additions & 256 deletions