Support Cosign media types in the GitLab Container Registry
Why are we doing this work
In order to support Sigstore Cosign signatures in attestations in the GitLab container registry, we need to add their media types to the list of supported types.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
Write a migration to add the following media types to the media_types table.
Signatures
- application/vnd.dev.cosign.artifact.sig.v1+json
SBOM
- application/vnd.dev.cosign.artifact.sbom.v1+json
Additionally, the SBOM formats supported by cosign are SPDX, CycloneDX, and syft:
- application/vnd.cyclonedx[+xml|+json]
- text/spdx[+xml|+json] (text/spdx is already supported)
- application/vnd.syft+json
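The following Go program is an added illustration of the plan above; it is not code from the GitLab Container Registry. It renders the idempotent up/down SQL such a migration would carry for the listed media types, and shows a manifest allow-list check run over a constructed sample manifest, first against a pre-migration list and then with the new types included. The column name media_type, a unique constraint on it, the pre-existing BaseMediaTypes entries other than text/spdx, and the sample manifest (with placeholder digests) are all assumptions made for the example; the registry's real migration format and schema may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Media types the issue asks the migration to add. text/spdx is noted on the
// page as already supported, so it is deliberately not part of the migration.
var CosignMediaTypes = []string{
	"application/vnd.dev.cosign.artifact.sig.v1+json",
	"application/vnd.dev.cosign.artifact.sbom.v1+json",
	"application/vnd.cyclonedx+xml",
	"application/vnd.cyclonedx+json",
	"text/spdx+xml",
	"text/spdx+json",
	"application/vnd.syft+json",
}

// Types assumed to be in media_types before the migration. Only text/spdx is
// confirmed by the issue; the OCI entries are an assumption for the example.
var BaseMediaTypes = []string{
	"application/vnd.oci.image.manifest.v1+json",
	"application/vnd.oci.image.config.v1+json",
	"application/vnd.oci.image.layer.v1.tar+gzip",
	"text/spdx",
}

// MigrationSQL renders idempotent up/down statements. The column name
// media_type and a unique constraint on it are assumptions about the schema.
func MigrationSQL(types []string) (up, down string) {
	values := make([]string, 0, len(types))
	quoted := make([]string, 0, len(types))
	for _, t := range types {
		values = append(values, "('"+t+"')")
		quoted = append(quoted, "'"+t+"'")
	}
	up = "INSERT INTO media_types (media_type) VALUES " + strings.Join(values, ", ") +
		" ON CONFLICT (media_type) DO NOTHING;"
	down = "DELETE FROM media_types WHERE media_type IN (" + strings.Join(quoted, ", ") + ");"
	return up, down
}

// AllowList builds the set a manifest-validation step would consult.
func AllowList(lists ...[]string) map[string]bool {
	allowed := make(map[string]bool)
	for _, l := range lists {
		for _, t := range l {
			allowed[t] = true
		}
	}
	return allowed
}

type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

type ociManifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}

// UnsupportedMediaTypes parses an OCI image manifest and returns, sorted and
// de-duplicated, every config or layer media type missing from the allow-list.
// An empty result means the manifest passes this check.
func UnsupportedMediaTypes(manifestJSON []byte, allowed map[string]bool) ([]string, error) {
	var m ociManifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	seen := make(map[string]bool)
	missing := []string{}
	check := func(mt string) {
		if !allowed[mt] && !seen[mt] { // an empty mediaType is reported too
			seen[mt] = true
			missing = append(missing, mt)
		}
	}
	check(m.Config.MediaType)
	for _, l := range m.Layers {
		check(l.MediaType)
	}
	sort.Strings(missing)
	return missing, nil
}

// Constructed sample: an SBOM attachment whose config and layer use two of the
// listed types. Digests are placeholders, not real content hashes.
const SampleSBOMManifest = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {"mediaType": "application/vnd.dev.cosign.artifact.sbom.v1+json",
             "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000001", "size": 2},
  "layers": [{"mediaType": "text/spdx+json",
              "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000002", "size": 1234}]
}`

func main() {
	before, _ := UnsupportedMediaTypes([]byte(SampleSBOMManifest), AllowList(BaseMediaTypes))
	after, _ := UnsupportedMediaTypes([]byte(SampleSBOMManifest), AllowList(BaseMediaTypes, CosignMediaTypes))
	fmt.Println("rejected before migration:", before)
	fmt.Println("rejected after migration:", after)
	up, down := MigrationSQL(CosignMediaTypes)
	fmt.Println(up)
	fmt.Println(down)
}
```

Running it shows the sample manifest rejected for both its config type and text/spdx+json before the migration, and accepted once the listed types are present; the ON CONFLICT clause keeps the up migration safe to re-run, and the down migration removes exactly the rows it added, leaving text/spdx untouched.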
Verification steps
Edited by Jaime Martinez