{"id":"65a79c96-9b96-49ea-a7be-298bfc8ac219","task":"Configure OCI artifact push and pull for a non-container artifact (SBOM, attestation bundle, or Helm values file) using the ORAS CLI and verify artifact integrity with cosign","domain":"Container Registries / OCI Artifacts","steps":["Use the ORAS CLI to push an arbitrary file as an OCI artifact: oras push registry/repo:tag --artifact-type application/vnd.custom.sbom+json sbom.json:application/vnd.custom.sbom+json. The --artifact-type flag sets the artifactType of the manifest and the :type suffix on the file sets the mediaType of the layer; the registry stores the result as an ordinary OCI manifest alongside container images in the same repository","Attach the SBOM to an existing container image with oras attach, passing the image's digest reference as the subject (it is the positional argument, there is no separate --subject flag): oras attach --artifact-type application/vnd.custom.sbom+json registry/repo@sha256:<image-digest> sbom.json:application/vnd.custom.sbom+json. This creates a manifest whose subject field points at the image, which the registry exposes through the referrers API (or, where the API is missing, through the referrers fallback tag)","Sign the SBOM artifact's digest with cosign using keyless signing via OIDC: cosign sign --yes registry/repo@sha256:<sbom-digest>. This obtains a short-lived Fulcio certificate for the OIDC identity, records the signature in Rekor and stores it in the registry. By default cosign stores the signature under the tag sha256-<sbom-digest>.sig in the same repository; cosign 2.x can store it as a referrer of the SBOM manifest instead with --registry-referrers-mode referrers","Verify the chain: oras discover registry/repo@sha256:<image-digest> lists the referrers of the image, including the SBOM manifest and its artifactType; then cosign verify --certificate-oidc-issuer <issuer> --certificate-identity-regexp <pattern> registry/repo@sha256:<sbom-digest> confirms that the certificate was issued by the expected OIDC provider (https://token.actions.githubusercontent.com for GitHub Actions) to an identity matching the pattern, and that the signature is in the Rekor log","Pull the verified artifact in a downstream pipeline with oras pull registry/repo@sha256:<sbom-digest> --output ./artifacts. Pull by the digest that was verified, not by the tag, so a tag moved between verification and pull cannot substitute a different file; then compare the file's sha256 against the layer digest in the verified manifest (or another known-good value) before feeding the SBOM to a vulnerability scan","Automate the push-attach-sign workflow in a GitHub Actions job (the job needs id-token: write for keyless signing plus credentials for the registry) and, before a production deploy gate, query GET /v2/<repo>/referrers/<image-digest>?artifactType=application/vnd.custom.sbom+json to confirm which SBOMs are attached to the image; filter the returned descriptors by artifactType on the client unless the registry reports OCI-Filters-Applied, since registries may ignore the query parameter"],"gotchas":["Not all registries implement the OCI referrers API (distribution-spec 1.1); a registry without it, ECR before it gained referrers support among them, returns 404 on /v2/<repo>/referrers/<digest>, and ORAS then falls back to the referrers tag schema (a tag named <alg>-<hex> of the subject digest). cosign's default signature storage is the separate sha256-<digest>.sig tag, so oras discover and cosign verify do not necessarily see the same data on such a registry; test the verify flow against the specific registry","Registries generally do not validate artifactType or layer mediaType values; pushing with an incorrect or missing --artifact-type means downstream tools cannot tell an SBOM from a Helm chart stored in the same repository. Agree on a fixed artifactType per artifact kind, filter referrers by it, and address artifacts by digest rather than by mutable tag","Keyless signing binds the signature to the OIDC identity carried in a short-lived Fulcio certificate; in a GitHub Actions OIDC context that identity includes the repository and the workflow file path and ref. Renaming the workflow file or repository changes the identity in new signatures, so a cosign verify policy pinned to the old identity (via --certificate-identity or a tight --certificate-identity-regexp) rejects them. Signatures made before the rename still verify against the identity they were issued with, because cosign checks the Rekor inclusion time against the certificate's validity window rather than the current time"],"contributor":"waymark-seed","created":"2026-06-13T05:09:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/65a79c96-9b96-49ea-a7be-298bfc8ac219"}
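The deploy-gate query in the last step and the referrers-API fallback from the first gotcha, worked through as an added example that is not part of the record above and is not ORAS or cosign code. It implements the client side of the OCI referrers lookup (GET /v2/<repo>/referrers/<digest>, falling back to the <alg>-<hex> referrers tag on 404), filters the returned index by artifactType, checks a pulled SBOM file against its expected digest, and admits an image only when an attached SBOM is in the set the caller already verified with cosign. The registry host registry.example.com, repository acme/app, all digests, the sample index and the fake registry transport are constructed assumptions; swap http_get in for the fake to run it against a real registry.

```python
"""OCI referrers deploy gate with distribution-spec 1.1 fallback tag support.

Added example, not code from the original record or from ORAS/cosign.
Constructed assumptions: registry.example.com, acme/app, every digest below,
the sample referrers index and the fake transport.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

SBOM_TYPE = "application/vnd.custom.sbom+json"  # artifactType used in the record's push/attach steps
INDEX_MT = "application/vnd.oci.image.index.v1+json"


def referrers_fallback_tag(subject_digest: str) -> str:
    """Tag ORAS reads when the registry lacks the referrers API:
    'sha256:<hex>' -> 'sha256-<hex>' (distribution-spec 1.1 referrers tag schema)."""
    alg, sep, hexpart = subject_digest.partition(":")
    if not sep or not alg or not hexpart:
        raise ValueError(f"malformed digest: {subject_digest!r}")
    return f"{alg}-{hexpart}"


def fetch_referrers(registry: str, repo: str, subject_digest: str,
                    get: Callable[[str], tuple[int, bytes]],
                    artifact_type: Optional[str] = None) -> tuple[dict, str]:
    """GET /v2/<repo>/referrers/<digest>; on 404 (API unsupported) read the fallback
    tag. Returns (image index, source) with source in referrers-api / fallback-tag / none."""
    base = f"https://{registry}/v2/{repo}"
    url = f"{base}/referrers/{subject_digest}"
    if artifact_type:
        url += "?" + urllib.parse.urlencode({"artifactType": artifact_type})
    status, body = get(url)
    if status == 200:
        return json.loads(body), "referrers-api"
    if status != 404:
        raise RuntimeError(f"referrers query failed with HTTP {status}")
    status, body = get(f"{base}/manifests/{referrers_fallback_tag(subject_digest)}")
    if status == 200:
        return json.loads(body), "fallback-tag"
    return {"schemaVersion": 2, "mediaType": INDEX_MT, "manifests": []}, "none"


def http_get(url: str) -> tuple[int, bytes]:
    """Real transport for fetch_referrers (anonymous; add a bearer token for private repos)."""
    req = urllib.request.Request(url, headers={"Accept": INDEX_MT})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def list_referrers(index: dict, artifact_type: Optional[str] = None) -> list[dict]:
    """Filter descriptors client-side: a registry only honours ?artifactType=
    when it sets OCI-Filters-Applied, so never trust the server to have filtered."""
    return [d for d in index.get("manifests", [])
            if artifact_type is None or d.get("artifactType") == artifact_type]


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_pulled_file(data: bytes, expected_digest: str) -> bool:
    """Record step 5: compare the pulled file against the layer digest of the verified manifest."""
    return hmac.compare_digest(sha256_digest(data), expected_digest)


def deploy_gate(index: dict, verified_manifest_digests: set[str]) -> dict:
    """Admit only if an attached SBOM manifest is one whose signature already passed cosign verify."""
    sboms = list_referrers(index, SBOM_TYPE)
    if not sboms:
        raise RuntimeError("no SBOM referrer attached to image; blocking deploy")
    for desc in sboms:
        if desc.get("digest") in verified_manifest_digests:
            return desc
    raise RuntimeError("attached SBOM(s) are not in the verified set; blocking deploy")


# --- constructed sample data (hypothetical digests) ---
SAMPLE_SBOM = b'{"spdxVersion":"SPDX-2.3","name":"acme-app"}\n'
SAMPLE_SBOM_LAYER_DIGEST = sha256_digest(SAMPLE_SBOM)       # digest of the file itself
SBOM_MANIFEST_DIGEST = "sha256:" + "ef" * 32                # digest of the SBOM's OCI manifest
IMAGE_DIGEST = "sha256:" + "ab" * 32                        # subject image
SAMPLE_INDEX = {
    "schemaVersion": 2, "mediaType": INDEX_MT,
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 640,
         "digest": SBOM_MANIFEST_DIGEST, "artifactType": SBOM_TYPE},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 512,
         "digest": "sha256:" + "cd" * 32, "artifactType": "application/vnd.cncf.helm.config.v1+json"},
    ],
}


def fake_registry_without_referrers_api(url: str) -> tuple[int, bytes]:
    """Constructed transport: 404s the referrers endpoint but serves the fallback tag."""
    if "/referrers/" in url:
        return 404, b""
    if url.endswith("/manifests/" + referrers_fallback_tag(IMAGE_DIGEST)):
        return 200, json.dumps(SAMPLE_INDEX).encode()
    return 404, b""


def gate_example() -> str:
    """Full gate run against the fake registry; returns '<source>:<admitted SBOM manifest digest>'."""
    index, source = fetch_referrers("registry.example.com", "acme/app", IMAGE_DIGEST,
                                    fake_registry_without_referrers_api, SBOM_TYPE)
    if not verify_pulled_file(SAMPLE_SBOM, SAMPLE_SBOM_LAYER_DIGEST):
        raise RuntimeError("pulled SBOM does not match verified layer digest")
    chosen = deploy_gate(index, {SBOM_MANIFEST_DIGEST})
    return f"{source}:{chosen['digest']}"


if __name__ == "__main__":
    print(gate_example())
```

The verified set passed to deploy_gate is a set of manifest digests, because that is what cosign verify addresses (registry/repo@sha256:<manifest-digest>); the file-level check uses the layer digest from inside that manifest, which is why the two digests are kept separate in the sample data.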