Subject names for attestations

[jedevc]

Follow up to #2935.

From conversation with @tonistiigi:

thinking about this bit more, I think we should put the repo name here. We should at least have something that says that the digest points to an image (when we add attestation to local output then it points to a file and not an image)

SGTM 👍 - this makes sense from the buildkit side, since pushed images always have a name.

[tonistiigi]

Should this be converted to https://github.com/package-url/purl-spec ?

[jedevc]

Maybe. I'm not entirely sure, in-toto doesn't require it, so it's up to us. I do think we want to make sure that the platform is present in the name though (to ensure uniqueness), since then we'll have a 1-to-1 relationship between digests and names.

So maybe PURL would be the right choice here, with the version field containing the image tag, and the image repository location and architecture/os data in the qualifiers? Not sure whether we should use the sha256: in the name though, since that would be duplicated.

[jedevc]

Have cherry-picked your PURL util package (with a fixup to use reference for the distribution reference package, like we have in the other parts of the codebase).

[tonistiigi]

btw, the reason I used the specific name was that there is also

https://github.com/containerd/containerd/tree/main/reference and
https://github.com/moby/moby/tree/master/reference

[jedevc]

Yeah that makes sense, I think we should make that change everywhere then at some point, instead of just here.

[jedevc]

Happy to do that in a follow-up, if this is a blocker 👍

[jedevc]

@tonistiigi LGTM - good catch on OSVersion 🎉