Change attestation annotations to follow OCI recommendations

[imjasonh]

Docs for the new Attestation Manifest Descriptor says:

To assist index traversal, the following annotations will be set on the manifest descriptor descriptor:

• vnd.docker.reference.type

This annotation describes the type of the artifact, and will be set to attestation-manifest. If any other value is specified, the entire manifest should be ignored.

• vnd.docker.reference.digest

This annotation will contain the digest of the object in the image index that the attestation manifest refers to.

When present, this annotation can be used to find the matching attestation manifest for a selected image manifest.

But OCI's rules for annotations says:

• Keys SHOULD be named using a reverse domain notation - e.g. com.example.myKey.

This is only a SHOULD, and there's no annotation police to throw you in OCI jail, but if it's not too late to change it, it might make sense to change the annotations to com.docker.reference.(type|digest), to follow OCI's naming guidance.

[jedevc]

Thanks @imjasonh 🎉 You're right, I missed this, sorry!

Ugh, this is a pain to fix, since we're released. I think we could maybe get away with fixing it by fixing this in the next patch release of buildkit (0.11.1), to produce com.docker.*, and detecting both in the next patch release of buildx (0.10.1)?

That way, images with attestations produced by 0.11.0 buildkit could still be used by any buildx that can process attestations (0.10+), though, flipping it round the other other way would be bad: 0.10.0 buildx wouldn't detect buildkit 0.11.1 attestations - maybe that's a reasonable compromise? The longer it stays as is, the trickier it is to change 👀

@tonistiigi @crazy-max thoughts, would this be worth the possible breakage?

[tonistiigi]

I guess we need to buy that TLD 🙈

This is unfortunate and would have been an easy fix in RC phase but now that it has been released I don't think it is worth the mess to change it. We can update the parts that read the values to also support com, but then we would probably also need to add it to docs and it gets messy quickly.

Maybe after some time, we can move to names that are not Docker-specific. I would rather only go through this rename once then. There is no worry with actual collisions with current annotation keys.