@@ -51,6 +51,11 @@ function createAttestation(
5151 } ;
5252}
5353
54+ function createAttestationWithoutArtifactType ( ) {
55+ const { artifactType : _artifactType , ...attestation } = createAttestation ( ) ;
56+ return attestation ;
57+ }
58+
5459describe ( "verify-docker-attestations" , ( ) => {
5560 it ( "resolves digest refs from tagged image refs" , ( ) => {
5661 expect ( imageRefForDigest ( "ghcr.io/openclaw/openclaw:2026.4.26" , imageDigest ) ) . toBe (
@@ -72,6 +77,17 @@ describe("verify-docker-attestations", () => {
7277 expect ( errors ) . toEqual ( [ ] ) ;
7378 } ) ;
7479
80+ it ( "accepts OCI attestation manifests without artifactType" , ( ) => {
81+ const errors = collectDockerAttestationErrors ( {
82+ imageRef : "ghcr.io/openclaw/openclaw:test" ,
83+ index : createIndex ( ) ,
84+ requiredPlatforms : [ parsePlatform ( "linux/amd64" ) ] ,
85+ inspectAttestation : ( ) => createAttestationWithoutArtifactType ( ) ,
86+ } ) ;
87+
88+ expect ( errors ) . toEqual ( [ ] ) ;
89+ } ) ;
90+
7591 it ( "reports missing attestation manifests" , ( ) => {
7692 const index = createIndex ( ) ;
7793 index . manifests = index . manifests . slice ( 0 , 1 ) ;
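Review bot: The added test "accepts OCI attestation manifests without artifactType" pins only the passing path, so nothing visible here shows that a manifest lacking artifactType is still rejected when the rest of its shape is wrong. Because this check gates provenance verification, the relaxed branch deserves a paired negative case; without one, a later refactor could let any manifest that omits the field through unnoticed. The sketch below assumes mediaType is a top-level field of the fixture, as the expected error text in the last hunk suggests. It asserts only that some error is reported, because the verifier's exact message for this case is not visible.

```javascript
it("rejects manifests without artifactType when mediaType is unexpected", () => {
  const errors = collectDockerAttestationErrors({
    imageRef: "ghcr.io/openclaw/openclaw:test",
    index: createIndex(),
    requiredPlatforms: [parsePlatform("linux/amd64")],
    inspectAttestation: () => ({
      ...createAttestationWithoutArtifactType(),
      mediaType: "application/vnd.example.invalid",
    }),
  });

  expect(errors).not.toEqual([]);
});
```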
@@ -100,4 +116,20 @@ describe("verify-docker-attestations", () => {
100116 "ghcr.io/openclaw/openclaw:test: linux/amd64 missing predicate https://slsa.dev/provenance/v1" ,
101117 ] ) ;
102118 } ) ;
119+
120+ it ( "reports an unexpected attestation manifest shape" , ( ) => {
121+ const errors = collectDockerAttestationErrors ( {
122+ imageRef : "ghcr.io/openclaw/openclaw:test" ,
123+ index : createIndex ( ) ,
124+ requiredPlatforms : [ parsePlatform ( "linux/amd64" ) ] ,
125+ inspectAttestation : ( ) => ( {
126+ ...createAttestation ( ) ,
127+ artifactType : "application/vnd.example.invalid" ,
128+ } ) ,
129+ } ) ;
130+
131+ expect ( errors ) . toEqual ( [
132+ `ghcr.io/openclaw/openclaw:test: linux/amd64 attestation ${ attestationDigest } has unexpected manifest shape artifactType="application/vnd.example.invalid" mediaType="application/vnd.oci.image.manifest.v1+json"` ,
133+ ] ) ;
134+ } ) ;
103135} ) ;
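Review bot: The reject case in "reports an unexpected attestation manifest shape" uses only a non-empty wrong value, so the boundary between an absent artifactType (now accepted) and a present-but-empty one is not pinned. If the verifier tests the field by truthiness, `artifactType: ""` or `artifactType: null` would probably take the accept path; the verifier is not visible here, so this should be confirmed. Adding a case that passes `artifactType: ""` from the `inspectAttestation` stub and asserts the intended outcome would make that decision explicit.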