Does `gh attestation verify` works with container image stored in Google Artifact Registry?

[capri-xiyue]

Describe the bug

I use gh version 2.49.2.
And I used https://github.com/actions/attest-build-provenance to publish the attestation to the container registry with the push-to-registry option.
How should I verify the integrity and provenance of an container image in google artifact registry using its associated cryptographically signed attestations?
I tried gh attestation verify us-central1-docker.pkg.dev/repoA/imageA:sha256-xxxxx -R github/example. But as the container image is in google artifact registry, it failed with error failed to get open local artifact: open us-central1-docker.pkg.dev/repoA/imageA:sha256-xxxxx. What is the correct way to verify the container image with its associated attestation when I use Google Artifact Registry?

[andyfeller]

cc: @cli/package-security

[bdehamer]

@capri-xiyue when verifying an attestation associated with a published container image, you must prefix the image with oci:// (see https://cli.github.com/manual/gh_attestation_verify).

It's worth noting that the digest of the image is calculated by making a request to the registry, but the attestation itself is pulled from the GH attestation API. This means that verification of attested images will work whether or not you are using the push-to-registry option.

$ gh attestation verify oci://us-west1-docker.pkg.dev/foo/bar:latest  --owner foo

Loaded digest sha256:fa5feadae892be36eeca65fad5e05f71041242adf9cdafb8fa8be930f223777f for oci://us-west1-docker.pkg.dev/foo/bar:latest
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:fa5feadae892be36eeca65fad5e05f71041242adf9cdafb8fa8be930f223777f was attested by:
REPO     PREDICATE_TYPE                  WORKFLOW                                        
foo/bar  https://slsa.dev/provenance/v1  .github/workflows/oci-google.yml@refs/heads/main

[capri-xiyue]

@capri-xiyue when verifying an attestation associated with a published container image, you must prefix the image with oci:// (see https://cli.github.com/manual/gh_attestation_verify).

It's worth noting that the digest of the image is calculated by making a request to the registry, but the attestation itself is pulled from the GH attestation API. This means that verification of attested images will work whether or not you are using the push-to-registry option.

$ gh attestation verify oci://us-west1-docker.pkg.dev/foo/bar:latest  --owner foo

Loaded digest sha256:fa5feadae892be36eeca65fad5e05f71041242adf9cdafb8fa8be930f223777f for oci://us-west1-docker.pkg.dev/foo/bar:latest
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:fa5feadae892be36eeca65fad5e05f71041242adf9cdafb8fa8be930f223777f was attested by:
REPO     PREDICATE_TYPE                  WORKFLOW                                        
foo/bar  https://slsa.dev/provenance/v1  .github/workflows/oci-google.yml@refs/heads/main

Thanks for the clarification!