Mediatype for SPDX should be application/spdx+json

[lumjjb]

Description

According to IANA registered, the mediatype for spdx JSON documents should be application/spdx+json

Currently, it is set to "text/spdx+json" in

• cosign/pkg/types/media.go

  Line 30 in 493e6e2

  SPDXJSONMediaType = "text/spdx+json"

• cosign/specs/SBOM_SPEC.md

  Line 122 in 493e6e2

  * `text/spdx+json`

Version

head

[viveksahu26]

Yes, media type for spdx is text whereas, the media type for spdx+json is application,

[viveksahu26]

WDYT @haydentherapper ?

[haydentherapper]

Seems correct, just want to avoid any breaking changes on the verification path.

[viveksahu26]

No it will not affect verification. Currently we have 2 way to add SBOM, one is cosign attach sbom(it doesn't sign) and cosign attest --type sbom(it sign sbom). On changing media type will only have to do with attach one not with attest one. And for verification process, the attest has a way for verification but not for attach one.

@haydentherapper , One thing I wanted to ask, basically cosign attach sbom will be depreciated on 22/02/2024, so, will change makes sense or not ?

[haydentherapper]

We don't need to continue to support anything that's been deprecated.

[viveksahu26]

Ok, let's close it.