With the new protobuf bundle format, there is no easy way to distinguish which in-toto attestation actually contains which type of predicate, i.e. if I have an image containing two attestations, a VEX and an SBOM, and I want to update the VEX (the SBOM should probably be immutable outside of development), I have no easy way to determine which referrer is actually my VEX and which is my SBOM - apart from downloading both, decoding them and reading the predicate type.
It would be really useful if the manifest of the bundle would contain some kind of identification to make it easy to differentiate between the different types. This would also make tasks like clean (#4539) a lot easier.
Something like dev.sigstore.bundle.payloadType or such.
Another option would be to add the option to add custom annotations to `cosign attest`.
BTW: `cosign attest --replace=true` does not seem to work, either - which would also solve my particular use case.
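For reference, the "download, decode, read the predicate type" workaround described in the issue, as an added example that is not cosign's own code. It constructs two sample bundles in the protobuf JSON form (a DSSE envelope wrapping an in-toto statement, dummy signatures, constructed digests as referrer keys) and shows that the predicate type can only be recovered by base64-decoding every payload. The bundle media type string and the two predicate type URIs (OpenVEX, SPDX) are assumptions about what a real registry would return; they are not taken from this issue.

```python
import base64
import json

# Assumed media type of a protobuf-JSON Sigstore bundle stored as an OCI referrer.
BUNDLE_MEDIA_TYPE = "application/vnd.dev.sigstore.bundle.v0.3+json"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
INTOTO_STATEMENT_TYPES = {
    "https://in-toto.io/Statement/v1",
    "https://in-toto.io/Statement/v0.1",
}

# Constructed subject shared by both sample attestations.
SUBJECT = [{"name": "registry.example/app", "digest": {"sha256": "aa" * 32}}]


def _dsse_bundle(statement: dict) -> dict:
    """Wrap an in-toto statement in a bundle the way cosign attest stores it (dummy signature)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "mediaType": BUNDLE_MEDIA_TYPE,
        "verificationMaterial": {},
        "dsseEnvelope": {
            "payloadType": INTOTO_PAYLOAD_TYPE,
            "payload": payload,
            "signatures": [{"sig": "ZHVtbXk=", "keyid": ""}],
        },
    }


# Constructed sample: what a registry's referrers list might hand back for one image.
# Note that nothing outside the base64 payload says which one is the VEX.
SAMPLE_REFERRERS = {
    "sha256:" + "11" * 32: _dsse_bundle({
        "_type": "https://in-toto.io/Statement/v1",
        "subject": SUBJECT,
        "predicateType": "https://openvex.dev/ns/v0.2.0",  # assumed OpenVEX predicate type
        "predicate": {"statements": []},
    }),
    "sha256:" + "22" * 32: _dsse_bundle({
        "_type": "https://in-toto.io/Statement/v1",
        "subject": SUBJECT,
        "predicateType": "https://spdx.dev/Document",  # assumed SPDX predicate type
        "predicate": {"spdxVersion": "SPDX-2.3"},
    }),
}


def predicate_type(bundle: dict) -> str:
    """Decode one bundle and return its in-toto predicateType.

    Raises ValueError on anything that is not a DSSE-wrapped in-toto statement,
    so a stray non-attestation referrer does not get silently misclassified.
    """
    env = bundle.get("dsseEnvelope")
    if env is None:
        raise ValueError("bundle carries no dsseEnvelope (not an attestation)")
    if env.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(env["payload"]))
    if statement.get("_type") not in INTOTO_STATEMENT_TYPES:
        raise ValueError(f"unexpected statement _type {statement.get('_type')!r}")
    return statement["predicateType"]


def index_by_predicate(referrers: dict) -> dict:
    """Map referrer digest -> predicateType; this is the full download-and-decode pass."""
    return {digest: predicate_type(bundle) for digest, bundle in referrers.items()}


def find_referrers(referrers: dict, wanted_predicate: str) -> list:
    """Return the digests whose attestation carries the wanted predicate type."""
    return [d for d, t in index_by_predicate(referrers).items() if t == wanted_predicate]


if __name__ == "__main__":
    for digest, ptype in index_by_predicate(SAMPLE_REFERRERS).items():
        print(f"{digest[:19]}...  {ptype}")
    print("VEX referrers:", find_referrers(SAMPLE_REFERRERS, "https://openvex.dev/ns/v0.2.0"))
```

The point of the example is the shape of the data: `mediaType`, `verificationMaterial` and the envelope's `payloadType` are identical for both referrers, so a client that wants to replace only the VEX has to decode every payload first, which is exactly the cost a manifest-level marker or a custom annotation would remove.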