Description
What happened in your environment?
The index.json created by `oras cp` for an OCI layout does not contain any artifactType, although the root manifest declares one.
Weirdly enough, it does contain one if a Cosign v3 signature exists. The manifest of a Cosign v3 signature provides the same "artifact type" (application/vnd.dev.sigstore.bundle.v0.3+json) in both .artifactType and .config.artifactType, so it is unclear where the value is being taken from.
What did you expect to happen?
According to the OCI image specification regarding artifact usage, the "artifact type" should be taken primarily from the manifest's .artifactType. Only as a fallback might the value of .config.mediaType be taken.
Therefore I'd expect ORAS to look for the "artifact type" value in this order:
- the manifest's .artifactType
- the manifest's .config.mediaType

and then enter it in the corresponding manifest entry in the index.json file.
It is underspecified what should happen with artifactType, but since it is being added for Cosign signatures, I expect consistency.
How can we reproduce it?
1. Push an artifact with an "artifact type": `oras push --artifact-type <my-artifact-type> <oci-reference> <my-file>`
2. Copy the artifact to an OCI layout: `oras cp --to-oci-layout <oci-reference> <oci-layout-dir>`
3. Evaluate the resulting index.json: `jq '.' <oci-layout-dir>/index.json`

To also evaluate the result with Cosign, sign the artifact and evaluate the resulting index.json again. In that case the cosign manifest's entry shows artifactType: application/vnd.dev.sigstore.bundle.v0.3+json.
What is the version of your ORAS CLI?
Version: 1.3.0+Homebrew
Go version: go1.25.1
OS/Arch: darwin/arm64
What is your OS environment?
macOS
Are you willing to submit PRs to fix it?
- Yes, I am willing to fix it.
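As an added example (not ORAS code; standard library only, with a constructed manifest), here is the lookup order described in this report implemented in Go: the manifest's own .artifactType first, .config.mediaType as the fallback, written into the descriptor an index.json entry would carry. The type and function names are my own.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// descriptor: the OCI descriptor fields an index.json manifest entry carries.
type descriptor struct {
	MediaType    string `json:"mediaType"`
	Digest       string `json:"digest"`
	Size         int64  `json:"size"`
	ArtifactType string `json:"artifactType,omitempty"`
}
// manifest: the OCI image manifest fields that matter for the artifact type.
type manifest struct {
	MediaType    string     `json:"mediaType"`
	ArtifactType string     `json:"artifactType,omitempty"`
	Config       descriptor `json:"config"`
}

// resolveArtifactType: manifest.artifactType first, config.mediaType only as fallback.
func resolveArtifactType(m manifest) string {
	if m.ArtifactType != "" {
		return m.ArtifactType
	}
	return m.Config.MediaType
}

// indexEntry builds the index.json descriptor for a manifest blob, artifactType included.
func indexEntry(raw []byte) (descriptor, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return descriptor{}, err
	}
	sum := sha256.Sum256(raw)
	return descriptor{
		MediaType:    m.MediaType,
		Digest:       fmt.Sprintf("sha256:%x", sum),
		Size:         int64(len(raw)),
		ArtifactType: resolveArtifactType(m),
	}, nil
}

func main() {
	// Constructed sample manifest (not a real artifact): artifactType is set, so it wins.
	d, _ := indexEntry([]byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","artifactType":"application/vnd.example.sbom+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","digest":"sha256:placeholder","size":2},"layers":[]}`))
	fmt.Printf("%+v\n", d)
}
```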