artifact_type in metrics are not relevant about harbor HOT 4 OPEN

In fact given to the above info indicates that this signature is signer by legacy cosign version that haven't support oci-spec 1.1 yet, means can not simply collecting either media_type or manifest_media_type to do differentiation. It actual type is concealed in layers for legacy cosign behavior. It needs query two tables rather than just artifact.
However, In next harbor release it can be easily achieved by using cosign --registry-referrers-mode oci-1-1signing image

from harbor.

Which harbor and cosign version/build you are using?
Current behavior is collecting artifact.type AS artifact_type from db, we do add artifact.artifact_type column in the next release(v2.11) to collect image.Manifest.ArtifactType. So if cosign is using ArtifactType for their signature manifest (adopt oci-spec 1.1), we possibly could do so to differenciate as you expected.

from harbor.

My Harbor version is 2.10.0.
I don't know about the cosign version because my only exemple comes from a replication rule importing image and signature from a remote Harbor registry (I don't have any information about it).

Currently, in database, I have those rows :

 type  |                   media_type                   |                 manifest_media_type                  
-------+------------------------------------------------+------------------------------------------------------
 IMAGE | application/vnd.docker.container.image.v1+json | application/vnd.docker.distribution.manifest.v2+json
 IMAGE | application/vnd.oci.image.config.v1+json       | application/vnd.oci.image.manifest.v1+json

The first rows is about image artifact, the second is about the signature artifact. So if you implement a type based either on media_type or manifest_media_type, it will work indeed.

from harbor.

Ok thanks.
When Harbor 2.11 will be released, I will tell the editor to sign image with the oci-spec 1.1.
I will close the issue after the release if that's ok for you.

from harbor.