Images are now being pushed to OCI registries with more and more metadata, including attestations, signatures, and SBOMs. What is involved with adding your own artifacts? This talk walks through how OCI recently standardized the process, and describes how additional data can be added to an image without modifying its immutable digest. You’ll learn how tooling can ship SBOMs along side images, both for the vendor generating the SBOM and the user searching for it. And this talk will cover many of the gotchas you may encounter when implementing this yourself.