sigstore · SequeI · Mar 18, 2026 · Mar 18, 2026
@@ -10,7 +10,8 @@ All versions prior to 1.0.0 are untracked.
 ## [Unreleased]
 
 ### Added
--Added the `digest` subcommand to compute and print a model's digest. This enables other tools to easily pair the attestations with a model directory.
+- Added the `digest` subcommand to compute and print a model's digest. This enables other tools to easily pair the attestations with a model directory.
+- Added `--oci-manifest` flag to sign and verify OCI image manifests directly (e.g., from `skopeo inspect --raw`), without requiring model files on disk.
 
 ### Changed
 - Standardized CLI flags to use hyphens (e.g., `--trust-config` instead of `--trust_config`). Underscore variants are still accepted for backwards compatibility via token normalization.

@@ -175,6 +175,18 @@ All signing methods support changing the signature name and location via the
 Consult the help for a list of all flags (`model_signing --help`, or directly
 `model_signing` with no arguments)
 
+#### Signing OCI Image Manifests
+
+To sign an OCI image manifest directly (e.g., from `skopeo inspect --raw`),
+use the `--oci-manifest` flag:
+
+```bash
+[...]$ skopeo inspect --raw docker://registry.example.com/model:latest > manifest.json
+[...]$ model_signing sign key manifest.json --oci-manifest --private-key key.priv
+```
+
+This enables signing container images without requiring model files on disk.
+
 On verification we use the `verify` subcommand. To verify a Sigstore signed
 model we use