Add OCI functions fort signing

oci.jq

@@ -87,3 +87,52 @@ def sort_manifests:
 	sort_by(.platform | sort_split_platform)
 	| sort_attestations
 ;
+
+def index_type:
+    if .mediaType != "application/vnd.oci.image.index.v1+json" and .mediaType then # TODO drop the second half of this validation: https://github.com/moby/buildkit/issues/4595
+        error("unsupported index mediaType: " + .mediaType)
+    else . end
+;
+
+def validate_index_type:
+    if .schemaVersion != 2 then
+        error("unsupported schemaVersion: " + .schemaVersion)
+    else . end
+    | index_type
+;
+
+# jq -s 'include "oci"; validate_oci_basic' dir/oci-layout dir/index.json 
+def validate_oci_basic:
+    if length != 2 then
+        error("Unexpected oci-layout. Expecting 'oci-layout' and 'index.json'")
+    else . end
+    | .[0] |= (
+        if .imageLayoutVersion != "1.0.0" then
+            error("unsupported imageLayoutVersion: " + .imageLayoutVersion)
+        else . end
+    )
+    | .[1] |= (
+        . | validate_index_type
+        | if .manifests | length != 1 then
+            error("expected only one manifests entry, not " + (.manifests | length | tostring))
+        else . end
+
+        | .manifests[0] |= (
+            index_type
+            # TODO validate .digest somehow (`crane validate`?) - would also be good to validate all descriptors recursively
+            | if .size < 0 then
+                error("invalid descriptor size: " + .size)
+            else . end
+        )
+    )
+;
+
+def image_digest($os; $arch):
+  if length != 1 then
+    error("unexpected image index document count: " + (length | tostring))
+  else .[0] end
+  | validate_index_type
+  | .manifests[]
+  | select(.platform.os == $os and .platform.architecture == $arch)
+  | .digest
+;