Authentication of the descriptor version
The version field of the descriptor (OS package detached signature) looks like it may be unauthenticated. I.e., when we add a version 2, it may be possible for an attacker to change the version field between 1 and 2 without detection. To get detection, the signatures on OS packages ought to in some way include the descriptor version in the data being signed. This may be a non-issue as long as there is only a single version being detected, but we need to document or keep in mind that this should be taken into account when making the next version. We should maybe also make clearer that further versions must not add metadata to this descriptor; all metadata should be in the manifest inside the signed archive.
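To illustrate the point, here is an added example (not code from this project) that signs a hypothetical descriptor with an Ed25519 detached signature two ways: once over the body only, and once over the version bound in as a fixed prefix. Flipping the version field from 1 to 2 after signing goes undetected in the first encoding and fails verification in the second. The `Descriptor` type and the encodings are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Descriptor is a hypothetical OS package descriptor: a version field plus
// the bytes the detached signature is computed over (assumed layout).
type Descriptor struct {
	Version uint32
	Body    []byte
}

// signedBytesWeak covers only the body, so the version is unauthenticated.
func signedBytesWeak(d Descriptor) []byte { return d.Body }

// signedBytesStrong binds the version into the signed data as a fixed-width
// big-endian prefix, so a signature made for version 1 cannot verify as version 2.
func signedBytesStrong(d Descriptor) []byte {
	buf := make([]byte, 4, 4+len(d.Body))
	binary.BigEndian.PutUint32(buf, d.Version)
	return append(buf, d.Body...)
}

// VerifyAfterVersionChange signs d with a fresh key, sets the version field
// to 2 after signing, and reports whether the original detached signature
// still verifies under the given encoding.
func VerifyAfterVersionChange(d Descriptor, enc func(Descriptor) []byte) bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, enc(d))
	tampered := d
	tampered.Version = 2
	return ed25519.Verify(pub, enc(tampered), sig)
}

func main() {
	// Constructed sample descriptor, version 1.
	d := Descriptor{Version: 1, Body: []byte("constructed sample descriptor body")}
	fmt.Println("body-only signing, version changed, still verifies:", VerifyAfterVersionChange(d, signedBytesWeak))
	fmt.Println("version-bound signing, version changed, still verifies:", VerifyAfterVersionChange(d, signedBytesStrong))
}
```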