
attest: if there is no attestation `--replace` causes empty manifest layer

Open · Dentrax opened this issue 3 years ago · 1 comment

Description

We (@developer-guy) noticed a strange behavior: if there is no attestation and we pass the --replace flag, it creates a new .att but does not attach any layers to the manifest.

  1. Clean the image:
$ cosign clean furkanturkal/busybox:0.1.0
  2. Attest the image with the --replace flag:
$ COSIGN_EXPERIMENTAL=1 cosign attest --replace --predicate scan.json --type https://trivy.aquasec.com/scan/v2 furkanturkal/busybox:0.1.0
  3. Expect layers to be empty:
$ crane manifest furkanturkal/busybox:sha256-f1e9b10f3e11f03cc1881415598044364124c838dbc616621403bb88099ba8af.att | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 115,
    "digest": "sha256:5b943e2b943f6c81dbbd4e2eca5121f4fcc39139e3d1219d6d89bd925b77d9fe"
  },
  "layers": []
}

I would expect something like:

  • Fail with an error (you have to attest first before using --replace / you cannot pass the --replace flag without attaching an attestation)
  • Prompt a question (you passed the --replace flag but no previous attestation was found. Do you want to create a new one?)

Version

1.9.0

Dentrax · Jul 20 '22 20:07
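The reproduction above ends by eyeballing `"layers": []` in the .att manifest. The following Go program is an added example, not cosign's own code, that turns that inspection into a pre-flight check of the kind the report asks for: given the raw manifest JSON that `crane manifest` prints, it counts the DSSE attestation layers (cosign stores attestations as layers with media type `application/vnd.dsse.envelope.v1+json`) and refuses a `--replace` when there is nothing to replace. The `predicateType` layer annotation used to filter by predicate type, the function names `CountAttestations` and `CheckReplace`, and the sample manifests are assumptions and constructed inputs for this illustration; the empty manifest mirrors the one in the report.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Media type cosign uses for attestation layers (DSSE envelopes) in an .att manifest.
const dsseMediaType = "application/vnd.dsse.envelope.v1+json"

// Annotation key assumed (not verified against cosign's source for this example)
// to carry the in-toto predicate type of each attestation layer.
const predicateAnnotation = "predicateType"

// TrivyPredicateType is the --type value used in the report.
const TrivyPredicateType = "https://trivy.aquasec.com/scan/v2"

// EmptyAttManifest mirrors the manifest shown in the report: a config blob and no layers.
const EmptyAttManifest = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "size": 115,
             "digest": "sha256:5b943e2b943f6c81dbbd4e2eca5121f4fcc39139e3d1219d6d89bd925b77d9fe"},
  "layers": []
}`

// TrivyAttManifest is a constructed manifest (digests are placeholders) holding two
// attestations of different predicate types, as a populated .att tag would.
const TrivyAttManifest = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "size": 233,
             "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111"},
  "layers": [
    {"mediaType": "application/vnd.dsse.envelope.v1+json", "size": 4096,
     "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
     "annotations": {"predicateType": "https://trivy.aquasec.com/scan/v2"}},
    {"mediaType": "application/vnd.dsse.envelope.v1+json", "size": 1024,
     "digest": "sha256:3333333333333333333333333333333333333333333333333333333333333333",
     "annotations": {"predicateType": "https://slsa.dev/provenance/v0.2"}}
  ]
}`

type descriptor struct {
	MediaType   string            `json:"mediaType"`
	Size        int64             `json:"size"`
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}

// CountAttestations parses an OCI image manifest and returns how many layers are DSSE
// attestation envelopes. With a non-empty predicateType only layers annotated with that
// predicate type are counted, which is the granularity --replace operates at.
func CountAttestations(raw []byte, predicateType string) (int, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return 0, fmt.Errorf("parse manifest: %w", err)
	}
	n := 0
	for _, l := range m.Layers {
		if l.MediaType != dsseMediaType {
			continue // signatures, SBOMs or unknown blobs are not attestations
		}
		if predicateType != "" && l.Annotations[predicateAnnotation] != predicateType {
			continue
		}
		n++
	}
	return n, nil
}

// ErrNothingToReplace is the "fail with error" outcome proposed in the report.
var ErrNothingToReplace = errors.New("--replace requested but no attestation of this predicate type exists; attest without --replace first")

// CheckReplace is a pre-flight check against the current .att manifest: a plain attest
// is always allowed, a --replace only when there is an attestation to replace.
func CheckReplace(raw []byte, predicateType string, replace bool) error {
	if !replace {
		return nil
	}
	n, err := CountAttestations(raw, predicateType)
	if err != nil {
		return err
	}
	if n == 0 {
		return ErrNothingToReplace
	}
	return nil
}

func main() {
	for _, tc := range []struct{ name, raw string }{{"empty .att", EmptyAttManifest}, {"populated .att", TrivyAttManifest}} {
		n, _ := CountAttestations([]byte(tc.raw), TrivyPredicateType)
		fmt.Printf("%s: %d trivy attestation(s); --replace check: %v\n", tc.name, n, CheckReplace([]byte(tc.raw), TrivyPredicateType, true))
	}
}
```

Run against a live registry by piping `crane manifest <image>:sha256-<digest>.att` into a file and feeding its bytes to `CheckReplace` before invoking `cosign attest --replace`; a non-nil error is exactly the state the report shows, where the replace would otherwise leave an .att tag with no layers.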

We are willing to work on this; if you let us do that, I can assign it to myself 🙋🏻‍♂️

developer-guy · Jul 20 '22 20:07