cosign
`cosign attach` commands support providing a signature or attestation but not a certificate
```
$ cosign attach -h
Provides utilities for attaching artifacts to other artifacts in a registry

Usage:
  cosign attach [command]

Available Commands:
  attestation Attach attestation to the supplied container image
  sbom        Attach sbom to the supplied container image
  signature   Attach signatures to the supplied container image
[...]
Use "cosign attach [command] --help" for more information about a command.
```
If you attach a signature:
```
cosign attach signature -h
Attach signatures to the supplied container image

Usage:
  cosign attach signature [flags]

Examples:
  cosign attach signature <image uri>

Flags:
      --allow-insecure-registry whether to allow insecure connections to registries. Don't use this for anything but testing
      --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
  -h, --help help for signature
      --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
      --payload string path to the payload covered by the signature (if using another format)
      --signature string the signature, path to the signature, or {-} for stdin
[...]
```
There's no way to put a signature and accompanying certificate on the image.