
`cosign attest` doesn't work with provenances

Open upodroid opened this issue 3 years ago • 0 comments

Description

Hi

I'm doing provenance generation for knative and I'm seeing bugs with `cosign attest`.

https://github.com/knative/test-infra/issues/3440

```
COSIGN_EXPERIMENTAL=1 cosign attest --recursive --identity-token="${ID_TOKEN}" --predicate=kn-attestation.json --type=slsaprovenance --no-tlog-upload --no-upload $(cat pkg/testdata/image-refs.txt)

Generating ephemeral keys...
Retrieving signed certificate...

        Note that there may be personally identifiable information associated with this signed artifact.
        This may include the email address associated with the account with which you authenticate.
        This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
Successfully verified SCT...
Using payload from: kn-attestation.json
Error: signing gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:bac158dfb0c73d13ed42266ba287f1a86192c0ba581e23fbe012d30a1c34837c: provenance predicate: required field builder missing
main.go:62: error during command execution: signing gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:bac158dfb0c73d13ed42266ba287f1a86192c0ba581e23fbe012d30a1c34837c: provenance predicate: required field builder missing
```

https://prow.knative.dev/view/gs/knative-prow/logs/nightly_net-contour_main_periodic/1582299938572734464 (look for "Using payload from: attestation.json").

Builder is definitely there, so is this a bug in cosign?

https://github.com/knative/test-infra/blob/main/tools/provenance-generator/kn-attestation.json

I wrote a tool to generate the provenance in the same folder as the sample attestation that I attached.

Version

1.13.0

upodroid · Oct 18 '22 21:10
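The error above comes from cosign validating the predicate file before it signs anything. As an added pre-flight check (my own example, not code from cosign or the knative provenance generator), this script loads a `--predicate` file and reports the required SLSA v0.2 predicate fields (`builder`, `buildType`) that are missing; the check for a file that is a complete in-toto Statement rather than a bare predicate is an assumption I added, not a cause stated in the issue, and the sample documents are constructed.

```python
import json

# Required top-level fields of a SLSA v0.2 provenance predicate, i.e. the object
# handed to `cosign attest --predicate FILE --type=slsaprovenance`.
REQUIRED_FIELDS = ("builder", "buildType")


def check_predicate(doc):
    """Return a list of problems found in a parsed predicate; [] means it passes."""
    problems = []
    if not isinstance(doc, dict):
        return ["predicate must be a JSON object"]
    # Assumption (not stated in the issue): a file that is a complete in-toto
    # Statement rather than a bare predicate puts the required fields one level
    # too deep, so flag that explicitly and then check the inner predicate.
    if "predicateType" in doc and isinstance(doc.get("predicate"), dict):
        problems.append("file is a full in-toto Statement; pass only its "
                        "'predicate' object to cosign")
        doc = doc["predicate"]
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"required field {field} missing")
    builder = doc.get("builder")
    if isinstance(builder, dict) and not builder.get("id"):
        problems.append("builder.id is empty")
    return problems


def check_predicate_file(path):
    """Load a JSON file and run check_predicate on it."""
    with open(path, encoding="utf-8") as fh:
        return check_predicate(json.load(fh))


# Constructed samples (not the knative kn-attestation.json from the issue).
BARE_PREDICATE = {
    "builder": {"id": "https://example.invalid/builder"},
    "buildType": "https://example.invalid/build/v1",
}
WRAPPED_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "example.invalid/image", "digest": {"sha256": "00"}}],
    "predicate": BARE_PREDICATE,
}

if __name__ == "__main__":
    for name, doc in (("bare", BARE_PREDICATE), ("wrapped", WRAPPED_STATEMENT)):
        print(name, check_predicate(doc) or "ok")
```

Run it against the real predicate with `check_predicate_file("kn-attestation.json")` before invoking `cosign attest`.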