
invalid PEM value error trying to validate an SBOM attestation signed with a local key pair

Open rvillane opened this issue 1 year ago • 0 comments

Hi, I'm using cosign v2.3.0 to add an SPDX SBOM as an attestation based on locally generated key-value pairs, following the steps described here: https://aquasecurity.github.io/trivy/v0.31.3/docs/attestation/sbom/#sign-with-a-local-key-pair

  1. cosign generate-key-pair (generates a fresh key pair using cosign)
  2. syft packages docker:IMAGE --output spdx-json -vv > sbom-spdx-syft.json
  3. cosign attest --predicate sbom-spdx-syft.json --type spdx --key cosign.key IMAGE
  4. cosign tree IMAGE

📦 Supply Chain Security Related artifacts for an image: IMAGE
└── 🔐 Signatures for an image tag: index.docker.io/OWNER/CONTAINER:sha256-605350272bedf07cbb4efdb5b31b5c86c907be648fac1a2994f943abf1559fd3.sig
    └── 🍒 sha256:0b6956fa9c4315ccf2be20fd5c9cd07a64a2a25a69f0d4b0cced59db4dc70a4d
└── 💾 Attestations for an image tag: index.docker.io/OWNER/CONTAINER:sha256-605350272bedf07cbb4efdb5b31b5c86c907be648fac1a2994f943abf1559fd3.att
    └── 🍒 sha256:4b9c3ccef0ca5562b8950e4203879103df43e2ac7a083ebc5a1769c9a5a50aac

  5. cosign -d verify-attestation --type spdx --key cosign.pub IMAGE
Error: getting Rekor public keys: unable to initialize client, local cache may be corrupt: tuf: error unmarshalling key: invalid PEM value
main.go:74: error during command execution: getting Rekor public keys: unable to initialize client, local cache may be corrupt: tuf: error unmarshalling key: invalid PEM value

The verification step is failing due to an invalid PEM value, which is odd since the public key was generated in step 1 by cosign. I suspect I'm missing some initialization step here, however, I cannot find what it is; any ideas are welcome.

rvillane · Aug 13 '24 23:08
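An added diagnostic example, not cosign's or go-tuf's code and not part of the issue above. The error text blames the TUF client's local cache ("unable to initialize client, local cache may be corrupt: tuf: error unmarshalling key"), i.e. the cached Sigstore root metadata and targets that cosign consults to obtain Rekor's public key, rather than the cosign.pub passed on the command line. The script below walks a cache directory and reports every file or metadata key whose PEM is structurally broken (mismatched BEGIN/END labels, non-base64 body, or a body that does not decode to a DER SEQUENCE). It assumes cosign's default cache location `~/.sigstore/root` and the TUF layout `signed.keys[*].keyval.public` for PEM keys in `*.json` metadata plus PEM targets such as `rekor.pub`; the sample cache it builds (one good target, one HTML error page cached as a key, one truncated key in root.json) is constructed for the example.

```python
"""Scan a Sigstore TUF cache for entries that are not well-formed PEM.

Added example; not cosign or go-tuf code. Assumes cosign's default cache
directory ~/.sigstore/root and the TUF metadata layout described above.
"""
import base64
import binascii
import json
import os
import re
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)


def check_pem(text):
    """Return None if `text` holds a well-formed PEM block, else the reason.

    Structural check only: matching BEGIN/END labels, strict base64 body,
    and a DER SEQUENCE tag (0x30) as the first decoded byte. It does not
    verify the key material itself.
    """
    blocks = PEM_RE.findall(text)
    if not blocks:
        return "no PEM block found"
    for begin, body, end in blocks:
        if begin != end:
            return f"BEGIN {begin} does not match END {end}"
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            return f"body is not base64: {exc}"
        if not der or der[0] != 0x30:
            return "decoded body does not start with a DER SEQUENCE"
    return None


def scan_tuf_cache(root):
    """Return [(path relative to root, reason)] for every bad cache entry.

    *.json files are treated as TUF metadata and each signed.keys[*].keyval.public
    value is checked; every other file is checked as a PEM target (rekor.pub, ...).
    """
    bad = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                data = fh.read()
            if name.endswith(".json"):
                try:
                    keys = json.loads(data).get("signed", {}).get("keys", {})
                except json.JSONDecodeError as exc:
                    bad.append((rel, f"metadata is not JSON: {exc}"))
                    continue
                for keyid, key in keys.items():
                    reason = check_pem(key.get("keyval", {}).get("public", ""))
                    if reason:
                        bad.append((rel, f"key {keyid[:8]}: {reason}"))
            else:
                reason = check_pem(data)
                if reason:
                    bad.append((rel, reason))
    return bad


def _pem(der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


# Constructed stand-in for a DER key: SEQUENCE { INTEGER 5 }. Not a real key.
GOOD_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def build_sample_cache():
    """Create a constructed cache in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="tuf-cache-")
    os.makedirs(os.path.join(root, "targets"))
    with open(os.path.join(root, "targets", "rekor.pub"), "w") as fh:
        fh.write(_pem(GOOD_DER))                       # good target
    with open(os.path.join(root, "targets", "ctfe.pub"), "w") as fh:
        fh.write("<html><body>502 Bad Gateway</body></html>\n")  # constructed: error page cached as a key
    meta = {"signed": {"keys": {
        "aaaa1111": {"keyval": {"public": _pem(GOOD_DER)}},      # good key
        "bbbb2222": {"keyval": {"public":                         # truncated base64 body
            "-----BEGIN PUBLIC KEY-----\nMAMCAQ\n-----END PUBLIC KEY-----\n"}},
    }}}
    with open(os.path.join(root, "root.json"), "w") as fh:
        json.dump(meta, fh)
    return root


if __name__ == "__main__":
    cache = os.path.expanduser("~/.sigstore/root")   # assumed cosign default
    if not os.path.isdir(cache):
        cache = build_sample_cache()
    for rel, reason in scan_tuf_cache(cache) or [("-", "no problems found")]:
        print(f"{rel}: {reason}")
```

If the scan flags entries, the cache is the thing to repair rather than the signing key pair: deleting the cache directory and re-running `cosign initialize` re-fetches the Sigstore root (the cache path is an assumption here; check the cosign version's documentation for the directory it actually uses).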