`dockerfile verify` command fails when stage names are used in `FROM`

Open slmsbrhgn opened this issue 1 year ago • 0 comments

Description

When a Dockerfile contains a `FROM` statement using a stage name instead of an image, `dockerfile verify` fails because cosign tries to pull the stage name as if it was an image.

For example, using this Dockerfile:

```dockerfile
FROM cgr.dev/chainguard/static:latest AS base_image
# some customization here
FROM base_image
ENTRYPOINT "/executable"
```

running `cosign dockerfile verify Dockerfile --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main` ends with an error:

```
Extracted image(s): cgr.dev/chainguard/static:latest, base_image
(...)
Error: GET https://index.docker.io/v2/library/base_image/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/base_image Type:repository]]
main.go:69: error during command execution: GET https://index.docker.io/v2/library/base_image/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/base_image Type:repository]]
```

Commenting out `FROM base_image` in the Dockerfile makes it work.

Version

```
GitVersion:    v2.4.0
GitCommit:     b5e7dc123a272080f4af4554054797296271e902
GitTreeState:  clean
BuildDate:     2024-08-06T21:39:53Z
GoVersion:     go1.22.5
Compiler:      gc
Platform:      linux/amd64
```

slmsbrhgn · Sep 15 '24 17:09
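
The behaviour the report asks for, as an added example that is not part of the original issue and is not cosign's own code: collect the references from `FROM` lines, but skip any that name a stage declared earlier with `AS`, so only registry images are handed to signature verification. The function name `imagesToVerify` is hypothetical, and the sketch assumes no line continuations or `ARG` substitution in `FROM` lines.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// imagesToVerify returns the registry images named in FROM lines, skipping
// earlier build stages and "scratch". Hypothetical helper, not cosign code;
// assumes no line continuations or ARG substitution.
func imagesToVerify(dockerfile string) []string {
	stages := map[string]bool{} // stage names declared so far via "AS <name>"
	var images []string
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || !strings.EqualFold(fields[0], "FROM") {
			continue
		}
		args := fields[1:]
		// Drop flags such as --platform=linux/amd64 that precede the reference.
		for len(args) > 0 && strings.HasPrefix(args[0], "--") {
			args = args[1:]
		}
		if len(args) == 0 {
			continue
		}
		ref := args[0]
		// An earlier stage name is local to the build, not a registry image.
		if !stages[strings.ToLower(ref)] && ref != "scratch" {
			images = append(images, ref)
		}
		// Record the stage after resolving ref so it cannot shadow its own base.
		if len(args) == 3 && strings.EqualFold(args[1], "AS") {
			stages[strings.ToLower(args[2])] = true
		}
	}
	return images
}

// Constructed sample: the Dockerfile from the report above.
const sample = `FROM cgr.dev/chainguard/static:latest AS base_image
# some customization here
FROM base_image
ENTRYPOINT "/executable"
`

func main() {
	fmt.Println(imagesToVerify(sample))
}
```

Stage names are compared case-insensitively here, and a name only counts as a stage once its `AS` line has been seen, so a `FROM` that precedes the declaration is still treated as an image that must be verified.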