
cosign 3.0.3: cosign attestation download skips new-bundle-format style annotations, if any sort of bundle is found via referrers api

Open tamcore opened this issue 1 month ago • 3 comments

Description

With cosign v3.0.3, new-bundle-format style attestations are correctly detected on an image. It correctly checks the referrers API for artifacts for references.

But it already considers itself done if the referrers API returns even just a simple cosign signature, without an attestation.

In that case, the expected behaviour would be for it to move on and check for a new-bundle-format=false style sha256-xyz.att attestation as well.

If I comment out the line

https://github.com/sigstore/cosign/blob/3f32cea203c59a93323a6bebfebff03417520143/cmd/cosign/cli/download/attestation.go#L75

it works just fine and detects both old- and new-style attestations.

Version

3.0.3

tamcore, Dec 10 '25 08:12
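A simplified Go model of the two lookup orders described in the report, added here as an illustration and not taken from cosign's code: the `Referrer` and `Image` types, the `HasDSSE` flag and the `"bundle-attestation"` label are assumptions, and the media type constant is used only as a tag to filter on.

```go
package main

import "fmt"

// Referrer is a simplified model of one referrers-API result; HasDSSE marks a
// bundle that wraps a DSSE envelope (an attestation) rather than a signature.
// This is an added illustration for the report above, not cosign's own code.
type Referrer struct {
	ArtifactType string
	HasDSSE      bool
}

type Image struct {
	Referrers []Referrer
	LegacyAtt []string // payloads under sha256-<digest>.att (constructed)
}

const sigstoreBundleType = "application/vnd.dev.sigstore.bundle.v0.3+json"

// bundleAttestations keeps only referrers that carry an attestation.
func bundleAttestations(refs []Referrer) []string {
	var out []string
	for _, r := range refs {
		if r.ArtifactType == sigstoreBundleType && r.HasDSSE {
			out = append(out, "bundle-attestation")
		}
	}
	return out
}

// downloadShortCircuit mirrors the reported behaviour: any referrer, even a
// signature-only bundle, ends the search before the legacy tag is consulted.
func downloadShortCircuit(img Image) []string {
	out := bundleAttestations(img.Referrers)
	if len(img.Referrers) > 0 {
		return out
	}
	return append(out, img.LegacyAtt...)
}

// downloadBoth mirrors the run with the early return removed: legacy .att is read too.
func downloadBoth(img Image) []string {
	return append(bundleAttestations(img.Referrers), img.LegacyAtt...)
}

func main() {
	// Constructed case from the report: signature-only bundle plus a legacy .att.
	img := Image{Referrers: []Referrer{{sigstoreBundleType, false}}, LegacyAtt: []string{"legacy-provenance"}}
	fmt.Println(downloadShortCircuit(img), downloadBoth(img)) // [] [legacy-provenance]
}
```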