Sample attestation manifest containing both predicates: https://oci.dag.dev/?image=daha97%2Fopenvex%3Asha256-a97a153152fcd6410bdf4fb64f5622ecf97a753f07dcc89dab14509d059736cf.att
Maybe I'm also doing something wrong, but seemingly cannot get it to work with `vexctl attest --attach --sign`.
Description
When calling `vexctl attest --sign --attach report.vex.json`, the attached attestation seemingly cannot be verified via `cosign verify-attestation`.

Repro steps:
Create a sample report with some data:
Attach and sign the report going through the signing flow
```
Generating ephemeral keys...
Retrieving signed certificate...
...
Successfully verified SCT...
```

```
cosign verify-attestation docker.io/daha97/openvex:1.23.4 --certificate-identity="..." --certificate-oidc-issuer=https://github.com/login/oauth
```

```
Error: no matching attestations: nil certificate provided
main.go:74: error during command execution: no matching attestations: nil certificate provided
```

```json
{
  "mediaType": "application/vnd.dsse.envelope.v1+json",
  "digest": "sha256:49709de8de52ec1ecb610900e2066e557edba647d70944461caaba47cf14b4dd",
  "size": 1724,
  "annotations": {
    "dev.cosignproject.cosign/signature": ""
  }
}
```
```
cosign attest --type custom --predicate vex.json docker.io/daha97/openvex:1.23.4
```

```
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...
```

```
cosign verify-attestation docker.io/daha97/openvex:1.23.4 --certificate-identity="..." --certificate-oidc-issuer=https://github.com/login/oauth
```

```json
{
  "mediaType": "application/vnd.dsse.envelope.v1+json",
  "digest": "sha256:50375613538f8b551ed758fb014d0832cdb1343f18b94bbc627e7d01cb7fc40c",
  "size": 1684,
  "annotations": {
    "predicateType": "https://cosign.sigstore.dev/attestation/v1",
    "dev.cosignproject.cosign/signature": "",
    "dev.sigstore.cosign/bundle": "...",
    "dev.sigstore.cosign/certificate": "...",
    "dev.sigstore.cosign/chain": "..."
  }
}
```
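
A quick way to see the difference between the two layer descriptors in this report, added here as an example and not part of the original issue or of the vexctl or cosign code: it lists, for each DSSE layer of a saved attestation manifest, which of the certificate, chain and bundle annotations are absent. `audit_layers`, `KEYLESS_KEYS` and the sample manifest are constructed for illustration; treating those three keys as the ones to check is an assumption drawn from the two descriptors shown here.

```python
import json

DSSE = "application/vnd.dsse.envelope.v1+json"
# Annotation keys that appear on the cosign-produced layer in this report
# and are absent from the vexctl-produced one (assumed to be the relevant set).
KEYLESS_KEYS = (
    "dev.sigstore.cosign/certificate",
    "dev.sigstore.cosign/chain",
    "dev.sigstore.cosign/bundle",
)

def audit_layers(manifest):
    """Return one finding per DSSE layer, listing the missing annotations."""
    findings = []
    for layer in manifest.get("layers", []):
        if layer.get("mediaType") != DSSE:
            continue  # not an attestation envelope
        ann = layer.get("annotations") or {}
        findings.append({
            "digest": layer.get("digest", "<no digest>"),
            "predicateType": ann.get("predicateType"),
            "missing": [k for k in KEYLESS_KEYS if not ann.get(k)],
        })
    return findings

# Constructed manifest: wraps the two layer descriptors quoted in this report;
# "..." stands in for values the report elides.
SAMPLE = {"layers": [
    {"mediaType": DSSE, "size": 1724,
     "digest": "sha256:49709de8de52ec1ecb610900e2066e557edba647d70944461caaba47cf14b4dd",
     "annotations": {"dev.cosignproject.cosign/signature": ""}},
    {"mediaType": DSSE, "size": 1684,
     "digest": "sha256:50375613538f8b551ed758fb014d0832cdb1343f18b94bbc627e7d01cb7fc40c",
     "annotations": {
         "predicateType": "https://cosign.sigstore.dev/attestation/v1",
         "dev.cosignproject.cosign/signature": "",
         "dev.sigstore.cosign/bundle": "...",
         "dev.sigstore.cosign/certificate": "...",
         "dev.sigstore.cosign/chain": "..."}},
]}

if __name__ == "__main__":
    import sys
    # With a file argument, audit a saved manifest JSON; otherwise the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_layers(doc):
        status = "MISSING " + ", ".join(f["missing"]) if f["missing"] else "ok"
        print(f["digest"][:19], f["predicateType"], status)
```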