Then use the cosign attach signature command to try to attach the signature for the image in new location B:
$ cosign attach signature --payload tmp/payload --signature tmp/signature --rekor-response tmp/bundle.json
Download the new signature from registry_location_B, and I saw the Bundle was not attached successfully.
$ cosign download signature > signature.new
$ cat signature.new
{"Base64Signature":"MEUCIHxJt0clf0aSiPdtEhjk0hHUSA7AXv3FU89rHU4ynYPaAiEAjCa0b0z3A9s5ycAGCu9SRa9XnPdXCWSM6iTsNH+6+g0=","Payload":"eyJjcml0aWNhbCI6eyJpZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiOTg3NzgwNzA0OTc2LmRrci5lY3IudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20vYXJ1YmFvcy9jb250YWluZXItbWFuYWdlciJ9LCJpbWFnZSI6eyJkb2NrZXItbWFuaWZlc3QtZGlnZXN0Ijoic2hhMjU2OjQ5ZTY4NGUzODZiOGI5MzViZTMwM2RhZGU3ZmIzYzg0MTk0OTBmNTVkYTZkMDU4MmU1ODdkZTIwNWMwYmFkZTQifSwidHlwZSI6ImNvc2lnbiBjb250YWluZXIgaW1hZ2Ugc2lnbmF0dXJlIn0sIm9wdGlvbmFsIjpudWxsfQ==","Cert":null,"Chain":null,"Bundle":null,"RFC3161Timestamp":null}
Version
cosign version: 2.2.4
Solution:
Cosign attach should attach the rekor-bundle if rekor-response flag is provided by the user.
Description
My requirement is to copy signature from one docker registry location to another registry location, together with the image.
This is what I did for the signature file to achieve this goal:
$ cosign download signature
Discussion at https://github.com/sigstore/cosign/issues/3458
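A post-copy check for the situation reported above, as an added example that is not part of the original issue or of cosign itself: it compares the `cosign download signature` output saved from the source and destination locations and reports any field (such as `Bundle`) that was present at the source but is null at the destination. It assumes the command prints one JSON object per line with the field names shown in the output above; the sample records and the function names are constructed for illustration.

```python
import base64
import json

OPTIONAL_FIELDS = ("Cert", "Chain", "Bundle", "RFC3161Timestamp")

def parse_signatures(text):
    """Parse saved `cosign download signature` output (assumed: one JSON object per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def signed_digest(sig):
    """Decode the base64 payload and return the image digest it covers."""
    payload = json.loads(base64.b64decode(sig["Payload"]))
    return payload["critical"]["image"]["docker-manifest-digest"]

def lost_fields(source_text, dest_text):
    """Map each source Base64Signature to the problems found at the destination."""
    dest = {s["Base64Signature"]: s for s in parse_signatures(dest_text)}
    problems = {}
    for src in parse_signatures(source_text):
        key = src["Base64Signature"]
        copy = dest.get(key)
        if copy is None:
            problems[key] = ["signature missing"]
            continue
        issues = []
        if copy["Payload"] != src["Payload"]:
            issues.append("payload differs")
        for field in OPTIONAL_FIELDS:
            # A field that verification may rely on was silently dropped.
            if src.get(field) is not None and copy.get(field) is None:
                issues.append(field + " dropped")
        if issues:
            problems[key] = issues
    return problems

def _sample(bundle):
    """Constructed record; registry name, digest and bundle values are placeholders."""
    payload = {"critical": {"identity": {"docker-reference": "registry.example/app"},
                            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
                            "type": "cosign container image signature"},
               "optional": None}
    return json.dumps({"Base64Signature": "Y29uc3RydWN0ZWQ=",
                       "Payload": base64.b64encode(json.dumps(payload).encode()).decode(),
                       "Cert": None, "Chain": None, "Bundle": bundle,
                       "RFC3161Timestamp": None})

SOURCE = _sample({"SignedEntryTimestamp": "c2V0", "Payload": {"logIndex": 1}})
DEST = _sample(None)  # mirrors the reported result: "Bundle":null

if __name__ == "__main__":
    print(signed_digest(parse_signatures(SOURCE)[0]), lost_fields(SOURCE, DEST))
```

Running such a check in the copy pipeline catches a dropped bundle before a verifier that requires a transparency-log entry rejects the image at the new location.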