cosign attach command couldn't attach the rekor-bundle to an image

[ArubaTest]

Description

My requirement is to copy signature from one docker registry location to another registry location, together with the image.

This is what i did for the signature file to achieve this goal:

• Download the original signature by cosign download signature; $ cosign download signature > signature.raw
• Parse the signature file into payload, signature, cert, bundle.json, etc; $ cat signature.raw | jq -rj .Payload | base64 -d > tmp/payload $ cat signature.raw | jq -rj .Base64Signature > tmp/signature $ cat signature.raw | jq -rj .Bundle > tmp/bundle.json $ cat tmp/bundle.json { "SignedEntryTimestamp": "MEUCICKgTYPZ78d1lRMeGZgOzKDzFt6QL8qoYPCdjU1FC0FFAiEA3l6r2g1B2TEZ5p4nQHvrNYSi5GdxYt6/CEF0JiUFahE=", "Payload": { "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3......", "integratedTime": 1713602723, "logIndex": 35, "logID": "c4f66443a08e6b5d4f26bd984373c53a4420681df4e86d7eb60a5d7e36f9d5b7" }
• Then use cosign attach signature command to try to attach the sinature for the image in new location B; $ cosign attach signature --payload tmp/payload --signature tmp/signature --rekor-response tmp/bundle.json
• Download the new signature from registry_location_B and I saw the Bundle is not attached succeed.
  $ cosign download signature > signature.new $ cat signature.new {"Base64Signature":"MEUCIHxJt0clf0aSiPdtEhjk0hHUSA7AXv3FU89rHU4ynYPaAiEAjCa0b0z3A9s5ycAGCu9SRa9XnPdXCWSM6iTsNH+6+g0=","Payload":"eyJjcml0aWNhbCI6eyJpZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiOTg3NzgwNzA0OTc2LmRrci5lY3IudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20vYXJ1YmFvcy9jb250YWluZXItbWFuYWdlciJ9LCJpbWFnZSI6eyJkb2NrZXItbWFuaWZlc3QtZGlnZXN0Ijoic2hhMjU2OjQ5ZTY4NGUzODZiOGI5MzViZTMwM2RhZGU3ZmIzYzg0MTk0OTBmNTVkYTZkMDU4MmU1ODdkZTIwNWMwYmFkZTQifSwidHlwZSI6ImNvc2lnbiBjb250YWluZXIgaW1hZ2Ugc2lnbmF0dXJlIn0sIm9wdGlvbmFsIjpudWxsfQ==","Cert":null,"Chain":null,"Bundle":null,"RFC3161Timestamp":null}

Version cosign version: 2.2.4

Solution: Cosign attach should attach the rekor-bundle if rekor-response flag is provided by the user.

Discussion at https://github.com/sigstore/cosign/issues/3458

[haydentherapper]

Dup of https://github.com/sigstore/cosign/issues/3458

Will try to circle back to this issue soon, sorry it's been open for awhile.