In

```go
if !pr.SignedIdentity.matchesDockerReference(image, ref) {
	return PolicyRequirementError(fmt.Sprintf("Signature for identity %q is not accepted", ref))
}
```

the docker-reference is checked to match, even though cosign --verify appears to be ignoring it, as I can read from the spec:
https://github.com/sigstore/cosign/blame/544d76a7098565aea9a77ab8e9ca60e5ea825d82/specs/SIGNATURE_SPEC.md#L268
I've tried various attempts at using "remapIdentity" but I cannot make this check pass. I wonder, though, why there is a validation difference from what cosign --verify performs. Is this intentional?
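As an added illustration (not code from containers/image or from this thread), a small Go model of how a `remapIdentity` signedIdentity rewrites the pulled image reference before the docker-reference comparison, so the outcome of the check above can be reasoned about for a given policy; the `Prefix`/`SignedPrefix` values and the registries used are assumptions.

```go
package main

import "strings"

// RemapIdentity models the containers-policy.json(5) signedIdentity type
// "remapIdentity" (an illustration, not containers/image code): when the image
// reference's repository starts with Prefix at a path-component boundary, that
// prefix is swapped for SignedPrefix before comparing against the docker-reference
// recorded in the signature. References are assumed to be fully qualified already.
type RemapIdentity struct {
	Prefix       string
	SignedPrefix string
}

// repoName drops "@digest" and ":tag", leaving the repository path only.
func repoName(ref string) string {
	if i := strings.IndexByte(ref, '@'); i >= 0 {
		ref = ref[:i]
	}
	if i := strings.LastIndexByte(ref, ':'); i > strings.LastIndexByte(ref, '/') {
		ref = ref[:i]
	}
	return ref
}

// Remap returns imageRef with Prefix replaced by SignedPrefix, or imageRef unchanged
// when the prefix does not match at a component boundary ("mirror" vs "mirrorx").
func (r RemapIdentity) Remap(imageRef string) string {
	name := repoName(imageRef)
	if name != r.Prefix && !strings.HasPrefix(name, r.Prefix+"/") {
		return imageRef
	}
	return r.SignedPrefix + imageRef[len(r.Prefix):]
}

// Matches applies the "repository match for digests, exact match for tags" rule: a
// signed reference carrying a digest needs only the same repository, one carrying a
// tag must equal the remapped reference exactly, and a bare repository never matches.
func (r RemapIdentity) Matches(imageRef, signedRef string) bool {
	remapped := r.Remap(imageRef)
	switch {
	case strings.Contains(signedRef, "@"):
		return repoName(remapped) == repoName(signedRef)
	case repoName(signedRef) != signedRef:
		return remapped == signedRef
	default:
		return false
	}
}
```

With `Prefix: "registry.example.com/mirror"` and `SignedPrefix: "quay.io/acme"`, pulling `registry.example.com/mirror/app:1.0` is accepted against a signature whose docker-reference is `quay.io/acme/app:1.0`, while `registry.example.com/mirrorx/app:1.0` is not remapped and therefore rejected.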