Support stdout output for attest-blob bundles

Enable `attest-blob --bundle=-` to write bundles to stdout with a
trailing newline, allowing users to create JSONL files containing
multiple attestations by redirecting and appending output.

This change adds support for the convention of using "-" to represent
stdout. When the bundle path is "-", the bundle is written to stdout
instead of a file, and the signature output is suppressed to avoid
conflicts.

Changes:
- Add stdout detection in attest/attest_blob.go and signcommon/common.go
- Suppress signature output when bundle goes to stdout
- Add comprehensive test coverage in attest_blob_test.go
- Update flag description and add JSONL example to documentation

Example usage:
  cosign attest-blob --key key.key --predicate pred1.json \
    --type slsaprovenance --bundle=- blob.txt >> attestations.jsonl
  cosign attest-blob --key key.key --predicate pred2.json \
    --type slsaprovenance --bundle=- blob.txt >> attestations.jsonl

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Ralph Bean <[email protected]>

Author: ralphbean

cmd/cosign/cli/attest/attest_blob.go

@@ -186,18 +186,24 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 			}
 		}
 
-		if err := os.WriteFile(c.BundlePath, contents, 0600); err != nil {
-			return fmt.Errorf("create bundle file: %w", err)
+		// If BundlePath is "-", write to stdout with trailing newline
+		if c.BundlePath == "-" {
+			fmt.Fprintln(os.Stdout, string(contents))
+		} else {
+			if err := os.WriteFile(c.BundlePath, contents, 0600); err != nil {
+				return fmt.Errorf("create bundle file: %w", err)
+			}
+			fmt.Fprintln(os.Stderr, "Bundle wrote in the file ", c.BundlePath)
 		}
-		fmt.Fprintln(os.Stderr, "Bundle wrote in the file ", c.BundlePath)
 	}
 
 	if c.OutputSignature != "" {
 		if err := os.WriteFile(c.OutputSignature, bundleComponents.SignedPayload, 0600); err != nil {
 			return fmt.Errorf("create signature file: %w", err)
 		}
 		fmt.Fprintf(os.Stderr, "Signature written in %s\n", c.OutputSignature)
-	} else {
+	} else if c.BundlePath != "-" {
+		// Only output signature to stdout if bundle is not going to stdout
 		fmt.Fprintln(os.Stdout, string(bundleComponents.SignedPayload))
 	}
 

cmd/cosign/cli/attest/attest_blob_test.go

@@ -341,3 +341,62 @@ func TestStatementPath(t *testing.T) {
 	err := at.Exec(ctx, "")
 	assert.NoError(t, err)
 }
+
+// TestAttestBlobBundleStdout tests that the bundle is printed to stdout
+// with a trailing newline when --bundle is set to "-"
+func TestAttestBlobBundleStdout(t *testing.T) {
+	ctx := context.Background()
+	td := t.TempDir()
+
+	keys, _ := cosign.GenerateKeyPair(nil)
+	keyRef := writeFile(t, td, string(keys.PrivateBytes), "key.pem")
+
+	blob := []byte("foo")
+	blobPath := writeFile(t, td, string(blob), "foo.txt")
+	predicatePath := makeSLSA02PredicateFile(t, td)
+
+	// Capture stdout
+	oldStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	at := AttestBlobCommand{
+		KeyOpts: options.KeyOpts{
+			KeyRef:          keyRef,
+			NewBundleFormat: true,
+			BundlePath:      "-", // stdout
+		},
+		PredicatePath:  predicatePath,
+		PredicateType:  "slsaprovenance",
+		RekorEntryType: "dsse",
+	}
+
+	err := at.Exec(ctx, blobPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Restore stdout and read captured output
+	w.Close()
+	os.Stdout = oldStdout
+	var buf bytes.Buffer
+	_, _ = buf.ReadFrom(r)
+	output := buf.String()
+
+	// Verify output has trailing newline
+	if !strings.HasSuffix(output, "\n") {
+		t.Fatal("expected bundle output to have trailing newline")
+	}
+
+	// Verify output is valid JSON
+	outputWithoutNewline := strings.TrimSuffix(output, "\n")
+	var bundle interface{}
+	if err := json.Unmarshal([]byte(outputWithoutNewline), &bundle); err != nil {
+		t.Fatalf("bundle output is not valid JSON: %v", err)
+	}
+
+	// Verify bundle is non-empty
+	if len(outputWithoutNewline) == 0 {
+		t.Fatal("expected non-empty bundle output")
+	}
+}

cmd/cosign/cli/attest_blob.go

@@ -52,7 +52,11 @@ func AttestBlob() *cobra.Command {
   cosign attest-blob --predicate <FILE> --type <TYPE> --key hashivault://[KEY] <BLOB>
 
   # supply attestation via stdin
-  echo <PAYLOAD> | cosign attest-blob --predicate - --yes`,
+  echo <PAYLOAD> | cosign attest-blob --predicate - --yes
+
+  # create a JSONL file with multiple attestations by outputting bundles to stdout
+  cosign attest-blob --key cosign.key --predicate <FILE1> --type <TYPE> --bundle=- <BLOB> >> attestations.jsonl
+  cosign attest-blob --key cosign.key --predicate <FILE2> --type <TYPE> --bundle=- <BLOB> >> attestations.jsonl`,
 
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {

cmd/cosign/cli/options/attest_blob.go

@@ -95,7 +95,7 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 	_ = cmd.MarkFlagFilename("key", certificateExts...)
 
 	cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
-		"write everything required to verify the blob to a FILE")
+		"write everything required to verify the blob to a FILE (use \"-\" for stdout)")
 	_ = cmd.MarkFlagFilename("bundle", bundleExts...)
 
 	cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", true,

cmd/cosign/cli/signcommon/common.go

@@ -514,6 +514,11 @@ func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, ce
 	}
 
 	if bundleOpts.BundlePath != "" {
+		// If bundleOpts.BundlePath is "-", write to stdout with trailing newline
+		if bundleOpts.BundlePath == "-" {
+			fmt.Fprintln(os.Stdout, string(bundle))
+			return nil
+		}
 		if err := os.WriteFile(bundleOpts.BundlePath, bundle, 0600); err != nil {
 			return fmt.Errorf("creating bundle file: %w", err)
 		}