
cosign triangulate command generate a .sig tag even for referrers signatures #4553

@scraly


With cosign 3.0.2, when we sign an image, it generates a signature in the OCI distribution spec 1.1 Referrers API format.
Before, it generated a signature in a .sig tag.

After signing an image, when we execute cosign triangulate, it shows a digest ending in .sig, but this .sig does not exist ...

```shell
# Sign an image
$ cosign sign -y --key cosign.key $IMAGE@sha256:$HASH
Enter password for private key: 

# Verify
$ cosign verify $IMAGE@sha256:$HASH --key cosign.pub -o text | jq

Verification for xxxxxx.c1.de1.container-registry.ovh.net/public/gophers-api@sha256:xxxxxxxxxxxxxxx --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
{
  "critical": {
    "identity": {
      "docker-reference": "xxxxxx.c1.de1.container-registry.ovh.net/public/gophers-api@sha256:xxxxxxxxxxxxxxxxxxx"
    },
    "image": {
      "docker-manifest-digest": "sha256:xxxxxxxxxxxx"
    },
    "type": "https://sigstore.dev/cosign/sign/v1"
  },
  "optional": null
}

# Get a non-existent .sig??
$ cosign triangulate $IMAGE@sha256:$HASH
xxxxxxxx.c1.de1.container-registry.ovh.net/public/gophers-api:sha256-xxxxxxxxxxxxxxxxxxxx.sig

# Testing it
$ crane manifest xxxxxxxx.c1.de1.container-registry.ovh.net/public/gophers-api:sha256-xxxxxxxxxxxxxxxxxxxx.sig
Error: fetching manifest xxxxxxxx.c1.de1.container-registry.ovh.net/public/gophers-api:sha256-xxxxxxxxxxxxxxxxxxxx.sig: GET https://xxxxxxxx.c1.de1.container-registry.ovh.net/v2/public/gophers-api/manifests/sha256-xxxxxxxxxxxxxxx.sig: NOT_FOUND: artifact public/gophers-api:sha256-xxxxxxxxxxxxxx.sig not found

$ skopeo inspect docker://xxxxxxx.c1.de1.container-registry.ovh.net/public/gophers-api:sha256-xxxxxxxxxxxxx.sig
FATA[0000] Error parsing image name "docker://xxxxxxxx.c1.de1.container-registry.ovh.net/public/gophers-api:sha256-xxxxxxxxxxx.sig": reading manifest sha256-xxxxxxxxx.sig in xxxxx.c1.de1.container-registry.ovh.net/public/gophers-api: unknown: artifact public/gophers-api:sha256-xxxxxxxxxxxxxx.sig not found 
```

If we sign an image with the Referrers API, cosign triangulate should not generate a non-existent .sig tag.
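A practitioner hitting this will want to check both places a signature for a given digest can live: the legacy `<repo>:sha256-<hex>.sig` tag that `cosign triangulate` prints, and the OCI distribution 1.1 Referrers API endpoint `/v2/<path>/referrers/<digest>`. The script below is an added example, not cosign's own code and not part of this issue: it derives both locations from a digest-pinned reference with pure sh string handling and, when given a reference on the command line, probes each with curl and lists the `artifactType` of every referrer. The registry names used in the comments are made up, and `TOKEN` is an assumed environment variable for a bearer token on private repositories.

```shell
#!/bin/sh
# Added example (not cosign's code): locate where a signature for an image
# digest may be stored, either the legacy "<repo>:sha256-<hex>.sig" tag or the
# OCI distribution 1.1 Referrers API endpoint "/v2/<path>/referrers/<digest>".
# curl and jq are only needed for the network probe; the parsing is pure sh.

# Parse "<registry>/<path>[:<tag>]@sha256:<hex>" into the globals
# REGISTRY, REPO_PATH and DIGEST. Fails if the reference is not digest-pinned.
_parse_ref() {
  case "$1" in
    *@sha256:*) ;;
    *) echo "expected a digest reference (<repo>@sha256:<hex>): $1" >&2; return 1 ;;
  esac
  DIGEST="${1##*@}"                 # sha256:<hex>
  _repo="${1%@*}"                   # everything before the digest
  # Drop a tag that precedes the digest (<repo>:<tag>@sha256:...). Only the
  # last path component is inspected, so a registry port (host:5000/...) is safe.
  _last="${_repo##*/}"
  case "$_last" in *:*) _repo="${_repo%:*}" ;; esac
  REGISTRY="${_repo%%/*}"
  REPO_PATH="${_repo#*/}"
}

# Legacy cosign location: the tag form that cosign triangulate prints above.
legacy_sig_tag() {
  _parse_ref "$1" || return 1
  printf '%s/%s:sha256-%s.sig\n' "$REGISTRY" "$REPO_PATH" "${DIGEST#sha256:}"
}

# Referrers API location for the same digest.
referrers_url() {
  _parse_ref "$1" || return 1
  printf 'https://%s/v2/%s/referrers/%s\n' "$REGISTRY" "$REPO_PATH" "$DIGEST"
}

# curl wrapper; TOKEN (assumed env var) carries a bearer token for private repos.
_curl() {
  if [ -n "${TOKEN:-}" ]; then
    curl -sS -H "Authorization: Bearer $TOKEN" "$@"
  else
    curl -sS "$@"
  fi
}

# Probe both locations and report what is actually there.
probe_signature_locations() {
  _parse_ref "$1" || return 1
  tag=$(legacy_sig_tag "$1")
  url=$(referrers_url "$1")

  # 1. Legacy tag: HEAD the manifest; HTTP 200 means the .sig tag exists,
  #    404 reproduces the NOT_FOUND seen in the issue.
  code=$(_curl -o /dev/null -w '%{http_code}' -I \
    -H 'Accept: application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json' \
    "https://$REGISTRY/v2/$REPO_PATH/manifests/sha256-${DIGEST#sha256:}.sig")
  echo "legacy tag  $tag -> HTTP $code"

  # 2. Referrers API: list every referrer with its artifactType. An empty
  #    list (or an error on registries without 1.1 support) means nothing
  #    is attached to the digest through this mechanism.
  echo "referrers   $url"
  _curl -H 'Accept: application/vnd.oci.image.index.v1+json' "$url" \
    | jq -r '.manifests[]? | "  \(.artifactType // "<no artifactType>")  \(.digest)"'
}

# Usage: ./sig-locate.sh <registry>/<repo>@sha256:<hex>
if [ "$#" -gt 0 ]; then
  probe_signature_locations "$1"
fi
```

Run it against the reference you passed to `cosign sign`; a 404 on the legacy tag together with a non-empty referrers list is exactly the situation this issue describes, and the listed digests are what `crane manifest` or `skopeo inspect` should be pointed at instead of the `.sig` tag.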

Labels: enhancement (New feature or request)