cosign verify fails after cosign copy (JFrog artifactory) #4564

@Munken

Description

I run the following commands:

Sign:

cosign sign --key cosign.key registry.bankdata.dev/all-docker-snapshot-local/dxt/bogedal-play:757e41da3e7fbd8cca0652f5555eaf89504057a3

Verify:

cosign verify --key cosign.pub registry.bankdata.dev/all-docker-snapshot-local/dxt/bogedal-play:757e41da3e7fbd8cca0652f5555eaf89504057a3

Verification for registry.bankdata.dev/all-docker-snapshot-local/dxt/bogedal-play:757e41da3e7fbd8cca0652f5555eaf89504057a3 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"registry.bankdata.dev/all-docker-snapshot-local/dxt/bogedal-play:757e41da3e7fbd8cca0652f5555eaf89504057a3"},"image":{"docker-manifest-digest":"sha256:e42243c70280290ba0ed3f9b329175d564e8e33786bd26ad5d63266459979abd"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":null}]

Copy:

 % cosign copy registry.bankdata.dev/all-docker-snapshot-local/dxt/bogedal-play:757e41da3e7fbd8cca0652f5555eaf89504057a3 registry.bankdata.dev/all-docker-release-local/dxt/bogedal-play:757e41da3e7fbd8cca0652f5555eaf89504057a3 

Copying registry.bankdata.dev/all-docker-snapshot/dxt/bogedal-play@sha256:e42243c70280290ba0ed3f9b329175d564e8e33786bd26ad5d63266459979abdto registry.bankdata.dev/all-docker-release-local/dxt/bogedal-play:sha256-e42243c70280290ba0ed3f9b329175d564e8e33786bd26ad5d63266459979abd...

Copying registry.bankdata.dev/all-docker-snapshot/dxt/bogedal-play@sha256:84be5f196101695bdbcbc83162d389a30821ae33aab9a2b3a27e9b908edd908f to registry.bankdata.dev/all-docker-release-local/dxt/bogedal-play:611cd884a59b693f38b564d26e4e0154287ef937...

Verify:

% cosign verify --key cosign.pub registry.bankdata.dev/all-docker-release-local/dxt/bogedal-play:757e41da3e7fbd8cca0652f5555eaf89504057a3
Error: no signatures found
error during command execution: no signatures found

Looking in the debug log for the verify, the referrers call returns empty:

{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[]}

It then tries to fall back to .sig. However, this results in a 404.

https://registry.bankdata.dev/v2/all-docker-release-local/dxt/bogedal-play/manifests/sha256-e42243c70280290ba0ed3f9b329175d564e8e33786bd26ad5d63266459979abd.sig

Setting COSIGN_DOCKER_MEDIA_TYPES=1 does not resolve the issue.

I have attached the log for copy and verify

copy.log
verify.log

Version

cosign:

GitVersion: v3.0.2
GitCommit: 8444969
GitTreeState: clean
BuildDate: 2025-10-10T18:17:56Z
GoVersion: go1.25.1
Compiler: gc
Platform: linux/amd64

JFrog platform:
Artifactory 7.127.0 Cloud (SaaS)
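
A way to check by hand which lookup location in the destination repository actually holds signature data, as an added example that is not part of the original issue or of cosign's code. The function names are hypothetical; the `/referrers/<digest>` endpoint and the `<alg>-<hex>` fallback tag are from the OCI distribution spec, the `.sig` tag is the one requested in the 404 above, and `probe` assumes curl plus whatever registry credentials you need to add.

```shell
#!/bin/sh
# Added diagnostic sketch (not cosign code). Function names are hypothetical.

# Print the three registry locations that can hold signature data for
# REPO@DIGEST: the OCI referrers API, the OCI referrers fallback tag,
# and the legacy cosign ".sig" tag.
sig_lookup_urls() (
  registry=$1; repo=$2; digest=$3
  alg=${digest%%:*}; hex=${digest#*:}
  base="https://$registry/v2/$repo"
  printf 'referrers-api %s/referrers/%s\n' "$base" "$digest"
  printf 'referrers-tag %s/manifests/%s-%s\n' "$base" "$alg" "$hex"
  printf 'legacy-sig-tag %s/manifests/%s-%s.sig\n' "$base" "$alg" "$hex"
)

# HTTP status for one URL. Assumption: anonymous access is allowed; for a
# private registry add credentials (for example curl's -u option).
probe() {
  curl -s -o /dev/null -w '%{http_code}' \
    -H 'Accept: application/vnd.oci.image.index.v1+json, application/vnd.oci.image.manifest.v1+json' \
    "$1"
}

# Count descriptors in a referrers index read from stdin. Approximate
# (counts "digest" keys), which is enough to tell empty from non-empty.
referrer_count() {
  grep -o '"digest"' | wc -l | tr -d ' '
}

# Name the first location that holds data, given the referrers API status,
# the referrers API descriptor count, and the status of the two tags.
classify() (
  api_status=$1; api_count=$2; tag_status=$3; sig_status=$4
  if [ "$api_status" = 200 ] && [ "$api_count" -gt 0 ]; then
    echo referrers-api
  elif [ "$tag_status" = 200 ]; then
    echo referrers-tag
  elif [ "$sig_status" = 200 ]; then
    echo legacy-sig-tag
  else
    echo none
  fi
)

# Locations for the release repository and digest from this report.
sig_lookup_urls registry.bankdata.dev \
  all-docker-release-local/dxt/bogedal-play \
  sha256:e42243c70280290ba0ed3f9b329175d564e8e33786bd26ad5d63266459979abd
```

A 200 with an empty referrers index plus a 404 on the `.sig` tag is the combination reported above; the location left to probe is the `sha256-<hex>` tag that the copy output names as its destination.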

Labels: bug (Something isn't working)
