cosign 3.0.3: cosign attestation download skips new-bundle-format style annotations, if any sort of bundle is found via referrers api

[tamcore]

Description

With cosign v3.0.3, new-bundle-format style attestations are correctly detected on an image. It correctly checks the referrers API for artifacts for references.

But it already considers itself to be done, if the referrers api even returns just a simple cosign signature, without an attestation.

In that case, expected behaviour would be, for it to move on and check for an new-bundle-format=false style sha256-xyz.att attestation as well.

If I comment out the line

cosign/cmd/cosign/cli/download/attestation.go

Line 75 in 3f32cea

return nil

it works just fine and it detects both old and new-style attestations just fine.

Version

3.0.3

[haydentherapper]

Thanks for filing this, the proposed fix looks correct to me. @steiza can you confirm?

[steiza]

Yeah, previously I've thought that people were either dealing with objects that were signed with protobuf bundles or using old bundle formats / the old OCI storage mechanism.

For verify type subcommands we probably still want to try protobuf bundles first, and return success early if they are found and meet the verification criteria.

But I can see how for inspection subcommands (download, tree, save, load, ...) you would want it to handle both cases and not just stop after the protobuf bundle is handled.

All that is a long way of saying, yes, I think this change is fine for download.

[rishiclb08-wq]

Thanks for the those who all supported me with positive thinking and vibes love u all for our achievements and finally we made it thanks all our team sponsors everyone ❤️❤️❤️❤️❤️❤️❤️🥳🥳🥳🥳