Description
When signing an image, if the Rekor transparency log upload succeeds but the subsequent OCI registry upload fails (due to a registry 429 rate exceeded, or other transient network error), any attempt to retry the cosign sign command fails permanently with 409 createLogEntryConflict.
Expected Behavior
If Rekor returns a 409 createLogEntryConflict, cosign should recognize this as an idempotent success (the entry already exists in the log), retrieve the necessary proof/bundle data, and proceed to the OCI registry push.
Actual Behavior
The 409 createLogEntryConflict is treated as a fatal error and the execution halts immediately. Any attempt to retry never attempts to push the .sig manifest to the OCI registry, forcing users to either abandon the signature, build a new image hash, or bypass the log entirely.
Version
v3.0.2
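The retry flow requested under Expected Behavior, as an added example that is not part of the original report and is not cosign or Rekor code: a conflict from the log is resolved to the existing entry and signing continues to the registry push. `fakeLog`, `conflictErr`, `sign` and the `/entries/N` locations are hypothetical names in a constructed in-memory model.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model, not cosign or Rekor code: the log maps an entry location
// to its content and rejects a duplicate with a conflict naming that location.
type fakeLog map[string]string
type conflictErr struct{ location string }

func (e *conflictErr) Error() string { return "409 createLogEntryConflict: " + e.location }

func (l fakeLog) create(entry string) (string, error) {
	for loc, e := range l {
		if e == entry {
			return "", &conflictErr{loc}
		}
	}
	loc := fmt.Sprintf("/entries/%d", len(l)+1)
	l[loc] = entry
	return loc, nil
}

// sign logs the entry, then calls push (stand-in for the registry upload).
// A conflict means "already logged", so the retry continues to the push.
func sign(l fakeLog, entry string, push func(loc string) error) error {
	loc, err := l.create(entry)
	var c *conflictErr
	if errors.As(err, &c) {
		loc, err = c.location, nil
	}
	if err == nil && l[loc] != entry { // existing entry must be the one we signed
		err = fmt.Errorf("log entry %s does not match", loc)
	}
	if err != nil {
		return err
	}
	return push(loc)
}

func main() {
	l, pushErr := fakeLog{}, errors.New("429 rate exceeded") // first push fails
	for i := 0; i < 2; i++ {
		err := sign(l, "sig-over-digest", func(string) error { return pushErr })
		fmt.Println("attempt", i+1, "->", err)
		pushErr = nil // registry recovers before the retry
	}
}
```

The comparison of the existing entry against the payload being retried is the part to keep in any real fix: a conflict should only count as success when the logged entry is the one the client just signed.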