Description
I am creating keys and certificates on my own instance of fulcio (custom CA). I want to create attestations for container images. I create the in-toto statement, then sign it, and craft the DSSE envelope. It is exactly the same as what `cosign attest` creates.

I upload the attestation to the OCI registry with `cosign attach attestation --attestation ./slsa.att $IMAGE:$TAG`.
However, when I run `cosign verify-attestation` I get the following error:

```
Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1
error during command execution: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1
```
The attestation is uploaded to the registry. The command `cosign download attestation $IMAGE:$TAG` does return the same attestation I uploaded with `cosign attach`.
However, the difference I noticed is in the manifests in each case. For `cosign attest`, the manifest of the attestation layer contains these annotations:

```json
"annotations": {
  "dev.cosignproject.cosign/signature": "",
  "dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEQCIEXE.......eMkQiqb0AjrpaQ==\",\"Payload\":{\"body\":\"eyJ.......V19fQ==\",\"integratedTime\":1751977848,\"logIndex\":267518593,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}",
  "dev.sigstore.cosign/certificate": "-----BEGIN CERTIFICATE-----\nMIIF.......Qahg==\n-----END CERTIFICATE-----\n",
  "dev.sigstore.cosign/chain": "-----BEGIN CERTIFICATE-----\nMIICGjCCAa.......Cdliiow=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIB9zCC.......4vnBHJ\n-----END CERTIFICATE-----",
  "predicateType": "https://slsa.dev/provenance/v1"
}
```
If I use the `cosign attach` command, the manifest's annotations only contain:

```json
"annotations": {
  "dev.cosignproject.cosign/signature": ""
}
```
Does `cosign verify-attestation` look up annotation fields?
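As an added diagnostic (not part of this issue or of cosign itself), the following Python check parses an attestation manifest and reports, per layer, which of the `dev.sigstore.cosign/*` annotations seen on the `cosign attest` manifest are absent, so the two manifests in the issue can be compared mechanically. The manifest shape and every value other than the annotation keys, `logIndex` and `integratedTime` are constructed placeholders.

```python
import json

# Annotation keys present on the `cosign attest` layer in the issue and absent
# from the `cosign attach attestation` layer; checked by name only.
SIGSTORE_KEYS = ("dev.sigstore.cosign/certificate",
                 "dev.sigstore.cosign/chain",
                 "dev.sigstore.cosign/bundle")

def check_attestation_layers(manifest_json: str) -> list:
    """Per layer: which sigstore annotations are empty or absent, plus the
    Rekor logIndex/integratedTime when a bundle annotation is present."""
    report = []
    for i, layer in enumerate(json.loads(manifest_json).get("layers", [])):
        ann = layer.get("annotations") or {}
        entry = {"layer": i,
                 "predicateType": ann.get("predicateType"),
                 "missing": [k for k in SIGSTORE_KEYS if not ann.get(k)]}
        if ann.get("dev.sigstore.cosign/bundle"):
            # The bundle annotation is a JSON document stored as a string.
            payload = json.loads(ann["dev.sigstore.cosign/bundle"]).get("Payload", {})
            entry["logIndex"] = payload.get("logIndex")
            entry["integratedTime"] = payload.get("integratedTime")
        report.append(entry)
    return report

def _manifest(annotations: dict) -> str:
    # Constructed single-layer manifest; only the annotations matter here.
    return json.dumps({"schemaVersion": 2, "layers": [{"annotations": annotations}]})

# Constructed samples mirroring the two manifests in the issue. PEM bodies and
# bundle blobs are placeholders; logIndex/integratedTime are the issue's values.
PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
ATTEST_MANIFEST = _manifest({
    "dev.cosignproject.cosign/signature": "",
    "dev.sigstore.cosign/bundle": json.dumps({
        "SignedEntryTimestamp": "PLACEHOLDER",
        "Payload": {"body": "PLACEHOLDER", "integratedTime": 1751977848,
                    "logIndex": 267518593, "logID": "PLACEHOLDER"}}),
    "dev.sigstore.cosign/certificate": PEM,
    "dev.sigstore.cosign/chain": PEM + PEM,
    "predicateType": "https://slsa.dev/provenance/v1",
})
ATTACH_MANIFEST = _manifest({"dev.cosignproject.cosign/signature": ""})

if __name__ == "__main__":
    print(check_attestation_layers(ATTEST_MANIFEST))
    print(check_attestation_layers(ATTACH_MANIFEST))
```

Run against the real manifest (for example the output of `crane manifest` on the attestation tag) the `missing` list shows at a glance whether a layer carries the certificate, chain and bundle annotations or only the empty signature annotation.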