WriteAttestationsReferrer drops per-layer annotations (certificate, chain, RFC3161 timestamp)

[rdsharma]

Summary

WriteAttestationsReferrer in pkg/oci/remote/write.go silently drops per-layer OCI descriptor annotations when pushing DSSE attestations via the OCI 1.1 Referrers API. This makes referrer attestation manifests unverifiable — cosign, Kyverno, and any policy engine reading attestation referrers cannot find the signing certificate, chain, or RFC3161 timestamp.

Root Cause

WriteAttestationsReferrer (line 421) calls atts.Layers() which returns []v1.Layer — raw layer content with no descriptor metadata. These layers are passed to WriteReferrer, which rebuilds descriptors (lines 357-361) using only MediaType, Digest, and Size, omitting the Annotations field entirely.

Cosign stores verification materials as per-layer descriptor annotations (not in layer content):

• dev.sigstore.cosign/certificate
• dev.sigstore.cosign/chain
• dev.sigstore.cosign/rfc3161timestamp
• dev.cosignproject.cosign/signature
• predicateType

All of these are silently lost.

The sibling function WriteSignaturesExperimentalOCI() does not have this bug because it calls sigs.Get() (which returns []oci.Signature carrying annotations) rather than sigs.Layers().

Steps to Reproduce

This function is not called by cosign's CLI directly, but is exported public API in pkg/oci/remote/. We hit this as library consumers calling WriteAttestationsReferrer from our own signing tool.

1. Build an oci.SignedEntity with DSSE attestations that have per-layer descriptor annotations (certificate, chain, RFC3161 timestamp, predicateType):

   // Annotations are set via mutate.AppendSignatures → mutate.Addendum{Annotations: ...}
   // Verified present via atts.Get() → sig.Annotations() before push

2. Push via the Referrers API:

   d, err := ociremote.ResolveDigest(ref, remoteOpts...)
   ociremote.WriteAttestationsReferrer(d, signedEntity, remoteOpts...)

3. Fetch the resulting referrer manifest and inspect layer descriptors - annotations are missing:

   "layers": [{
     "mediaType": "application/vnd.in-toto+json",
     "size": 1757,
     "digest": "sha256:..."
     // No "annotations" field - certificate, chain, timestamp all dropped
   }]

4. Verification fails - e.g. cosign verify-attestation returns x509: certificate signed by unknown authority because the cert/chain annotations are gone.

For comparison, pushing the same SignedEntity via WriteAttestations (tag-based) preserves all per-layer annotations correctly,

Expected Behavior

Layer descriptors in the referrer manifest should include all annotations from the original attestation layers (certificate, chain, timestamp, predicateType).

Proposed Fix

1. In WriteAttestationsReferrer: use atts.Get() instead of atts.Layers() to retrieve []oci.Signature objects that carry annotations, then convert to []v1.Layer.
2. In WriteReferrer: after building each layer descriptor, check if the layer implements an Annotations() method (via structural interface assertion) and populate the descriptor's Annotations field.

I have a fix and test ready — will submit a PR shortly.

[cmurphy]

Can you provide a more descriptive example of the cosign command you used to attest an image and the exact command line and error message that happened when it failed to verify?

The "attest" subcommand has no --experimental-oci11 flag, and the WriteAttestationsReferrer function is not actually called anywhere in cosign apart from tests.

[rdsharma]

Sorry about the confusing repo steps @cmurphy - I was trying to map to analogs in the CLI since this was discovered via my work on an internal signing tool. I've updated the issue with more clear steps, but please let me know if you need a more comprehensive repro snippet and I can try to put something together. PTAL and let me know what you think.

You're right that cosign's CLI doesn't call this function, but it's exported in a public API in pkg/oci/remote/. The sibling function WriteSignaturesExperimentalOCI handles this correctly by using Get() + RawManifest() instead of Layers(). My PR (#4709) mirrors that approach.

[steiza]

@rdsharma we're in the process of updating Cosign from having disparate verification material to having verification material in one object - the Sigstore protobuf bundle.

Years ago, Cosign, as the only Sigstore CLI/library, just sort of made up how to store this content in container registries. But as we started using Sigstore in more places (npm, CPython, Kubernetes, ...) and implemented more clients than just Cosign (sigstore-python, sigstore-java, sigstore-js, sigstore-rust, ...) we standardized on the protobuf bundle so that clients can understand each others' content.

To that end, Cosign is in the middle of deprecating support for the "old" (made up) format it was using in functions like WriteAttestationsReferrer(). Instead, we'd strongly encourage you to use WriteAttestationNewBundleFormat() (or at least understand why that does not work for your use case).

We're in the middle of deprecating old bundle functionality, so it would be a good time to think about updating. Cosign v3 will keep these functions (although we may mark them as deprecated) and they may be removed later this year in Cosign v4 releases.

[rdsharma]

Thanks for the helpful context @steiza . We're aware of the bundle format and have it on our roadmap. Our use case is a private signing infrastructure (SPIRE for certificates replacing Fulcio, private TSA instance, no Rekor), so we've been working bottom-up through the cosign library APIs: tag-based signatures first, then referrers, then bundles. Looking at the code, it looks like MakeProtobufBundle() in pkg/cosign/bundle/protobundle.go already supports our use case, so we'll prioritize moving to that path.

Happy to close this issue/the PR if the direction is to deprecate WriteAttestationsReferrer rather than fix it. We can work around it on our side in the meantime.