Description
When signing an image, if the Rekor transparency log upload succeeds but the subsequent OCI registry upload fails (due to a registry 429 rate exceeded, or other transient network error), any attempt to retry the cosign sign command fails permanently with 409 createLogEntryConflict.
Expected Behavior
If Rekor returns a 409 createLogEntryConflict, cosign should recognize this as an idempotent success (the entry already exists in the log), retrieve the necessary proof/bundle data, and proceed to the OCI registry push.
Actual Behavior
The 409 createLogEntryConflict is treated as a fatal error and the execution halts immediately. Any attempt to retry never reaches the push of the .sig manifest to the OCI registry, forcing users to either abandon the signature, build a new image hash, or bypass the log entirely.
Version
v3.0.2
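The handling requested under Expected Behavior, sketched as an added Go example that is not cosign's or Rekor's code: the client treats a 409 from the log as "entry already exists" and returns the existing entry's location so the caller can continue to the registry push. It assumes the 409 response carries a `Location` header for the existing entry; `newFakeLog`, `logEntry` and the `/entries` path are hypothetical names, and the fake log and signature string are constructed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newFakeLog is a constructed stand-in for the log: a new body gets 201, a
// body already logged gets 409, and both responses carry the entry's Location.
func newFakeLog() *httptest.Server {
	seen := map[string]string{} // proposed body -> entry path
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		path, status := seen[string(body)], http.StatusConflict
		if path == "" {
			path, status = fmt.Sprintf("/entries/%d", len(seen)+1), http.StatusCreated
			seen[string(body)] = path
		}
		w.Header().Set("Location", path)
		w.WriteHeader(status)
	}))
}

// logEntry uploads the proposed entry and returns its location. A 409 means the
// entry is already in the log, so it is reported as existed=true, not an error.
func logEntry(base, proposed string) (loc string, existed bool, err error) {
	resp, err := http.Post(base+"/entries", "application/json", strings.NewReader(proposed))
	if err != nil {
		return "", false, err
	}
	defer resp.Body.Close()
	loc, code := resp.Header.Get("Location"), resp.StatusCode
	if (code != http.StatusCreated && code != http.StatusConflict) || loc == "" {
		return "", false, fmt.Errorf("log upload failed: status %d", code)
	}
	return loc, code == http.StatusConflict, nil
}

func main() {
	srv := newFakeLog()
	defer srv.Close()
	fmt.Println(logEntry(srv.URL, "constructed-sig")) // first attempt; registry push then fails
	fmt.Println(logEntry(srv.URL, "constructed-sig")) // retry: same entry, existed=true
}
```

A real client would fetch the entry at the returned location to rebuild the bundle before pushing; a 409 without a usable location is still reported as an error.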