Verification fails

[mykter]

I'm getting what looks to be invalid json output from cosign when following the notice from the v0.1.3 run? This might be a cosign (v1.6.0) bug, I haven't looked into it further.

$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation ghcr.io/marcofranssen/slsa-workflow-examples-docker@sha256:04b0426d40c824929fd5a75821f39f349db5ffa2eb07df22a55f736d7f40232c | jq 

Verification for ghcr.io/marcofranssen/slsa-workflow-examples-docker@sha256:04b0426d40c824929fd5a75821f39f349db5ffa2eb07df22a55f736d7f40232c --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
parse error: Invalid numeric literal at line 1, column 12

Ah yeah, cosign outputs these two lines before the json content on stdout. Presumably it didn't in an earlier version?

Certificate subject:  https://github.com/marcofranssen/slsa-workflow-examples/.github/workflows/release.yaml@refs/tags/v0.1.3
Certificate issuer URL:  https://token.actions.githubusercontent.com

I don't know whether you call that a cosign bug or a verification script bug :)

[marcofranssen]

Correct. It is a cosign 1.6.0 bug which I contributed a fix for already sigstore/cosign#1590.

You can workaround the issue with the following approach (grep -v).

COSIGN_EXPERIMENTAL=1 cosign verify-attestation ghcr.io/marcofranssen/slsa-workflow-examples-docker@sha256:04b0426d40c824929fd5a75821f39f349db5ffa2eb07df22a55f736d7f40232c | grep -v 'Certificate' | jq .