sigstore · mattmoor · Sep 27, 2022 · Sep 27, 2022
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -506,6 +506,11 @@ func verifySignatures(ctx context.Context, sigs oci.Signatures, h v1.Hash, co *C
 	validationErrs := []string{}
 
 	for _, sig := range sl {
+		sig, err := static.Copy(sig)
+		if err != nil {
+			validationErrs = append(validationErrs, err.Error())
+			continue
+		}
 		verified, err := VerifyImageSignature(ctx, sig, h, co)
 		bundleVerified = bundleVerified || verified
 		if err != nil {
@@ -702,6 +707,11 @@ func verifyImageAttestations(ctx context.Context, atts oci.Signatures, h v1.Hash
 
 	validationErrs := []string{}
 	for _, att := range sl {
+		att, err := static.Copy(att)
+		if err != nil {
+			validationErrs = append(validationErrs, err.Error())
+			continue
+		}
 		if err := func(att oci.Signature) error {
 			verifier := co.SigVerifier
 			if verifier == nil {

diff --git a/pkg/oci/static/signature.go b/pkg/oci/static/signature.go
@@ -55,6 +55,58 @@ func NewAttestation(payload []byte, opts ...Option) (oci.Signature, error) {
 	return NewSignature(payload, "", opts...)
 }
 
+// Copy constructs a new oci.Signature from the provided one.
+func Copy(sig oci.Signature) (oci.Signature, error) {
+	payload, err := sig.Payload()
+	if err != nil {
+		return nil, err
+	}
+	b64sig, err := sig.Base64Signature()
+	if err != nil {
+		return nil, err
+	}
+	var opts []Option
+
+	mt, err := sig.MediaType()
+	if err != nil {
+		return nil, err
+	}
+	opts = append(opts, WithLayerMediaType(mt))
+
+	ann, err := sig.Annotations()
+	if err != nil {
+		return nil, err
+	}
+	opts = append(opts, WithAnnotations(ann))
+
+	bundle, err := sig.Bundle()
+	if err != nil {
+		return nil, err
+	}
+	opts = append(opts, WithBundle(bundle))
+
+	cert, err := sig.Cert()
+	if err != nil {
+		return nil, err
+	}
+	if cert != nil {
+		rawCert, err := cryptoutils.MarshalCertificateToPEM(cert)
+		if err != nil {
+			return nil, err
+		}
+		chain, err := sig.Chain()
+		if err != nil {
+			return nil, err
+		}
+		rawChain, err := cryptoutils.MarshalCertificatesToPEM(chain)
+		if err != nil {
+			return nil, err
+		}
+		opts = append(opts, WithCertChain(rawCert, rawChain))
+	}
+	return NewSignature(payload, b64sig, opts...)
+}
+
 type staticLayer struct {
 	b      []byte
 	b64sig string