Open
Description
Describe the bug
When I use cosign download attestation with a platform, I get the SBOM twice... Is there a reason for this? 😅
To Reproduce
Assuming that cosign and jq are installed:

cosign download attestation \
  --platform linux/amd64 \
  gcr.io/distroless/static-debian12:debug-nonroot@sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9 \
  | jq -r .payload \
  | base64 -d \
  | jq -r '.' > payload.json

creates this payload.json
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://spdx.dev/Document",
  "subject": [
    {
      "name": "gcr.io/distroless/static-debian12",
      "digest": {
        "sha256": "e14f4c00d388743628c674d88e44ac51895d7bc074a37e805eaf141cdbfa5ff1"
      }
    }
  ],
  "predicate": "{\"spdxVersion\":\"SPDX-2.3\",\"dataLicense\":\"CC0-1.0\",...}"
}
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://spdx.dev/Document",
  "subject": [
    {
      "name": "gcr.io/distroless/static-debian12",
      "digest": {
        "sha256": "e14f4c00d388743628c674d88e44ac51895d7bc074a37e805eaf141cdbfa5ff1"
      }
    }
  ],
  "predicate": "{\"spdxVersion\":\"SPDX-2.3\",\"dataLicense\":\"CC0-1.0\",...}"
}

Expected behavior

The payload.json should look like this
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://spdx.dev/Document",
  "subject": [
    {
      "name": "gcr.io/distroless/static-debian12",
      "digest": {
        "sha256": "e14f4c00d388743628c674d88e44ac51895d7bc074a37e805eaf141cdbfa5ff1"
      }
    }
  ],
  "predicate": "{\"spdxVersion\":\"SPDX-2.3\",\"dataLicense\":\"CC0-1.0\",...}"
}

Console Output

If applicable, add information from your container run

Additional context

$ cosign version
cosign version
______ ______ _______. __ _______ .__ __.
/ | / __ \ / || | / _____|| \ | |
| ,----'| | | | | (----`| | | | __ | \| |
| | | | | | \ \ | | | | |_ | | . ` |
| `----.| `--' | .----) | | | | |__| | | |\ |
\______| \______/ |_______/ |__| \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: v2.4.3
GitCommit: 6a7abbf3ae7eb6949883a80c8f6007cc065d2dfb
GitTreeState: clean
BuildDate: 2025-02-19T19:34:52Z
GoVersion: go1.23.6
Compiler: gc
Platform: darwin/arm64

$ jq --version
jq-1.7.1

MatthiasKochMkoch
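Consumers of the download output need to cope with more than one envelope per image in any case, since an image can legitimately carry several attestations, and the duplication reported above shows that even a single SBOM can come back twice. The following added example (not code from the issue or from the cosign project) reads the output of `cosign download attestation` as one DSSE envelope per line, base64-decodes each in-toto Statement, collapses byte-identical payloads, and then keeps only statements whose subject digest is the one you expect for the artifact. The sample input is constructed to reproduce the duplicated SBOM statement from the report; the envelope field names (`payloadType`, `payload`, `signatures`) follow the DSSE envelope layout cosign emits and the signature value is a placeholder. Deduplicating in this way only tidies the download output; it does not verify signatures, which `cosign verify-attestation` does and which should happen before an SBOM is trusted.

```python
import base64
import hashlib
import json

# Constructed sample: the in-toto Statement from the issue, with the SPDX
# predicate shortened to the fields shown there.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [
        {
            "name": "gcr.io/distroless/static-debian12",
            "digest": {
                "sha256": "e14f4c00d388743628c674d88e44ac51895d7bc074a37e805eaf141cdbfa5ff1"
            },
        }
    ],
    "predicate": "{\"spdxVersion\":\"SPDX-2.3\",\"dataLicense\":\"CC0-1.0\"}",
}


def _envelope(statement):
    """Wrap a Statement in a DSSE-style envelope (assumed layout; placeholder signature)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-SIGNATURE"}],
    })


# Two identical envelopes on two lines: the duplication the issue reports.
SAMPLE_OUTPUT = "\n".join([_envelope(STATEMENT), _envelope(STATEMENT)]) + "\n"


def parse_envelopes(text):
    """Parse each non-empty line as a DSSE envelope; return (payload sha256, Statement) pairs."""
    statements = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        env = json.loads(line)
        if env.get("payloadType") != "application/vnd.in-toto+json":
            raise ValueError(f"line {lineno}: unexpected payloadType {env.get('payloadType')!r}")
        raw = base64.b64decode(env["payload"])
        statements.append((hashlib.sha256(raw).hexdigest(), json.loads(raw)))
    return statements


def dedupe_statements(parsed):
    """Keep one Statement per distinct payload, comparing the decoded bytes by sha256."""
    seen = set()
    unique = []
    for digest, stmt in parsed:
        if digest in seen:
            continue
        seen.add(digest)
        unique.append(stmt)
    return unique


def check_subjects(statements, expected_name, expected_sha256):
    """Return only Statements whose subject names the expected image digest.

    A Statement about a different digest is not an attestation for the artifact
    being checked, even if it arrived in the same download.
    """
    matching = []
    for stmt in statements:
        for subj in stmt.get("subject", []):
            if (subj.get("name") == expected_name
                    and subj.get("digest", {}).get("sha256") == expected_sha256):
                matching.append(stmt)
                break
    return matching


if __name__ == "__main__":
    parsed = parse_envelopes(SAMPLE_OUTPUT)
    unique = dedupe_statements(parsed)
    wanted = check_subjects(
        unique, "gcr.io/distroless/static-debian12",
        "e14f4c00d388743628c674d88e44ac51895d7bc074a37e805eaf141cdbfa5ff1")
    print(f"envelopes: {len(parsed)}, distinct statements: {len(unique)}, "
          f"matching subject: {len(wanted)}")
    for stmt in wanted:
        print(stmt["predicateType"], stmt["subject"][0]["digest"]["sha256"])
```

To run it against real output, pipe `cosign download attestation ...` into a file and pass its contents to `parse_envelopes` instead of `SAMPLE_OUTPUT`; the expected digest passed to `check_subjects` is the digest the attestation was made for (in the report above that is the `e14f4c00...` value in the subject, not the index digest in the image reference).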