Malformed JSON for attestation verification output

[toddysm]

Description

The output from the cosign verify command for attestations returns a malformed JSON. Here is the steps to get the output:

$ cosign verify-attestation --key awskms:///61c124fb-bf47-4f95-a805-65dda7cd08ae 562077019569.dkr.ecr.us-west-2.amazonaws.com/flasksample:v1 > sigstore-verify-attestation-output.json

and here is how the output looks in VS Code:

It seems there are two JSON objects concatenated with each other and not put in an JSON array.

Is this intentional? And if so, what is the purpose of the output if it cannot be properly parsed?

Version

1.13.0

[dlorenc]

This is actually a JSONL format, or an attestation bundle: https://github.com/in-toto/attestation/blob/main/spec/bundle.md

It's just multiple JSON documents concatenated with newlines. Many tools like jq support it fine!

[trevrosen]

@toddysm are you in the Sigstore Slack? It's a great place to ask questions any time you see behavior that might seem a little odd. We work hard to make it a very welcoming community - hope to see you there! 😄

[toddysm]

@dlorenc Thank you for the clarification - I assumed that is what you were going for. Was not clear from the docs what to expect, and the output is a bit stumbling for a user unfamiliar with the tool. Is parsing with jq the expected usage for the output? Would be good to add to the documentation.

[toddysm]

BTW, @trevrosen, I cannot find out how to join the Sigstore slack. I saw a link somewhere but now I can't find it.

[trevrosen]

https://join.slack.com/t/sigstore/shared_invite/zt-mhs55zh0-XmY3bcfWn4XEyMqUUutbUQ