Init entity from ociremote when signing a digest ref

[puerco]

Summary

This PR modifies the object used to seed the SignedEntity used when signing a digest reference to fix a bug where cosign would wipe out all signatures from the manifest (and thus, not garbage-collecting previous signature layers) when signing a digest reference.

Before, the entity was created from a ociempty.SignedImage. This caused cosign to create a new manifest on every invocation of cosign sign image@sha.... , effectively wiping any previous signatures attached to the image.

Now, cosign el init the entity from a ociremote.SignedEntity which will append new signatures to any existing ones.

Signed-off-by: Adolfo García Veytia (Puerco) puerco@chainguard.dev

Ticket Link

Release Note

Fixed a bug where cosign would always create a new sig manifest when signing a digest reference, preventing it from attaching more than one signature.

[codecov-commenter]

Codecov Report

Merging #1616 (2c2e074) into main (a60fd71) will decrease coverage by 0.06%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #1616      +/-   ##
==========================================
- Coverage   28.01%   27.95%   -0.07%     
==========================================
  Files         137      137              
  Lines        7802     7826      +24     
==========================================
+ Hits         2186     2188       +2     
- Misses       5386     5407      +21     
- Partials      230      231       +1     

Impacted Files	Coverage Δ
cmd/cosign/cli/sign/sign.go	1.62% <0.00%> (ø)
pkg/cosign/tlog.go	4.70% <0.00%> (+0.41%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a60fd71...2c2e074. Read the comment docs.