Filter v3 attestations and sigs in output

In v3 signature bundles, the signature is actually just another type
of attestation. So when we list attestations (in v3) we see both the
sig and the provenance. Similarly, when we list the image signatures
we see the image signature and the attestation signature.

In the detailed output for ec validate image we show details about
the signatures and attestations. This changes attempts to avoid
listing provenance atts in the image sig list, and imag sigs in the
provenance att list.

As mentioned in the comments, there might be other ways to do this.

Ref: https://issues.redhat.com/browse/EC-1690
Co-authored-by: Claude Code <noreply@anthropic.com>

Author: simonbaird

features/__snapshots__/task_validate_image.snap

@@ -249,10 +249,6 @@ true
       ],
       "success": true,
       "signatures": [
-        {
-          "keyid": "",
-          "sig": "MEQCIDj5l7I0bPCua+H1ZfAAUnd4Hd4k7wUUEi/lpWYSLkOFAiBGgK9KWiNR1t+C4TbmkU/vnpHonmg5hNnwLRC70xc2Rg=="
-        },
         {
           "keyid": "",
           "sig": "MEUCIBZc+dmgTn8SCx30h9yvCOjsBwj1+aZX0gW53c7TeyuSAiEAp4zWGNHMrjql9NFl/fCmFXnJkgDkOqbN5n7H7mw6aqI="
@@ -268,16 +264,6 @@ true
               "sig": "MEUCIQC5bGm4zzbExXBMrZCmqZ98iqUhi8TV/maq/8dJ/c3POAIgCNw+RkeO7PAkT6JDWIvISZ2AjILu9YuPQ0qqfNwCqug="
             }
           ]
-        },
-        {
-          "type": "https://in-toto.io/Statement/v0.1",
-          "predicateType": "https://sigstore.dev/cosign/sign/v1",
-          "signatures": [
-            {
-              "keyid": "",
-              "sig": "MEUCID1cJkxyk1oGvXcoAVkDST9A1vfX2gxPEz+LUzN10nDmAiEAxh9rp79yr4fZmAWWOit0dZ5QWK+uYIU8fQVb0/rLIyM="
-            }
-          ]
         }
       ]
     }

internal/evaluation_target/application_snapshot_image/application_snapshot_image.go

@@ -162,6 +162,13 @@ func (a *ApplicationSnapshotImage) ValidateImageSignature(ctx context.Context) e
 	var err error
 
 	if a.hasBundles(ctx) {
+		// For v3 bundles, both image signatures and attestations are stored as
+		// "attestations" in the unified bundle format. So we use VerifyImageAttestations
+		// to extract image signatures from the bundle, even though it seems unintuitive.
+		// This is different from v2 where image signatures and attestations were separate.
+		//
+		// The certificate extraction requires different handling for bundles and
+		// should be addressed in future work to achieve full v2 parity.
 		opts.NewBundleFormat = true
 		opts.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
 		sigs, _, err = client.VerifyImageAttestations(a.reference, &opts)
@@ -175,6 +182,17 @@ func (a *ApplicationSnapshotImage) ValidateImageSignature(ctx context.Context) e
 
 	for _, s := range sigs {
 		if a.hasBundles(ctx) {
+			// This will appears in the output under "signatures" so filter out
+			// the sigs that are provenance attestations leaving only the sigs
+			// that are image signatures. Note: This does seems confusing and
+			// I'm not 100% sure we're doing the right thing here. Maybe revisit
+			// once we have a better idea about sigstore bundles and how they're
+			// handled by cosign itself.
+			if !isImageSignatureAttestation(s) {
+				log.Debugf("Skipping non-image signature attestation")
+				continue
+			}
+
 			// For bundle image signatures produced by cosign v3, the old
 			// method of accessing the signatures doesn't work. Instead we have
 			// to extract them from the bundle. And the bundle actually has
@@ -185,7 +203,8 @@ func (a *ApplicationSnapshotImage) ValidateImageSignature(ctx context.Context) e
 			}
 			a.signatures = append(a.signatures, signatures...)
 		} else {
-			// For older non-bundle image signatures produced by cosign v2
+			// For older non-bundle image signatures produced by cosign v2.
+			// Note that filtering isn't needed, since we have only image sigs here.
 			es, err := signature.NewEntitySignature(s)
 			if err != nil {
 				return err
@@ -212,6 +231,11 @@ func (a *ApplicationSnapshotImage) ValidateAttestationSignature(ctx context.Cont
 		return err
 	}
 
+	// Todo:
+	// - For the non-bundle code path we actually check the syntax.
+	//   We should do that for bundles as well probably.
+	// - Doing an early return like thi shere seems untidy, refactor
+	//   maybe?
 	if useBundles {
 		return a.parseAttestationsFromBundles(layers)
 	}
@@ -264,8 +288,19 @@ func (a *ApplicationSnapshotImage) ValidateAttestationSignature(ctx context.Cont
 // parseAttestationsFromBundles extracts attestations from Sigstore bundles.
 // Bundle-wrapped layers report an incorrect media type, so we unmarshal the
 // DSSE envelope from the raw payload directly.
+//
+// Note: For v3 bundles, this function filters out image signature attestations
+// (https://sigstore.dev/cosign/sign/v1) since those are handled in ValidateImageSignature.
+// Only provenance and other attestations are added to the attestations array.
 func (a *ApplicationSnapshotImage) parseAttestationsFromBundles(layers []cosignOCI.Signature) error {
 	for _, sig := range layers {
+		// For v3 bundles, filter out image signature attestations - those are handled
+		// in ValidateImageSignature. Only add provenance attestations here.
+		if isImageSignatureAttestation(sig) {
+			log.Debugf("Skipping image signature attestation - handled in ValidateImageSignature")
+			continue
+		}
+
 		payload, err := sig.Payload()
 		if err != nil {
 			log.Debugf("Skipping bundle entry: cannot read payload: %v", err)
@@ -288,8 +323,8 @@ func (a *ApplicationSnapshotImage) parseAttestationsFromBundles(layers []cosignO
 		if err != nil {
 			return fmt.Errorf("unable to parse bundle attestation: %w", err)
 		}
-		t := att.PredicateType()
-		log.Debugf("Found bundle attestation with predicateType: %s", t)
+		log.Debugf("Found bundle attestation with predicateType: %s", att.PredicateType())
+
 		a.attestations = append(a.attestations, att)
 	}
 	return nil
@@ -494,6 +529,29 @@ func (a *ApplicationSnapshotImage) WriteInputFile(ctx context.Context) (string,
 	return inputJSONPath, inputJSON, nil
 }
 
+// isImageSignatureAttestation checks if a signature from a bundle represents
+// an image signature attestation (vs. a provenance attestation).
+func isImageSignatureAttestation(sig cosignOCI.Signature) bool {
+	payload, err := sig.Payload()
+	if err != nil {
+		log.Debugf("Cannot read signature payload: %v", err)
+		return false
+	}
+
+	att, err := attestation.ProvenanceFromBundlePayload(sig, payload)
+	if err != nil {
+		log.Debugf("Cannot parse bundle attestation: %v", err)
+		return false
+	}
+
+	predicateType := att.PredicateType()
+	// Image signature attestations use the cosign/sign predicate type
+	isImageSig := predicateType == "https://sigstore.dev/cosign/sign/v1"
+	log.Debugf("Attestation predicateType: %s, isImageSignature: %t", predicateType, isImageSig)
+
+	return isImageSig
+}
+
 // extractSignaturesFromBundle extracts signature information from a bundle
 // image signature attestation, using the same pattern as createEntitySignatures.
 //