diff --git a/EXAMPLES.md b/EXAMPLES.md index 1c5ad9b5daa..ea2a1c1f349 100644 --- a/EXAMPLES.md +++ b/EXAMPLES.md @@ -8,7 +8,7 @@ Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosig $ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json $ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central # We have to base64 encode the signature -$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun +$ cat gcpkms.sig | base64 | cosign attach signature --payload payload.json --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun ``` Now (on another machine) download the public key, payload, signatures and verify it! @@ -71,7 +71,7 @@ $ aws kms sign --key-id $AWS_CMK_ID \ --output text \ --query Signature > payload.sig -$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig) +$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig) --payload payload.json ``` Now (on another machine) use the `cosign` to download signature bundle, extract payload and signature value, and verify it with `aws kms`! diff --git a/USAGE.md b/USAGE.md index e58d1295161..7a593849cef 100644 --- a/USAGE.md +++ b/USAGE.md 
@@ -130,18 +130,18 @@ $ cosign generate $IMAGE_DIGEST | openssl... ## Upload a generated signature -The signature is passed via the `--signature` flag. +The signature is passed via the `--signature` and `--payload` flags. It can be a file: ```shell -$ cosign attach signature --signature file.sig $IMAGE_DIGEST +$ cosign attach signature --signature file.sig --payload payload.json $IMAGE_DIGEST Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.sig ``` or, `-` for stdin for chaining from other commands: ```shell -$ cosign generate $IMAGE_DIGEST | openssl... | cosign attach signature --signature - $IMAGE_DIGEST +$ … | openssl... | cosign attach signature --signature - --payload ... $IMAGE_DIGEST Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def.sig ``` diff --git a/cmd/cosign/cli/attach/sig.go b/cmd/cosign/cli/attach/sig.go index aa0d2f5acbf..f1ad36cdd4f 100644 --- a/cmd/cosign/cli/attach/sig.go +++ b/cmd/cosign/cli/attach/sig.go @@ -25,10 +25,10 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/oci/mutate" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" "github.com/sigstore/cosign/v2/pkg/oci/static" - sigPayload "github.com/sigstore/sigstore/pkg/signature/payload" ) func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, imageRef string) error { @@ -58,7 +58,7 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, var payload []byte if payloadRef == "" { - payload, err = (&sigPayload.Cosign{Image: digest}).MarshalJSON() + payload, err = cosign.ObsoletePayload(ctx, digest) } else { payload, err = os.ReadFile(filepath.Clean(payloadRef)) } 
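Review bot: The fallback branch `payload, err = cosign.ObsoletePayload(ctx, digest)` still fabricates a payload whenever `--payload` is omitted, so a signature that was produced externally over payload.json (the flow the EXAMPLES.md and USAGE.md changes document) gets attached next to bytes it never covered, and the mismatch only shows up at verify time rather than at attach time. What ObsoletePayload does beyond returning the legacy payload is not visible in this hunk; if it does not already warn or refuse, consider making the omission an explicit error unless the caller opts in, e.g. `if payloadRef == "" { return fmt.Errorf("--payload is required; the attached payload must be the exact bytes that were signed") }`, since the CLI has no key here with which to detect the problem itself. The second half of the hunk is fine as is, but a one-line comment above the `if` such as `// Without --payload we can only guess the signed bytes; this is kept for backward compatibility` would make the intent of the legacy branch clear. SignatureCmd begins and ends outside the hunk, and `err` is declared earlier in the function.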
diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go index 8eaa4cf281f..5c02663516c 100644 --- a/cmd/cosign/cli/options/attach.go +++ b/cmd/cosign/cli/options/attach.go @@ -44,7 +44,7 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) { "path to the signature, or {-} for stdin") cmd.Flags().StringVar(&o.Payload, "payload", "", - "path to the payload covered by the signature (if using another format)") + "path to the payload covered by the signature") cmd.Flags().StringVar(&o.Cert, "certificate", "", "path to the X.509 certificate in PEM format to include in the OCI Signature") diff --git a/doc/cosign_attach_signature.md b/doc/cosign_attach_signature.md index bbe86366672..861a142e578 100644 --- a/doc/cosign_attach_signature.md +++ b/doc/cosign_attach_signature.md @@ -22,7 +22,7 @@ cosign attach signature [flags] --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature -h, --help help for signature --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). - --payload string path to the payload covered by the signature (if using another format) + --payload string path to the payload covered by the signature --signature string path to the signature, or {-} for stdin ```
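Review bot: The new help text for `--payload` in attach.go drops the "(if using another format)" qualifier but does not say what happens when the flag is left out, which is the case that produces an unverifiable attachment. Since the surrounding docs now always pass `--payload`, the flag description is the one place a CLI user will see the caveat; something like `"path to the payload covered by the signature (must be the exact bytes that were signed; omitting it falls back to a legacy payload derived from the image digest)"` would carry it. AddFlags starts and ends outside the hunk.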