sign-blob --bundle clobbers --output-{signature,certificate} #1821

Closed
znewman01 opened this issue May 2, 2022 · 1 comment · Fixed by #2016
Labels
bug Something isn't working

Comments

@znewman01
Contributor

If I pass all three of --output-signature, --output-certificate, and --bundle, Cosign silently only respects --bundle.

$ cosign sign-blob /dev/null --output-signature /tmp/keyless.sig --output-certificate /tmp/keyless.crt --bundle /tmp/keyless.bundle
[...]
$ ls /tmp/keyless.*
/tmp/keyless.bundle

I expect either:

  1. I get all three: a signature, a bundle, a cert (preferred)
  2. An error from the option parser

Guilty line looks like:

// if bundle is specified, just do that and ignore the rest

It appears that cosign sign does not support --bundle, though I'm not sure why not. CC @priyawadhwa who added it in #1306

@priyawadhwa
Contributor

priyawadhwa commented Jun 20, 2022

Hey @znewman01 sorry I missed your ping in this issue! Basically for OCI images the bundle will be stored on the image, so it can be saved locally with cosign save and cosign load and offline verification will still work. But, this doesn't really work for blobs, so we added in --bundle for blobs only. The goal was offline verification for blobs. There's some more explanation in this issue: #1193

I think this is a bug though! I don't think --bundle should be clobbering the other flags, they should all be able to work at the same time.
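
A CI guard for the behaviour reported in this issue, as an added example that is not part of the original thread or of cosign's code: it re-reads the arguments passed to `cosign sign-blob` and fails if any path given to `--output-signature`, `--output-certificate` or `--bundle` was not written. The function names `missing_outputs` and `sign_and_check` are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not cosign code).
# missing_outputs prints every output path that a sign-blob argument list
# requested but that is missing or empty on disk, and returns 1 if any are.
# Only the three flags named in the issue are recognised.
missing_outputs() {
    missing=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --output-signature|--output-certificate|--bundle)
                # "--flag path" form: the path is the next argument
                if [ "$#" -ge 2 ]; then path=$2; shift; else path=""; fi
                ;;
            --output-signature=*|--output-certificate=*|--bundle=*)
                # "--flag=path" form: the path follows the first "="
                path=${1#*=}
                ;;
            *)
                # blob path or an unrelated flag: skip it
                shift; continue
                ;;
        esac
        shift
        # -s is true only for an existing file with size > 0
        if [ -n "$path" ] && [ ! -s "$path" ]; then
            missing="$missing$path
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Run the signing command, then fail loudly if a requested output is absent,
# so a silently dropped signature or certificate stops the pipeline here
# instead of surfacing later at verification time.
sign_and_check() {
    cosign sign-blob "$@" || return
    if ! lost=$(missing_outputs "$@"); then
        echo "sign-blob exited 0 but did not write:" >&2
        printf '%s' "$lost" >&2
        return 1
    fi
}
```

Calling `sign_and_check` with the arguments from the report above would stop the job on the first run that produces only the bundle.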
