cosign: fix image signature verification by tag

For a tag (e.g. :latest), there is no reference.digest().
image-rs falls back to image.manifest_digest, which comes from pull_manifest
in the image pull path.
Cosign (and sigstore triangulation) uses fetch_manifest_digest for that
ref — the same digest cosign verify uses.
For multi-arch images, pull_manifest can be a platform-specific child
while the signature (and triangulation) refer to the list/index digest,
so the two strings don’t match even when verification is correct.

verify_signature_and_get_payload now returns (payloads, source_image_digest),
where source_image_digest is the digest from client.triangulate
(same as cosign’s triangulation / fetch_manifest_digest).

Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Assisted-by: AI

For the payload digest check:
* @sha256:… in the reference -> still use reference digest.
* Tag only (:latest, etc.) -> use triangulated_manifest_digest, not pull_manifest’s digest.

So tag pulls stay aligned with cosign verify --key … image:tag.

Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>

Author: esposem

image-rs/src/signature/policy/cosign/mod.rs

@@ -94,7 +94,7 @@ impl CosignParameters {
         };
 
         // Verification, will access the network
-        let payloads = self
+        let (payloads, triangulated_manifest_digest) = self
             .verify_signature_and_get_payload(image, auth, key, certificates, proxy_config)
             .await?;
 
@@ -104,14 +104,16 @@ impl CosignParameters {
                 payload.validate_signed_docker_reference(&image.reference, rule)?;
             }
 
-            // When the user pins `@sha256:…`, cosign payloads usually record that digest (often a
-            // multi-arch manifest list). `pull_manifest` may resolve to a platform-specific child
-            // manifest with a different digest — compare against the reference digest when set.
-            let digest_for_comparison = image
-                .reference
-                .digest()
-                .map(str::to_string)
-                .unwrap_or_else(|| image.manifest_digest.to_string());
+            // Digest to compare with the cosign simple-signing payload:
+            // - If the user pinned `@sha256:…`, use that (matches multi-arch index vs per-arch pull).
+            // - If they used a tag (e.g. `:latest`), use the digest from sigstore triangulation —
+            //   same as `cosign verify` / `fetch_manifest_digest`, not necessarily `pull_manifest`'s
+            //   digest (which can be a platform-specific child of a manifest list).
+            let digest_for_comparison = if let Some(d) = image.reference.digest() {
+                d.to_string()
+            } else {
+                triangulated_manifest_digest.clone()
+            };
             payload.validate_signed_docker_manifest_digest(&digest_for_comparison)?;
         }
 
@@ -142,7 +144,8 @@ impl CosignParameters {
     /// * Download the signature image, gather the signatures and verify them
     ///   using the pubkey.
     ///
-    /// If succeeds, the payloads of the signature will be returned.
+    /// If succeeds, returns the verified payloads and the manifest digest string from cosign
+    /// triangulation (registry `fetch_manifest_digest`), aligned with `cosign verify`.
     #[allow(clippy::too_many_arguments)]
     async fn verify_signature_and_get_payload(
         &self,
@@ -151,7 +154,7 @@ impl CosignParameters {
         key: Vec<u8>,
         certificates: Vec<&Certificate>,
         proxy_config: Option<&ProxyConfig>,
-    ) -> Result<Vec<SigPayload>> {
+    ) -> Result<(Vec<SigPayload>, String)> {
         let image_ref = OciReference::from_str(&image.reference.whole())?;
         let auth = match auth {
             RegistryAuth::Anonymous => Auth::Anonymous,
@@ -212,7 +215,7 @@ impl CosignParameters {
                         .iter()
                         .map(|layer| SigPayload::from(layer.simple_signing.clone()))
                         .collect();
-                    return Ok(payloads);
+                    return Ok((payloads, source_image_digest));
                 }
                 Err(SigstoreVerifyConstraintsError {
                     unsatisfied_constraints,