From b4f34ed319b8e973aa9da1ab38d935de77d549c0 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Tue, 13 Jan 2026 16:21:46 +0100
Subject: [PATCH] sigstore: make retry on manifest unknown optional

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 src/sigstore/sigstore.ts | 25 ++++++++++++++++++++++---
 src/types/sigstore/sigstore.ts | 2 +-
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/src/sigstore/sigstore.ts b/src/sigstore/sigstore.ts
index 8c2b3e55..ed8c5d82 100644
--- a/src/sigstore/sigstore.ts
+++ b/src/sigstore/sigstore.ts
@@ -135,7 +135,7 @@ export class Sigstore {
 const verifyResult = await this.verifyImageAttestation(attestationRef, {
 noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
 certificateIdentityRegexp: opts.certificateIdentityRegexp,
- retries: opts.retries
+ retryOnManifestUnknown: opts.retryOnManifestUnknown
 });
 core.info(`Signature manifest verified: https://oci.dag.dev/?image=${signedRes.imageName}@${verifyResult.signatureManifestDigest}`);
 result[attestationRef] = verifyResult;
@@ -164,8 +164,6 @@ export class Sigstore {
 }
 
 public async verifyImageAttestation(attestationRef: string, opts: VerifySignedManifestsOpts): Promise {
- const retries = opts.retries ?? 15;
-
 if (!(await this.cosign.isAvailable())) {
 throw new Error('Cosign is required to verify signed manifests');
 }
@@ -183,6 +181,27 @@ export class Sigstore {
 cosignArgs.push('--use-signed-timestamps', '--insecure-ignore-tlog');
 }
 
+ if (!opts.retryOnManifestUnknown) {
+ core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
+ const execRes = await Exec.getExecOutput('cosign', ['--verbose', ...cosignArgs, attestationRef], {
+ ignoreReturnCode: true,
+ silent: true,
+ env: Object.assign({}, process.env, {
+ COSIGN_EXPERIMENTAL: '1'
+ }) as {[key: string]: string}
+ });
+ if (execRes.exitCode !== 0) {
+ // prettier-ignore
+ throw new Error(`Cosign verify command failed with: ${execRes.stderr.trim().split(/\r?\n/).filter(line => line.length > 0).pop() ?? 'unknown error'}`);
+ }
+ const verifyResult = Cosign.parseCommandOutput(execRes.stderr.trim());
+ return {
+ cosignArgs: cosignArgs,
+ signatureManifestDigest: verifyResult.signatureManifestDigest!
+ };
+ }
+
+ const retries = 15;
 let lastError: Error | undefined;
 core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
 for (let attempt = 0; attempt < retries; attempt++) {
diff --git a/src/types/sigstore/sigstore.ts b/src/types/sigstore/sigstore.ts
index bacce353..97255567 100644
--- a/src/types/sigstore/sigstore.ts
+++ b/src/types/sigstore/sigstore.ts
@@ -48,7 +48,7 @@ export interface SignAttestationManifestsResult extends ParsedBundle {
 export interface VerifySignedManifestsOpts {
 certificateIdentityRegexp: string;
 noTransparencyLog?: boolean;
- retries?: number;
+ retryOnManifestUnknown?: boolean;
 }
 
 export interface VerifySignedManifestsResult {
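Review bot: The single-attempt path returns `verifyResult.signatureManifestDigest!`, so a cosign run that exits 0 but whose parsed stderr carries no manifest digest is reported as verified with an undefined digest, which the caller shown in the first hunk then interpolates into the "Signature manifest verified" URL. Replace the non-null assertion with an explicit check before the `return`: `if (!verifyResult.signatureManifestDigest) { throw new Error('Cosign verify output did not contain a signature manifest digest'); }`. The new block also appears to duplicate the exec invocation, env setup and output parsing of the retry loop that begins at the end of the hunk; its body is outside the hunk, so I cannot confirm it, but if that loop already rethrows non-manifest-unknown failures immediately, `const retries = opts.retryOnManifestUnknown ? 15 : 1;` with a single code path would keep the two copies from drifting apart. Whichever way it is resolved, the same digest check should apply to the loop's result as well.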
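Review bot: `retryOnManifestUnknown` is undocumented, and leaving it unset now changes behaviour: the removed `retries` field defaulted to 15 attempts for every caller, while an unset boolean takes the new single-attempt path in src/sigstore/sigstore.ts. A TSDoc comment on the field should say so, e.g. `/** When true, retry cosign verification (up to 15 attempts) if the signature manifest is reported unknown; defaults to false, i.e. a single attempt. */`. The exact condition the loop retries on is presumably the manifest-unknown response the name suggests, but the loop body is outside this patch, so confirm the wording against it.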