Support stdout output for attest-blob bundles

[ralphbean]

Summary

This enables attest-blob --bundle=- to write bundles to stdout with a trailing newline, allowing users to create JSONL files containing multiple attestations by redirecting and appending output.

This change adds support for the convention of using "-" to represent stdout. When the bundle path is "-", the bundle is written to stdout instead of a file, and the signature output is suppressed to avoid conflicts.

Changes:

• Add stdout detection in attest/attest_blob.go and signcommon/common.go
• Suppress signature output when bundle goes to stdout
• Add comprehensive test coverage in attest_blob_test.go
• Update flag description and add JSONL example to documentation

Example usage, appending two predicates about the same blob to the same jsonl file.

cosign attest-blob --key key.key --predicate pred1.json \ --type slsaprovenance --bundle=- blob.txt >> attestations.jsonl
cosign attest-blob --key key.key --predicate pred2.json \ --type slsaprovenance --bundle=- blob.txt >> attestations.jsonl

🤖 Generated with Claude Code

Closes #4494

Release Note

Added support for writing blob attestations to stdout.

Documentation

I don't think this needs any special docs update, but I'm open to it if you think there's somewhere it should be noted.

[codecov]

Codecov Report

❌ Patch coverage is 46.66667% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 36.68%. Comparing base (2ef6022) to head (77486a5).
⚠️ Report is 574 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/cosign/cli/attest/attest_blob.go	42.85%	3 Missing and 1 partial ⚠️
cmd/cosign/cli/signcommon/common.go	0.00%	3 Missing ⚠️
cmd/cosign/cli/options/attest_blob.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4495      +/-   ##
==========================================
- Coverage   40.10%   36.68%   -3.42%     
==========================================
  Files         155      220      +65     
  Lines       10044    12173    +2129     
==========================================
+ Hits         4028     4466     +438     
- Misses       5530     7017    +1487     
- Partials      486      690     +204     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[steiza]

I like the idea of cosign supporting a way to construct a bundles.sigstore.jsonl file, but I'm hesitant to assume that the only stdout from subcommands like attest-blob will be the bundle itself.

Would it make sense to have these subcommands append to the --bundle path, instead of just calling os.WriteFile(), which truncates the file? Then, adapting the example you provided you'd do something like:

cosign attest-blob --key key.key --predicate pred1.json --type slsaprovenance --bundle=attestations.sigstore.jsonl blob.txt 
cosign attest-blob --key key.key --predicate pred2.json --type slsaprovenance --bundle=attestations.sigstore.jsonl blob.txt

I'm curious as to what other Cosign maintainers think. Also, if we made this change, we'd probably want to update attest-blob and sign-blob to behave in the same way.

[ralphbean]

I'm hesitant to assume that the only stdout from subcommands like attest-blob will be the bundle itself.

Yeah, there's an old issue lurking about this at #2510

[ralphbean]

Would it make sense to have these subcommands append to the --bundle path, instead of just calling os.WriteFile(), which truncates the file?

As a user, this sounds nice. Consider, is it a breaking change? A user might theoretically be depending on that truncation, but in practice I can't imagine it mattering. At most, somebody's local flow might change if they were depending on writing an attestation over and over again as a test.

Is there a type-ambiguity? If you call attest-blob once with --bundle, you get a json file where .json is an appropriate suffix. If you call it twice, you get a json lines file where .jsonl is an appropriate suffix.

Perhaps an explicit --append option, defaulting to false would be the right choice (although, it does inflate the number of options and I believe there's an effort underway or done with v3 to reduce the number of options).