
Problems with local Rekor server & cosign attest #4400

@BorekZnovustvoritel

Description

Question

I tried attesting an image with an SPDX SBOM with the command cosign attest --key cosign.key --type spdxjson --predicate mysbom.spdx.json sampleregistry.com/myorg/myimage@sha256:a. When I specify --tlog-upload=false, everything runs just fine. But when I run Rekor server locally with the provided compose file, download the Rekor pub key from http://localhost:3000/api/v1/log/publicKey into a file to which I point the env variable SIGSTORE_REKOR_PUBLIC_KEY and specify --rekor-url=http://localhost:3000, I receive the following message:

```
The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
This may include the email address associated with the account with which you authenticate your contractual Agreement.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N]
```

Which obviously seems wrong as I wanted to use the local Rekor server and not the public one. Is there something I am obviously doing wrong or missing?
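A preflight wrapper for the setup described in the question, added here as an example and not part of the issue or of cosign itself. It fetches the public key from the local Rekor endpoint named above, checks that the file really holds one PEM public key (a JSON error body or HTML page saved under `SIGSTORE_REKOR_PUBLIC_KEY` is a common silent failure), and only then runs the same `cosign attest` command. `REKOR_URL`, `KEY_FILE`, `IMAGE`, `PREDICATE` and the `REKOR_PREFLIGHT_RUN` guard are assumed names chosen for this script.

```shell
#!/bin/sh
# Added example (not from the issue): preflight for cosign attest against a local Rekor.
# REKOR_URL / KEY_FILE defaults are constructed; IMAGE and PREDICATE come from the caller.
REKOR_URL="${REKOR_URL:-http://localhost:3000}"
KEY_FILE="${KEY_FILE:-./rekor.pub}"

# rekor_key_looks_valid FILE: returns 0 only if FILE contains exactly one PEM
# "PUBLIC KEY" block and nothing else (no stray JSON, HTML or log output).
rekor_key_looks_valid() {
  f="$1"
  [ -s "$f" ] || return 1
  begins=$(grep -c '^-----BEGIN PUBLIC KEY-----$' "$f" || true)
  ends=$(grep -c '^-----END PUBLIC KEY-----$' "$f" || true)
  [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] || return 1
  # Every remaining line must be base64 body; anything else means the
  # endpoint did not return a bare key.
  ! grep -v -E '^(-----(BEGIN|END) PUBLIC KEY-----|[A-Za-z0-9+/=]+)$' "$f" >/dev/null
}

# fetch_rekor_key: download the log public key from the local Rekor instance
# (same endpoint as in the question) and validate it before use.
fetch_rekor_key() {
  curl -fsS "$REKOR_URL/api/v1/log/publicKey" -o "$KEY_FILE" || return 1
  rekor_key_looks_valid "$KEY_FILE"
}

# Only run the attest step when explicitly requested, so the functions above
# can be sourced and checked without touching a registry.
if [ "${REKOR_PREFLIGHT_RUN:-0}" = "1" ]; then
  fetch_rekor_key || { echo "no usable public key at $REKOR_URL" >&2; exit 1; }
  SIGSTORE_REKOR_PUBLIC_KEY="$KEY_FILE" cosign attest --key cosign.key --type spdxjson \
    --predicate "$PREDICATE" --rekor-url "$REKOR_URL" "$IMAGE"
fi
```

Run with `REKOR_PREFLIGHT_RUN=1 IMAGE=... PREDICATE=mysbom.spdx.json sh preflight.sh`; without the guard variable the script only defines the checks.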
