Cosign v3 silently ignores pushing signatures to a separate repository via the COSIGN_REPOSITORY envvar #4464

@apyrgio

Description

In Cosign v2, we could push signatures to a separate repository via the COSIGN_REPOSITORY environment variable. This is where it was used in the code:

repo, _ := ociremote.GetEnvTargetRepository()
if repo.RepositoryStr() == "" {
	ui.Infof(ctx, "Pushing signature to: %s", digest.Repository)
} else {
	ui.Infof(ctx, "Pushing signature to: %s", repo.RepositoryStr())
}

In Cosign v3, this is no longer the case, and I don't see this envvar being used anywhere in signDigestBundle. Is this a bug, or is this behavior deprecated?

Version

  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v3.0.2
GitCommit:     84449696f0658a5ef5f2abba87fdd3f8b17ca1be
GitTreeState:  clean
BuildDate:     2025-10-10T18:17:56Z
GoVersion:     go1.25.1
Compiler:      gc
Platform:      linux/amd64

Labels: bug (Something isn't working)
