Labels: bug (Something isn't working)
Description
Verifying a local image may fail with a segmentation fault:
$ cosign save busybox --dir busybox/
$ cosign verify --local-image busybox/ --key <pubkey>
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x556483c79d95]
goroutine 1 [running]:
github.com/sigstore/cosign/v3/pkg/cosign.VerifyImageAttestation({0x5564870dd110, 0xc000038310}, {0x0?, 0x0?}, {{0x5564859e6a50?, 0x556485a04970?}, {0xc000952180?, 0x4e94914f0000?}}, 0xc0004b31e0)
/build/cosign/src/cosign/pkg/cosign/verify.go:1100 +0x75
github.com/sigstore/cosign/v3/pkg/cosign.VerifyLocalImageAttestations({0x5564870dd110, 0xc000038310}, {0x7ffe65a8f88c?, 0x31?}, 0xc0004b31e0)
/build/cosign/src/cosign/pkg/cosign/verify.go:1091 +0x1b9
github.com/sigstore/cosign/v3/cmd/cosign/cli/verify.(*VerifyCommand).Exec(0xc000407790, {0x5564870dd110, 0xc000038310}, {0xc0003cd180, 0x1, 0x1?})
/build/cosign/src/cosign/cmd/cosign/cli/verify/verify.go:337 +0x19ab
github.com/sigstore/cosign/v3/cmd/cosign/cli.Verify.func1(0xc00086af08, {0xc0003cd180, 0x1, 0x4})
/build/cosign/src/cosign/cmd/cosign/cli/verify.go:160 +0x547
github.com/spf13/cobra.(*Command).execute(0xc00086af08, {0xc0003cd140, 0x4, 0x4})
/build/cosign/src/cosign/vendor/github.com/spf13/cobra/command.go:1015 +0xb02
github.com/spf13/cobra.(*Command).ExecuteC(0xc000980908)
/build/cosign/src/cosign/vendor/github.com/spf13/cobra/command.go:1148 +0x465
github.com/spf13/cobra.(*Command).Execute(0x0?)
/build/cosign/src/cosign/vendor/github.com/spf13/cobra/command.go:1071 +0x13
main.main()
/build/cosign/src/cosign/cmd/cosign/main.go:64 +0x44f
The example above involves a public image that has not been signed. I have managed to reproduce it with an image I've signed as well. I think in practice there's no difference, because I don't think cosign save downloads the sigstore bundle locally.
Version
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: v3.0.2+dirty
GitCommit: 84449696f0658a5ef5f2abba87fdd3f8b17ca1be
GitTreeState: dirty
BuildDate: 2025-10-10T18:17:56
GoVersion: go1.25.2 X:nodwarf5
Compiler: gc
Platform: linux/amd64
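A crash like the one reported above is neither a "verified" nor a "rejected" result, and a pipeline that only checks the exit status cannot tell the two apart. The following is an added example (not code from the cosign project or from the issue author) that wraps the reproduction steps from the issue and classifies the outcome from the exit status and stderr. It assumes that a Go panic prints `panic:` / `signal SIGSEGV` to stderr and exits non-zero, and that a failed verification exits non-zero without panic text; both are assumptions, and `classify_verify_outcome` / `verify_local_image` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not part of cosign. Distinguishes a verifier crash
# (e.g. the nil-pointer panic in this issue) from a genuine signature
# rejection so that a crash is never reported as a verification result.

# classify_verify_outcome EXIT_STATUS STDERR_FILE
# Prints one of: crashed, verified, rejected.
# Assumption: Go runtime panics leave "panic:" / "signal SIGSEGV" on stderr.
classify_verify_outcome() {
    status="$1"
    stderr_file="$2"
    if grep -q 'panic: runtime error' "$stderr_file" \
        || grep -q 'signal SIGSEGV' "$stderr_file"; then
        echo crashed
        return 0
    fi
    if [ "$status" -eq 0 ]; then
        echo verified
    else
        echo rejected
    fi
}

# verify_local_image IMAGE_REF DIR PUBKEY
# Runs the two steps from the issue (cosign save, then cosign verify
# --local-image) and returns 0 only on an explicit "verified" outcome.
verify_local_image() {
    image="$1"
    dir="$2"
    pubkey="$3"
    err="$(mktemp)"
    cosign save "$image" --dir "$dir" || { rm -f "$err"; return 1; }
    # Capture stderr separately; the exit status alone cannot tell a
    # panic from a rejected signature.
    if cosign verify --local-image "$dir" --key "$pubkey" \
        >/dev/null 2>"$err"; then
        rc=0
    else
        rc=$?
    fi
    outcome="$(classify_verify_outcome "$rc" "$err")"
    rm -f "$err"
    echo "verify --local-image $dir: $outcome"
    # Treat "crashed" as a hard failure, never as a pass.
    [ "$outcome" = verified ]
}
```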