Description
Both cosign sign and cosign sign-blob commands support the --output-certificate parameter, but they behave differently when signing with a private key.
Example with cosign sign (image signing):
```shell
cosign sign --key cosign.key --output-certificate certificate.crt --output-signature signature.sig --record-creation-timestamp --tlog-upload=false --upload=false hello-world:latest
```
In this example, when signing an image using cosign sign, the --output-certificate flag generates a certificate containing the public key.
Example with cosign sign-blob (blob signing):
```shell
cosign sign-blob --key cosign.key --output-certificate certificate.crt --output-signature signature.sig --tlog-upload=false test-zip-file.zip
```
However, when signing a blob using cosign sign-blob, despite the presence of the --output-certificate flag, no certificate is generated.
My question is:
Why does signing an image generate a certificate with the public key, but signing a blob does not? How does the --output-certificate flag work in this context for blobs or in general?
I understand that when a blob is signed using the keyless method, a certificate is generated, but this behavior seems different when using the private key for signing.
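The following is an added illustration, not part of the issue above and not cosign's own code, of what "a certificate containing the public key" means when the signer is a local private key rather than a keyless (Fulcio-issued) identity. It assumes cosign's default key type (ECDSA P-256, signing a SHA-256 digest) and uses a constructed byte string in place of `test-zip-file.zip`. It signs the blob with the private key, wraps the matching public key in a self-signed X.509 certificate built by the example itself, and shows that the detached signature verifies identically whether the public key is taken directly from the key pair or extracted from that certificate; the certificate adds no information a verifier needs beyond the public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// SignBlob hashes blob with SHA-256 and signs the digest with an ECDSA P-256
// key (cosign's default key type). The ASN.1 DER signature is returned as
// base64, the usual encoding for a detached blob signature written to a file.
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyBlob checks a base64 ASN.1 signature over blob using only a public key.
// Malformed base64 is treated as a failed verification rather than a panic.
func VerifyBlob(pub *ecdsa.PublicKey, blob []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SelfSignedCertPEM wraps priv's public key in a minimal self-signed X.509
// certificate and returns it PEM-encoded. This is an illustration of a
// certificate that merely carries a public key; it is not cosign's logic.
func SelfSignedCertPEM(priv *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cosign.key (illustrative subject)"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// PublicKeyFromCertPEM parses a PEM certificate and returns the embedded
// ECDSA public key, which is all a verifier of a blob signature needs.
func PublicKeyFromCertPEM(certPEM []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an ECDSA key")
	}
	return pub, nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample input standing in for test-zip-file.zip.
	blob := []byte("constructed sample blob standing in for test-zip-file.zip\n")
	sig, _ := SignBlob(priv, blob)
	certPEM, _ := SelfSignedCertPEM(priv)
	pubFromCert, _ := PublicKeyFromCertPEM(certPEM)
	fmt.Println("verify with raw public key:  ", VerifyBlob(&priv.PublicKey, blob, sig))
	fmt.Println("verify with key from cert:   ", VerifyBlob(pubFromCert, blob, sig))
	fmt.Println("verify tampered blob:        ", VerifyBlob(pubFromCert, append(blob, 'x'), sig))
}
```

The design point the example makes: for a locally held key there is no issuer and no identity to bind, so any certificate written alongside the signature is a self-signed envelope around the same public key already present in `cosign.pub`, and `cosign verify-blob --key cosign.pub` needs nothing more. In the keyless flow the certificate is the trust anchor because it binds an OIDC identity to an ephemeral key, which is why it matters there and is redundant here.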