We recently started using cosign at v2.2.0. We have a CI step that runs cosign copy temp-image prod-image which would copy the container image and signatures.
After the cosign-installer action got updated in our repo this week, I noticed I could no longer verify signatures on prod images because the signatures were missing from the prod registry.
I tested with -d using 2.2.0 and 2.2.1 and confirmed 2.2.1 doesn't copy or look for existing .sig artifacts without setting -only sign. 2.2.0 does copy without needing extra params.
I think this change was introduced by #3247. Should there be some default tags if nothing is explicitly requested?