From 60ea65a3b130b3fe198e95a38fc9fe844a78f880 Mon Sep 17 00:00:00 2001
From: Juan Cruz Viotti
Date: Tue, 24 Feb 2026 13:47:40 -0400
Subject: [PATCH] Fix broken `cosign` SBOM SPDX attestation
Signed-off-by: Juan Cruz Viotti
---
 enterprise/scripts/cosign.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/enterprise/scripts/cosign.sh b/enterprise/scripts/cosign.sh
index eaa5fd19..568f6a66 100755
--- a/enterprise/scripts/cosign.sh
+++ b/enterprise/scripts/cosign.sh
@@ -30,7 +30,7 @@ echo "Cosign: Signing ${IMAGE}@${DIGEST}" 1>&2
 cosign sign --yes "${IMAGE}@${DIGEST}"
 echo "Cosign: Attaching SBOM attestation to ${IMAGE}@${DIGEST}" 1>&2
-cosign attest --yes --predicate "$SBOM_FILE" --type spdx "${IMAGE}@${DIGEST}"
+cosign attest --yes --predicate "$SBOM_FILE" --type spdxjson "${IMAGE}@${DIGEST}"
 echo "Cosign: Verifying signature for ${IMAGE}@${DIGEST}" 1>&2
 echo "Cosign: OIDC issuer: ${CERTIFICATE_OIDC_ISSUER}" 1>&2
@@ -43,7 +43,7 @@ cosign verify \
 echo "Cosign: Signature verified successfully" 1>&2
 echo "Cosign: Verifying SBOM attestation for ${IMAGE}@${DIGEST}" 1>&2
-cosign verify-attestation --type spdx \
+cosign verify-attestation --type spdxjson \
 --certificate-oidc-issuer "$CERTIFICATE_OIDC_ISSUER" \
 --certificate-identity "$CERTIFICATE_IDENTITY" \
 "${IMAGE}@${DIGEST}"
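Review bot: The predicate type is now the literal `spdxjson` in two separate commands, `cosign attest` in this first hunk and `cosign verify-attestation` in the second, and both must agree with the actual format of `$SBOM_FILE`. The commit appears to fix a mismatch of that kind, so a single definition would keep it from returning: `SBOM_PREDICATE_TYPE="spdxjson"  # $SBOM_FILE is an SPDX JSON document` next to the other variables, then `--type "$SBOM_PREDICATE_TYPE"` in both calls. Nothing in the visible lines checks that `$SBOM_FILE` exists and holds SPDX JSON before it is signed; whether earlier lines of the script do so is outside the hunk.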
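Review bot: The `cosign verify-attestation` call at the end of the second hunk confirms only that an attestation of type `spdxjson`, signed by `$CERTIFICATE_IDENTITY` under `$CERTIFICATE_OIDC_ISSUER`, exists for the digest; it does not compare the attested predicate with `$SBOM_FILE`. A comment above it would stop readers from treating it as a content check, for example `# Checks signer identity and predicate type only; the SBOM content is not compared with $SBOM_FILE.` The command also ends at `"${IMAGE}@${DIGEST}"` with no redirection, so whatever it prints on success goes to the script's stdout while every status message uses `1>&2`. If a caller reads stdout, appending `> /dev/null` to that last line would keep it clean.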