fix: cosign image pulls

src/internal/packager/images/pull.go

@@ -165,7 +165,13 @@ func Pull(ctx context.Context, cfg PullConfig) (map[transform.Image]v1.Image, er
 				return fmt.Errorf("%s resolved to an index, please select a specific platform to use", refInfo.Reference)
 			}
 
-			img = cache.Image(img, cache.NewFilesystemCache(cfg.CacheDirectory))
+			cacheImg, err := utils.OnlyHasImageLayers(img)
+			if err != nil {
+				return err
+			}
+			if cacheImg {
+				img = cache.Image(img, cache.NewFilesystemCache(cfg.CacheDirectory))
+			}
 
 			manifest, err := img.Manifest()
 			if err != nil {

src/internal/packager/images/pull_test.go

@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+// Package images provides functions for building and pushing images.
+package images
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/defenseunicorns/zarf/src/pkg/transform"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPull(t *testing.T) {
+	t.Run("pulling a cosign image is successful and doesn't add anything to the cache", func(t *testing.T) {
+
+		ref, err := transform.ParseImageRef("ghcr.io/stefanprodan/podinfo:sha256-57a654ace69ec02ba8973093b6a786faa15640575fbf0dbb603db55aca2ccec8.sig")
+		require.NoError(t, err)
+		destDir := t.TempDir()
+		cacheDir := t.TempDir()
+		pullConfig := PullConfig{
+			DestinationDirectory: destDir,
+			CacheDirectory:       cacheDir,
+			ImageList: []transform.Image{
+				ref,
+			},
+		}
+
+		_, err = Pull(context.Background(), pullConfig)
+		require.NoError(t, err)
+		require.FileExists(t, filepath.Join(destDir, "blobs/sha256/3e84ea487b4c52a3299cf2996f70e7e1721236a0998da33a0e30107108486b3e"))
+
+		dir, err := os.ReadDir(cacheDir)
+		require.NoError(t, err)
+		require.Empty(t, dir)
+	})
+}

src/pkg/packager/creator/normal.go

@@ -201,7 +201,7 @@ func (pc *PackageCreator) Assemble(ctx context.Context, dst *layout.PackagePaths
 			if err := dst.Images.AddV1Image(img); err != nil {
 				return err
 			}
-			ok, err := utils.HasImageLayers(img)
+			ok, err := utils.OnlyHasImageLayers(img)
 			if err != nil {
 				return fmt.Errorf("failed to validate %s is an image and not an artifact: %w", info, err)
 			}

src/pkg/utils/image.go

@@ -86,8 +86,8 @@ func AddImageNameAnnotation(ociPath string, referenceToDigest map[string]string)
 	return os.WriteFile(indexPath, b, helpers.ReadWriteUser)
 }
 
-// HasImageLayers checks if all layers in the v1.Image are known image layers.
-func HasImageLayers(img v1.Image) (bool, error) {
+// OnlyHasImageLayers checks if all layers in the v1.Image are known image layers.
+func OnlyHasImageLayers(img v1.Image) (bool, error) {
 	layers, err := img.Layers()
 	if err != nil {
 		return false, err