
[Bug]: install script has a bad error if your version of cosign is too old. #337

@lockwobr

Description


Prerequisites

  • I searched existing issues and found no duplicates
  • I can reproduce this issue consistently
  • This is not a security vulnerability (use Security Advisories instead)

Bug Description

Install script: unhelpful error when cosign is too old for attestation verification

Problem

When a user has cosign installed but at an older version, cosign verify-blob-attestation fails silently (stderr is redirected to /dev/null) and the install script shows a generic warning:

→ Verifying provenance attestation (Sigstore cosign)...
Confirms this binary was built by NVIDIA/aicr CI — not a third-party rebuild
! Attestation verification failed — cannot confirm binary provenance
The binary may still be valid, but its build origin could not be cryptographically verified

This gives no indication that the failure is due to an outdated cosign version, leading users to think the binary itself is suspect.

Current behavior

  • install line 263 redirects stderr to /dev/null, hiding the actual cosign error
  • The fallback message on lines 266-267 is generic — it doesn't distinguish between "bad attestation" and "old tool"

Proposed fix

Before calling cosign verify-blob-attestation, check the installed cosign version against the minimum required version (already tracked in .settings.yaml as cosign: 'v3.0.4'). If the version is too old, print a specific message:

Installed cosign version (v2.x.x) is older than the minimum required (v3.0.4)
Update cosign to verify provenance: https://docs.sigstore.dev/cosign/system_config/installation/

Implementation options

| Option | Effort | Maintenance |
|---|---|---|
| A. Add a hint to the existing failure message (e.g. "If verification fails, ensure cosign >= v3.0.4") | Low | Low |
| B. Parse cosign version output and compare against a hardcoded minimum | Medium | Medium — must update the minimum when requirements change |
| C. Read the minimum version from .settings.yaml (already the source of truth for tool versions) | Medium | Low — single source of truth |

Recommendation: Option A — Simplest approach with the least maintenance burden. Unlike Option B, there's no version-parsing logic to maintain, and unlike Option C, there's no dependency on another file in the repo or build process needed to template the value into the install script.

Additional improvement

Consider capturing cosign's stderr into a variable instead of discarding it entirely (2>/dev/null). On failure, log it at debug/info level so users (or support) can see the actual error when needed.

References

  • Install script: install:254-272
  • Minimum cosign version: .settings.yaml:36

Impact

Blocking (cannot proceed)

Component

CLI (aicr)

Regression?

Yes, this worked before (please specify version below)

Steps to Reproduce

  1. Install an old version of cosign, e.g. 2.4.0
  2. run install script

Expected Behavior

Nice error telling the user to check whether they have an old version of cosign.

Actual Behavior

Error that is not really helpful, sort of scary sounding.

Environment

  • Latest install script (currently: 0.10.8)

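As an added example (not the aicr install script or any code from the project), the version gate and stderr capture the issue proposes, in POSIX sh. It assumes `cosign version` prints a `GitVersion: vX.Y.Z` line and takes v3.0.4 as the minimum the issue says is tracked in .settings.yaml.

```shell
# Added example, not the aicr install script: gate the attestation check on a
# minimum cosign version and keep cosign's stderr for diagnostics.
COSIGN_MIN_VERSION="v3.0.4"   # the issue says this value lives in .settings.yaml

# Extract bare X.Y.Z from the "GitVersion: vX.Y.Z" line that `cosign version`
# prints (assumed output format). Reads stdin so it can be tested offline.
cosign_version_from_output() {
  sed -n 's/^GitVersion:[[:space:]]*v\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# 0 when X.Y.Z in $1 >= X.Y.Z in $2 (numeric fields, missing fields count as 0;
# pre-release suffixes are not handled).
version_ge() {
  vg_i=1
  while [ "$vg_i" -le 3 ]; do
    vg_have=$(printf '%s.0.0' "$1" | cut -d. -f"$vg_i")
    vg_want=$(printf '%s.0.0' "$2" | cut -d. -f"$vg_i")
    if [ "$vg_have" -gt "$vg_want" ]; then return 0; fi
    if [ "$vg_have" -lt "$vg_want" ]; then return 1; fi
    vg_i=$((vg_i + 1))
  done
  return 0
}

# $1 = output of `cosign version`. Fails with the specific message the issue
# proposes when the installed cosign is older than COSIGN_MIN_VERSION.
check_cosign_version() {
  have=$(printf '%s\n' "$1" | cosign_version_from_output)
  if [ -z "$have" ]; then
    echo "Could not determine the installed cosign version" >&2
    return 2
  fi
  if ! version_ge "$have" "${COSIGN_MIN_VERSION#v}"; then
    echo "Installed cosign version (v$have) is older than the minimum required ($COSIGN_MIN_VERSION)" >&2
    echo "Update cosign to verify provenance: https://docs.sigstore.dev/cosign/system_config/installation/" >&2
    return 1
  fi
  return 0
}

# Run a command (e.g. cosign verify-blob-attestation ...) with stderr captured
# into a variable instead of 2>/dev/null, so the real error can be logged.
verify_with_captured_stderr() {
  err=$("$@" 2>&1 >/dev/null)
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "verification failed (exit $rc): $err" >&2
  fi
  return "$rc"
}
```

In a real install script the first argument to check_cosign_version would be `"$(cosign version 2>/dev/null)"`, and the verify wrapper would be given the actual cosign verify-blob-attestation command line.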

Labels

area/cli, bug (Something isn't working)
