Description
We observe that `cosign sign` started to fail with the Artifactory Registry from commit 17cc138 / #2929. The `cosign` client sends a GET request with a tag derived from the digest but with `:` changed to `-` and `.sig` appended, such as:
GET https://docker.xyz.com:4443/v2/dmitris777/scratch-3047c035/manifests/sha256-766b3e7864fcccb18ca4bd0d3a396c8ee16da4fe5b321ccbae79bec32c95139f.sig
It does so to check whether a signature image already exists, expecting the "regular" 404 (Not Found) if there is no such tag. Unfortunately, some Docker registries such as JFrog Artifactory apparently return 403 (Forbidden) instead of 404 for `/v2/<image>/manifests/<reference>` when `<reference>` is a non-existing tag:
```
$ curl -v -i -H "$acc" -H "$host" -H "$jwt" https://docker.xyz.com:4443/v2/dmitris777/scratch-3047c035/manifests/xyznosuch
< HTTP/1.1 403
{"errors":[{"code":"UNAUTHORIZED","message":"The client does not have permission for manifest: Download request for repo:path 'docker-ouroath-cache:dmitris777/scratch-3047c035/xyznosuch/list.manifest.json' is forbidden for user: 'token:dockerwrite'.","detail":{"manifest":"dmitris777/scratch-3047c035"}}]}
```
It may be related to https://jfrog.atlassian.net/browse/RTFACT-13797 "Artifactory return 403 instead of 404 for non-existing artifacts in virtual repositories."
The proposed workaround is to treat the 403 response the same way as 404 when checking for the existence of the signature image and not raise a hard/fatal error in this case. This is similar to a recent change in https://github.com/google/go-containerregistry/pull/1691/files. When testing with the modification in #2972, I was able to run `cosign sign` (and the subsequent `cosign verify`).
/cc @jonjohnsonjr
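The following Go program is an added example, not code from the cosign project or from the reporter, illustrating the two behaviours discussed above: deriving the `.sig` tag from a digest, and probing the registry for that tag while optionally treating a 403 like a 404. The `NewFakeArtifactory` server, the `SignatureExists`/`SignatureTag` function names, the `tolerate403` switch and the `ErrRegistry` sentinel are all assumptions made for this example; the fake server is a constructed stand-in that answers 403 for unknown manifests, as the issue describes Artifactory doing.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SignatureTag derives the tag under which a signature is stored for an image
// digest: "sha256:<hex>" becomes "sha256-<hex>.sig", since ':' is not a valid
// tag character. (Helper name is an assumption for this example.)
func SignatureTag(digest string) (string, error) {
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo == "" || hex == "" {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return algo + "-" + hex + ".sig", nil
}

// ErrRegistry marks a status code that means neither "exists" nor "absent".
var ErrRegistry = errors.New("unexpected registry response")

// SignatureExists issues GET /v2/<repo>/manifests/<tag> and reports whether a
// signature image is already present. 200 means present, 404 means absent.
// With tolerate403 set, a 403 is also read as "absent" (the workaround
// proposed in the issue); otherwise it is surfaced as an error.
func SignatureExists(client *http.Client, registry, repo, tag string, tolerate403 bool) (bool, error) {
	url := fmt.Sprintf("%s/v2/%s/manifests/%s", registry, repo, tag)
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Accept", "application/vnd.oci.image.manifest.v1+json")
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusOK:
		return true, nil
	case resp.StatusCode == http.StatusNotFound:
		return false, nil
	case resp.StatusCode == http.StatusForbidden && tolerate403:
		return false, nil
	default:
		return false, fmt.Errorf("%w: GET %s -> %d", ErrRegistry, url, resp.StatusCode)
	}
}

// NewFakeArtifactory is a constructed stand-in for a registry that answers
// 403 rather than 404 for any manifest reference it does not know about.
// Tags present in `known` are served with 200.
func NewFakeArtifactory(known map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(r.URL.Path, "/manifests/")
		if len(parts) == 2 && known[parts[1]] {
			w.Header().Set("Content-Type", "application/vnd.oci.image.manifest.v1+json")
			w.WriteHeader(http.StatusOK)
			fmt.Fprint(w, `{"schemaVersion":2}`)
			return
		}
		w.WriteHeader(http.StatusForbidden)
		fmt.Fprint(w, `{"errors":[{"code":"UNAUTHORIZED","message":"The client does not have permission for manifest"}]}`)
	}))
}

func main() {
	digest := "sha256:766b3e7864fcccb18ca4bd0d3a396c8ee16da4fe5b321ccbae79bec32c95139f"
	tag, _ := SignatureTag(digest)
	srv := NewFakeArtifactory(map[string]bool{}) // no signatures stored yet
	defer srv.Close()
	repo := "dmitris777/scratch-3047c035"

	// Strict handling: the 403 aborts the existence check with an error.
	_, err := SignatureExists(srv.Client(), srv.URL, repo, tag, false)
	fmt.Println("strict:", err)

	// Tolerant handling: the 403 is read as "no signature yet".
	exists, err := SignatureExists(srv.Client(), srv.URL, repo, tag, true)
	fmt.Println("tolerant: exists =", exists, "err =", err)
}
```

Reading 403 as "absent" only changes what the existence probe concludes; a client that genuinely lacks permission still fails at the subsequent manifest upload, where the registry's error is reported directly, so the relaxation does not silently skip signing. Keeping the strict path behind a switch makes it easy to confirm which registries need the workaround.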