
Expected cosign verify-attestation to validate an attestation of type spdxjson; Got error #2494

Open
spiffcs opened this issue Nov 29, 2022 · 0 comments
Labels
bug Something isn't working

Comments

@spiffcs (Contributor)

spiffcs commented Nov 29, 2022

Description
👋 Thanks for looking at this issue

I noticed some changes in cosign the other day and wanted to get some clarification from the community:

Running the attest command is still producing the correct output I expect:

$ COSIGN_EXPERIMENTAL=1 cosign attest --predicate test_spdx_scratch.json --type spdxjson caphill4/scratch:latest

..........
Successfully verified SCT...
Using payload from: test_spdx_scratch.json
using ephemeral certificate:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

tlog entry created with index: 8106991

When I go to do any kind of validation now though it expects a custom type:

COSIGN_EXPERIMENTAL=1 cosign verify-attestation caphill4/scratch:latest
Error: none of the attestations matched the predicate type: custom
main.go:62: error during command execution: none of the attestations matched the predicate type: custom

I did not expect this error since I passed a known spdxjson type to the command.

I'm also seeing the same behavior in the syft integration which used its own custom type not present here:

// Predicate type options and their URIs (the mapping quoted from cosign; package
// clause and import paths added here as they appear in cosign v1.x, assumed).
package options

import (
	"github.com/in-toto/in-toto-golang/in_toto"
	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
	"github.com/sigstore/cosign/pkg/cosign/attestation"
)

const (
	PredicateCustom    = "custom"
	PredicateSLSA      = "slsaprovenance"
	PredicateSPDX      = "spdx"
	PredicateSPDXJSON  = "spdxjson"
	PredicateCycloneDX = "cyclonedx"
	PredicateLink      = "link"
	PredicateVuln      = "vuln"
)

// PredicateTypeMap is the mapping between the predicate `type` option to predicate URI.
var PredicateTypeMap = map[string]string{
	PredicateCustom:    attestation.CosignCustomProvenanceV01,
	PredicateSLSA:      slsa.PredicateSLSAProvenance,
	PredicateSPDX:      in_toto.PredicateSPDX,
	PredicateSPDXJSON:  in_toto.PredicateSPDX,
	PredicateCycloneDX: in_toto.PredicateCycloneDX,
	PredicateLink:      in_toto.PredicateLinkV1,
	PredicateVuln:      attestation.CosignVulnProvenanceV01,
}

Is it expected for all attestations going forward to use custom, or is there a bug where verify-attestation should be more permissive for the types?
Version

  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    1.13.1
GitCommit:     d1c6336475b4be26bb7fb52d97f56ea0a1767f9f
GitTreeState:  "clean"
BuildDate:     2022-10-17T18:00:05Z
GoVersion:     go1.19.2
Compiler:      gc
Platform:      darwin/amd64
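An added example, not cosign's own code and not part of the issue above: a small Go program that mirrors how a predicate-type filter over DSSE attestation envelopes behaves, using the option-to-URI map quoted in the issue. It shows why an SPDX attestation is not found when the filter is run with the default option "custom" (the type named in the error text) and is found when the filter is run with "spdxjson", the same type passed at attest time. The predicate URI constants, the DSSE and in-toto field layout, and the sample envelope are assumptions I constructed for the example.

```go
// Added example (not cosign's own code): reproduces the predicate-type
// matching behind "none of the attestations matched the predicate type: ...".
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Predicate URIs that the PredicateTypeMap constants in the issue resolve to
// (values as I know them from in-toto-golang and cosign v1; treat as assumed).
const (
	cosignCustomProvenanceV01 = "https://cosign.sigstore.dev/attestation/v1"
	predicateSLSAProvenance   = "https://slsa.dev/provenance/v0.2"
	predicateSPDX             = "https://spdx.dev/Document"
	predicateCycloneDX        = "https://cyclonedx.org/bom"
	predicateLinkV1           = "https://in-toto.io/Link/v1"
	cosignVulnProvenanceV01   = "https://cosign.sigstore.dev/attestation/vuln/v1"
)

// predicateTypeMap mirrors the --type option -> URI mapping quoted in the issue.
var predicateTypeMap = map[string]string{
	"custom":         cosignCustomProvenanceV01,
	"slsaprovenance": predicateSLSAProvenance,
	"spdx":           predicateSPDX,
	"spdxjson":       predicateSPDX,
	"cyclonedx":      predicateCycloneDX,
	"link":           predicateLinkV1,
	"vuln":           cosignVulnProvenanceV01,
}

// dsseEnvelope is the subset of a DSSE envelope needed here: the base64 payload.
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
}

// statement is the subset of an in-toto Statement needed here.
type statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
}

// matchPredicateType decodes each envelope's payload and keeps the statements
// whose predicateType equals the URI for the requested --type option.
func matchPredicateType(envelopes []dsseEnvelope, typeOption string) ([]statement, error) {
	want, ok := predicateTypeMap[typeOption]
	if !ok {
		return nil, fmt.Errorf("invalid predicate type: %s", typeOption)
	}
	var matched []statement
	for _, env := range envelopes {
		raw, err := base64.StdEncoding.DecodeString(env.Payload)
		if err != nil {
			return nil, fmt.Errorf("decoding payload: %w", err)
		}
		var st statement
		if err := json.Unmarshal(raw, &st); err != nil {
			return nil, fmt.Errorf("unmarshalling statement: %w", err)
		}
		if st.PredicateType == want {
			matched = append(matched, st)
		}
	}
	if len(matched) == 0 {
		return nil, fmt.Errorf("none of the attestations matched the predicate type: %s", typeOption)
	}
	return matched, nil
}

// sampleSPDXEnvelope builds a constructed envelope shaped like what
// `cosign attest --type spdxjson` uploads (SBOM body omitted; only the
// statement header matters for the type check).
func sampleSPDXEnvelope() dsseEnvelope {
	body := `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","subject":[{"name":"caphill4/scratch"}],"predicate":{}}`
	return dsseEnvelope{
		PayloadType: "application/vnd.in-toto+json",
		Payload:     base64.StdEncoding.EncodeToString([]byte(body)),
	}
}

func main() {
	envs := []dsseEnvelope{sampleSPDXEnvelope()}
	// Filtering with "custom" (the type named in the issue's error) finds nothing.
	if _, err := matchPredicateType(envs, "custom"); err != nil {
		fmt.Println("Error:", err)
	}
	// Filtering with the type used at attest time finds the SPDX attestation.
	if m, err := matchPredicateType(envs, "spdxjson"); err == nil {
		fmt.Println("matched predicateType:", m[0].PredicateType)
	}
}
```

The point the example makes is that "spdx" and "spdxjson" map to the same URI, so an attestation produced with either option is only found when the verifier's filter resolves to that URI; a filter left at "custom" resolves to a different URI and reports no match even though the attestation is present and valid.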