diff --git a/cmd/cosign/cli/copy/copy.go b/cmd/cosign/cli/copy/copy.go
index 6575c71fb4be..6e8d8391064c 100644
--- a/cmd/cosign/cli/copy/copy.go
+++ b/cmd/cosign/cli/copy/copy.go
@@ -80,7 +80,10 @@ func CopyCmd(ctx context.Context, regOpts options.RegistryOptions, srcImg, dstIm
 }
 onlyFlagSet := false
- tags := parseOnlyOpt(copyOnly, sigOnly)
+ tags, err := parseOnlyOpt(copyOnly, sigOnly)
+ if err != nil {
+ return err
+ }
 if len(tags) > 0 {
 onlyFlagSet = true
 } else {
@@ -180,13 +183,20 @@ func remoteCopy(ctx context.Context, pusher *remote.Pusher, src, dest name.Refer
 return pusher.Push(ctx, dest, got)
 }
-func parseOnlyOpt(onlyFlag string, sigOnly bool) []tagMap {
+func parseOnlyOpt(onlyFlag string, sigOnly bool) ([]tagMap, error) {
 var tags []tagMap
 tagSet := sets.New(strings.Split(onlyFlag, ",")...)
 if sigOnly {
 fmt.Fprintf(os.Stderr, "--sig-only is deprecated, use --only=sig instead")
- tagSet.Insert("sign")
+ tagSet.Insert("sig")
+ }
+
+ validTags := sets.New("sig", "sbom", "att")
+ for tag := range tagSet {
+ if !validTags.Has(tag) {
+ return nil, fmt.Errorf("invalid value for --only: %s, only following values are supported, %s", tag, validTags)
+ }
 }
 if tagSet.Has("sig") {
@@ -198,5 +208,5 @@ func parseOnlyOpt(onlyFlag string, sigOnly bool) []tagMap {
 if tagSet.Has("att") {
 tags = append(tags, ociremote.AttestationTag)
 }
- return tags
+ return tags, nil
 }
diff --git a/cmd/cosign/cli/options/copy.go b/cmd/cosign/cli/options/copy.go
index 7f4d5f373caf..940818637154 100644
--- a/cmd/cosign/cli/options/copy.go
+++ b/cmd/cosign/cli/options/copy.go
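Review bot: In the second hunk of cmd/cosign/cli/copy/copy.go, the new validation loop in `parseOnlyOpt` also runs when `--only` is unset: `strings.Split("", ",")` returns a one-element slice holding the empty string, so `tagSet` contains `""`, `validTags.Has("")` is false, and the function returns an error. The first hunk calls `parseOnlyOpt` unconditionally in `CopyCmd` and the flag's default is `""`, so, assuming `copyOnly` carries the raw flag value, a plain `cosign copy` without `--only` would fail with `invalid value for --only: ` instead of copying everything. Skip the empty entry before validating, e.g. `if tag == "" { continue }` as the first statement of the loop, and print the offending value with `%q` so an empty or whitespace-padded entry (`--only=sig, att`) is visible in the message. `validTags` formatted with `%s` likely prints the set's underlying map form rather than a readable list; a fixed string such as `sig, sbom, att` would read better. A table test covering `parseOnlyOpt("", false)` would pin the default case.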
@@ -35,7 +35,7 @@ func (o *CopyOptions) AddFlags(cmd *cobra.Command) { o.Registry.AddFlags(cmd) cmd.Flags().StringVar(&o.CopyOnly, "only", "", - "custom string array to only copy specific items, this flag is comma delimited. ex: --only=sbom,sign,att") + "custom string array to only copy specific items, this flag is comma delimited. ex: --only=sig,att,sbom") cmd.Flags().BoolVar(&o.SignatureOnly, "sig-only", false, "[DEPRECATED] only copy the image signature") diff --git a/doc/cosign_copy.md b/doc/cosign_copy.md index 5cce9b638d5d..467a43022655 100644 --- a/doc/cosign_copy.md +++ b/doc/cosign_copy.md @@ -36,7 +36,7 @@ cosign copy [flags] -f, --force overwrite destination image(s), if necessary -h, --help help for copy --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). - --only string custom string array to only copy specific items, this flag is comma delimited. ex: --only=sbom,sign,att + --only string custom string array to only copy specific items, this flag is comma delimited. ex: --only=sig,att,sbom --platform string only copy container image and its signatures for a specific platform image --registry-password string registry basic auth password --registry-token string registry bearer auth token
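Review bot: The help string for `--only` in `AddFlags` (cmd/cosign/cli/options/copy.go) still presents `sig,att,sbom` only as an example, while `parseOnlyOpt` now rejects every other value; it should state the accepted set, e.g. `"comma-delimited list of items to copy; accepted values: sig, att, sbom. ex: --only=sig,att"`. The valid values then live in two places (this string and `validTags` in copy.go), so a short comment next to one pointing at the other would help keep them in step. `AddFlags` continues outside the hunk.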