
Update warning when users sign images by tag.
See sigstore#2047.

Signed-off-by: Zachary Newman <zjn@chainguard.dev>
znewman01 committed Oct 13, 2022
1 parent e3a4aa6 commit b8c257f
Showing 3 changed files with 20 additions and 4 deletions.
6 changes: 5 additions & 1 deletion cmd/cosign/cli/sign.go
Expand Up @@ -32,7 +32,11 @@ func Sign() *cobra.Command {
cmd := &cobra.Command{
Use: "sign",
Short: "Sign the supplied container image.",
Long: "Sign the supplied container image.",
Long: `Sign the supplied container image.
Images should be specified by digest (example.com/image@sha256:abcdef...) rather
than tag (example.com/image:latest).
`,
Example: ` cosign sign --key <key path>|<kms uri> [--payload <path>] [-a key=value] [--upload=true|false] [-f] [-r] <image uri>
# sign a container image with Google sign-in (experimental)
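Review bot: The new `Long` text tells users to prefer a digest but gives no reason, and the reason is what makes a user actually change the habit; I would add one sentence after the `than tag (example.com/image:latest).` line: `A tag is mutable and can be re-pointed at different content at any time, so signing by tag can sign something other than the image you inspected; a digest pins the exact content.` The stderr warning this same commit adds in sign/sign.go also says the tag form will be removed in a future release, so the help text could state that deprecation too, where users see it before running the command. The `cobra.Command` literal and `Sign()` continue past the end of the hunk.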
14 changes: 11 additions & 3 deletions cmd/cosign/cli/sign/sign.go
Expand Up @@ -57,6 +57,14 @@ import (
_ "github.com/sigstore/cosign/pkg/providers/all"
)

const TagReferenceMessage string = `WARNING: Image reference %s uses a tag, not a digest, to identify the image to sign.
This can lead you to sign a different image than the intended one. Please use a
digest (example.com/ubuntu@sha256:abc123...) rather than tag
(example.com/ubuntu:latest) for the input to cosign. The ability to refer to
images by tag will be removed in a future release.
`

func ShouldUploadToTlog(ctx context.Context, ref name.Reference, force bool, noTlogUpload bool, url string) bool {
// Check whether experimental is on!
if !options.EnableExperimental() {
Expand Down Expand Up @@ -151,9 +159,9 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist
return fmt.Errorf("unable to resolve attachment %s for image %s", attachment, inputImg)
}

if _, ok := ref.(name.Tag); ok {
fmt.Println("Warning: Tag used in reference to identify the image. Consider supplying the digest for immutability.")
}
if _, ok := ref.(name.Tag); ok {
fmt.Fprintf(os.Stderr, TagReferenceMessage, inputImg)
}

if digest, ok := ref.(name.Digest); ok && !recursive {
se, err := ociremote.SignedEntity(ref, opts...)
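Review bot: The exported `TagReferenceMessage` added in the first hunk has no doc comment, and since it is consumed as a format string on the `fmt.Fprintf` line in the second hunk, a reader of the const alone cannot tell that its `%s` is the image reference; I would add `// TagReferenceMessage is the warning printed to stderr when the image to sign is identified by tag rather than digest; it takes the image reference as its single %s argument.` above the const. Writing the warning to stderr instead of stdout is the right move, because a tag-referenced image is still signed and anything consuming stdout should not get the warning mixed in; the `os` import that line needs is outside the hunk, so confirm it is present. The warning names the reference the user typed but not the digest it resolves to; if the tag path resolves a digest later in SignCmd (outside this hunk), printing that digest alongside the warning would let the user confirm which image content was actually signed. SignCmd starts and ends outside the hunk.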
4 changes: 4 additions & 0 deletions doc/cosign_sign.md

