add note about using image tag vs digest

equinixmetal-buildkite · Jun 17, 2024 · 1896729 · 1896729
1 parent 6968f8d
commit 1896729
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -36,7 +36,7 @@ step with the private Sigstore instance:
 steps:
   - plugins:
       - equinixmetal-buildkite/cosign#v0.1.0:
-          image: "ghcr.io/my-project/my-image:latest"
+          image: "ghcr.io/my-project/my-image@sha256:1e1e4f97dd84970160975922715909577d6c12eaaf6047021875674fa7166c27"
           public-sigstore: false
           keyless-config:
             fulcio-url: "https://fulcio.my-sigstore.dev"
@@ -51,6 +51,13 @@ steps:
 
 References the image to sign.
 
+It is strongly recommended to use image digest instead of image tag. Otherwise, you might get a warning from cosign, or it might not work:
+>WARNING: Image reference ghcr.io/my-project/my-image:v1.2.3 uses a tag, not a digest, to identify the image to sign.
+    This can lead you to sign a different image than the intended one. Please use a
+    digest (example.com/ubuntu@sha256:abc123...) rather than tag
+    (example.com/ubuntu:latest) for the input to cosign. The ability to refer to
+    images by tag will be removed in a future release.
+
 ### `public-sigstore` (Optional, boolean)
 
 If set to `true`, the plugin will use the Public-Good Sigstore Instance.

diff --git a/hooks/post-command b/hooks/post-command
@@ -33,7 +33,6 @@ display_success() {
   buildkite-agent annotate --style success "$message<br />" --context "$ctx"
 }
 
-
 # Parameters
 ############
 
@@ -62,26 +61,26 @@ cosign_keyless() {
 
     rm -f out.sig
 
-    # using the Public-Good Sigstore Instance
+    # using the public-good sigstore instance
     if [[ "${is_public}" == true ]]; then
-        # sign the image using default Sigstore components
+        # sign the image using default sigstore components
         cosign sign \
             -y \
             --output-signature=out.sig \
             "${image}"
     else
         if [[ -z "${fulcio_url}" || -z "${rekor_url}" || -z "${tuf_mirror_url}" || -z "${tuf_root_url}" ]]; then
-            fail_with_message "cosign" "Private Sigstore instance URL(s) not specified"
+            fail_with_message "cosign" "Custom sigstore instance url(s) not specified"
         else
-            # initialise the cosign configuration for the private Sigstore instance
+            # initialise the cosign configuration for the custom sigstore instance
             cosign initialize --mirror "${tuf_mirror_url}" --root "${tuf_root_url}"
 
             status=$?
             if [[ $status -ne 0 ]]; then
                 fail_with_message "cosign" "Failed to initialise"
             fi
 
-            # sign the image using custom Sigstore components
+            # sign the image using custom sigstore components
             cosign sign \
                 -y \
                 --fulcio-url="${fulcio_url}" \