diff --git a/README.md b/README.md index d63ed5f..a4fcc33 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ step with the private Sigstore instance: steps: - plugins: - equinixmetal-buildkite/cosign#v0.1.0: - image: "ghcr.io/my-project/my-image:latest" + image: "ghcr.io/my-project/my-image@sha256:1e1e4f97dd84970160975922715909577d6c12eaaf6047021875674fa7166c27" public-sigstore: false keyless-config: fulcio-url: "https://fulcio.my-sigstore.dev" @@ -51,6 +51,13 @@ steps: References the image to sign. +It is strongly recommended to use image digest instead of image tag. Otherwise, you might get a warning from cosign, or it might not work: +>WARNING: Image reference ghcr.io/my-project/my-image:v1.2.3 uses a tag, not a digest, to identify the image to sign. + This can lead you to sign a different image than the intended one. Please use a + digest (example.com/ubuntu@sha256:abc123...) rather than tag + (example.com/ubuntu:latest) for the input to cosign. The ability to refer to + images by tag will be removed in a future release. + ### `public-sigstore` (Optional, boolean) If set to `true`, the plugin will use the Public-Good Sigstore Instance. diff --git a/hooks/post-command b/hooks/post-command index be3638e..836521e 100755 --- a/hooks/post-command +++ b/hooks/post-command @@ -33,7 +33,6 @@ display_success() { buildkite-agent annotate --style success "$message
" --context "$ctx" } - # Parameters ############ @@ -62,18 +61,18 @@ cosign_keyless() { rm -f out.sig - # using the Public-Good Sigstore Instance + # using the public-good sigstore instance if [[ "${is_public}" == true ]]; then - # sign the image using default Sigstore components + # sign the image using default sigstore components cosign sign \ -y \ --output-signature=out.sig \ "${image}" else if [[ -z "${fulcio_url}" || -z "${rekor_url}" || -z "${tuf_mirror_url}" || -z "${tuf_root_url}" ]]; then - fail_with_message "cosign" "Private Sigstore instance URL(s) not specified" + fail_with_message "cosign" "Custom sigstore instance url(s) not specified" else - # initialise the cosign configuration for the private Sigstore instance + # initialise the cosign configuration for the custom sigstore instance cosign initialize --mirror "${tuf_mirror_url}" --root "${tuf_root_url}" status=$? @@ -81,7 +80,7 @@ cosign_keyless() { fail_with_message "cosign" "Failed to initialise" fi - # sign the image using custom Sigstore components + # sign the image using custom sigstore components cosign sign \ -y \ --fulcio-url="${fulcio_url}" \