From 18967294e8eabd3ede63f67e8bf51fd8ff10b9fa Mon Sep 17 00:00:00 2001
From: Predrag Rogic
Date: Mon, 17 Jun 2024 10:18:10 +0100
Subject: [PATCH] add note about using image tag vs digest

---
 README.md | 9 ++++++++-
 hooks/post-command | 11 +++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index d63ed5f..a4fcc33 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ step with the private Sigstore instance:
 steps:
 - plugins:
 - equinixmetal-buildkite/cosign#v0.1.0:
- image: "ghcr.io/my-project/my-image:latest"
+ image: "ghcr.io/my-project/my-image@sha256:1e1e4f97dd84970160975922715909577d6c12eaaf6047021875674fa7166c27"
 public-sigstore: false
 keyless-config:
 fulcio-url: "https://fulcio.my-sigstore.dev"
@@ -51,6 +51,13 @@ steps:
 References the image to sign.
+It is strongly recommended to use image digest instead of image tag. Otherwise, you might get a warning from cosign, or it might not work:
+>WARNING: Image reference ghcr.io/my-project/my-image:v1.2.3 uses a tag, not a digest, to identify the image to sign. This can lead you to sign a different image than the intended one. Please use a digest (example.com/ubuntu@sha256:abc123...) rather than tag (example.com/ubuntu:latest) for the input to cosign. The ability to refer to images by tag will be removed in a future release.
+
 ### `public-sigstore` (Optional, boolean)
 If set to `true`, the plugin will use the Public-Good Sigstore Instance.
diff --git a/hooks/post-command b/hooks/post-command
index be3638e..836521e 100755
--- a/hooks/post-command
+++ b/hooks/post-command
@@ -33,7 +33,6 @@ display_success() {
 buildkite-agent annotate --style success "$message
" --context "$ctx" } - # Parameters ############ @@ -62,18 +61,18 @@ cosign_keyless() { rm -f out.sig - # using the Public-Good Sigstore Instance + # using the public-good sigstore instance if [[ "${is_public}" == true ]]; then - # sign the image using default Sigstore components + # sign the image using default sigstore components cosign sign \ -y \ --output-signature=out.sig \ "${image}" else if [[ -z "${fulcio_url}" || -z "${rekor_url}" || -z "${tuf_mirror_url}" || -z "${tuf_root_url}" ]]; then - fail_with_message "cosign" "Private Sigstore instance URL(s) not specified" + fail_with_message "cosign" "Custom sigstore instance url(s) not specified" else - # initialise the cosign configuration for the private Sigstore instance + # initialise the cosign configuration for the custom sigstore instance cosign initialize --mirror "${tuf_mirror_url}" --root "${tuf_root_url}" status=$? @@ -81,7 +80,7 @@ cosign_keyless() { fail_with_message "cosign" "Failed to initialise" fi - # sign the image using custom Sigstore components + # sign the image using custom sigstore components cosign sign \ -y \ --fulcio-url="${fulcio_url}" \