respect least surprise principle - keep default keyless and warnings

equinixmetal-buildkite · Jul 1, 2024 · bb24bfa · bb24bfa
1 parent d07e399
commit bb24bfa
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ The following code snippets demonstrates how to use the plugin in a pipeline
 step with the configuration parameters and upload the signature to the same
 repository as the container image.
 
-### Keyless signing
+### Keyless signing (default)
 
 #### Using the Public-Good Sigstore Instance
 
@@ -43,7 +43,6 @@ steps:
   - plugins:
       - equinixmetal-buildkite/cosign#v0.1.0:
           image: "ghcr.io/my-project/my-image@sha256:1e1e4f97dd84970160975922715909577d6c12eaaf6047021875674fa7166c27"
-          keyless: true
 ```
 
 #### Using a custom/private Sigstore Instance
@@ -53,15 +52,14 @@ steps:
   - plugins:
       - equinixmetal-buildkite/cosign#v0.1.0:
           image: "ghcr.io/my-project/my-image@sha256:1e1e4f97dd84970160975922715909577d6c12eaaf6047021875674fa7166c27"
-          keyless: true
           keyless-config:
             tuf-mirror-url: "https://tuf.my-sigstore.dev"
             tuf-root-url: "https://tuf.my-sigstore.dev/root.json"
             rekor-url: "https://rekor.my-sigstore.dev"
             fulcio-url: "https://fulcio.my-sigstore.dev"
 ```
 
-### Keyed signing (default)
+### Keyed signing
 
 Note: Currently, only the file-based keyed signing is supported.
 
@@ -74,6 +72,7 @@ steps:
   - plugins:
       - equinixmetal-buildkite/cosign#v0.1.0:
           image: "ghcr.io/my-project/my-image@sha256:1e1e4f97dd84970160975922715909577d6c12eaaf6047021875674fa7166c27"
+          keyless: false
           keyed-config:
             key: "/path-to/cosign.key"
 ```
@@ -85,6 +84,7 @@ steps:
   - plugins:
       - equinixmetal-buildkite/cosign#v0.1.0:
           image: "ghcr.io/my-project/my-image@sha256:1e1e4f97dd84970160975922715909577d6c12eaaf6047021875674fa7166c27"
+          keyless: false
           keyed-config:
             tuf-mirror-url: "https://tuf.my-sigstore.dev"
             tuf-root-url: "https://tuf.my-sigstore.dev/root.json"
@@ -104,7 +104,7 @@ See `Important notes` above for details.
 ### `keyless` (Optional, boolean)
 
 If set to `true`, the plugin will use keyless signatures. If set to `false`, the
-plugin will use a keypair. If not specified, the plugin will default to `false`.
+plugin will use a keypair. If not specified, the plugin will default to `true`.
 
 ### `keyless-config` (Optional, object)
 

diff --git a/hooks/post-command b/hooks/post-command
@@ -76,7 +76,7 @@ sigfile="sigstore-${random}.sig"
 # flags for the cosign sign command
 sign_flags=("-y" "--output-signature" "${sigfile}")
 
-is_keyless=${BUILDKITE_PLUGIN_COSIGN_KEYLESS:-false}
+is_keyless=${BUILDKITE_PLUGIN_COSIGN_KEYLESS:-true}
 
 # Hook functions
 ################

diff --git a/plugin.yml b/plugin.yml
@@ -14,7 +14,7 @@ configuration:
     keyless:
       type: boolean
       description: "Use keyless signing"
-      default: false
+      default: true
     keyless-config:
       type: object
       properties: