fix: don't warn about tag usage for cosign-generated references#4967
Open
ricardbejarano wants to merge 1 commit into
Open
fix: don't warn about tag usage for cosign-generated references#4967ricardbejarano wants to merge 1 commit into
ricardbejarano wants to merge 1 commit into
Conversation
When signing a cosign-generated discovery tag (for example the "sha256-<digest>.att" reference produced by `cosign triangulate`), ParseOCIReference emitted the "uses a tag, not a digest" warning. Those tags are derived from an image digest, so the warning is both inaccurate and confusing to users who are intentionally signing an attestation, signature or SBOM artifact. Skip the warning for the sha256-<digest>.sig/.att/.sbom tag form, while still warning for ordinary mutable tags. Fixes sigstore#3995 Signed-off-by: bejaratommy <tommy@bejara.net>
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4967 +/- ##
==========================================
- Coverage 40.10% 38.54% -1.57%
==========================================
Files 155 209 +54
Lines 10044 12994 +2950
==========================================
+ Hits 4028 5008 +980
- Misses 5530 7276 +1746
- Partials 486 710 +224 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Contributor
|
I think the warning still applies here, since it is still a tag and so it still is mutable, right? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #3995.
When signing a cosign-generated discovery tag — e.g. the
sha256-<digest>.attreference returned bycosign triangulate ... --type attestation—ParseOCIReferenceprinted:That warning is misleading here: these tags are derived from an image digest, so they already pin to specific content, and the user is deliberately signing the attestation/signature/SBOM artifact rather than a mutable image tag.
Changes
ParseOCIReferencenow skips the tag warning when the reference is one of cosign's own digest-derived discovery tags (sha256-<digest>.sig,.att,.sbom). Ordinary mutable tags still warn as before, and digest references continue to be silent.ociremote.{Signature,Attestation,SBOM}TagSuffixconstants so it stays in sync with cosign's tag scheme.Test_ParseOCIReferencewith cases for each generated suffix (no warning) and a look-alike taglatest.att(still warns).Notes
CHANGELOG.md is release-generated, so it is intentionally left untouched. No Go toolchain was available locally; relied on CI for
go test/lint.