Skip to content

fix: don't warn about tag usage for cosign-generated references#4967

Open
ricardbejarano wants to merge 1 commit into
sigstore:mainfrom
bejaratommy:fix/parseocireference-cosign-tag-warning
Open

fix: don't warn about tag usage for cosign-generated references#4967
ricardbejarano wants to merge 1 commit into
sigstore:mainfrom
bejaratommy:fix/parseocireference-cosign-tag-warning

Conversation

@ricardbejarano

Copy link
Copy Markdown
Contributor

Summary

Fixes #3995.

When signing a cosign-generated discovery tag — e.g. the sha256-<digest>.att reference returned by cosign triangulate ... --type attestationParseOCIReference printed:

WARNING: Image reference <repo>:sha256-abc123.att uses a tag, not a digest, to identify the image to sign.
    ...

That warning is misleading here: these tags are derived from an image digest, so they already pin to specific content, and the user is deliberately signing the attestation/signature/SBOM artifact rather than a mutable image tag.

Changes

  • ParseOCIReference now skips the tag warning when the reference is one of cosign's own digest-derived discovery tags (sha256-<digest>.sig, .att, .sbom). Ordinary mutable tags still warn as before, and digest references continue to be silent.
  • The suffix set reuses the existing ociremote.{Signature,Attestation,SBOM}TagSuffix constants so it stays in sync with cosign's tag scheme.
  • Extended Test_ParseOCIReference with cases for each generated suffix (no warning) and a look-alike tag latest.att (still warns).

Notes

CHANGELOG.md is release-generated, so it is intentionally left untouched. No Go toolchain was available locally; relied on CI for go test/lint.

When signing a cosign-generated discovery tag (for example the
"sha256-<digest>.att" reference produced by `cosign triangulate`),
ParseOCIReference emitted the "uses a tag, not a digest" warning.
Those tags are derived from an image digest, so the warning is both
inaccurate and confusing to users who are intentionally signing an
attestation, signature or SBOM artifact.

Skip the warning for the sha256-<digest>.sig/.att/.sbom tag form, while
still warning for ordinary mutable tags.

Fixes sigstore#3995

Signed-off-by: bejaratommy <tommy@bejara.net>
@ricardbejarano ricardbejarano requested a review from a team as a code owner June 29, 2026 11:32
@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 38.54%. Comparing base (2ef6022) to head (7d47259).
⚠️ Report is 787 commits behind head on main.

Files with missing lines Patch % Lines
cmd/cosign/cli/signcommon/common.go 0.00% 12 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4967      +/-   ##
==========================================
- Coverage   40.10%   38.54%   -1.57%     
==========================================
  Files         155      209      +54     
  Lines       10044    12994    +2950     
==========================================
+ Hits         4028     5008     +980     
- Misses       5530     7276    +1746     
- Partials      486      710     +224     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@cmurphy

cmurphy commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

I think the warning still applies here, since it is still a tag and so it still is mutable, right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Signing an attestation generates a misleading warning

3 participants