From 2c2e0745038845d3a59773bf3ed342d9b6ab9734 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28Puerco=29?=
Date: Tue, 15 Mar 2022 22:57:06 -0600
Subject: [PATCH] Init entity from ociremote when signing a digest ref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit modifies the object used to seed the SignedEntity used when signing a digest reference to fix a bug where cosign would wipe out all signatures from the manifest (and not garbage-collecting previous signature layers) Before the entity was created from a `ociempty.SignedImage`. This cuased cosign to always wipe any previous signatures attached to the image. Now, cosign el init the entity from a `ociremote.SignedEntity` which will append new signatures to any existing ones.
Signed-off-by: Adolfo GarcĂ­a Veytia (Puerco)
---
 cmd/cosign/cli/sign/sign.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index fc21f670dfa..18d0d5d99e4 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -45,7 +45,6 @@ import (
 "github.com/sigstore/cosign/pkg/cosign/pkcs11key"
 cremote "github.com/sigstore/cosign/pkg/cosign/remote"
 "github.com/sigstore/cosign/pkg/oci"
- ociempty "github.com/sigstore/cosign/pkg/oci/empty"
 "github.com/sigstore/cosign/pkg/oci/mutate"
 ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 "github.com/sigstore/cosign/pkg/oci/walk"
@@ -147,7 +146,7 @@ func SignCmd(ro *options.RootOptions, ko KeyOpts, regOpts options.RegistryOption
 }
 
 if digest, ok := ref.(name.Digest); ok && !recursive {
- se, err := ociempty.SignedImage(ref)
+ se, err := ociremote.SignedEntity(ref, opts...)
 if err != nil {
 return errors.Wrap(err, "accessing image")
 }
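Review bot: The digest branch of SignCmd now relies on `ociremote.SignedEntity(ref, opts...)`, but nothing at the call site records why a remote lookup is needed, so a later cleanup could restore the empty entity and bring back the signature-wiping behaviour the commit message describes. I would add a comment above the call, for example `// Seed from the registry so existing signatures are kept; an empty entity replaces them on upload.` The diffstat shows only sign.go changed, so no regression test asserts that a signature already attached to a digest survives a second sign; lost signatures can silently break downstream verification policy, so that test is worth adding. The call presumably now fails when the digest cannot be read from the registry, where the empty entity needed no lookup, and every such failure surfaces as "accessing image"; please confirm that is intended. SignCmd's body continues outside the hunk.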