Description
A cosign digest $artifact-reference subcommand that can resolve an image tag to the digest.
Why
Signing (or any other operation) by tag is generally discouraged (ref #2047), as tags can be mutable and change between two different steps in a workflow (e.g. publish and sign).
In most cases, users should try to get an image digest from a previous step, e.g. directly from the output of their build tool.
However, there are situations where there is no previous stage that can produce an image digest, and we'd like to resolve a tag to a digest, and only use the digest going forward in a workflow.
Example: check if there's a signed copy of an image in a private mirror. If not, run processes to generate trust in the image (scanners), and push the signed result into the private mirror for use.
There are other tools that can do this, e.g. crane digest, but installing an extra tool that isn't otherwise needed seems wasteful. cosign already partially does this with cosign triangulate (the digest is used as the tag for the signature) and some massaging of the output can turn it into the digest, but it would be nice not to have to do that:
$ cosign triangulate $image | tr ':-' '@:' | sed 's/\.sig$//'
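The one-liner above works for simple references, but `tr ':-' '@:'` rewrites every `:` and `-` in the string, so a registry with a port (`localhost:5000/...`) or a hyphen in the repository path (`my-org/app`) comes out mangled. The following is an added example, not code from the cosign project or from the issue author: a POSIX shell helper that parses the `cosign triangulate` output by structure instead (strip the `.sig` suffix, split on the last `:`, convert the `sha256-<hex>` tag back into `sha256:<hex>`) and validates the digest before emitting an `image@sha256:...` reference to carry forward in the workflow. It assumes cosign's default signature tag layout of `<repo>:sha256-<hex>.sig`; the sample inputs in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the cosign project): turn a cosign signature tag
# (<repo>:sha256-<hex>.sig, cosign's default layout) into <repo>@sha256:<hex>.
# Unlike `tr ':-' '@:'`, this keeps ports and hyphens in the repository intact.

sig_tag_to_digest_ref() {
  sig="$1"
  case "$sig" in
    *.sig) ;;
    *) echo "unexpected signature tag (no .sig suffix): $sig" >&2; return 1 ;;
  esac
  base="${sig%.sig}"   # drop the trailing .sig
  repo="${base%:*}"    # everything before the LAST ':' (ports/hyphens survive)
  tag="${base##*:}"    # the digest-derived tag: sha256-<hex>
  case "$tag" in
    sha256-*) ;;
    *) echo "unexpected digest tag: $tag" >&2; return 1 ;;
  esac
  hex="${tag#sha256-}"
  # A sha256 digest is exactly 64 lowercase hex characters; refuse anything else
  # so a malformed tag cannot become an image reference downstream.
  case "$hex" in
    *[!0-9a-f]*) echo "digest is not lowercase hex: $hex" >&2; return 1 ;;
  esac
  [ "${#hex}" -eq 64 ] || { echo "digest has wrong length: $hex" >&2; return 1; }
  printf '%s@sha256:%s\n' "$repo" "$hex"
}

# The issue's original pipeline, wrapped so its behaviour on awkward inputs
# can be compared offline (no cosign call here; the signature tag is passed in).
naive_sig_tag_to_digest_ref() {
  printf '%s\n' "$1" | tr ':-' '@:' | sed 's/\.sig$//'
}

# Live use: resolve a tag with cosign (network + cosign binary required) and
# print the digest reference to use for every later step.
resolve_digest() {
  sig_tag_to_digest_ref "$(cosign triangulate "$1")"
}

if [ $# -gt 0 ]; then
  resolve_digest "$1"
fi
```

Typical use is `IMG="$(./resolve_digest.sh ghcr.io/my-org/app:latest)"` once at the start of the workflow, then signing, scanning and mirroring `"$IMG"` only; the tag is never consulted again, so a retag between steps cannot change what gets signed.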