From e924c716da18aa07bad02bb0cdf4aea79c3b74d9 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Wed, 5 Oct 2022 15:00:53 +0100
Subject: [PATCH] adding warning to pin to digest

Signed-off-by: chaosinthecrd
---
 cmd/cosign/cli/sign/sign.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index 24d005b0b5c..dd003b9910d 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -151,6 +151,10 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist
 return fmt.Errorf("unable to resolve attachment %s for image %s", attachment, inputImg)
 }

+ if _, ok := ref.(name.Tag); ok {
+ fmt.Println("Warning: Tag used in reference to identify the image. Consider supplying the digest for immutability.")
+ }
+
 if digest, ok := ref.(name.Digest); ok && !recursive {
 se, err := ociremote.SignedEntity(ref, opts...)
 if err != nil {
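Review bot: The new tag warning is printed with `fmt.Println`, so it goes to stdout, where it can get mixed into output that scripts capture from the sign command; a diagnostic like this belongs on stderr, e.g. `fmt.Fprintln(os.Stderr, "WARNING: ...")` (this assumes `os` is already imported in sign.go, which the hunk does not show). The message would also help more if it named the reference and the actual risk: a tag can be repointed between build and signing, so the signature may be attached to a different image than the one that was reviewed. Something like `fmt.Fprintf(os.Stderr, "WARNING: %s is a tag, not a digest; the image it points to can change before signing, so sign by digest to be sure what is signed\n", inputImg)` would cover both. SignCmd's body starts and ends outside the hunk, so whether the resolved digest is reported to the user later is not visible here.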