Not related to this PR. Just noticed that when pushing an image, sign (line 152) happens after push (lines 133-150). Is this expected?
IIUC signing after pushing is ok (for cosign, at least), but the current implementation is wrong anyway; the Sign() function should receive the digest from the Push() function to prohibit TOCTOU.
(I'm mentioning this bug publicly because the cosign integration is still experimental for nerdctl)
nerdctl/pkg/cmd/image/push.go
Line 151 in 8a1f227
Originally posted by @AkihiroSuda in #2132 (comment)
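The gap described above, as an added example that is not nerdctl's or cosign's code: a tag is a mutable pointer, so a signer that re-resolves the tag after the push can end up covering a different digest than the one that was pushed. `Registry`, `SignByTag`, `SignByDigest`, `Demo` and the image name are hypothetical, and a bare ed25519 signature over the digest string stands in for the real signing step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Registry is a constructed in-memory stand-in for an OCI registry:
// tags are mutable pointers, digests are immutable content addresses.
type Registry struct{ tags map[string]string }

// Push moves the tag to the manifest and returns the digest it wrote.
func (r *Registry) Push(tag string, manifest []byte) string {
	digest := fmt.Sprintf("sha256:%x", sha256.Sum256(manifest))
	r.tags[tag] = digest
	return digest
}

// SignByTag resolves the tag at signing time (time of use), so the
// signature covers whatever the tag points to at that moment.
func SignByTag(r *Registry, key ed25519.PrivateKey, tag string) []byte {
	return ed25519.Sign(key, []byte(r.tags[tag]))
}

// SignByDigest signs exactly the digest that Push returned.
func SignByDigest(key ed25519.PrivateKey, digest string) []byte {
	return ed25519.Sign(key, []byte(digest))
}

// Demo pushes an image, lets a second writer move the tag before signing,
// and reports whether each signature covers the digest that was pushed.
func Demo() (tagSigCoversPush, digestSigCoversPush bool) {
	pub, key, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	r := &Registry{tags: map[string]string{}}
	pushed := r.Push("example/app:v1", []byte("manifest we built"))
	r.Push("example/app:v1", []byte("manifest from a second writer")) // tag moves in the gap
	tagSigCoversPush = ed25519.Verify(pub, []byte(pushed), SignByTag(r, key, "example/app:v1"))
	digestSigCoversPush = ed25519.Verify(pub, []byte(pushed), SignByDigest(key, pushed))
	return
}

func main() {
	byTag, byDigest := Demo()
	fmt.Println("sign-by-tag covers pushed digest:   ", byTag)
	fmt.Println("sign-by-digest covers pushed digest:", byDigest)
}
```

Passing the digest returned by the push into the signing call removes the second tag lookup, which is the only place the two references can diverge.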