Update spiffe-vault-cosign example instructions

Signed-off-by: Marco Franssen <marco.franssen@philips.com>
philips-labs · Nov 15, 2022 · 9ea7f3a · 9ea7f3a
1 parent 22690f8
commit 9ea7f3a
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/example/README.md b/example/README.md
@@ -63,8 +63,9 @@ In `k8s/spiffe-vault.yaml` we defined we want to use the `philipssoftware/spiffe
 Let's build this custom build now and then deploy our workload to Kubernetes.
 
 ```bash
+# from the example folder
 docker build -t philipssoftware/spiffe-vault-cosign:latest spiffe-vault-cosign
-helm -n my-app install my-app ../charts/spiffe-vault --create-namespace -f k8s/spiffe-vault.yaml
+helm -n my-app upgrade my-app ../charts/spiffe-vault --create-namespace --install -f k8s/spiffe-vault.yaml
 ```
 
 ### play with spiffe-vault
@@ -136,17 +137,22 @@ The push refers to repository [docker.io/marcofranssen/busybox]
 cfd97936a580: Mounted from library/busybox
 latest: digest: sha256:febcf61cd6e1ac9628f6ac14fa40836d16f3c6ddef3b303ff0321606e55ddd0b size: 527
 $ eval "$(spiffe-vault auth -role local)"
-$ cosign sign -key hashivault://cosign marcofranssen/busybox:latest
-Pushing signature to: index.docker.io/marcofranssen/busybox:sha256-febcf61cd6e1ac9628f6ac14fa40836d16f3c6ddef3b303ff0321606e55ddd0b.sig
-$ cosign verify -key hashivault://cosign marcofranssen/busybox:latest
+$ cosign sign --key hashivault://cosign marcofranssen/busybox:latest
+WARNING: Image reference marcofranssen/busybox:latest uses a tag, not a digest, to identify the image to sign.
 
-Verification for marcofranssen/busybox:latest --
+This can lead you to sign a different image than the intended one. Please use a
+digest (example.com/ubuntu@sha256:abc123...) rather than tag
+(example.com/ubuntu:latest) for the input to cosign. The ability to refer to
+images by tag will be removed in a future release.
+Pushing signature to: index.docker.io/marcofranssen/busybox
+$ cosign verify --key hashivault://cosign marcofranssen/busybox:latest
+
+Verification for index.docker.io/marcofranssen/busybox:latest --
 The following checks were performed on each of these signatures:
   - The cosign claims were validated
   - The signatures were verified against the specified public key
-  - Any certificates were verified against the Fulcio roots.
 
-[{"critical":{"identity":{"docker-reference":"index.docker.io/marcofranssen/busybox"},"image":{"docker-manifest-digest":"sha256:febcf61cd6e1ac9628f6ac14fa40836d16f3c6ddef3b303ff0321606e55ddd0b"},"type":"cosign container image signature"},"optional":null}]
+[{"critical":{"identity":{"docker-reference":"index.docker.io/marcofranssen/busybox"},"image":{"docker-manifest-digest":"sha256:dacd1aa51e0b27c0e36c4981a7a8d9d8ec2c4a74bf125c0a44d0709497a522e9"},"type":"cosign container image signature"},"optional":null}]
 ```
 
 [kubernetes]: https://kubernetes.io "Production-Grade Container Orchestration"