Improve warning message when signing or verifying with tag

Signed-off-by: Pritesh Bandi <pritesb@amazon.com>

cmd/notation/sign.go

@@ -100,8 +100,8 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error {
 
 func prepareSigningContent(ctx context.Context, opts *signOpts, sigRepo notationregistry.Repository) (notation.SignOptions, registry.Reference, error) {
 	ref, err := resolveReference(ctx, &opts.SecureFlagOpts, opts.reference, sigRepo, func(ref registry.Reference, manifestDesc ocispec.Descriptor) {
-		fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference)
-		fmt.Printf("Resolved artifact tag `%s` to digest `%s` before signing.\n", ref.Reference, manifestDesc.Digest.String())
+		fmt.Printf("Warning: Resolved artifact tag `%s` to digest `%s` before signing. ", ref.Reference, manifestDesc.Digest.String())
+		fmt.Printf("Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference)
 	})
 	if err != nil {
 		return notation.SignOptions{}, registry.Reference{}, err

cmd/notation/verify.go

@@ -72,8 +72,8 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error {
 
 	// resolve the given reference and set the digest
 	ref, err := resolveReference(command.Context(), &opts.SecureFlagOpts, reference, sigRepo, func(ref registry.Reference, manifestDesc ocispec.Descriptor) {
-		fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, manifestDesc.Digest.String())
-		fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.")
+		fmt.Printf("Warning: Resolved artifact tag `%s` to digest `%s` before verification. ", ref.Reference, manifestDesc.Digest.String())
+		fmt.Println("The resolved digest may not point to the same signed artifact, since tags are mutable.")
 	})
 	if err != nil {
 		return err

specs/commandline/sign.md

@@ -15,8 +15,7 @@ Successfully signed <registry>/<repository>@<digest>
 If a `tag` is used to identify the OCI artifact, the output message is as following:
 
 ```test
-Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:<tag>`) because tags are mutable and a tag reference can point to a different artifact than the one signed.
-Resolved artifact tag `<tag>` to digest `<digest>` before signing.
+Warning: Resolved artifact tag `<tag>` to digest `<digest>` before signing. Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:<tag>`) because tags are mutable and a tag reference can point to a different artifact than the one signed.
 Successfully signed <registry>/<repository>@<digest>
 ```
 
@@ -44,7 +43,7 @@ Flags:
 ### Sign an OCI artifact
 
 ```shell
-# Prerequisites: 
+# Prerequisites:
 # - A signing plugin is installed. See plugin documentation (https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md) for more details.
 # - Configure the signing plugin as instructed by plugin vendor.
 
@@ -65,7 +64,7 @@ Successfully signed localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da
 ### Sign an OCI artifact using COSE signature format
 
 ```shell
-# Prerequisites: 
+# Prerequisites:
 # A default signing key is configured using CLI "notation key"
 
 # Use option "--signature-format" to set the signature format to COSE.
@@ -75,7 +74,7 @@ notation sign --signature-format cose <registry>/<repository>@<digest>
 ### Sign an OCI artifact stored in a registry using the default signing key
 
 ```shell
-# Prerequisites: 
+# Prerequisites:
 # A default signing key is configured using CLI "notation key"
 
 # Use a digest that uniquely and immutably identifies an OCI artifact.
@@ -101,7 +100,7 @@ notation sign --key <key_name> <registry>/<repository>@<digest>
 ### Sign an OCI artifact identified by a tag
 
 ```shell
-# Prerequisites: 
+# Prerequisites:
 # A default signing key is configured using CLI "notation key"
 
 # Use a tag to identify a container image
@@ -112,7 +111,6 @@ An example for a successful signing:
 
 ```console
 $ notation sign localhost:5000/net-monitor:v1
-Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed.
-Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before signing.
+Warning: Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before signing. Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed.
 Successfully signed localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
 ```

specs/commandline/verify.md

@@ -11,8 +11,7 @@ Successfully verified signature for <registry>/<repository>@<digest>
 Tags are mutable and a tag reference can point to a different artifact than that was signed referred by the same tag. If a `tag` is used to identify the OCI artifact, the output message is as follows:
 
 ```text
-Resolved artifact tag `<tag>` to digest `<digest>` before verification.
-Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
+Warning: Resolved artifact tag `<tag>` to digest `<digest>` before verification. The resolved digest may not point to the same signed artifact, since tags are mutable.
 Successfully verified signature for <registry>/<repository>@<digest>
 ```
 
@@ -127,7 +126,6 @@ notation verify localhost:5000/net-monitor:v1
 An example of output messages for a successful verification:
 
 ```text
-Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before verification.
-Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
+Warning: Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before verification. The resolved digest may not point to the same signed artifact, since tags are mutable.
 Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
 ```