diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index 74ce1d8dd..ab5a23c7d 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -100,8 +100,8 @@ func runSign(command *cobra.Command, cmdOpts *signOpts) error {
 func prepareSigningContent(ctx context.Context, opts *signOpts, sigRepo notationregistry.Repository) (notation.SignOptions, registry.Reference, error) {
 ref, err := resolveReference(ctx, &opts.SecureFlagOpts, opts.reference, sigRepo, func(ref registry.Reference, manifestDesc ocispec.Descriptor) {
- fmt.Printf("Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference)
- fmt.Printf("Resolved artifact tag `%s` to digest `%s` before signing.\n", ref.Reference, manifestDesc.Digest.String())
+ fmt.Printf("Warning: Resolved artifact tag `%s` to digest `%s` before signing. ", ref.Reference, manifestDesc.Digest.String())
+ fmt.Printf("Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed.\n", ref.Reference)
 })
 if err != nil {
 return notation.SignOptions{}, registry.Reference{}, err
diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go
index 387e045dc..306e32c7d 100644
--- a/cmd/notation/verify.go
+++ b/cmd/notation/verify.go
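Review bot: The tag-mutability warning in the two added fmt.Printf lines goes to stdout, where it is interleaved with the "Successfully signed" result line that scripts are likely to capture; an advisory that the reference was resolved from a mutable tag belongs on stderr (`fmt.Fprintf(os.Stderr, ...)`, assuming `os` is or can be imported in sign.go), and the same applies to the Printf/Println pair in the verify.go hunk. Splitting one message across two calls, the first ending in a trailing space with no newline, also means the line is only terminated if the second call runs, so folding both into a single `fmt.Fprintf(os.Stderr, ...)` whose format string is the combined sentence ending in `\n`, with arguments `ref.Reference, manifestDesc.Digest.String(), ref.Reference`, produces exactly the single documented line from sign.md in one write. The body of prepareSigningContent continues past the end of this hunk.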
@@ -72,8 +72,8 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error {
 // resolve the given reference and set the digest
 ref, err := resolveReference(command.Context(), &opts.SecureFlagOpts, reference, sigRepo, func(ref registry.Reference, manifestDesc ocispec.Descriptor) {
- fmt.Printf("Resolved artifact tag `%s` to digest `%s` before verification.\n", ref.Reference, manifestDesc.Digest.String())
- fmt.Println("Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.")
+ fmt.Printf("Warning: Resolved artifact tag `%s` to digest `%s` before verification. ", ref.Reference, manifestDesc.Digest.String())
+ fmt.Println("The resolved digest may not point to the same signed artifact, since tags are mutable.")
 })
 if err != nil {
 return err
diff --git a/specs/commandline/sign.md b/specs/commandline/sign.md
index a40bb8825..5683c370c 100644
--- a/specs/commandline/sign.md
+++ b/specs/commandline/sign.md
@@ -15,8 +15,7 @@ Successfully signed /@
 If a `tag` is used to identify the OCI artifact, the output message is as following:
 ```test
-Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:`) because tags are mutable and a tag reference can point to a different artifact than the one signed.
-Resolved artifact tag `` to digest `` before signing.
+Warning: Resolved artifact tag `` to digest `` before signing. Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:`) because tags are mutable and a tag reference can point to a different artifact than the one signed.
 Successfully signed /@
 ```
@@ -44,7 +43,7 @@ Flags:
 ### Sign an OCI artifact
 ```shell
-# Prerequisites:
+# Prerequisites:
 # - A signing plugin is installed. See plugin documentation (https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md) for more details.
 # - Configure the signing plugin as instructed by plugin vendor.
@@ -65,7 +64,7 @@ Successfully signed localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da
 ### Sign an OCI artifact using COSE signature format
 ```shell
-# Prerequisites:
+# Prerequisites:
 # A default signing key is configured using CLI "notation key"
 # Use option "--signature-format" to set the signature format to COSE.
@@ -75,7 +74,7 @@ notation sign --signature-format cose /@
 ### Sign an OCI artifact stored in a registry using the default signing key
 ```shell
-# Prerequisites:
+# Prerequisites:
 # A default signing key is configured using CLI "notation key"
 # Use a digest that uniquely and immutably identifies an OCI artifact.
@@ -101,7 +100,7 @@ notation sign --key /@
 ### Sign an OCI artifact identified by a tag
 ```shell
-# Prerequisites:
+# Prerequisites:
 # A default signing key is configured using CLI "notation key"
 # Use a tag to identify a container image
@@ -112,7 +111,6 @@ An example for a successful signing:
 ```console
 $ notation sign localhost:5000/net-monitor:v1
-Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed.
-Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before signing.
+Warning: Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before signing. Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed.
 Successfully signed localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
 ```
diff --git a/specs/commandline/verify.md b/specs/commandline/verify.md
index b154caac9..fb38d7d29 100644
--- a/specs/commandline/verify.md
+++ b/specs/commandline/verify.md
@@ -11,8 +11,7 @@ Successfully verified signature for /@
 Tags are mutable and a tag reference can point to a different artifact than that was signed referred by the same tag. If a `tag` is used to identify the OCI artifact, the output message is as follows:
 ```text
-Resolved artifact tag `` to digest `` before verification.
-Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
+Warning: Resolved artifact tag `` to digest `` before verification. The resolved digest may not point to the same signed artifact, since tags are mutable.
 Successfully verified signature for /@
 ```
@@ -127,7 +126,6 @@ notation verify localhost:5000/net-monitor:v1
 An example of output messages for a successful verification:
 ```text
-Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before verification.
-Warning: The resolved digest may not point to the same signed artifact, since tags are mutable.
+Warning: Resolved artifact tag `v1` to digest `sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9` before verification. The resolved digest may not point to the same signed artifact, since tags are mutable.
 Successfully verified signature for localhost:5000/net-monitor@sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
 ```