Update warning when users sign images by tag.

See sigstore#2047.
znewman01 · Oct 5, 2022 · 020cb29 · 020cb29
1 parent dc40467
commit 020cb29
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
@@ -57,6 +57,14 @@ import (
 	_ "github.com/sigstore/cosign/pkg/providers/all"
 )
 
+const TagReferenceMessage string = `WARNING: Image reference %s uses a tag, not a digest, to identify the image to sign.
+
+This can lead you to sign a different image than the intended one. Please use a
+digest (example.com/ubuntu@sha256:abc123...) rather than tag
+(example.com/ubuntu:latest) for the input to cosign. The ability to refer to
+images by tag will be removed in a future release.
+`
+
 func ShouldUploadToTlog(ctx context.Context, ref name.Reference, force bool, noTlogUpload bool, url string) bool {
 	// Check whether experimental is on!
 	if !options.EnableExperimental() {
@@ -151,9 +159,9 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist
 			return fmt.Errorf("unable to resolve attachment %s for image %s", attachment, inputImg)
 		}
 
-                if _, ok := ref.(name.Tag); ok {
-                   fmt.Println("Warning: Tag used in reference to identify the image. Consider supplying the digest for immutability.")
-                }
+		if _, ok := ref.(name.Tag); ok {
+			fmt.Fprintf(os.Stderr, TagReferenceMessage, inputImg)
+		}
 
 		if digest, ok := ref.(name.Digest); ok && !recursive {
 			se, err := ociremote.SignedEntity(ref, opts...)