Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sign digests not tags. #1840

Merged
merged 1 commit into from
Dec 17, 2021
Merged

Sign digests not tags. #1840

merged 1 commit into from
Dec 17, 2021

Conversation

mattmoor
Copy link
Collaborator

@mattmoor mattmoor commented Dec 16, 2021
edited
Loading

The logic that was in here was signing the tags we publish, which has a race. Also since what cosign signs is actually the digest, this was signing 3x where we really only need one call.

This is based on: #1839 (will remove [WIP] when I rebase this)

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes unit tests
  • Adds integration tests if needed.

See the contribution guide for more details.

Reviewer Notes

  • The code flow looks good.
  • Unit tests and or integration tests added.

Release Notes

NONE

@mattmoor
Copy link
Collaborator Author

cc @priyawadhwa @dlorenc @imjasonh

@mattmoor mattmoor mentioned this pull request Dec 16, 2021
Merged
4 tasks
@mattmoor
Sign digests not tags.
47995cc 
The logic that was in here was signing the tags we publish, which has a race.  Also since what cosign signs is actually the digest, this was signing 3x where we really only need one call.
@mattmoor mattmoor changed the title [WIP] Sign digests not tags. Sign digests not tags. Dec 17, 2021
@mattmoor
Copy link
Collaborator Author

cc @imjasonh @priyawadhwa

This is rebased and RFAL

@imjasonh imjasonh merged commit 22f76bb into GoogleContainerTools:master Dec 17, 2021
@mattmoor mattmoor deleted the sign-digests branch December 17, 2021 23:44
gcalmettes pushed a commit to gcalmettes/kaniko that referenced this pull request Dec 24, 2021
@mattmoor @gcalmettes-fbox
Sign digests not tags. (GoogleContainerTools#1840)
524de6c 
The logic that was in here was signing the tags we publish, which has a race.  Also since what cosign signs is actually the digest, this was signing 3x where we really only need one call.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imjasonh imjasonh imjasonh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mattmoor @imjasonh