From afe3f3783e37d8cdddbc464d1dd3fe08cb69a9ea Mon Sep 17 00:00:00 2001
From: Ompragash Viswanathan
Date: Thu, 31 Jul 2025 18:18:19 +0530
Subject: [PATCH] Updated docker.go

---
 docker.go | 42 +++++--------------
 docker/docker/Dockerfile.windows.amd64.1809 | 2 +-
 .../docker/Dockerfile.windows.amd64.ltsc2022 | 2 +-
 3 files changed, 12 insertions(+), 34 deletions(-)

diff --git a/docker.go b/docker.go
index 1f71cd2..c54d57b 100644
--- a/docker.go
+++ b/docker.go
@@ -726,22 +726,7 @@ func getDigest(buildName string) (string, error) {
 	return "", errors.New("unable to fetch digest")
 }
 
-// getDigestFromRegistry gets the digest of a pushed image from the registry
-func getDigestFromRegistry(image string) (string, error) {
-	cmd := exec.Command(dockerExe, "inspect", "--format={{index .RepoDigests 0}}", image)
-	output, err := cmd.Output()
-	if err != nil {
-		return "", err
-	}
-
-	// Parse the output to extract the repo digest.
-	digest := strings.Trim(string(output), "\n")
-	parts := strings.Split(digest, "@")
-	if len(parts) > 1 {
-		return parts[1], nil
-	}
-	return "", errors.New("unable to fetch digest from registry")
-}
+// Note: getDigestFromRegistry function removed - using getDigest() instead
 
 // shouldSignWithCosign determines if cosign signing should be performed
 func (p Plugin) shouldSignWithCosign() bool {
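Review bot: The single added line `+// Note: getDigestFromRegistry function removed - using getDigest() instead` is a tombstone comment: it names a function that no longer exists, will show up in every future grep for it, and the removal is already recorded in history. I would drop the line, or if the rationale matters to readers, attach it to getDigest's own doc comment as something like `// getDigest also supplies the digest used for cosign signing; the former getDigestFromRegistry (docker inspect RepoDigests) was folded into it.` Whether getDigest actually returns the registry repo digest cannot be checked here, since its body starts before this hunk.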
@@ -808,31 +793,24 @@ func isValidPEMKey(pemContent string) bool {
 
 // commandCosignSign creates the cosign sign command
 func commandCosignSign(build Build, tag string, cosign CosignConfig) *exec.Cmd {
-	// Try to get image digest from the pushed image for secure signing
-	pushedImageRef := fmt.Sprintf("%s:%s", build.Repo, tag)
-	digest, err := getDigestFromRegistry(pushedImageRef)
+	// Use the tagged image reference that was actually pushed
+	imageRef := fmt.Sprintf("%s:%s", build.Repo, tag)
+
+	// Try to get image digest for secure signing from the pushed image
+	digest, err := getDigest(imageRef)
 	if err != nil {
-		fmt.Printf("⚠️ WARNING: Could not get image digest from registry: %s\n", err)
+		fmt.Printf("⚠️ WARNING: Could not get image digest for cosign signing: %s\n", err)
 		fmt.Println(" Falling back to tag-based signing")
-		digest = ""
-	}
-
-	// Construct image reference
-	var imageRef string
-	if digest != "" {
+		// Continue with tag-based signing
+	} else {
+		// Use digest-based signing for better security
 		imageRef = fmt.Sprintf("%s@%s", build.Repo, digest)
 		fmt.Printf("🔐 Signing image by digest: %s\n", imageRef)
-	} else {
-		imageRef = pushedImageRef
-		fmt.Printf("🔐 Signing image by tag: %s\n", imageRef)
 	}
 
 	// Start with base sign command and non-interactive flag
 	args := []string{"sign", "--yes"}
 
-	// Note: Transparency log upload is enabled by default
-	// Users can disable with --tlog-upload=false in cosign.Params if needed
-
 	// Handle private key (content vs file path)
 	if strings.HasPrefix(cosign.PrivateKey, "-----BEGIN") {
 		// PEM content - use environment variable method
diff --git a/docker/docker/Dockerfile.windows.amd64.1809 b/docker/docker/Dockerfile.windows.amd64.1809
index f85891d..a7a6486 100644
--- a/docker/docker/Dockerfile.windows.amd64.1809
+++ b/docker/docker/Dockerfile.windows.amd64.1809
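Review bot: The value returned by `getDigest(imageRef)` is spliced straight into `fmt.Sprintf("%s@%s", build.Repo, digest)` with no check on its shape, whereas the helper this replaces took the digest from `docker inspect` RepoDigests and returned the `sha256:<hex>` part after `@`; getDigest's body is outside this hunk and its parameter is named buildName, so if it yields the local image ID (config digest) rather than the pushed manifest digest, cosign will be asked to sign a reference that does not exist in the registry. A cheap guard before the `if err != nil` keeps the failure mode explicit: `if err == nil && !strings.HasPrefix(digest, "sha256:") { err = fmt.Errorf("unexpected digest format %q", digest) }`. Separately, the fallback branch signs by tag, which means cosign resolves the tag at sign time and will happily sign whatever the tag points to if it was re-pushed between the push step and this call; for a signing step I would make that fallback opt-in via CosignConfig and otherwise fail, although commandCosignSign returns only *exec.Cmd, so failing closed needs a signature change. commandCosignSign continues past the end of this hunk.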
@@ -26,7 +26,7 @@ LABEL maintainer="Drone.IO Community " `
 RUN mkdir C:\bin
 
 # Install cosign for container image signing
-RUN powershell -Command "Invoke-WebRequest 'https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe' -OutFile 'C:\bin\cosign.exe'"
+RUN Invoke-WebRequest 'https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe' -OutFile 'C:\bin\cosign.exe' -UseBasicParsing
 
 COPY --from=download /windows/system32/netapi32.dll /windows/system32/netapi32.dll
 COPY --from=download /app/docker.exe C:/bin/docker.exe
diff --git a/docker/docker/Dockerfile.windows.amd64.ltsc2022 b/docker/docker/Dockerfile.windows.amd64.ltsc2022
index c891e16..cc956f8 100644
--- a/docker/docker/Dockerfile.windows.amd64.ltsc2022
+++ b/docker/docker/Dockerfile.windows.amd64.ltsc2022
@@ -24,7 +24,7 @@ LABEL maintainer="Drone.IO Community " `
 RUN mkdir C:\bin
 
 # Install cosign for container image signing
-RUN powershell -Command "Invoke-WebRequest 'https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe' -OutFile 'C:\bin\cosign.exe'"
+RUN Invoke-WebRequest 'https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe' -OutFile 'C:\bin\cosign.exe' -UseBasicParsing
 
 COPY --from=download /windows/system32/netapi32.dll /windows/system32/netapi32.dll
 COPY --from=download /app/docker.exe C:/bin/docker.exe
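Review bot: The new `RUN Invoke-WebRequest ... releases/latest/download/cosign-windows-amd64.exe` line (identical in the 1809 and ltsc2022 hunks) still installs the signing tool itself from an unpinned "latest" URL with no integrity check, so every image build silently picks up whatever binary GitHub serves that day, and a compromised or mis-published release would land in the image that signs all of this plugin's output. Pin the release and verify the download against a checksum supplied as a build arg (cosign releases also ship per-artifact signatures if you want to go further). Dropping the `powershell -Command` wrapper also presumes a `SHELL ["powershell", ...]` directive earlier in the file, which is not visible in the hunk; worth confirming, since under cmd.exe the bare cmdlet call would fail. The backtick continuation below assumes the file's escape character is the backtick, which the `LABEL ... ` line in the hunk header suggests but does not prove.
```dockerfile
ARG COSIGN_VERSION
ARG COSIGN_SHA256
# Install cosign for container image signing (pinned release, checksum verified)
RUN Invoke-WebRequest "https://github.com/sigstore/cosign/releases/download/$env:COSIGN_VERSION/cosign-windows-amd64.exe" -OutFile 'C:\bin\cosign.exe' -UseBasicParsing ; `
    if ((Get-FileHash 'C:\bin\cosign.exe' -Algorithm SHA256).Hash -ne $env:COSIGN_SHA256) { throw 'cosign checksum mismatch' }
# … unchanged: COPY lines …
```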