Updated docker.go

docker.go

@@ -711,14 +711,14 @@ func GetDroneDockerExecCmd() string {
 }
 
 func getDigest(buildName string) (string, error) {
-	cmd := exec.Command("docker", "inspect", "--format='{{index .RepoDigests 0}}'", buildName)
+	cmd := exec.Command("docker", "inspect", "--format={{index .RepoDigests 0}}", buildName)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", err
 	}
 
 	// Parse the output to extract the repo digest.
-	digest := strings.Trim(string(output), "'\n")
+	digest := strings.Trim(string(output), "\n")
 	parts := strings.Split(digest, "@")
 	if len(parts) > 1 {
 		return parts[1], nil
@@ -726,6 +726,23 @@ func getDigest(buildName string) (string, error) {
 	return "", errors.New("unable to fetch digest")
 }
 
+// getDigestFromRegistry gets the digest of a pushed image from the registry
+func getDigestFromRegistry(image string) (string, error) {
+	cmd := exec.Command(dockerExe, "inspect", "--format={{index .RepoDigests 0}}", image)
+	output, err := cmd.Output()
+	if err != nil {
+		return "", err
+	}
+
+	// Parse the output to extract the repo digest.
+	digest := strings.Trim(string(output), "\n")
+	parts := strings.Split(digest, "@")
+	if len(parts) > 1 {
+		return parts[1], nil
+	}
+	return "", errors.New("unable to fetch digest from registry")
+}
+
 // shouldSignWithCosign determines if cosign signing should be performed
 func (p Plugin) shouldSignWithCosign() bool {
 	return p.Cosign.PrivateKey != ""
@@ -791,10 +808,11 @@ func isValidPEMKey(pemContent string) bool {
 
 // commandCosignSign creates the cosign sign command
 func commandCosignSign(build Build, tag string, cosign CosignConfig) *exec.Cmd {
-	// Get image digest for secure signing
-	digest, err := getDigest(build.TempTag)
+	// Try to get image digest from the pushed image for secure signing
+	pushedImageRef := fmt.Sprintf("%s:%s", build.Repo, tag)
+	digest, err := getDigestFromRegistry(pushedImageRef)
 	if err != nil {
-		fmt.Printf("⚠️  WARNING: Could not get image digest for cosign signing: %s\n", err)
+		fmt.Printf("⚠️  WARNING: Could not get image digest from registry: %s\n", err)
 		fmt.Println("   Falling back to tag-based signing")
 		digest = ""
 	}
@@ -802,37 +820,38 @@ func commandCosignSign(build Build, tag string, cosign CosignConfig) *exec.Cmd {
 	// Construct image reference
 	var imageRef string
 	if digest != "" {
-		imageRef = fmt.Sprintf("%s:%s@%s", build.Repo, tag, digest)
+		imageRef = fmt.Sprintf("%s@%s", build.Repo, digest)
 		fmt.Printf("🔐 Signing image by digest: %s\n", imageRef)
 	} else {
-		imageRef = fmt.Sprintf("%s:%s", build.Repo, tag)
+		imageRef = pushedImageRef
 		fmt.Printf("🔐 Signing image by tag: %s\n", imageRef)
 	}
 
-	args := []string{"sign"}
+	// Start with base sign command and non-interactive flag
+	args := []string{"sign", "--yes"}
+
+	// Note: Transparency log upload is enabled by default
+	// Users can disable with --tlog-upload=false in cosign.Params if needed
 
 	// Handle private key (content vs file path)
 	if strings.HasPrefix(cosign.PrivateKey, "-----BEGIN") {
 		// PEM content - use environment variable method
 		args = append(args, "--key", "env://COSIGN_PRIVATE_KEY")
 		os.Setenv("COSIGN_PRIVATE_KEY", cosign.PrivateKey)
-		fmt.Println("🔑 Using private key from environment variable")
-
-		// Note: Environment variables will be cleaned up when process exits
-		// For long-running processes, consider manual cleanup after all signing is done
 	} else {
 		// File path method
 		args = append(args, "--key", cosign.PrivateKey)
-		fmt.Printf("🔑 Using private key from file: %s\n", cosign.PrivateKey)
 	}
 
-	// Set password environment variable
+	// Set password and non-interactive environment variables
 	if cosign.Password != "" {
 		os.Setenv("COSIGN_PASSWORD", cosign.Password)
-		fmt.Println("🔐 Password provided for private key")
 	}
 
-	// Add custom parameters
+	// Set COSIGN_YES for additional non-interactive assurance
+	os.Setenv("COSIGN_YES", "true")
+
+	// Add custom parameters (after our defaults so users can override)
 	if cosign.Params != "" {
 		extraArgs := strings.Fields(cosign.Params)
 		args = append(args, extraArgs...)
@@ -842,5 +861,7 @@ func commandCosignSign(build Build, tag string, cosign CosignConfig) *exec.Cmd {
 	// Add image reference
 	args = append(args, imageRef)
 
-	return exec.Command(cosignExe, args...)
+	cmd := exec.Command(cosignExe, args...)
+	fmt.Printf("🚀 Executing: %s %s\n", cosignExe, strings.Join(args, " "))
+	return cmd
 }