diff --git a/docker.go b/docker.go
index c54d57b..e726238 100644
--- a/docker.go
+++ b/docker.go
@@ -711,14 +711,14 @@ func GetDroneDockerExecCmd() string {
 }
 func getDigest(buildName string) (string, error) {
- cmd := exec.Command("docker", "inspect", "--format={{index .RepoDigests 0}}", buildName)
+ cmd := exec.Command("docker", "inspect", "--format='{{index .RepoDigests 0}}'", buildName)
 output, err := cmd.Output()
 if err != nil {
 return "", err
 }
 // Parse the output to extract the repo digest.
- digest := strings.Trim(string(output), "\n")
+ digest := strings.Trim(string(output), "'\n")
 parts := strings.Split(digest, "@")
 if len(parts) > 1 {
 return parts[1], nil
@@ -726,8 +726,6 @@ func getDigest(buildName string) (string, error) {
 return "", errors.New("unable to fetch digest")
 }
-// Note: getDigestFromRegistry function removed - using getDigest() instead - - // shouldSignWithCosign determines if cosign signing should be performed
 func (p Plugin) shouldSignWithCosign() bool {
 return p.Cosign.PrivateKey != ""
@@ -793,11 +791,9 @@ func isValidPEMKey(pemContent string) bool {
 // commandCosignSign creates the cosign sign command
 func commandCosignSign(build Build, tag string, cosign CosignConfig) *exec.Cmd {
- // Use the tagged image reference that was actually pushed
 imageRef := fmt.Sprintf("%s:%s", build.Repo, tag)
-
- // Try to get image digest for secure signing from the pushed image
- digest, err := getDigest(imageRef)
+
+ digest, err := getDigest(build.TempTag)
 if err != nil {
 fmt.Printf("⚠️ WARNING: Could not get image digest for cosign signing: %s\n", err)
 fmt.Println(" Falling back to tag-based signing")
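Review bot: The single quotes added to `--format='{{index .RepoDigests 0}}'` in getDigest reach docker literally, because exec.Command passes arguments directly with no shell, and docker then prints them around the digest; that is the only reason the trim set had to grow to `"'\n"`. Keep the original unquoted format and use `digest := strings.TrimSpace(string(output))`, which also tolerates a trailing `\r\n` should a Windows docker client emit one. Since the returned string becomes the artifact cosign signs, it is also worth rejecting anything that does not look like `sha256:<64 hex chars>` before returning `parts[1]`, instead of signing whatever follows the `@`.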
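Review bot: When `getDigest(build.TempTag)` fails, the code still goes on to sign the mutable `repo:tag` reference after only printing a warning, so a tag retargeted between push and signing receives a valid signature and the digest-based signing the hunk introduces is silently bypassed. Unless tag-based signing is meant to be a deliberate opt-in, the failure should be fatal at the call site (the function returns only `*exec.Cmd`, so a nil return or a separate error path is needed) and the reason the digest was unavailable should be logged. The hunk also drops the comments that explained which image is inspected and why, and it is not evident from the visible lines why the temp tag rather than the pushed `imageRef` is used; a line such as `// TempTag is the locally built image whose RepoDigests the push populated` would help, assuming that is the intent. commandCosignSign's body continues past this hunk.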
@@ -808,25 +804,18 @@ func commandCosignSign(build Build, tag string, cosign CosignConfig) *exec.Cmd {
 fmt.Printf("🔐 Signing image by digest: %s\n", imageRef)
 }
- // Start with base sign command and non-interactive flag
 args := []string{"sign", "--yes"}
-
- // Handle private key (content vs file path)
 if strings.HasPrefix(cosign.PrivateKey, "-----BEGIN") {
- // PEM content - use environment variable method
 args = append(args, "--key", "env://COSIGN_PRIVATE_KEY")
 os.Setenv("COSIGN_PRIVATE_KEY", cosign.PrivateKey)
 } else {
- // File path method
 args = append(args, "--key", cosign.PrivateKey)
 }
- // Set password environment variable if provided
 if cosign.Password != "" {
 os.Setenv("COSIGN_PASSWORD", cosign.Password)
 }
- // Add custom parameters (after our defaults so users can override)
 if cosign.Params != "" {
 extraArgs := strings.Fields(cosign.Params)
 args = append(args, extraArgs...)
diff --git a/docker/docker/Dockerfile.windows.amd64.1809 b/docker/docker/Dockerfile.windows.amd64.1809
index a7a6486..5113e16 100644
--- a/docker/docker/Dockerfile.windows.amd64.1809
+++ b/docker/docker/Dockerfile.windows.amd64.1809
@@ -26,7 +26,7 @@ LABEL maintainer="Drone.IO Community " `
 RUN mkdir C:\bin
 # Install cosign for container image signing
-RUN Invoke-WebRequest 'https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe' -OutFile 'C:\bin\cosign.exe' -UseBasicParsing
+ADD https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-windows-amd64.exe C:/bin/cosign.exe
 COPY --from=download /windows/system32/netapi32.dll /windows/system32/netapi32.dll
 COPY --from=download /app/docker.exe C:/bin/docker.exe
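Review bot: `os.Setenv("COSIGN_PRIVATE_KEY", cosign.PrivateKey)` and `os.Setenv("COSIGN_PASSWORD", cosign.Password)` place the signing key and its passphrase in the plugin's own process environment, where every child process started afterwards (docker included) inherits them and anything able to read this process's environment can recover them; both return values are also ignored. Scope the secrets to the cosign invocation instead: start from `env := os.Environ()`, replace each `os.Setenv(k, v)` with `env = append(env, k+"="+v)` under the same conditions, and assign `cmd.Env = env` where the `*exec.Cmd` is built, which is outside this hunk. Because `cosign.Params` is appended after `--key`, a second `--key` in Params silently wins over the configured one; the removed comment said that was intended, so restore a one-line comment to that effect rather than leaving the precedence undocumented.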
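Review bot: Pinning cosign to v2.5.3 removes the moving `latest` target, but the new `ADD https://…/cosign-windows-amd64.exe C:/bin/cosign.exe` still fetches the binary with no integrity check, so a substituted or tampered release asset would be baked into the image unnoticed. Add the digest published in that release's checksums file to the instruction, `ADD --checksum=sha256:<digest> https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-windows-amd64.exe C:/bin/cosign.exe`; that flag needs the `# syntax=docker/dockerfile:1.6` (or newer) frontend, so confirm the Windows builder in use supports it, and otherwise fall back to a RUN step that compares the file's SHA-256 against the expected constant and fails the build on mismatch. A short comment naming where the expected digest came from keeps the pin auditable at the next bump.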
@@ -24,7 +24,7 @@ LABEL maintainer="Drone.IO Community " `
 RUN mkdir C:\bin
 # Install cosign for container image signing
-RUN Invoke-WebRequest 'https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe' -OutFile 'C:\bin\cosign.exe' -UseBasicParsing
+ADD https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-windows-amd64.exe C:/bin/cosign.exe
 COPY --from=download /windows/system32/netapi32.dll /windows/system32/netapi32.dll
 COPY --from=download /app/docker.exe C:/bin/docker.exe
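Review bot: The `ADD https://…/v2.5.3/cosign-windows-amd64.exe C:/bin/cosign.exe` line downloads the signing tool without verifying what it received, so the version pin only fixes which URL is fetched, not what content ends up in the image. Verify the download against the digest published with that release, `ADD --checksum=sha256:<digest> https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-windows-amd64.exe C:/bin/cosign.exe`, if the builder honours the dockerfile 1.6+ frontend, or otherwise hash the file in a RUN step and fail the build on mismatch. Keeping the expected digest next to the version also makes a future bump of both values a single reviewable change.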