Updated docker.go

docker.go

@@ -711,14 +711,14 @@ func GetDroneDockerExecCmd() string {
 }
 
 func getDigest(buildName string) (string, error) {
-	cmd := exec.Command("docker", "inspect", "--format={{index .RepoDigests 0}}", buildName)
+	cmd := exec.Command("docker", "inspect", "--format='{{index .RepoDigests 0}}'", buildName)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", err
 	}
 
 	// Parse the output to extract the repo digest.
-	digest := strings.Trim(string(output), "\n")
+	digest := strings.Trim(string(output), "'\n")
 	parts := strings.Split(digest, "@")
 	if len(parts) > 1 {
 		return parts[1], nil
@@ -726,8 +726,6 @@ func getDigest(buildName string) (string, error) {
 	return "", errors.New("unable to fetch digest")
 }
 
-// Note: getDigestFromRegistry function removed - using getDigest() instead
-
 // shouldSignWithCosign determines if cosign signing should be performed
 func (p Plugin) shouldSignWithCosign() bool {
 	return p.Cosign.PrivateKey != ""
@@ -793,11 +791,9 @@ func isValidPEMKey(pemContent string) bool {
 
 // commandCosignSign creates the cosign sign command
 func commandCosignSign(build Build, tag string, cosign CosignConfig) *exec.Cmd {
-	// Use the tagged image reference that was actually pushed
 	imageRef := fmt.Sprintf("%s:%s", build.Repo, tag)
-	
+
-	// Try to get image digest for secure signing from the pushed image
+	digest, err := getDigest(build.TempTag)
-	digest, err := getDigest(imageRef)
 	if err != nil {
 		fmt.Printf("⚠️  WARNING: Could not get image digest for cosign signing: %s\n", err)
 		fmt.Println("   Falling back to tag-based signing")
@@ -808,25 +804,18 @@ func commandCosignSign(build Build, tag string, cosign CosignConfig) *exec.Cmd {
 		fmt.Printf("🔐 Signing image by digest: %s\n", imageRef)
 	}
 
-	// Start with base sign command and non-interactive flag
 	args := []string{"sign", "--yes"}
-
-	// Handle private key (content vs file path)
 	if strings.HasPrefix(cosign.PrivateKey, "-----BEGIN") {
-		// PEM content - use environment variable method
 		args = append(args, "--key", "env://COSIGN_PRIVATE_KEY")
 		os.Setenv("COSIGN_PRIVATE_KEY", cosign.PrivateKey)
 	} else {
-		// File path method
 		args = append(args, "--key", cosign.PrivateKey)
 	}
 
-	// Set password environment variable if provided
 	if cosign.Password != "" {
 		os.Setenv("COSIGN_PASSWORD", cosign.Password)
 	}
 
-	// Add custom parameters (after our defaults so users can override)
 	if cosign.Params != "" {
 		extraArgs := strings.Fields(cosign.Params)
 		args = append(args, extraArgs...)

docker/docker/Dockerfile.windows.amd64.1809

@@ -26,7 +26,7 @@ LABEL maintainer="Drone.IO Community <drone-dev@googlegroups.com>" `
 RUN mkdir C:\bin
 
 # Install cosign for container image signing
-RUN Invoke-WebRequest 'https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe' -OutFile 'C:\bin\cosign.exe' -UseBasicParsing
+ADD https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-windows-amd64.exe C:/bin/cosign.exe
 
 COPY --from=download /windows/system32/netapi32.dll /windows/system32/netapi32.dll
 COPY --from=download /app/docker.exe C:/bin/docker.exe

docker/docker/Dockerfile.windows.amd64.ltsc2022

@@ -24,7 +24,7 @@ LABEL maintainer="Drone.IO Community <drone-dev@googlegroups.com>" `
 RUN mkdir C:\bin
 
 # Install cosign for container image signing
-RUN Invoke-WebRequest 'https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe' -OutFile 'C:\bin\cosign.exe' -UseBasicParsing
+ADD https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-windows-amd64.exe C:/bin/cosign.exe
 
 COPY --from=download /windows/system32/netapi32.dll /windows/system32/netapi32.dll
 COPY --from=download /app/docker.exe C:/bin/docker.exe