fix(follow): pass full repo+sha to the signature verification functio…

…n during follow Signed-off-by: Luca Guerra <[email protected]>
falcosecurity · Sep 13, 2023 · 7f0a8bf · 7f0a8bf
1 parent 1d66acc
commit 7f0a8bf
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/internal/follower/follower.go b/internal/follower/follower.go
@@ -262,13 +262,21 @@ func (f *Follower) pull(ctx context.Context) (filePaths []string, res *oci.Regis
 		return filePaths, res, fmt.Errorf("unable to pull artifact %q: %w", f.ref, err)
 	}
 
+	repo, err := utils.RepositoryFromRef(f.ref)
+	if err != nil {
+		return filePaths, res, err
+	}
+
+	digestRef := fmt.Sprintf("%s@%s", repo, res.RootDigest)
+
 	// Verify the signature if needed
 	if f.Config.Signature != nil {
-		f.Verbosef("verifying signature")
-		err = signature.Verify(ctx, res.RootDigest, f.Config.Signature)
+		f.Verbosef("verifying signature for %s", digestRef)
+		err = signature.Verify(ctx, digestRef, f.Config.Signature)
 		if err != nil {
 			return filePaths, res, fmt.Errorf("could not verify signature for %s: %w", res.RootDigest, err)
 		}
+		f.Verbosef("signature successfully verified")
 	}
 
 	f.Verbosef("extracting artifact")