From 93b72d22d84000a80dcfaf32d1df701202d4337e Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Tue, 12 Nov 2024 19:29:06 -0500 Subject: [PATCH] Add a log message if user doesn't provide `--trusted-root` (#3933) So the user knows that we're assuming the public good instance and fetching the trusted root via TUF. Signed-off-by: Zach Steindler --- cmd/cosign/cli/verify/verify_bundle.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cmd/cosign/cli/verify/verify_bundle.go b/cmd/cosign/cli/verify/verify_bundle.go index 05a50ebd801..e775ce7b45b 100644 --- a/cmd/cosign/cli/verify/verify_bundle.go +++ b/cmd/cosign/cli/verify/verify_bundle.go @@ -39,6 +39,7 @@ import ( "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" + "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" sigs "github.com/sigstore/cosign/v2/pkg/signature" @@ -62,6 +63,7 @@ func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, s var trustedroot *root.TrustedRoot if trustedRootPath == "" { + ui.Infof(ctx, "no --trusted-root specified; fetching public good instance verification material via TUF") // Assume we're using public good instance; fetch via TUF trustedroot, err = root.FetchTrustedRoot() if err != nil {