Finish up publish to work without signed blobs

cmd/fatt/cli/publish.go

@@ -81,21 +81,17 @@ func NewPublishCommand() *cobra.Command {
 				if err != nil {
 					return err
 				}
-				fmt.Fprintf(os.Stderr, "cosign sign --key %s %s\n", po.KeyRef, r.OCIRef)
 
 				purls[i] = r.PURL
 			}
 
-			discoveryOCIRef := fmt.Sprintf("%s:%s.%s", po.Repository, po.Version, "discover")
-
 			fmt.Fprintln(os.Stderr)
 			fmt.Fprintln(os.Stderr, "Generating attestations.txt based on uploaded attestations…")
 			_, err := attestation.Publish(ctx, po.Repository, po.Version, purls)
 			if err != nil {
 				return err
 			}
 			fmt.Fprintln(os.Stderr)
-			fmt.Fprintf(os.Stderr, "cosign sign --key %s %s\n", po.KeyRef, discoveryOCIRef)
 			return nil
 		},
 	}

pkg/oci/purl.go

@@ -25,11 +25,13 @@ func FromPackageURL(purl packageurl.PackageURL) (name.Reference, error) {
 
 	var ociRef string
 	if repo, ok := purl.Qualifiers.Map()["repository_url"]; ok {
-		if tag, ok := purl.Qualifiers.Map()["tag"]; ok {
-			ociRef = fmt.Sprintf("%s:%s", repo, tag)
-		} else {
-			ociRef = fmt.Sprintf("%s@%s", repo, v)
-		}
+		ociRef = fmt.Sprintf("%s@%s", repo, v)
+		// TODO: Restore this logic when signatures are implemented in publish command.
+		// if tag, ok := purl.Qualifiers.Map()["tag"]; ok {
+		// 	ociRef = fmt.Sprintf("%s:%s", repo, tag)
+		// } else {
+		// 	ociRef = fmt.Sprintf("%s@%s", repo, v)
+		// }
 	} else if strings.Contains(v, "sha") {
 		ociRef = fmt.Sprintf("%s/%s@%s", ns, purl.Name, v)
 	} else {

pkg/oci/purl_test.go

@@ -31,7 +31,6 @@ func TestToPackageUrl(t *testing.T) {
 	digestRef, err = name.ParseReference("ghcr.io/philips-labs/with-long-repo/fatt@sha256:f25d28beea7c81af4160a32256831380d7173449cfc49dde70bcca1b697f9c7e")
 	assert.NoError(err)
 
-	// TODO: to comply with the purl spec need to have digest as version
 	expectedPURL, err = packageurl.FromString("pkg:oci/philips-labs/with-long-repo/fatt@sha256:f25d28beea7c81af4160a32256831380d7173449cfc49dde70bcca1b697f9c7e?repository_url=ghcr.io/philips-labs/with-long-repo/fatt&tag=v0.1.0.provenance")
 	assert.NoError(err)
 
@@ -44,7 +43,6 @@ func TestToPackageUrl(t *testing.T) {
 	digestRef, err = name.ParseReference("philipssoftware/fatt@sha256:877084e55eb2896eb3d159df7483862e8f7470469d9ac732a54da2298bcf456c")
 	assert.NoError(err)
 
-	// TODO: to comply with the purl spec need to have digest as version
 	expectedPURL, err = packageurl.FromString("pkg:oci/philipssoftware/fatt@sha256:877084e55eb2896eb3d159df7483862e8f7470469d9ac732a54da2298bcf456c?repository_url=index.docker.io/philipssoftware/fatt&tag=v0.1.0.sbom")
 	assert.NoError(err)
 
@@ -59,7 +57,8 @@ func TestFromPackageURL(t *testing.T) {
 	purl, err := packageurl.FromString("pkg:oci/philips-labs/slsa-provenance@sha256:e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7?repository_url=ghcr.io/philips-labs/slsa-provenance&tag=v0.7.2")
 	assert.NoError(err)
 
-	expectedOCIRef, err := name.ParseReference("ghcr.io/philips-labs/slsa-provenance:v0.7.2")
+	// expectedOCIRef, err := name.ParseReference("ghcr.io/philips-labs/slsa-provenance:v0.7.2")
+	expectedOCIRef, err := name.ParseReference("ghcr.io/philips-labs/slsa-provenance@sha256:e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7")
 	assert.NoError(err)
 
 	ociRef, err := oci.FromPackageURL(purl)
@@ -99,7 +98,8 @@ func TestFromPackageURL(t *testing.T) {
 	purl, err = packageurl.FromString("pkg:oci/library/alpine@sha256:ceeae2849a425ef1a7e591d8288f1a58cdf1f4e8d9da7510e29ea829e61cf512?repository_url=docker.io/library/alpine&tag=latest")
 	assert.NoError(err)
 
-	expectedOCIRef, err = name.ParseReference("alpine:latest")
+	// expectedOCIRef, err = name.ParseReference("alpine:latest")
+	expectedOCIRef, err = name.ParseReference("alpine@sha256:ceeae2849a425ef1a7e591d8288f1a58cdf1f4e8d9da7510e29ea829e61cf512")
 	assert.NoError(err)
 
 	ociRef, err = oci.FromPackageURL(purl)