
How to handle single-repo, multiple tag variations #4263

@DaGhostman


Question

Given the warning about signing a tag instead of a hash, what is the best way to sign multiple images that have varying tags?

Basically I am building Fedora images with varying packages installed in them based on the "vendor" (AMD/INTEL/NVIDIA respectively), which include a lot of common functionality but vary in packages (i.e. GPU acceleration packages). So what would be the best way to handle this? Since the commit hash for the build of the 4 images (NVIDIA, INTEL, AMD, BASE) is the same, do I really need to have 4 different registry repositories so I can sign each image individually, or is there an alternative approach that will satisfy this warning:

WARNING: Image reference {registry_name}:42-{variation} uses a tag, not a digest, to identify the image to sign.
This can lead you to sign a different image than the intended one. Please use a
digest (example.com/ubuntu@sha256:abc123...) rather than tag
(example.com/ubuntu:latest) for the input to cosign. The ability to refer to
images by tag will be removed in a future release.

My images are tagged as 42-{variation} and 42-{variation}-{commit_sha}.
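One way to satisfy that warning while keeping all four variants in a single repository, added here as an example and not part of the original issue or of cosign's own code: resolve each tag to the manifest digest it currently points to, and hand cosign the `repo@sha256:...` form. A cosign signature is bound to the digest, so every tag that resolves to the same manifest (here `42-{variation}` and `42-{variation}-{commit_sha}`) is covered by that one signature, and no extra repositories are needed. The script assumes `crane` (from go-containerregistry) and `cosign` are on the PATH; the image path `example.com/fedora`, the version `42` and the variation names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original issue or from cosign itself).
# Signs several tag variants of one repository by digest, so the cosign
# "uses a tag, not a digest" warning does not apply. Assumes `crane` and
# `cosign` are installed; the image name and variations below are placeholders.
set -eu

# Build a digest reference from a tag reference and a manifest digest:
#   example.com/ubuntu:latest + sha256:abc123 -> example.com/ubuntu@sha256:abc123
# The tag is stripped only from the last path component, so a registry
# port such as localhost:5000/repo:tag is left intact.
digest_ref() {
  ref=$1
  digest=$2
  case "$digest" in                     # loose sanity check on the digest form
    sha256:[0-9a-f]*) ;;
    *) printf 'invalid digest: %s\n' "$digest" >&2; return 1 ;;
  esac
  repo=${ref%%@*}                       # drop any digest that is already present
  case "${repo##*/}" in
    *:*) repo=${repo%:*} ;;             # drop :tag from the final component only
  esac
  printf '%s@%s\n' "$repo" "$digest"
}

# Resolve the digest a tag currently points to and sign that digest.
# Because the signature is attached to the digest, every tag that resolves to
# the same manifest (e.g. 42-nvidia and 42-nvidia-<commit_sha>) is covered by
# this one signature; the tags themselves are never what gets signed.
sign_by_digest() {
  tag_ref=$1
  digest=$(crane digest "$tag_ref")
  ref=$(digest_ref "$tag_ref" "$digest")
  printf 'signing %s (resolved from %s)\n' "$ref" "$tag_ref"
  cosign sign "$ref"
}

# Sign all variants that live in one repository under a shared version prefix.
sign_variations() {
  image=$1
  version=$2
  shift 2
  for variation in "$@"; do
    sign_by_digest "$image:$version-$variation"
  done
}

# Only sign when variations are passed on the command line, e.g.
#   ./sign-variants.sh base amd intel nvidia
# example.com/fedora is a placeholder; replace it with the real repository.
if [ "$#" -gt 0 ]; then
  sign_variations example.com/fedora 42 "$@"
fi
```

Run it once per build with the variation names as arguments. Afterwards `cosign verify` against either tag of a variant succeeds, because cosign resolves the tag to the same digest the signature was stored under; the point of signing by digest is that a later retag of `42-nvidia` to different content is not silently covered by the old signature.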
