Hector Fernandez

Results 189 comments of Hector Fernandez

> 'admission webhook 'policy.sigstore.dev' denied the request: validation failed: invalid value: (pods) must be an image digest: spec.template.spec.containers[0].image'. This error is supposed to happen whenever the image cannot be parsed...

@codysoyland It sounds good. Could you share some examples of YAML definitions here? That would help to understand the changes.

@MageshSrinivasulu As discussed over Slack, this scenario works similarly to how cosign v2 does https://github.com/sigstore/cosign/pull/2650/files#diff-72911b6572099462e5f2e8ff920f4f9228587ab100820a26d3e90377c36bd73fR118. You can use a tag, but if it doesn't resolve to a digest, you get...

The other main reason to get the mentioned error could be due to problems pulling the secrets to access that image. However, if you are getting a similar error...

We're investigating the issue in two channels: Slack (https://sigstore.slack.com/archives/C01PZKDL4DP/p1675689427673029?thread_ts=1675658446.116119&cid=C01PZKDL4DP) and here. Perhaps we should move our conversation here.

@MageshSrinivasulu Have you tried to deploy the pod in a namespace where the label is not enabled and to use the acr-dev secret in the `imagePullSecrets` section of the pod?

After attempting to trust immutable tags, we realized it is impossible to detect this type of tag. I am concerned about the security risks that can cause the usage of...

@barthek Sure, that is what happens. However, there are certain tags that cannot get resolved to a digest. The mutating webhook attempts to resolve those tags consuming the `imagePullSecrets`...

@JRolfe-Gen There are multiple reasons to reject any usage of tags, even if immutable (which are difficult to detect). When signing a tag, nothing tells you if a tag...

@vaikas Should we include this issue in the v1 milestone?