From 3af58ac5a5b9612ac331f163dfec523a39404982 Mon Sep 17 00:00:00 2001
From: Hector Fernandez
Date: Fri, 15 Apr 2022 02:21:16 +0200
Subject: [PATCH] chore: add warning when downloading a sBOM (#1763)

Signed-off-by: hectorj2f
---
 cmd/cosign/cli/download.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cmd/cosign/cli/download.go b/cmd/cosign/cli/download.go
index ce2410bf848..cdd5fcf99b7 100644
--- a/cmd/cosign/cli/download.go
+++ b/cmd/cosign/cli/download.go
@@ -16,6 +16,9 @@ package cli
 import (
+	"fmt"
+	"os"
+
 	"github.com/spf13/cobra"
 	"github.com/sigstore/cosign/cmd/cosign/cli/download"
@@ -64,6 +67,7 @@ func downloadSBOM() *cobra.Command {
 		Example: " cosign download sbom ",
 		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
+			fmt.Fprintln(os.Stderr, "WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation ' or verify its signature.")
 			_, err := download.SBOMCmd(cmd.Context(), *o, args[0], cmd.OutOrStdout())
 			return err
 		},
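Review bot: The added warning in the RunE body writes to os.Stderr directly while the very next line routes output through cmd.OutOrStdout(), so the message bypasses cobra's configurable error stream and cannot be captured or redirected by callers or tests that set the command's error writer; write it as `fmt.Fprintln(cmd.ErrOrStderr(), "WARNING: ...")` instead, which also makes the `"os"` import added in the first hunk unnecessary. The long literal would read better hoisted into a package-level const (for example `sbomDownloadWarning`) so the handler body stays a short sequence of calls. The downloadSBOM function starts and ends outside the hunk, so the rest of the command definition was not reviewed here.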