From 16e32455bb8896c0aa72eb21928827ab8a7b312d Mon Sep 17 00:00:00 2001
From: hectorj2f
Date: Thu, 14 Apr 2022 15:46:06 +0200
Subject: [PATCH] chore: add warn when attaching sBOM

Signed-off-by: hectorj2f
---
 cmd/cosign/cli/attach.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cmd/cosign/cli/attach.go b/cmd/cosign/cli/attach.go
index fbea7b0dc85..99281af7a61 100644
--- a/cmd/cosign/cli/attach.go
+++ b/cmd/cosign/cli/attach.go
@@ -16,6 +16,9 @@
 package cli
 
 import (
+ "fmt"
+ "os"
+
 "github.com/sigstore/cosign/cmd/cosign/cli/attach"
 "github.com/sigstore/cosign/cmd/cosign/cli/options"
 "github.com/spf13/cobra"
@@ -67,6 +70,7 @@ func attachSBOM() *cobra.Command {
 if err != nil {
 return err
 }
+ fmt.Fprintf(os.Stderr, "WARNING: Attaching SBOMs this way does not sign them. If you want to sign them, use 'cosign attest -predicate %s -key ' or 'cosign sign -key '.\n", o.SBOM)
 return attach.SBOMCmd(cmd.Context(), o.Registry, o.SBOM, mediaType, args[0])
 },
 }
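Review bot: The remediation commands printed by the new `fmt.Fprintf` line in attachSBOM's command closure spell their long flags with a single dash (`-predicate`, `-key`), and this file builds its commands with cobra, whose flag parser normally reads a single dash as a run of one-letter shorthands, so the hint will probably not run as pasted; printing `--predicate` and `--key` would be safer. The SBOM path is interpolated with `%s`, so a path containing spaces or shell metacharacters produces a command that splits wrongly when copied, which `%q` would avoid. Writing to `cmd.ErrOrStderr()` rather than `os.Stderr` would let callers and tests capture the warning and would make the new `os` import unnecessary. Because the message is the only signal that the attached SBOM carries no signature, it would help to state that consumers should not treat it as verified until it has been signed or attested. The closure begins and ends outside this hunk, so how `mediaType` and the earlier error are produced is not visible here.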