What happened
When signing a Task with tkn task sign task.yaml -K key.pem -f task.yaml, the command rewrites the entire YAML document: it reorders metadata keys (name, labels, annotations), reformats lists (e.g. params), and generally re-emits a canonicalized serialization rather than preserving the author's original file.
The only intended change is adding the tekton.dev/signature annotation. Everything else should be byte-for-byte preserved.
Why this is a problem
Catalog repositories (e.g. tektoncd-catalog/golang, tektoncd-catalog/git-clone) generate their Task YAMLs from base templates and run a CI check that regenerates and diffs the committed files (verify-generated). Because tkn task sign reserializes/reorders the whole document, the signed committed file no longer matches the generator output — producing a large spurious diff (hundreds of lines) that has nothing to do with the signature.
This forces downstream workarounds:
- normalizing both sides with yq -P (sorted keys) before diffing
- stripping the signature annotation before comparison
A signing operation should be minimally invasive: parse, add the annotation, and re-emit while preserving the original key order and formatting as much as possible.
Expected behavior
tkn task sign adds the tekton.dev/signature annotation and otherwise preserves the input serialization (key order, list formatting), so the diff between the unsigned and signed file is limited to the added annotation line.
Related
- tkn task sign also injects an empty resources: {} into steps (a separate but related serialization side effect)
Steps to reproduce
cat > task.yaml <<'YAML'
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: example
  labels:
    app.kubernetes.io/version: "1.0.0"
  annotations:
    tekton.dev/displayName: example
spec:
  steps:
  - name: run
    image: alpine
    script: echo hi
YAML
cp task.yaml before.yaml
tkn task sign task.yaml -K key.pem -f task.yaml
diff before.yaml task.yaml   # expect: only the signature annotation added; actual: whole file reordered
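As an added example (not part of this issue and not tkn's code): a text-level insertion of the annotation that leaves every other byte of the file untouched, which is the behaviour the Expected behavior section asks for, together with the check a catalog's verify-generated job could run to confirm that a signed file differs from its generated source by exactly one signature line. The sample Task is the one from the reproduction steps, the signature value is a placeholder, and two-space indentation under metadata: is assumed.

```python
import difflib

SIG_KEY = "tekton.dev/signature"
# Constructed sample: the Task from the reproduction steps above.
SAMPLE_TASK = """\
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: example
  labels:
    app.kubernetes.io/version: "1.0.0"
  annotations:
    tekton.dev/displayName: example
spec:
  steps:
  - name: run
    image: alpine
    script: echo hi
"""

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def add_annotation(text: str, key: str, value: str) -> str:
    """Insert `key: value` under metadata.annotations; every other byte is kept as-is."""
    lines = text.splitlines(keepends=True)
    meta = next(i for i, l in enumerate(lines) if l.rstrip("\n") == "metadata:")
    first_child = next(i for i in range(meta + 1, len(lines)) if lines[i].strip())
    depth = _indent(lines[first_child])                 # indent of metadata's own keys
    end = next((i for i in range(meta + 1, len(lines))  # first line after the metadata block
                if lines[i].strip() and _indent(lines[i]) < depth), len(lines))
    pad = " " * depth
    ann = next((i for i in range(meta + 1, end)
                if lines[i].rstrip("\n") == f"{pad}annotations:"), None)
    if ann is None:
        # No annotations block yet: add one as the last key of metadata.
        lines[end:end] = [f"{pad}annotations:\n", f"{pad}  {key}: {value}\n"]
    else:
        # Append after the last existing annotation entry, keeping their order.
        j = ann + 1
        while j < end and lines[j].strip() and _indent(lines[j]) > depth:
            j += 1
        lines[j:j] = [f"{pad}  {key}: {value}\n"]
    return "".join(lines)

def signature_only_diff(before: str, after: str) -> bool:
    """CI-style check: the only change is a single added line carrying the signature key."""
    changes = [l for l in difflib.unified_diff(before.splitlines(), after.splitlines(), lineterm="", n=0)
               if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]
    return len(changes) == 1 and changes[0].startswith("+") and SIG_KEY in changes[0]
```

The check also rejects the resources: {} injection mentioned under Related, since that shows up as a second added line.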