From b3099f04bbdb369aa71e2f372298eb7e286432b3 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 26 May 2023 09:45:25 +0800
Subject: [PATCH] added digest check on resolve ref
Signed-off-by: Patrick Zheng
---
 cmd/notation/manifest.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cmd/notation/manifest.go b/cmd/notation/manifest.go
index 35c281ac9..1d8f8acba 100644
--- a/cmd/notation/manifest.go
+++ b/cmd/notation/manifest.go
@@ -64,6 +64,10 @@ func resolveReference(ctx context.Context, inputType inputType, reference string
 resolvedRef = resolvedRef + "@" + manifestDesc.Digest.String()
 if _, err := digest.Parse(tagOrDigestRef); err == nil {
 // tagOrDigestRef is a digest reference
+ if tagOrDigestRef != manifestDesc.Digest.String() {
+ // tagOrDigestRef does not match the resolved digest
+ return ocispec.Descriptor{}, "", fmt.Errorf("user input digest %s does not match the resolved digest %s", tagOrDigestRef, manifestDesc.Digest.String())
+ }
 return manifestDesc, resolvedRef, nil
 }
 // tagOrDigestRef is a tag reference
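Review bot: The mismatch check added in the digest branch throws away the value `digest.Parse` has just validated and compares re-stringified digests instead; keeping the parsed value makes the comparison typed and drops the repeated `String()` calls: `if d, err := digest.Parse(tagOrDigestRef); err == nil {` followed by `if d != manifestDesc.Digest {`. The diffstat shows only manifest.go changed, so nothing pins this guard; a test whose resolver returns a descriptor with a different digest than the one requested would keep the fail-closed path from regressing. The check relies on the digest the resolver reports in the descriptor, and whether the manifest bytes are hashed against it is not visible in this hunk, so a short comment stating which of the two is being asserted would help the next reader. resolveReference starts and ends outside the hunk.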