From 4414cc889075c6e3b09504372bbe41d557c74984 Mon Sep 17 00:00:00 2001
From: Zach Steindler <steiza@github.com>
Date: Mon, 11 Nov 2024 09:22:22 -0500
Subject: [PATCH] Add a log message if user doesn't provide `--trusted-root`

So the user knows that we're assuming the public good instance and
fetching the trusted root via TUF.

Signed-off-by: Zach Steindler <steiza@github.com>
---
 cmd/cosign/cli/verify/verify_bundle.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cmd/cosign/cli/verify/verify_bundle.go b/cmd/cosign/cli/verify/verify_bundle.go
index 05a50ebd801..e775ce7b45b 100644
--- a/cmd/cosign/cli/verify/verify_bundle.go
+++ b/cmd/cosign/cli/verify/verify_bundle.go
@@ -39,6 +39,7 @@ import (
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 
+	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/cosign/v2/pkg/cosign/pivkey"
 	sigs "github.com/sigstore/cosign/v2/pkg/signature"
@@ -62,6 +63,7 @@ func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, s
 	var trustedroot *root.TrustedRoot
 
 	if trustedRootPath == "" {
+		ui.Infof(ctx, "no --trusted-root specified; fetching public good instance verification material via TUF")
 		// Assume we're using public good instance; fetch via TUF
 		trustedroot, err = root.FetchTrustedRoot()
 		if err != nil {