changes from review

Signed-off-by: razzle <harry@razzle.cloud>

src/pkg/layout/package.go

@@ -169,13 +169,20 @@ func (pp *PackagePaths) IsLegacyLayout() bool {
 }
 
 // SignPackage signs the zarf.yaml in a Zarf package.
-func (pp *PackagePaths) SignPackage(signingKeyPath, signingKeyPassword string) error {
+func (pp *PackagePaths) SignPackage(signingKeyPath, signingKeyPassword string, isInteractive bool) error {
+	if signingKeyPath == "" {
+		return nil
+	}
+
 	pp.Signature = filepath.Join(pp.Base, Signature)
 
 	passwordFunc := func(_ bool) ([]byte, error) {
 		if signingKeyPassword != "" {
 			return []byte(signingKeyPassword), nil
 		}
+		if !isInteractive {
+			return nil, nil
+		}
 		return interactive.PromptSigPassword()
 	}
 	_, err := utils.CosignSignBlob(pp.ZarfYAML, pp.Signature, signingKeyPath, passwordFunc)

src/pkg/packager/creator/normal.go

@@ -254,10 +254,8 @@ func (pc *PackageCreator) Output(dst *layout.PackagePaths, pkg *types.ZarfPackag
 	}
 
 	// Sign the package if a key has been provided
-	if pc.createOpts.SigningKeyPath != "" {
-		if err := dst.SignPackage(pc.createOpts.SigningKeyPath, pc.createOpts.SigningKeyPassword); err != nil {
-			return err
-		}
+	if err := dst.SignPackage(pc.createOpts.SigningKeyPath, pc.createOpts.SigningKeyPassword, !config.CommonOptions.Confirm); err != nil {
+		return err
 	}
 
 	// Create a remote ref + client for the package (if output is OCI)

src/pkg/packager/creator/skeleton.go

@@ -11,6 +11,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/defenseunicorns/zarf/src/config"
 	"github.com/defenseunicorns/zarf/src/config/lang"
 	"github.com/defenseunicorns/zarf/src/extensions/bigbang"
 	"github.com/defenseunicorns/zarf/src/internal/packager/helm"
@@ -114,14 +115,7 @@ func (sc *SkeletonCreator) Output(dst *layout.PackagePaths, pkg *types.ZarfPacka
 		return fmt.Errorf("unable to write zarf.yaml: %w", err)
 	}
 
-	// Sign the package if a key has been provided
-	if sc.publishOpts.SigningKeyPath != "" {
-		if err := dst.SignPackage(sc.publishOpts.SigningKeyPath, sc.publishOpts.SigningKeyPassword); err != nil {
-			return err
-		}
-	}
-
-	return nil
+	return dst.SignPackage(sc.publishOpts.SigningKeyPath, sc.publishOpts.SigningKeyPassword, !config.CommonOptions.Confirm)
 }
 
 func (sc *SkeletonCreator) processExtensions(components []types.ZarfComponent, layout *layout.PackagePaths) (processedComponents []types.ZarfComponent, err error) {

src/pkg/packager/deploy.go

@@ -71,11 +71,6 @@ func (p *Packager) Deploy() (err error) {
 		return fmt.Errorf("deployment cancelled")
 	}
 
-	p.cfg.Pkg.Components, err = filter.Apply(p.cfg.Pkg)
-	if err != nil {
-		return err
-	}
-
 	// Set variables and prompt if --confirm is not set
 	if err := variables.SetVariableMapInConfig(p.cfg); err != nil {
 		return err

src/pkg/packager/publish.go

@@ -79,10 +79,8 @@ func (p *Packager) Publish() (err error) {
 		}
 
 		// Sign the package if a key has been provided
-		if p.cfg.PublishOpts.SigningKeyPath != "" {
-			if err := p.layout.SignPackage(p.cfg.PublishOpts.SigningKeyPath, p.cfg.PublishOpts.SigningKeyPassword); err != nil {
-				return err
-			}
+		if err := p.layout.SignPackage(p.cfg.PublishOpts.SigningKeyPath, p.cfg.PublishOpts.SigningKeyPassword, !config.CommonOptions.Confirm); err != nil {
+			return err
 		}
 	}
 

src/pkg/packager/sources/oci.go

@@ -75,11 +75,16 @@ func (s *OCISource) LoadPackage(dst *layout.PackagePaths, filter filters.Compone
 	dst.SetFromLayers(layersFetched)
 
 	// if --confirm is not set, read the zarf.yaml that was pulled
+	// and apply the filter to the components
 	if !config.CommonOptions.Confirm {
 		pkg, warnings, err = dst.ReadZarfYAML()
 		if err != nil {
 			return pkg, nil, err
 		}
+		pkg.Components, err = filter.Apply(pkg)
+		if err != nil {
+			return pkg, nil, err
+		}
 	}
 
 	if err := dst.MigrateLegacy(); err != nil {