
Enable signing and verifying image without registry access

Open bkabrda opened this issue 11 months ago • 1 comments

Summary

Fixes https://github.com/sigstore/cosign/issues/3832. This PR essentially enables:

  • Signing an image with the --upload=false flag even if the image registry is (temporarily) unavailable.
  • Properly verifying an image offline with certificate, payload and signature
    • There was previously a bug doing this, as the tlog function would attempt to search tlog by public key, when instead it needs to submit the certificate (see https://github.com/sigstore/rekor/issues/809).

I tried my best to test all the code paths that go through this function, but to be honest there are so many that I'm not 100 % sure everything is still correct - a thorough review would be appreciated.

Release Note

  • It is now possible to sign an image when the image registry is unreachable when using --upload=false.
  • The TLog search now works properly when verifying an image using disconnected certificate, payload and signature.

Documentation

I don't believe this PR requires documentation change.

bkabrda · Jan 16 '25 09:01
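As an added illustration of the two workflows this PR is about (example script, not code from the PR or from the cosign project): signing with `--upload=false` keeps the signature, certificate and payload in local files instead of pushing them to the registry, and those three disconnected artifacts are later handed to `cosign verify` directly. The image reference, the expected certificate identity and OIDC issuer, and the output directory are placeholders supplied through environment variables; `require_artifacts` is a helper added here so that a missing file fails fast before any network call.

```shell
#!/bin/sh
# Added example: sign without uploading, then verify from the saved
# signature, certificate and payload. Assumes cosign is installed.
# IMAGE, IDENTITY, ISSUER and OUT are placeholders (override via env).
set -eu

IMAGE="${IMAGE:-registry.example/app:TAG-PLACEHOLDER}"
IDENTITY="${IDENTITY:-signer@example.invalid}"
ISSUER="${ISSUER:-https://oidc.example.invalid}"
OUT="${OUT:-./cosign-artifacts}"

# Return 0 only when all three disconnected artifacts exist and are non-empty.
# Verification from local files needs every one of them, since nothing is
# fetched from the registry's signature tag.
require_artifacts() {
    dir="$1"
    for f in sig cert payload; do
        [ -s "$dir/$f" ] || { echo "missing artifact: $dir/$f" >&2; return 1; }
    done
}

# Sign without pushing: the signature, the Fulcio certificate and the signed
# payload are written to local files; the registry is not written to.
sign_offline() {
    mkdir -p "$OUT"
    cosign sign --upload=false \
        --output-signature "$OUT/sig" \
        --output-certificate "$OUT/cert" \
        --output-payload "$OUT/payload" \
        "$IMAGE"
}

# Verify from the saved files rather than from a registry-hosted signature.
# Identity and issuer pin which certificate subject is acceptable.
verify_offline() {
    require_artifacts "$OUT"
    cosign verify \
        --signature "$OUT/sig" \
        --certificate "$OUT/cert" \
        --payload "$OUT/payload" \
        --certificate-identity "$IDENTITY" \
        --certificate-oidc-issuer "$ISSUER" \
        "$IMAGE"
}

# Run both steps only when invoked as: sh sign-verify.sh run
if [ "${1:-}" = "run" ]; then
    sign_offline
    verify_offline
fi
```

Invoke with `IMAGE=... IDENTITY=... ISSUER=... sh sign-verify.sh run`; the verification step uses the same `IMAGE` reference so the payload's digest can be matched against what was signed.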