
Support off-line mode for air-gapped environments #766

Open
pjbgf opened this issue May 3, 2024 · 6 comments

Comments

@pjbgf

pjbgf commented May 3, 2024

An off-line mode would enable the use of slsa-verifier in air-gapped environments, which are isolated from any network connection for security reasons.

Cosign already supports this, so I am assuming this would be possible by leaning on the same bundle file they use. The SLSA builders would also need to support this, as they would generate the bundle as part of the build process and upload it to the release, which would later be consumed by slsa-verifier.

@laurentsimon
Contributor

@ramonpetgrave64

That should be doable. We do use the bundle. So we need to not query rekor and it should work. Then we can add a flag --rekor-offline or something along these lines.

@ianlewis
Member

For sigstore signed provenance I would have thought that we would also need to point it at a local copy of the TUF root as well? But cosign seems to be able to verify without that, so maybe not?

@pjbgf
Author

pjbgf commented May 17, 2024

@ianlewis I believe you are right, in order to get this to work I had to do a cosign initialize pointing to a TUF root repository or it would try to reach out to the internet for it.

Which meant that for the offline checks to work as per the description you needed a) somewhere in the air-gapped environment that repository had to be available, or b) the cosign container image (or environment) was already initialized.

@ianlewis
Member

@pjbgf Ok yeah, that makes more sense.

@laurentsimon
Contributor

@haydentherapper this came up I think before

@haydentherapper
Contributor

TUF and airgapped environments don't work together and there really is no solution that doesn't involve deviating from the TUF specification. The Sigstore TUF client has no mechanism for an airgapped environment, the best we can do is cache until the timestamp expires which would force an online update.

I would recommend providing an API that allows a user to specify a trust root bundle which will be provided to the Sigstore verifier (Note this is assuming the use of sigstore-go, not Cosign). Then an online client can follow the TUF specification to maintain an up-to-date copy of trusted_root.json from Sigstore's TUF repo, and provide that root to the airgapped environment via whatever mechanism works for your environment.

You can see an example of this UX in https://github.com/sigstore/sigstore-python?tab=readme-ov-file#configuring-a-custom-root-of-trust-byo-pki.
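An added example, not code from this thread, slsa-verifier or sigstore-go, of the kind of check an offline verifier would run on a locally supplied trusted_root.json (the file the comment above proposes an online TUF client keeps fresh and copies into the air-gapped environment): it parses the validity windows of the transparency-log key and the CA and rejects a signing time they do not cover, which is the point at which the cached copy must be refreshed. The field subset follows the Sigstore TrustedRoot protojson layout; the sample document is constructed and the placeholder URLs are not real endpoints.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// validFor mirrors the TimeRange message in trusted_root.json; a missing "end" means still valid.
type validFor struct {
	Start time.Time  `json:"start"`
	End   *time.Time `json:"end,omitempty"`
}

func (v validFor) covers(t time.Time) bool {
	return !t.Before(v.Start) && (v.End == nil || !t.After(*v.End))
}

// trustedRoot models only the fields this check needs from the Sigstore TrustedRoot format.
type trustedRoot struct {
	Tlogs []struct {
		PublicKey struct {
			ValidFor validFor `json:"validFor"`
		} `json:"publicKey"`
	} `json:"tlogs"`
	CertificateAuthorities []struct {
		ValidFor validFor `json:"validFor"`
	} `json:"certificateAuthorities"`
}

// CoversSigningTime reports whether the offline trust root holds at least one
// transparency-log key and one CA whose validity window includes signedAt; false
// means this copy cannot vouch for that time and the online TUF client must refresh it.
func CoversSigningTime(rootJSON []byte, signedAt time.Time) (bool, error) {
	var tr trustedRoot
	if err := json.Unmarshal(rootJSON, &tr); err != nil {
		return false, fmt.Errorf("parse trusted root: %w", err)
	}
	logOK, caOK := false, false
	for _, l := range tr.Tlogs {
		logOK = logOK || l.PublicKey.ValidFor.covers(signedAt)
	}
	for _, ca := range tr.CertificateAuthorities {
		caOK = caOK || ca.ValidFor.covers(signedAt)
	}
	return logOK && caOK, nil
}

// sampleRoot is a constructed document in trusted_root.json shape, not Sigstore's real root.
const sampleRoot = `{"tlogs":[{"baseUrl":"https://rekor.example.test","publicKey":{"validFor":{"start":"2021-01-12T11:53:27.000Z"}}}],"certificateAuthorities":[{"uri":"https://fulcio.example.test","validFor":{"start":"2022-04-13T20:06:15.000Z","end":"2031-04-13T20:06:15.000Z"}}]}`
```

In a real verifier signedAt comes from the bundle's log-integrated time or RFC 3161 timestamp, and the root's key material is then handed to the signature and certificate-chain checks.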
