An off-line mode would enable the use of slsa-verifier in air-gapped environments, which are isolated from any network connection for security reasons.
Cosign already supports this, so I am assuming this would be possible by leaning on the same bundle file they use. The SLSA builders would also need to support this, as they would generate the bundle as part of the build process and upload it to the release, which would later be consumed by slsa-verifier.
That should be doable. We do use the bundle. So we need to not query rekor and it should work. Then we can add a flag --rekor-offline or something along these lines.
For sigstore signed provenance I would have thought that we would also need to point it at a local copy of the TUF root as well? But cosign seems to be able to verify without that, so maybe not?
@ianlewis I believe you are right, in order to get this to work I had to do a cosign initialize pointing to a TUF root repository or it would try to reach out to the internet for it.
Which meant that for the offline checks to work as per the description you needed a) somewhere in the air-gapped environment that repository had to be available, or b) the cosign container image (or environment) was already initialized.
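To illustrate the offline check the comments above are describing, here is an added example (not code from slsa-verifier or cosign): validating the Rekor signed entry timestamp (SET) carried inside a cosign bundle against a Rekor public key held locally, so no Rekor query is needed. The key is a locally generated stand-in for the rekor.pub that the local TUF root from cosign initialize would supply; the bundle values are constructed, and the cryptography package is assumed to be installed.

```python
"""Offline SET check for a cosign-style rekorBundle (added illustration)."""
import base64
import copy
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def canonical_payload(payload: dict) -> bytes:
    # The SET signs the JCS (RFC 8785) canonicalisation of the payload.
    # For these flat, ASCII-only fields, sorted-key compact JSON is identical.
    fields = {k: payload[k] for k in ("body", "integratedTime", "logID", "logIndex")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def verify_set(rekor_bundle: dict, rekor_pub: ec.EllipticCurvePublicKey) -> bool:
    """True if the SET validates against the bundled payload; entirely offline."""
    sig = base64.b64decode(rekor_bundle["SignedEntryTimestamp"])
    try:
        rekor_pub.verify(sig, canonical_payload(rekor_bundle["Payload"]),
                         ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def make_sample_bundle(rekor_priv: ec.EllipticCurvePrivateKey) -> dict:
    """Constructed sample shaped like cosign's rekorBundle (all values fake)."""
    body = base64.b64encode(
        json.dumps({"kind": "hashedrekord", "apiVersion": "0.0.1"}).encode()).decode()
    payload = {
        "body": body,
        "integratedTime": 1700000000,
        "logIndex": 12345678,
        "logID": hashlib.sha256(b"constructed-log-id").hexdigest(),
    }
    set_sig = rekor_priv.sign(canonical_payload(payload), ec.ECDSA(hashes.SHA256()))
    return {"SignedEntryTimestamp": base64.b64encode(set_sig).decode(), "Payload": payload}


def demo() -> tuple:
    """Returns (genuine bundle verifies, tampered bundle verifies)."""
    rekor_priv = ec.generate_private_key(ec.SECP256R1())  # stand-in for Rekor's key
    bundle = make_sample_bundle(rekor_priv)
    tampered = copy.deepcopy(bundle)
    tampered["Payload"]["logIndex"] += 1  # any payload change must break the SET
    return verify_set(bundle, rekor_priv.public_key()), verify_set(tampered, rekor_priv.public_key())
```

The same check is what a verifier must perform locally once it stops contacting Rekor, which is why the Rekor key (via the TUF root) has to be present in the air-gapped environment.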