Support off-line mode for air-gapped environments #766

Open
pjbgf opened this issue May 3, 2024 · 4 comments

Comments

@pjbgf

pjbgf commented May 3, 2024

An off-line mode would enable the use of slsa-verifier in air-gapped environments, which are isolated from any network connection for security reasons.

Cosign already supports this, so I am assuming this would be possible by leaning on the same bundle file they use. The SLSA builders would also need to support this, as they would generate the bundle as part of the build process and upload it to the release, which would later be consumed by slsa-verifier.

@laurentsimon
Contributor

@ramonpetgrave64

That should be doable. We do use the bundle. So we need to not query rekor and it should work. Then we can add a flag --rekor-offline or something along these lines.

@ianlewis
Member

For sigstore signed provenance I would have thought that we would also need to point it at a local copy of the TUF root as well? But cosign seems to be able to verify without that, so maybe not?

@pjbgf
Author

pjbgf commented May 17, 2024

@ianlewis I believe you are right, in order to get this to work I had to do a cosign initialize pointing to a TUF root repository or it would try to reach out to the internet for it.

Which meant that for the offline checks to work as per the description you needed a) somewhere in the air-gapped environment that repository had to be available, or b) the cosign container image (or environment) was already initialized.

@ianlewis
Member

@pjbgf Ok yeah, that makes more sense.
