Is it possible to skip TUF? #3368
Comments
I'm using: ...and then I want to verify my signature with Kyverno in k8s but can't do it...
You can bypass TUF with
Can you explain to me how I can't skip it locally without these variables, but if I check in Kyverno all's fine?
You may need to ask Kyverno if that's what you're using; I'm not sure if these variables will have an effect in Kyverno. For Cosign, setting them equal to a file path that holds either a public key or CA certificate will skip the TUF queries.
Question
I was using version 2.2.0 and skipped tlog and SCT with the commands "--insecure-ignore-tlog --insecure-ignore-sct", but when I updated to 2.2.1 I started getting a TUF error:
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 9.root.json: Get "https://tuf-repo-cdn.sigstore.dev/9.root.json": EOF
remote status:{
"mirror": "https://tuf-repo-cdn.sigstore.dev",
"metadata": {}
}
main.go:74: error during command execution: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 9.root.json: Get "https://tuf-repo-cdn.sigstore.dev/9.root.json": EOF
remote status:{
"mirror": "https://tuf-repo-cdn.sigstore.dev",
"metadata": {}
}
My cosign works in a corporate network and there is no internet.
Is it possible to skip this step and just verify the signature with a public key?