Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow signing local image without registry access #3832

Open
bkabrda opened this issue Aug 14, 2024 · 3 comments · May be fixed by #4014
Open

Allow signing local image without registry access #3832

bkabrda opened this issue Aug 14, 2024 · 3 comments · May be fixed by #4014
Labels
enhancement New feature or request

Comments

@bkabrda
Copy link
Contributor

bkabrda commented Aug 14, 2024

Description

Hi 👋
I want to sign a local image that hasn't yet been uploaded to a registry (or the registry is not reachable right now) with --upload=false --output-signature=signature.sig --output-certificate=certificate.crt. Right now this fails with:

$ cosign sign -y --upload=false --output-signature=disconnected-fulcio.sig --output-certificate=disconnected-fulcio.crt foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2
Generating ephemeral keys...
Retrieving signed certificate...

<snip>

Successfully verified SCT...
Error: signing [foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2]: accessing image: Get "https://foobarasd.com/v2/": dial tcp: lookup foobarasd.com on 192.168.1.20:53: no such host
main.go:74: error during command execution: signing [foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2]: accessing image: Get "https://foobarasd.com/v2/": dial tcp: lookup foobarasd.com on 192.168.1.20:53: no such host

I think this should work, because to generate these artifacts locally we don't need to access the registry.

I have a simple change that I tested locally that I could submit as a PR if you folks think that this makes sense - please let me know. Thank you!
@bkabrda bkabrda added the enhancement New feature or request label Aug 14, 2024
@bkabrda bkabrda mentioned this issue Aug 20, 2024
Closed
@slimm609
Copy link

This would be very useful with cosign save to be able to sign and save a bundle, which then becomes portable to offline registries.

right now the workflow is

  • push
  • sign
  • download (save)

which requires a temporary registry to get a offline bundle which is a lot of network activity and extra time.

@bkabrda
Copy link
Contributor Author

bkabrda commented Dec 10, 2024

@slimm609 I didn't have time to work on this properly in the past 2 months, but I have some free time on my hands right now, so I'm going to revamp the PR that I submitted and try to make sure that your scenario is accounted for.

@bkabrda bkabrda linked a pull request Jan 16, 2025 that will close this issue
Open
@bkabrda
Copy link
Contributor Author

bkabrda commented Jan 16, 2025

@slimm609 after a lot of research I realized that your usecase would need to go through a completely different code path, so I didn't fix that in the PR that I submitted. However, your usecase actually makes a lot of sense I think, as it would actually be better to just save the bundle instead of producing a set of disconnected files (certificate, payload and signature). Once this issue is resolved, I would definitely like to work on that usecase as well (I'll open a new issue for it later), but I need to finish this up first to have at least something working.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Enable signing and verifying image without registry access bkabrda/cosign
2 participants
@bkabrda @slimm609