
Allow signing local image without registry access #3832

Open
bkabrda opened this issue Aug 14, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@bkabrda
Contributor

bkabrda commented Aug 14, 2024

Description

Hi 👋
I want to sign a local image that hasn't yet been uploaded to a registry (or the registry is not reachable right now) with --upload=false --output-signature=signature.sig --output-certificate=certificate.crt. Right now this fails with:

$ cosign sign -y --upload=false --output-signature=disconnected-fulcio.sig --output-certificate=disconnected-fulcio.crt foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2
Generating ephemeral keys...
Retrieving signed certificate...

<snip>

Successfully verified SCT...
Error: signing [foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2]: accessing image: Get "https://foobarasd.com/v2/": dial tcp: lookup foobarasd.com on 192.168.1.20:53: no such host
main.go:74: error during command execution: signing [foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2]: accessing image: Get "https://foobarasd.com/v2/": dial tcp: lookup foobarasd.com on 192.168.1.20:53: no such host

I think this should work, because to generate these artifacts locally we don't need to access the registry.

I have a simple change that I tested locally that I could submit as a PR if you folks think that this makes sense - please let me know. Thank you!
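The point made in the report above, that the signature artifacts depend only on the repository name and the manifest digest, can be demonstrated end to end without a registry. The following is an added example, not code from cosign or from the issue author. It builds the Simple Signing payload in the shape cosign places in a signature (field names reproduced from memory, not imported from cosign), signs its SHA-256 hash with an ephemeral ECDSA P-256 key, and verifies the result. The reference is the constructed, non-resolving one from the report. The added check worth noting: a tag-only reference is rejected, because turning a tag into a digest is the one step that does need the registry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// simpleSigningPayload mirrors the Red Hat Simple Signing JSON that cosign
// stores as a signature's payload. Assumption: field names and the "type"
// string are written down from memory of cosign's output, not imported.
type simpleSigningPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

var digestRE = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// splitDigestRef splits "repo@sha256:<hex>" into repository and digest.
// A tag-only reference (repo:tag) is rejected on purpose: resolving a tag to
// a digest requires a registry round trip, which offline signing must avoid.
func splitDigestRef(ref string) (repo, digest string, err error) {
	i := strings.LastIndex(ref, "@")
	if i < 0 {
		return "", "", errors.New("reference has no digest; a tag can only be resolved via the registry")
	}
	repo, digest = ref[:i], ref[i+1:]
	if repo == "" || !digestRE.MatchString(digest) {
		return "", "", fmt.Errorf("malformed digest reference %q", ref)
	}
	return repo, digest, nil
}

// buildPayload produces the JSON payload that gets signed. Nothing here
// touches the network: the repository name and digest are all it needs.
func buildPayload(ref string) ([]byte, error) {
	repo, digest, err := splitDigestRef(ref)
	if err != nil {
		return nil, err
	}
	var p simpleSigningPayload
	p.Critical.Identity.DockerReference = repo
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	return json.Marshal(p) // nil Optional marshals as null
}

// newSigningKey generates an ephemeral ECDSA P-256 key, the curve cosign
// uses for its ephemeral keyless signing keys.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signPayload signs sha256(payload) and returns the DER-encoded ECDSA
// signature as base64 text, the form a .sig file holds.
func signPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyPayload checks a base64 signature against the payload bytes.
func verifyPayload(pub *ecdsa.PublicKey, payload []byte, b64sig string) bool {
	sig, err := base64.StdEncoding.DecodeString(b64sig)
	if err != nil {
		return false
	}
	h := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	// Constructed input: the same non-resolving host as in the report.
	ref := "foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2"
	payload, err := buildPayload(ref)
	if err != nil {
		panic(err)
	}
	priv, err := newSigningKey()
	if err != nil {
		panic(err)
	}
	sig, err := signPayload(priv, payload)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(payload))
	fmt.Println("signature:", sig)
	fmt.Println("verified:", verifyPayload(&priv.PublicKey, payload, sig))
	if _, err := buildPayload("foobarasd.com/myimage:latest"); err != nil {
		fmt.Println("tag reference rejected:", err)
	}
}
```

The certificate half of the keyless flow (Fulcio issuance, SCT check) is not modelled here; in the transcript above those steps already complete before the registry lookup fails, which is consistent with only the image-access step being the blocker.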

@slimm609

This would be very useful with cosign save to be able to sign and save a bundle, which then becomes portable to offline registries.

Right now the workflow is:

  • push
  • sign
  • download (save)

which requires a temporary registry to get an offline bundle, which is a lot of network activity and extra time.

@bkabrda
Contributor Author

bkabrda commented Dec 10, 2024

@slimm609 I didn't have time to work on this properly in the past 2 months, but I have some free time on my hands right now, so I'm going to revamp the PR that I submitted and try to make sure that your scenario is accounted for.
