Allow signing local image without registry access #3832

Open
@bkabrda

Description

Hi 👋
I want to sign a local image that hasn't yet been uploaded to a registry (or the registry is not reachable right now) with --upload=false --output-signature=signature.sig --output-certificate=certificate.crt. Right now this fails with:

$ cosign sign -y --upload=false --output-signature=disconnected-fulcio.sig --output-certificate=disconnected-fulcio.crt foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2
Generating ephemeral keys...
Retrieving signed certificate...

<snip>

Successfully verified SCT...
Error: signing [foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2]: accessing image: Get "https://foobarasd.com/v2/": dial tcp: lookup foobarasd.com on 192.168.1.20:53: no such host
main.go:74: error during command execution: signing [foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2]: accessing image: Get "https://foobarasd.com/v2/": dial tcp: lookup foobarasd.com on 192.168.1.20:53: no such host

I think this should work, because to generate these artifacts locally we don't need to access the registry.

I have a simple change that I tested locally that I could submit as a PR if you folks think that this makes sense - please let me know. Thank you!
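The point raised in the issue, that a `repo@sha256:...` reference already carries everything the signed payload needs, shown as an added example (not code from the issue or from cosign). It uses only the Go standard library and follows cosign's documented simple-signing payload layout; `Payload`, `NewKey`, `Sign` and `Verify` are hypothetical names, and the throwaway key stands in for the Fulcio-certified ephemeral key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// Payload builds the simple-signing JSON from the repo@sha256:... string alone.
func Payload(ref string) ([]byte, error) {
	repo, digest, ok := strings.Cut(ref, "@")
	if !ok || repo == "" || !digestRe.MatchString(digest) {
		return nil, fmt.Errorf("%q: need repo@sha256:<digest>; a tag cannot be resolved offline", ref)
	}
	type m = map[string]any
	return json.Marshal(m{"optional": nil, "critical": m{"identity": m{"docker-reference": repo},
		"image": m{"docker-manifest-digest": digest}, "type": "cosign container image signature"}})
}

// NewKey makes a throwaway P-256 key (assumption: stands in for the real signing key).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign and Verify use ECDSA over SHA-256(payload); signatures are base64 ASN.1.
func Sign(key *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

func Verify(pub *ecdsa.PublicKey, payload []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	h := sha256.Sum256(payload)
	return err == nil && ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	key, _ := NewKey()
	p, err := Payload("foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2") // reference from the issue
	if sig, serr := Sign(key, p); err == nil && serr == nil {
		fmt.Printf("%s\n%s\nverifies=%v\n", p, sig, Verify(&key.PublicKey, p, sig))
	}
}
```

A tag-only reference is rejected because mapping a tag to a digest is the one step that does require the registry.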

Labels: enhancement (New feature or request)
