Cosign 3.0.2 continues trying to reach out to TUF CDN even with local key, Nexus-only access

[oarifbulut]

Cosign v3.0.2
Signing --> Local key pair (cosign.key, cosign.pub)
Registry --> Sonatype Nexus
Build Agent --> Only has access to Nexus, no Internet egress
Goal --> Sign + verify an image through Nexus only, without contacting TUF, Rekor, CTLog, Fulcio

Hello team,
I would like to clarify the correct approach for a fully private signing and verification workflow using Cosign v3.0.2, where only a Nexus Registry is reachable and no network access to Sigstore TUF services is allowed.

here how I could sign the image

cosign sign --key cosign.key --tlog-upload=false --use-signing-config=false IMAGE

how I couldn't verify it

COSIGN_EXPERIMENTAL=0 cosign verify --key cosign.pub --insecure-ignore-tlog=true --insecure-ignore-sct=true --use-signing-config=false

OR

cosign verify --key cosign.pub --offline=true --new-bundle-format=false --trusted-root .../trusted_root.json --local-image /path/to/dir

[oarifbulut]

Is there anybody who has this info? +++

[oarifbulut]

@haydentherapper Hello, do you have any idea on this? This would be highly apprecited if I could get any answer. I got stucked in something and need to overcome. :(

[haydentherapper]

@oarifbulut Could you confirm when you're seeing the outbound network requests, on signing and/or verification? We shouldn't be fetching TUF metadata on signing when you provide a key and specify --use-signing-config=false (code).

If it is on verification, I think I've found the issue in SetTrustedMaterial. We check if you provide any service trust roots, and if not, fetch trust root material from TUF. In your case, you only need a key to verify, so you provide no service roots and therefore we make a call to TUF.

[oarifbulut]

Hello @haydentherapper, Yes I can confirm that this is in the verification stage. So what course of action would you recommend in this situation? If there is a way to go around this, please let me know. Since it is a closed system with no external internet access, I need to sign and verify the images..
I would be grateful for any assistance.