-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Insecure in cosign verifier #918
Comments
I'd like to take this on cosign side. ☝️ |
We need to wait for this to be included in a cosign release, then test if it really works and remove the condition where we error out when verifying with insecure. |
To complete @stefanprodan comment, we error out here https://github.com/fluxcd/source-controller/blob/main/controllers/ocirepository_controller.go#L405. Then it's just a matter of passing the |
kindly ping @souleb @stefanprodan ☝️ |
I think this still has not been released. I seems to be targeting v1.14.0 in cosign. |
This is now merged. |
kindly ping, I can take care of this one, I think, it will be resolved once we upgrade cosign dep on Flux side. |
@developer-guy I think there is an opportunity to add this to #1103 |
Now that we've updated Cosign to 2.1 we can map Cosign's AllowHTTP to our insecure flag. |
We cannot connect to insecure (plain http) registries with the cosign verifier because cosign does not propagate the insecure flag from their
RegistryOptions
to thename.Registry
scheme, so it stays on HTTPS (when the host is not localhost).This needs to be adressed on cosign first, see sigstore/cosign#2290.
The text was updated successfully, but these errors were encountered: