Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for Insecure in cosign verifier #918

Closed
souleb opened this issue Sep 28, 2022 · 10 comments · Fixed by #1176
Closed

Add support for Insecure in cosign verifier #918

souleb opened this issue Sep 28, 2022 · 10 comments · Fixed by #1176
Labels
area/oci OCI related issues and pull requests enhancement New feature or request help wanted Extra attention is needed

Comments

@souleb
Copy link
Member

souleb commented Sep 28, 2022

We cannot connect to insecure (plain http) registries with the cosign verifier because cosign does not propagate the insecure flag from their RegistryOptions to the name.Registry scheme, so it stays on HTTPS (when the host is not localhost).

This needs to be adressed on cosign first, see sigstore/cosign#2290.

@souleb souleb added enhancement New feature or request area/oci OCI related issues and pull requests labels Sep 28, 2022
@developer-guy
Copy link
Member

I'd like to take this on cosign side. ☝️

@souleb souleb added this to the GA milestone Oct 6, 2022
@developer-guy
Copy link
Member

Hi @souleb, the PR1 on cosign side seems to be merged; what will be the next step ☝️

Footnotes

  1. https://github.com/sigstore/cosign/pull/2316

@stefanprodan
Copy link
Member

We need to wait for this to be included in a cosign release, then test if it really works and remove the condition where we error out when verifying with insecure.

@pjbgf pjbgf moved this to In Progress in Maintainers' Focus Oct 24, 2022
@souleb
Copy link
Member Author

souleb commented Oct 24, 2022

To complete @stefanprodan comment, we error out here https://github.com/fluxcd/source-controller/blob/main/controllers/ocirepository_controller.go#L405.

Then it's just a matter of passing the insecure option when creating the verifier options.

@developer-guy
Copy link
Member

kindly ping @souleb @stefanprodan ☝️

@souleb
Copy link
Member Author

souleb commented Dec 11, 2022

I think this still has not been released. I seems to be targeting v1.14.0 in cosign.

@souleb
Copy link
Member Author

souleb commented Feb 19, 2023

I think this still has not been released. I seems to be targeting v1.14.0 in cosign.

This is now merged.

@souleb souleb added the help wanted Extra attention is needed label Mar 14, 2023
@developer-guy
Copy link
Member

kindly ping, I can take care of this one, I think, it will be resolved once we upgrade cosign dep on Flux side.

@souleb
Copy link
Member Author

souleb commented May 22, 2023

@developer-guy I think there is an opportunity to add this to #1103

@stefanprodan stefanprodan removed this from the GA milestone Jun 27, 2023
@stefanprodan
Copy link
Member

Now that we've updated Cosign to 2.1 we can map Cosign's AllowHTTP to our insecure flag.

@github-project-automation github-project-automation bot moved this from In Progress to Since Last Dev Meeting in Maintainers' Focus Jul 31, 2023
@souleb souleb moved this from Since Last Dev Meeting to Done in Maintainers' Focus Feb 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/oci OCI related issues and pull requests enhancement New feature or request help wanted Extra attention is needed
Projects
Status: Done
Development

Successfully merging a pull request may close this issue.

3 participants