
cosign: fix v3 bundle verify on http and private CA registries + pass TLS to Rekor #2061

Draft

stealthybox wants to merge 5 commits into main from sigstore-transport

Conversation

@stealthybox (Member)

Follow-up to #2003.

Fixes:

  • v3 bundle discovery fails on HTTP registries with non-loopback hostnames
    (GetBundles creates internal refs without copying name.Insecure from the original ref)
  • Rekor client ignores certSecretRef CA (uses system trust store only)
  • Deepcopy not regenerated for TrustedRootSecretRef field

Changes:

  • Add WithInsecure and WithTLSConfig options to the cosign verifier
  • Wire both from OCIRepository controller (spec.insecure + transport TLS)
  • Wire both from HelmChart controller (clientOpts.Insecure + clientOpts.TLSConfig)
  • Regenerate deepcopy

Unit test covers the insecure bundle discovery fix using a fake
non-loopback hostname.

Pierre-Gilles Mialon and others added 2 commits April 1, 2026 19:06
Enable signature verification of OCI artifacts against self-hosted
Sigstore infrastructure (custom Fulcio CA, self-hosted Rekor instance)
by introducing a trustedRootSecretRef field on the verify spec.

When set, the controller reads a trusted_root.json from the referenced
Secret, extracts the Rekor URL from the transparency log entries, and
creates a verifier using the custom trusted material instead of the
public Sigstore TUF root.

Signed-off-by: Pierre-Gilles Mialon <pierre-gilles.mialon@qube-rt.com>
Signed-off-by: leigh capili <leigh@null.net>
@stealthybox stealthybox force-pushed the sigstore-transport branch from 295b592 to 211fb0a Compare May 26, 2026 06:38
@stefanprodan stefanprodan marked this pull request as draft May 26, 2026 10:26
WithInsecure passes name.Insecure to GetBundles/VerifyImageAttestations
for v3 bundle discovery on HTTP registries. Follows the same pattern as
notation's WithInsecureRegistry.

WithTLSConfig passes a *tls.Config to the Rekor client, supporting
private CAs from certSecretRef. Replaces the cosign CLI rekor wrapper
with a direct rekor.GetRekorClient call to thread the option through.

Includes a test using a fake non-loopback hostname to verify the
insecure option is required for bundle discovery on HTTP registries.

Signed-off-by: leigh capili <leigh@null.net>
Pass obj.Spec.Insecure and transport.TLSClientConfig to the cosign
verifier so v3 bundle discovery and Rekor connections use the same
transport settings as the registry.

Signed-off-by: leigh capili <leigh@null.net>
…hart OCI

Pass clientOpts.TLSConfig and clientOpts.Insecure to the cosign
verifier in makeVerifiers so that HelmChart verification of OCI-sourced
charts works against registries behind private CAs and on HTTP.

Signed-off-by: leigh capili <leigh@null.net>
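As an added illustration (not the project's code and not cosign's), the Go sketch below models the two bugs listed in the PR description and the option wiring the commits above describe. Ref, Verifier, bundleRefBuggy and bundleRefFixed are throwaway stand-ins for the real types; scheme() is a simplified reimplementation, assumed rather than copied from go-containerregistry, of the rule that loopback hosts default to HTTP while every other host needs the insecure flag, which is why the PR's unit test has to use a non-loopback hostname; registry.internal:5000 and the tag names are constructed samples.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
)

// Ref is an illustrative stand-in for an OCI reference; Insecure plays the
// role of go-containerregistry's name.Insecure option.
type Ref struct {
	Registry string // host[:port]
	Repo     string
	Tag      string
	Insecure bool
}

// scheme is a simplified reimplementation (an assumption, not the library's code):
// loopback hosts default to plain HTTP, any other host is HTTPS unless Insecure is set.
func (r Ref) scheme() string {
	if r.Insecure {
		return "http"
	}
	host := r.Registry
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	if ip := net.ParseIP(host); host == "localhost" || (ip != nil && ip.IsLoopback()) {
		return "http"
	}
	return "https"
}

func (r Ref) URL() string {
	return fmt.Sprintf("%s://%s/v2/%s/manifests/%s", r.scheme(), r.Registry, r.Repo, r.Tag)
}

// bundleRefBuggy rebuilds a sibling reference (a bundle under another tag of the same
// repo) from the parsed parts only, dropping Insecure: discovery then goes out as HTTPS.
func bundleRefBuggy(img Ref, bundleTag string) Ref {
	return Ref{Registry: img.Registry, Repo: img.Repo, Tag: bundleTag}
}

// bundleRefFixed carries the flag through so discovery matches the image pull.
func bundleRefFixed(img Ref, bundleTag string) Ref {
	return Ref{Registry: img.Registry, Repo: img.Repo, Tag: bundleTag, Insecure: img.Insecure}
}

// Verifier takes functional options shaped like the PR's WithInsecure/WithTLSConfig.
type Verifier struct {
	insecure bool
	rekor    *http.Client
}

type Option func(*Verifier)

func WithInsecure(insecure bool) Option {
	return func(v *Verifier) { v.insecure = insecure }
}

// WithTLSConfig gives the Rekor client its own TLS config, so a private CA
// (e.g. loaded from certSecretRef) is trusted instead of only the system roots.
func WithTLSConfig(cfg *tls.Config) Option {
	return func(v *Verifier) {
		v.rekor = &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	}
}

func NewVerifier(opts ...Option) *Verifier {
	v := &Verifier{rekor: http.DefaultClient}
	for _, o := range opts {
		o(v)
	}
	return v
}

// BundleURL is the URL bundle discovery hits for img under this verifier.
func (v *Verifier) BundleURL(img Ref, bundleTag string) string {
	img.Insecure = img.Insecure || v.insecure
	return bundleRefFixed(img, bundleTag).URL()
}

// RekorTLS is the TLS config the Rekor client uses; nil means system roots only.
func (v *Verifier) RekorTLS() *tls.Config {
	if t, ok := v.rekor.Transport.(*http.Transport); ok {
		return t.TLSClientConfig
	}
	return nil
}

func main() {
	// Constructed sample: a private HTTP registry on a non-loopback host.
	img := Ref{Registry: "registry.internal:5000", Repo: "team/app", Tag: "v1", Insecure: true}
	fmt.Println("buggy discovery:", bundleRefBuggy(img, "v1.bundle").URL())
	fmt.Println("fixed discovery:", bundleRefFixed(img, "v1.bundle").URL())
	v := NewVerifier(WithInsecure(true), WithTLSConfig(&tls.Config{RootCAs: x509.NewCertPool()}))
	fmt.Println("rekor client has private roots:", v.RekorTLS().RootCAs != nil)
}
```

Running it prints an https:// discovery URL for the buggy derivation and http:// for the fixed one; swap the host for 127.0.0.1:5000 and both come out http://, which is why a loopback-only test would never have caught the bug. The Rekor half only demonstrates that the *tls.Config reaches the client's transport; whether the CA in it is the right one is a separate check.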
@stealthybox stealthybox force-pushed the sigstore-transport branch from 211fb0a to ffa18cc Compare May 26, 2026 16:04