
cosign: fix v3 bundle verify on http and private CA registries + pass TLS to Rekor #2061

Merged
stefanprodan merged 4 commits into main from sigstore-transport on Jun 4, 2026

Conversation

@stealthybox

Member

Follow-up to #2003.

Fixes:

  • v3 bundle discovery fails on HTTP registries with non-loopback hostnames
    (GetBundles creates internal refs without copying name.Insecure from the original ref)
  • Rekor client ignores certSecretRef CA (uses system trust store only)
  • Deepcopy not regenerated for TrustedRootSecretRef field

Changes:

  • Add WithInsecure and WithTLSConfig options to the cosign verifier
  • Wire both from OCIRepository controller (spec.insecure + transport TLS)
  • Wire both from HelmChart controller (clientOpts.Insecure + clientOpts.TLSConfig)
  • Regenerate deepcopy

Unit test covers the insecure bundle discovery fix using a fake
non-loopback hostname.
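As an added illustration of the first fix (example code, not from this PR or the project it targets), a standard-library Go model of how go-containerregistry's name.Insecure decides the registry scheme, and of why a derived bundle ref that does not copy the flag falls back to https. The Reference type, isLoopback, bundleRef and the registry names are constructed for this example; it also shows why the unit test needs a non-loopback hostname.

```go
package main

import (
	"fmt"
	"net"
)

// Reference is a constructed stand-in for go-containerregistry's name.Reference;
// Insecure mirrors the name.Insecure option.
type Reference struct {
	Registry, Repository, Identifier string // host[:port], path, tag or digest
	Insecure                         bool
}

// go-containerregistry already speaks http to localhost/loopback registries,
// which is why the bug only shows up with a non-loopback hostname.
func isLoopback(registry string) bool {
	host := registry
	if h, _, err := net.SplitHostPort(registry); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}

// Scheme is what the registry client will use for this reference.
func (r Reference) Scheme() string {
	if r.Insecure || isLoopback(r.Registry) {
		return "http"
	}
	return "https"
}

// bundleRefDroppingInsecure derives the digest ref used for v3 bundle discovery
// the way the bug on this page does: Insecure is not copied and resets to false.
func bundleRefDroppingInsecure(orig Reference, digest string) Reference {
	return Reference{Registry: orig.Registry, Repository: orig.Repository, Identifier: digest}
}

// bundleRef is the fixed derivation: the caller's Insecure flag is carried over.
func bundleRef(orig Reference, digest string) Reference {
	r := bundleRefDroppingInsecure(orig, digest)
	r.Insecure = orig.Insecure
	return r
}

func main() {
	orig := Reference{Registry: "registry.internal:5000", Repository: "team/app", Identifier: "v1", Insecure: true}
	fmt.Println(bundleRefDroppingInsecure(orig, "sha256:0").Scheme(), bundleRef(orig, "sha256:0").Scheme())
}
```

Against a localhost registry both derivations yield http, so a test that only uses loopback hostnames cannot catch the regression.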

Signed-off-by: leigh capili <leigh@null.net>
WithInsecure passes name.Insecure to GetBundles/VerifyImageAttestations
for v3 bundle discovery on HTTP registries. Follows the same pattern as
notation's WithInsecureRegistry.

WithTLSConfig passes a *tls.Config to the Rekor client, supporting
private CAs from certSecretRef. Replaces the cosign CLI rekor wrapper
with a direct rekor.GetRekorClient call to thread the option through.

Includes a test using a fake non-loopback hostname to verify the
insecure option is required for bundle discovery on HTTP registries.

Signed-off-by: leigh capili <leigh@null.net>
Pass obj.Spec.Insecure and transport.TLSClientConfig to the cosign
verifier so v3 bundle discovery and Rekor connections use the same
transport settings as the registry.

Signed-off-by: leigh capili <leigh@null.net>
…hart OCI

Pass clientOpts.TLSConfig and clientOpts.Insecure to the cosign
verifier in makeVerifiers so that HelmChart verification of OCI-sourced
charts works against registries behind private CAs and on HTTP.

Signed-off-by: leigh capili <leigh@null.net>
@stealthybox stealthybox force-pushed the sigstore-transport branch from b00f7ba to 34c7c9c on June 4, 2026 08:00

@matheuscscp matheuscscp left a comment

Member


LGTM

@stealthybox stealthybox marked this pull request as ready for review June 4, 2026 08:26
@stefanprodan stefanprodan added the area/oci OCI related issues and pull requests label Jun 4, 2026

@stefanprodan stefanprodan left a comment

Member


LGTM

Thanks @stealthybox

@stefanprodan stefanprodan merged commit 867bc3a into main Jun 4, 2026
7 checks passed
@stefanprodan stefanprodan deleted the sigstore-transport branch June 4, 2026 08:37