Feature Overview
Support disabling the verification with Cosign and slsa-verifier.
Why is the feature needed?
Original discussion: https://github.com/orgs/aquaproj/discussions/2631
Cosign and slsa-verifier access some endpoints such as oauth2.sigstore.dev and fulcio.sigstore.dev.
So to use them you need to allow access to these endpoints.
But in some use cases you can't or don't want to do that.
For example, your company's network policy might not allow access to these endpoints.
To resolve this, this issue proposes to support disabling the verification with Cosign and slsa-verifier.
Workaround
There is no workaround.
Example Code
Add command line options, e.g.
aqua [-disable-cosign] [-disable-slsa] i
Add environment variables, e.g.
env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i
Note
This feature isn't good in terms of security,
but I don't think disabling the verification with Cosign and slsa-verifier causes security threats immediately.
And most packages don't support Cosign and slsa-verifier, so the effect is limited.
I don't want to require users to allow access to those endpoints.
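Added example, not aqua's own code: a Go sketch of how the proposed -disable-cosign/-disable-slsa flags and the AQUA_DISABLE_COSIGN/AQUA_DISABLE_SLSA variables could be resolved, rejecting malformed values instead of ignoring them and reporting which declared checks a policy skips so an unverified install shows up in the install log. The function names and the injectable lookup parameter are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
)

// VerifyPolicy records which signature checks an install would skip.
type VerifyPolicy struct {
	DisableCosign bool
	DisableSLSA   bool
}

// envBool: unset/empty is false; "true", "1", "t" are true; anything else errors.
func envBool(lookup func(string) (string, bool), name string) (bool, error) {
	v, ok := lookup(name)
	if !ok || v == "" {
		return false, nil
	}
	b, err := strconv.ParseBool(v)
	if err != nil {
		return false, fmt.Errorf("%s=%q is not a boolean", name, v)
	}
	return b, nil
}

// ResolvePolicy merges CLI flags with the AQUA_DISABLE_* variables (either may disable).
// lookup is normally os.LookupEnv; it is a parameter so the logic can be tested offline.
func ResolvePolicy(flagCosign, flagSLSA bool, lookup func(string) (string, bool)) (VerifyPolicy, error) {
	envCosign, err := envBool(lookup, "AQUA_DISABLE_COSIGN")
	if err != nil {
		return VerifyPolicy{}, err
	}
	envSLSA, err := envBool(lookup, "AQUA_DISABLE_SLSA")
	if err != nil {
		return VerifyPolicy{}, err
	}
	return VerifyPolicy{DisableCosign: flagCosign || envCosign, DisableSLSA: flagSLSA || envSLSA}, nil
}

// SkippedChecks lists the checks a package declares that this policy would skip,
// so the reduced assurance can be logged rather than passing silently.
func SkippedChecks(p VerifyPolicy, hasCosign, hasSLSA bool) []string {
	var skipped []string
	if hasCosign && p.DisableCosign {
		skipped = append(skipped, "cosign")
	}
	if hasSLSA && p.DisableSLSA {
		skipped = append(skipped, "slsa-verifier")
	}
	return skipped
}
```

A package that declares neither check yields an empty list, matching the note above that the effect is limited to packages which actually ship Cosign or SLSA verification.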
To disable the verification when you install aqua with aqua-installer, please use aqua-installer v2.3.0 or newer and set the environment variables AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA.