Skip to content

v2.22.0-1

Pre-release
Pre-release
Compare
Choose a tag to compare
@github-actions github-actions released this 25 Jan 15:13
· 360 commits to main since this release
v2.22.0-1
This tag was signed with the committer’s verified signature.
suzuki-shunsuke Shunsuke Suzuki
GPG key ID: 8C1396BBB3626865
Learn about vigilant mode.
b1cc466
This commit was signed with the committer’s verified signature.
suzuki-shunsuke Shunsuke Suzuki
GPG key ID: 8C1396BBB3626865
Learn about vigilant mode.

v2.21.3...v2.22.0-1

Features

#2631 #2633 #2634 Support disabling the verification with Cosign and slsa-verifier

Why is the feature needed?

Caution

This feature is for users who can't use Cosign and slsa-verifier.
Most users can use them, so most users don't need this feature.
aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

Cosign and sla-verifier access some endpoints such as oauth2.sigstore.dev and fulcio.sigstore.dev.
So to use them you need to allow the access to these endpoints.

But in some use cases you can't or don't want to do that.
For example, your company's network policy might not allow the access to these endpoints.

To resolve the issue, this issue proposes to support disabling the verification with Cosign and slsa-verifier.

How to use

You can use command line options -disable-cosign and -disable-slsa or environment variables AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA.

e.g.

aqua [-disable-cosign] [-disable-slsa] i
env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i
Assets 12
Loading