Currently, `cosign initialize` is the only way to update BYO TUF metadata. If the TUF metadata is out of date on verification/signing, then cosign will fetch the updated TUF metadata from the hosted GCS bucket.
One option would be to move `mirror` and `root` to global flags, so that these could be used with any `cosign` command. The TUF client would need to be refactored to look for these flags when updating TUF metadata.
#1288 improves UX for this issue, so that the flag values don't have to be passed with each invocation.
> then cosign will fetch the updated TUF metadata from the hosted GCS bucket.

This is because of the default fallback. It's kind of questionable whether we want to fall back gracefully or fail when your cache is expired or corrupt.
Adding support for this will also allow cosign to support BYO TUF with no disk writes (`SIGSTORE_NO_CACHE`), since the TUF client would use the mirror to fetch TUF metadata/targets, and then those would be persisted in-memory.
It'd also be nice if cosign kept the mirror URL that is passed on `cosign initialize` and tried to update from it when the local cache has expired.
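A sketch of the client behaviour the comments above ask for, written as an added example for this thread and not cosign's own code: the store remembers the mirror passed at initialize, keeps metadata in memory only (the `SIGSTORE_NO_CACHE` case), refreshes from that remembered mirror rather than a hard-coded default when the cached copy has expired, and fails closed when the refresh does not yield unexpired metadata. The `Mirror`, `MemoryStore` and `timestampMeta` names are hypothetical, and the served document is a constructed stand-in for TUF's timestamp role, not the real TUF schema.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// timestampMeta is a toy stand-in for TUF timestamp metadata: only the
// version and expiry matter for this illustration (constructed, not the TUF schema).
type timestampMeta struct {
	Version int       `json:"version"`
	Expires time.Time `json:"expires"`
}

// Mirror is a constructed in-process stand-in for a BYO TUF mirror; it serves
// whatever timestamp metadata it is currently set to and counts requests.
type Mirror struct {
	mu      sync.Mutex
	meta    timestampMeta
	fetches int
	Server  *httptest.Server
}

func NewMirror(meta timestampMeta) *Mirror {
	m := &Mirror{meta: meta}
	m.Server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/timestamp.json" {
			http.NotFound(w, r)
			return
		}
		m.mu.Lock()
		defer m.mu.Unlock()
		m.fetches++
		_ = json.NewEncoder(w).Encode(m.meta)
	}))
	return m
}

// Set publishes new metadata, as a mirror operator would after re-signing.
func (m *Mirror) Set(meta timestampMeta) { m.mu.Lock(); m.meta = meta; m.mu.Unlock() }

// FetchCount reports how many timestamp.json requests the mirror has served.
func (m *Mirror) FetchCount() int { m.mu.Lock(); defer m.mu.Unlock(); return m.fetches }

// MemoryStore holds TUF metadata in memory only (no disk writes) and remembers
// the mirror it was initialized from. Hypothetical; not cosign's TUF client.
type MemoryStore struct {
	mu     sync.Mutex
	mirror string
	ts     *timestampMeta
}

// Initialize records the mirror URL and performs the first fetch from it.
func (s *MemoryStore) Initialize(mirror string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.mirror = mirror
	return s.refreshLocked()
}

// refreshLocked fetches timestamp.json from the remembered mirror and rejects
// a version rollback. The caller must hold s.mu.
func (s *MemoryStore) refreshLocked() error {
	resp, err := http.Get(s.mirror + "/timestamp.json")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("mirror returned %s", resp.Status)
	}
	var ts timestampMeta
	if err := json.NewDecoder(resp.Body).Decode(&ts); err != nil {
		return err
	}
	if s.ts != nil && ts.Version < s.ts.Version {
		return errors.New("mirror served older metadata (rollback)")
	}
	s.ts = &ts
	return nil
}

// Current returns usable timestamp metadata at time now. A fresh cached copy is
// returned as-is; an expired one is refreshed from the remembered mirror, never
// from a default bucket, and the call fails closed if the refresh does not
// produce unexpired metadata.
func (s *MemoryStore) Current(now time.Time) (*timestampMeta, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.ts != nil && now.Before(s.ts.Expires) {
		return s.ts, nil
	}
	if s.mirror == "" {
		return nil, errors.New("no TUF mirror configured: run initialize first")
	}
	if err := s.refreshLocked(); err != nil {
		return nil, fmt.Errorf("refresh from %s failed: %w", s.mirror, err)
	}
	if !now.Before(s.ts.Expires) {
		return nil, errors.New("mirror served expired timestamp metadata; refusing to proceed")
	}
	return s.ts, nil
}

func main() {
	now := time.Now()
	mirror := NewMirror(timestampMeta{Version: 1, Expires: now.Add(time.Hour)})
	defer mirror.Server.Close()
	var store MemoryStore
	if err := store.Initialize(mirror.Server.URL); err != nil {
		panic(err)
	}
	ts, _ := store.Current(now)
	fmt.Println("fresh cache, version:", ts.Version)
	_, err := store.Current(now.Add(2 * time.Hour))
	fmt.Println("expired and mirror unchanged:", err)
	mirror.Set(timestampMeta{Version: 2, Expires: now.Add(3 * time.Hour)})
	ts, _ = store.Current(now.Add(2 * time.Hour))
	fmt.Println("after mirror update, version:", ts.Version)
}
```

The design choice worth noting is the fail-closed branch in `Current`: when the remembered mirror cannot produce unexpired metadata, the store returns an error rather than silently using stale data or a different default source, which is the trade-off the comment above raises.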
cc @asraa