Skip to content

feat(cosign): allow configurable sign/verify args via env vars#806

Open
jtsylve wants to merge 1 commit into
blue-build:mainfrom
jtsylve:cosign-configurable-sign-verify-args
Open

feat(cosign): allow configurable sign/verify args via env vars#806
jtsylve wants to merge 1 commit into
blue-build:mainfrom
jtsylve:cosign-configurable-sign-verify-args

Conversation

@jtsylve

@jtsylve jtsylve commented Jun 30, 2026

Copy link
Copy Markdown

The cosign signing driver builds fixed cosign sign / cosign verify commands with no way to pass extra flags. cosign defaults --tlog-upload=true on sign (publishing image digests to the public Rekor log and requiring internet) and, symmetrically, cosign verify requires a tlog entry by default — so an image signed offline cannot be verified by the build's own sign-and-verify step.

Change

Add two opt-in env vars whose whitespace-separated tokens are appended to the respective command:

  • BB_COSIGN_SIGN_ARGS → appended to cosign sign
  • BB_COSIGN_VERIFY_ARGS → appended to cosign verify

Both are unset by default, so there is no behavior change for existing users. For a private/offline registry:

BB_COSIGN_SIGN_ARGS="--tlog-upload=false"
BB_COSIGN_VERIFY_ARGS="--insecure-ignore-tlog=true"

Notes

  • Env-var names are declared in utils/src/constants.rs per the existing convention and documented with rustdoc.
  • Token splitting is factored into a small split_extra_args helper with a unit test (whitespace-only → no args, single flag, multiple flags). Shell quoting is intentionally not supported; each flag must be a single whitespace-free token.
  • cargo fmt --check, cargo clippy, and the new unit test pass.

The cosign signing driver builds fixed `cosign sign` and `cosign verify`
commands with no way to pass additional cosign flags. cosign defaults
`--tlog-upload=true` on sign (publishing image digests to the public Rekor
log and requiring internet) and, symmetrically, `cosign verify` requires a
tlog entry by default — so an image signed offline cannot be verified by the
build's own sign-and-verify step.

Add two opt-in env vars whose whitespace-separated tokens are appended:
  BB_COSIGN_SIGN_ARGS    -> appended to `cosign sign`
  BB_COSIGN_VERIFY_ARGS  -> appended to `cosign verify`

Both are unset by default, so there is no behavior change for existing
users. For a private/offline registry, set:
  BB_COSIGN_SIGN_ARGS="--tlog-upload=false"
  BB_COSIGN_VERIFY_ARGS="--insecure-ignore-tlog=true"

Signed-off-by: Joe Sylve <joe.sylve@gmail.com>
@jtsylve jtsylve requested a review from gmpinder as a code owner June 30, 2026 17:49

@gmpinder gmpinder left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like this is something that should be an argument to the CLI itself, especially if we want this to also work with the sigstore driver too as the cosign driver isn't the only thing that is used for signing and verification. As a matter of fact, the cosign driver will be removed at a later point in favor of the native rust code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants