sigstore · haydentherapper · Nov 17, 2023 · Nov 17, 2023
diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go
@@ -28,7 +28,8 @@ type CommonVerifyOptions struct {
 	MaxWorkers       int
 	// This is added to CommonVerifyOptions to provide a path to support
 	// it for other verify options.
-	ExperimentalOCI11 bool
+	ExperimentalOCI11     bool
+	PrivateInfrastructure bool
 }
 
 func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
@@ -43,6 +44,9 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
 		"ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts "+
 			"cannot be publicly verified when not included in a log")
 
+	cmd.Flags().BoolVar(&o.PrivateInfrastructure, "private-infrastructure", false,
+		"skip transparency log verification when verifying artifacts in a privately deployed infrastructure")
+
 	cmd.Flags().BoolVar(&o.ExperimentalOCI11, "experimental-oci11", false,
 		"set to true to enable experimental OCI 1.1 behaviour")
 

diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -89,6 +89,10 @@ against the transparency log.`,
 		Args:             cobra.MinimumNArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.CommonVerifyOptions.PrivateInfrastructure {
+				o.CommonVerifyOptions.IgnoreTlog = true
+			}
+
 			annotations, err := o.AnnotationsMap()
 			if err != nil {
 				return err
@@ -140,7 +144,7 @@ against the transparency log.`,
 
 			ctx := cmd.Context()
 
-			if o.CommonVerifyOptions.IgnoreTlog {
+			if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
 				ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "signature"))
 			}
 
@@ -201,6 +205,10 @@ against the transparency log.`,
 		Args:             cobra.MinimumNArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.CommonVerifyOptions.PrivateInfrastructure {
+				o.CommonVerifyOptions.IgnoreTlog = true
+			}
+
 			v := &verify.VerifyAttestationCommand{
 				RegistryOptions:              o.Registry,
 				CheckClaims:                  o.CheckClaims,
@@ -235,7 +243,7 @@ against the transparency log.`,
 
 			ctx := cmd.Context()
 
-			if o.CommonVerifyOptions.IgnoreTlog {
+			if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
 				ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "attestation"))
 			}
 
@@ -298,6 +306,10 @@ The blob may be specified as a path to a file or - for stdin.`,
 		Args:             cobra.ExactArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.CommonVerifyOptions.PrivateInfrastructure {
+				o.CommonVerifyOptions.IgnoreTlog = true
+			}
+
 			ko := options.KeyOpts{
 				KeyRef:               o.Key,
 				Sk:                   o.SecurityKey.Use,
@@ -326,7 +338,7 @@ The blob may be specified as a path to a file or - for stdin.`,
 
 			ctx := cmd.Context()
 
-			if o.CommonVerifyOptions.IgnoreTlog {
+			if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
 				ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "blob"))
 			}
 
@@ -359,6 +371,10 @@ The blob may be specified as a path to a file.`,
 		Args:             cobra.MaximumNArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.CommonVerifyOptions.PrivateInfrastructure {
+				o.CommonVerifyOptions.IgnoreTlog = true
+			}
+
 			ko := options.KeyOpts{
 				KeyRef:               o.Key,
 				Sk:                   o.SecurityKey.Use,
@@ -397,7 +413,7 @@ The blob may be specified as a path to a file.`,
 
 			ctx := cmd.Context()
 
-			if o.CommonVerifyOptions.IgnoreTlog {
+			if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
 				ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "blob attestation"))
 			}
 

diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
diff --git a/doc/cosign_verify-blob-attestation.md b/doc/cosign_verify-blob-attestation.md
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md
diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md
diff --git a/test/e2e_signblob_tsa_mtls.sh b/test/e2e_signblob_tsa_mtls.sh
@@ -86,6 +86,11 @@ $COSIGN_CLI verify-blob --bundle cosign.bundle \
     --rfc3161-timestamp=timestamp.txt --timestamp-certificate-chain=$TIMESTAMP_CHAIN_FILE \
     --insecure-ignore-tlog=true --key import-cosign.pub $BLOB
 
+$COSIGN_CLI verify-blob --bundle cosign.bundle \
+    --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' \
+    --rfc3161-timestamp=timestamp.txt --timestamp-certificate-chain=$TIMESTAMP_CHAIN_FILE \
+    --private-infrastructure --key import-cosign.pub $BLOB
+
 # cleanup
 rm -fr blob.sig ca-key.pem cacert.pem cert.pem cosign.bundle import-cosign.key \
     import-cosign.pub key.pem timestamp.txt timestamp-chain.pem \

diff --git a/test/e2e_test_secrets.sh b/test/e2e_test_secrets.sh
@@ -165,6 +165,7 @@ cat /dev/urandom | head -n 10 | base64 > randomblob
 dgst=$(./cosign upload blob -f randomblob ${blobimg})
 ./cosign sign --key ${signing_key} --tlog-upload=false ${dgst}
 ./cosign verify --key ${verification_key} --insecure-ignore-tlog=true ${dgst} # For sanity
+./cosign verify --key ${verification_key} --private-infrastructure ${dgst}
 
 # clean up a bit
 crane delete $blobimg || true