Add support for Insecure in cosign verifier

[souleb]

We cannot connect to insecure (plain http) registries with the cosign verifier because cosign does not propagate the insecure flag from their RegistryOptions to the name.Registry scheme, so it stays on HTTPS (when the host is not localhost).

This needs to be adressed on cosign first, see sigstore/cosign#2290.

[developer-guy]

I'd like to take this on cosign side. ☝️

[developer-guy]

Hi @souleb, the PR¹ on cosign side seems to be merged; what will be the next step ☝️

Footnotes

1. https://github.com/sigstore/cosign/pull/2316 ↩

[stefanprodan]

We need to wait for this to be included in a cosign release, then test if it really works and remove the condition where we error out when verifying with insecure.

[souleb]

To complete @stefanprodan comment, we error out here https://github.com/fluxcd/source-controller/blob/main/controllers/ocirepository_controller.go#L405.

Then it's just a matter of passing the insecure option when creating the verifier options.

[developer-guy]

kindly ping @souleb @stefanprodan ☝️

[souleb]

I think this still has not been released. I seems to be targeting v1.14.0 in cosign.

[souleb]

I think this still has not been released. I seems to be targeting v1.14.0 in cosign.

This is now merged.

[developer-guy]

kindly ping, I can take care of this one, I think, it will be resolved once we upgrade cosign dep on Flux side.

[souleb]

@developer-guy I think there is an opportunity to add this to #1103

[stefanprodan]

Now that we've updated Cosign to 2.1 we can map Cosign's AllowHTTP to our insecure flag.