Verify images from tar file or local podman cache

[muzammil786]

Currently cosign verify images from remote registries. We work in airgapped network where internet connection or connection to registry is not possible. The images are uploaded to system via tarball and loaded to locally via docker|podman load -i command.

Request to add a feature to verify the image from tar file or available locally in cache. Understand that there are many different container managers and formats but we can fix it only for OCI format images and to docker/podman/containerd managers, the ones which are most popular in the community.

[znewman01]

This is not quite the same as #2255 so I'm going to rename

[znewman01]

I think the workaround right now would be to spin up that podman service that imitates a docker daemon.

cosign verify is a little difficult in this scenario because you'd need to get the signatures in somehow.

[muzammil786]

You mean podman API service and load image to cache? How does it work?

[znewman01]

I meant the Docker compatibility mode. But on second thought that still doesn't work. You need a full registry for the workaround at the moment ☹️

[muzammil786]

Hence my feature request please 🙂

[mattdibi]

Hello there! Resuming this discussion since I have a problem similar to @muzammil786...

cosign verify is a little difficult in this scenario because you'd need to get the signatures in somehow.

Wouldn't the cosign download signature command work in this scenario? Can, the output of that command, be used with the --payload/--signature option of the verify command?

I'm asking because I tried and things are not quite working as expected. @znewman01 am I missing something?