slsa-framework / slsa-verifier

Verify provenance from SLSA compliant builders
Apache License 2.0

Support off-line mode for air-gapped environments #766

Open pjbgf opened 2 months ago

pjbgf commented 2 months ago

An off-line mode would enable the use of slsa-verifier in air-gapped environments, which are isolated from any network connection for security reasons.

Cosign already supports this, so I am assuming this would be possible by leaning on the same bundle file they use. The SLSA builders would also need to support this, as they would generate the bundle as part of the build process and upload it to the release, which would later be consumed by slsa-verifier.

laurentsimon commented 2 months ago

@ramonpetgrave64

That should be doable. We do use the bundle. So we need to not query rekor and it should work. Then we can add a flag --rekor-offline or something along these lines.

ianlewis commented 1 month ago

For sigstore signed provenance I would have thought that we would also need to point it at a local copy of the TUF root as well? But cosign seems to be able to verify without that, so maybe not?

pjbgf commented 1 month ago

@ianlewis I believe you are right, in order to get this to work I had to do a cosign initialize pointing to a TUF root repository or it would try to reach out to the internet for it.

Which meant that for the offline checks to work as per the description you needed a) somewhere in the air-gapped environment that repository had to be available, or b) the cosign container image (or environment) was already initialized.

ianlewis commented 1 month ago

@pjbgf Ok yeah, that makes more sense.

laurentsimon commented 3 weeks ago

@haydentherapper this came up I think before

haydentherapper commented 3 weeks ago

TUF and airgapped environments don't work together, and there really is no solution that doesn't involve deviating from the TUF specification. The Sigstore TUF client has no mechanism for an airgapped environment; the best we can do is cache until the timestamp expires, which would force an online update.

I would recommend providing an API that allows a user to specify a trust root bundle which will be provided to the Sigstore verifier (Note this is assuming the use of sigstore-go, not Cosign). Then an online client can follow the TUF specification to maintain an up-to-date copy of trusted_root.json from Sigstore's TUF repo, and provide that root to the airgapped environment via whatever mechanism works for your environment.

You can see an example of this UX in https://github.com/sigstore/sigstore-python?tab=readme-ov-file#configuring-a-custom-root-of-trust-byo-pki.
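As an added illustration (not slsa-verifier's or sigstore-go's own code) of what a verifier does with a user-supplied trusted_root.json: parse it offline and pick the CA whose validity window covers the signing time (the leaf certificate's NotBefore or the log's integrated time), failing closed when the copied root predates a key rotation. The sample root and the fulcio.example URIs are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"time"
)

// Subset of Sigstore's trusted_root.json (protobuf-specs TrustedRoot as JSON).
// Each CA (and likewise each log key) carries a validFor window; end is absent
// while the key is current.
type timeRange struct {
	Start time.Time  `json:"start"`
	End   *time.Time `json:"end"`
}

type trustedRoot struct {
	CertificateAuthorities []struct {
		URI      string    `json:"uri"`
		ValidFor timeRange `json:"validFor"`
	} `json:"certificateAuthorities"`
}

func (r timeRange) covers(t time.Time) bool {
	return !t.Before(r.Start) && (r.End == nil || !t.After(*r.End))
}

// SelectSigningCA returns the URI of the CA that was valid at signing time t,
// using only the supplied root: no TUF refresh and no network access.
func SelectSigningCA(rootJSON []byte, t time.Time) (string, error) {
	var root trustedRoot
	if err := json.Unmarshal(rootJSON, &root); err != nil {
		return "", err
	}
	for _, ca := range root.CertificateAuthorities {
		if ca.ValidFor.covers(t) {
			return ca.URI, nil
		}
	}
	// A copied root never refreshes itself, so a miss here usually means the
	// file predates a key rotation rather than that the signature is bad.
	return "", errors.New("no CA valid at signing time; trusted root may be stale")
}

// sampleRoot is constructed for this example: one retired CA key, one current.
const sampleRoot = `{"certificateAuthorities":[
 {"uri":"https://fulcio.example/v1","validFor":{"start":"2021-01-01T00:00:00Z","end":"2022-12-31T00:00:00Z"}},
 {"uri":"https://fulcio.example/v2","validFor":{"start":"2023-01-01T00:00:00Z"}}]}`
```

The online side of the workflow keeps trusted_root.json current via TUF; the air-gapped side only has to ship the file and call something like SelectSigningCA before checking the certificate chain and the Rekor entry in the bundle.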