github aquaproj/aqua v2.22.0

8 months ago

Pull Requests | Issues | v2.21.3...v2.22.0

Features

#2631 #2633 #2634 Support disabling the verification with Cosign and SLSA Provenance

You can disable the verification with Cosign and SLSA Provenance if you can't use them.

Why is the feature needed?

Caution

This feature is for users who can't use Cosign and slsa-verifier.
Most users can use them, so most users don't need this feature.
aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

Cosign and slsa-verifier access some endpoints such as oauth2.sigstore.dev and fulcio.sigstore.dev.
So to use them, you need to allow access to these endpoints.

But in some use cases you can't or don't want to do that.
For example, your company's network policy might not allow access to these endpoints.

To resolve the issue, this issue proposes to support disabling the verification with Cosign and slsa-verifier.

How to use

You can use command line options -disable-cosign and -disable-slsa or environment variables AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA.

e.g.

aqua [-disable-cosign] [-disable-slsa] i
env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i
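
Because either switch removes a supply-chain check, a pipeline can refuse to run aqua with verification turned off unless that has been explicitly approved. The following guard is an added example, not code from the aqua project; the variable ALLOW_UNVERIFIED_AQUA, the function names, the list of "false" values and the double-dash flag spelling are assumptions made for illustration.

```shell
# Added example, not part of aqua. Detects whether the environment or the
# arguments about to be passed to aqua would disable Cosign / SLSA checks.

# Assumption: aqua's exact parsing of the variables is not stated on the
# page, so any value other than empty/0/f/false/no/off is conservatively
# treated as "verification disabled".
is_truthy() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    ''|0|f|false|no|off) return 1 ;;
    *) return 0 ;;
  esac
}

# Usage: aqua_disabled_verifiers [aqua args...]
# Prints "cosign" and/or "slsa", one per line; prints nothing if both stay on.
aqua_disabled_verifiers() {
  cosign=0
  slsa=0
  if is_truthy "${AQUA_DISABLE_COSIGN:-}"; then cosign=1; fi
  if is_truthy "${AQUA_DISABLE_SLSA:-}"; then slsa=1; fi
  for arg in "$@"; do
    case "$arg" in
      # Single-dash form is the one shown above; double-dash is assumed.
      -disable-cosign|--disable-cosign) cosign=1 ;;
      -disable-slsa|--disable-slsa) slsa=1 ;;
    esac
  done
  [ "$cosign" -eq 1 ] && echo cosign
  [ "$slsa" -eq 1 ] && echo slsa
  return 0
}

# CI gate: fail unless disabling verification was explicitly approved.
# ALLOW_UNVERIFIED_AQUA is a hypothetical opt-in variable for this example.
aqua_verification_gate() {
  disabled=$(aqua_disabled_verifiers "$@")
  if [ -n "$disabled" ] && [ "${ALLOW_UNVERIFIED_AQUA:-}" != "1" ]; then
    echo "aqua verification disabled: $(echo $disabled)" >&2
    return 1
  fi
  return 0
}
```

Source the file in a CI step and call `aqua_verification_gate` with the same arguments the job passes to aqua, before running aqua itself.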

Update dependencies

  • Go 1.21.5 to 1.21.6
  • goreleaser v1.22.1 to v1.23.0
  • go.mod
