Features
#2631 #2633 #2634 Support disabling the verification with Cosign and slsa-verifier
Why is the feature needed?
Caution
This feature is for users who can't use Cosign and slsa-verifier.
Most users can use them, so most users don't need this feature.
aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.
Cosign and sla-verifier access some endpoints such as oauth2.sigstore.dev
and fulcio.sigstore.dev
.
So to use them you need to allow the access to these endpoints.
But in some use cases you can't or don't want to do that.
For example, your company's network policy might not allow the access to these endpoints.
To resolve the issue, this issue proposes to support disabling the verification with Cosign and slsa-verifier.
How to use
You can use command line options -disable-cosign
and -disable-slsa
or environment variables AQUA_DISABLE_COSIGN
and AQUA_DISABLE_SLSA
.
e.g.
aqua [-disable-cosign] [-disable-slsa] i
env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i