Signature verification issue in ringfenced environments

[sl31pn1r]

Hi Everyone,

I'm facing with an issue on a ringfenced environment of ours.
Images are being signed with TektonChains and Cosign running on OpenShift clusters.
The image and the signature + attestation is being stored in Jfrog Artifactory, this part is working like a charm.

Our issue is around signature/attestation validation with cosign. A Tekton Cluster task is being created which is using the cosign.pub key to verify the signature and the attestation. With Cosign version 2.0.0 this is working without any issues.

Attestation verification:

./cosign verify-attestation --key cosign.pub --insecure-ignore-tlog=true jfrog.XXX.com/image-signing-test/XXX:microservice-36ccd523c08352da64efd6f358b965f3a160d685 --type slsaprovenance

Verification for jfrog.uk.XXX.com/image-signing-test/XXX:microservice-36ccd523c08352da64efd6f358b965f3a160d685 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

Image signature verification:

./cosign verify --key cosign.pub --insecure-ignore-tlog=true jfrog.XXX.com/image-signing-test/XXX:microservice-36ccd523c08352da64efd6f358b965f3a160d685 --offline
**Warning** Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.

Verification for jfrog.XXX.com/image-signing-test/XXX:microservice-36ccd523c08352da64efd6f358b965f3a160d685 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"jfrog.XXX.com/image-signing-test/XXX"},"image":{"docker-manifest-digest":"sha256:114918ad2cc4479eb0f644148d76394d1995b286941631efefb2455841a449a2"},"type":"cosign container image signature"},"optional":null}]

Cosign version:

[ cosign]$ ./cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.0.0
GitCommit:     d6b9001f8e6ed745fb845849d623274c897d55f2
GitTreeState:  clean
BuildDate:     2023-02-23T19:26:35Z
GoVersion:     go1.20.1
Compiler:      gc
Platform:      linux/amd64

With a newer cosign version I'm getting the following error message, until I run version 2.0.0 and that generated the tuf.db.

Error message:

./cosign-linux-amd64 verify --key cosign.pub --insecure-ignore-tlog=true jfrog.XXX.com/image-signing-test/XXX:microservice-36ccd523c08352da64efd6f358b965f3a160d685 --offline
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 3.root.json: Get "https://tuf-repo-cdn.sigstore.dev/3.root.json": EOF
remote status:{
        "mirror": "https://tuf-repo-cdn.sigstore.dev",
        "metadata": {}
}
main.go:74: error during command execution: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 3.root.json: Get "https://tuf-repo-cdn.sigstore.dev/3.root.json": EOF
remote status:{
        "mirror": "https://tuf-repo-cdn.sigstore.dev",
        "metadata": {}
}

Cosign version (latest as of today 2.1.1):

./cosign-linux-amd64 version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.1.1
GitCommit:     baf97ccb4926ed09c8f204b537dc0ee77b60d043
GitTreeState:  clean
BuildDate:     2023-06-27T06:57:11Z
GoVersion:     go1.20.5
Compiler:      gc
Platform:      linux/amd64

Does anybody know how to prevent newer versions trying to access this remote location?
Any suggestion would be much appreciated.