failed to download 10.root.json- while using slsa-verifier within enterprise network?

[sohgaura]

Hi Team,

We are trying to use slsa-verifier within enterprise for validating the artifacts. As enterprise network doesn't allow connection to https://tuf-repo-cdn.sigstore.dev/10.root.json , Is it possible to download this file and keep it somewhere local sothat it can work without trying to reach outside enterprise network. Will we see any other limitation like trying to reach to public rekor instance for validation of transaction logs?
How can we use it within an enterprise network which doesn't allow access to public internet?

[loosebazooka]

I think it would be helpful to know how you are generating your slsa attestations?

[sohgaura]

As first step we want to verify the OSS artifacts which already generate the attestations, may be using slsa-github-generator OR other tools. Further we plan to use slsa-github-generator for generating the attestations for internal artifacts but all the signatures and transaction logs must be managed within enterprise.

[loosebazooka]

@ramonpetgrave64 can correct me if I'm mistaken -- the underlying library supports injecting the trusted root in, but I think this application will need some changes for that to work.

obtaining 10.root.json is just a step to securely acquiring https://github.com/sigstore/root-signing-staging/blob/main/targets/trusted_root.json which contains the necessary trust information for verifying the sigstore envelope around an attestation.

I'm not sure slsa-github-verifier supports the private use case right now. But you might be able to use the native github attestation framework.

[ramonpetgrave64]

@sohgaura slsa-github-generator relies on the Sigstore Public Good instance for generating attestations. It cannot be customized to a private instance, if that's what you mean by "managed within enterprise".

About your original question, slsa-verifier doesn't currently support offline verification. See more about a potential implementation #766 (comment)