Cosign v3.0.2
Signing --> Local key pair (cosign.key, cosign.pub)
Registry --> Sonatype Nexus
Build Agent --> Only has access to Nexus, no Internet egress
Goal --> Sign + verify an image through Nexus only, without contacting TUF, Rekor, CTLog, Fulcio
Hello team,
I would like to clarify the correct approach for a fully private signing and verification workflow using Cosign v3.0.2, where only a Nexus Registry is reachable and no network access to Sigstore TUF services is allowed.
Here is how I could sign the image:
cosign sign --key cosign.key --tlog-upload=false --use-signing-config=false IMAGE
And here is how I could not verify it:
COSIGN_EXPERIMENTAL=0 cosign verify --key cosign.pub --insecure-ignore-tlog=true --insecure-ignore-sct=true --use-signing-config=false IMAGE
or
cosign verify --key cosign.pub --offline=true --new-bundle-format=false --trusted-root .../trusted_root.json --local-image /path/to/dir
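As an added example (not part of the original post and not cosign's own tooling), the script below wraps the key-based, air-gapped flow the question describes: generate a local key pair, sign with transparency-log upload disabled, and verify with the Rekor inclusion check skipped. It assumes `cosign` is on PATH, that the registry and image reference are placeholders for the Nexus host, and that the v3 flags `--tlog-upload=false` and `--insecure-ignore-tlog=true` behave as documented (no Rekor upload, no Rekor proof required). An SCT is only attached to Fulcio-issued certificates, so `--insecure-ignore-sct` has no role in a `--key` verification and is left out. A preflight check refuses to run any sign or verify command line whose flags would still need a Sigstore service, which is the failure mode a build agent without egress actually hits.

```shell
#!/bin/sh
# Added example, not from the original post: air-gapped cosign sign/verify
# with a local key pair. Assumptions: cosign v3 is on PATH, IMAGE is a
# placeholder for the Nexus-hosted reference, and the flag semantics are as
# documented (--tlog-upload=false skips Rekor upload, --insecure-ignore-tlog
# skips the Rekor inclusion proof on verify).
set -eu

IMAGE="${IMAGE:-nexus.example.internal:5000/team/app:1.0.0}"  # placeholder

# Key-based signing: no Fulcio certificate, no TUF root, no Rekor upload.
SIGN_FLAGS="--key cosign.key --tlog-upload=false"
# Key-based verification: no Rekor entry exists, so the proof check must be
# skipped explicitly; SCT checks apply only to keyless (certificate) flows.
VERIFY_FLAGS="--key cosign.pub --insecure-ignore-tlog=true"

# offline_safe MODE FLAGS -> 0 when the flag string keeps cosign off the
# network for that mode, 1 otherwise.
offline_safe() {
    case "$1" in
        sign)
            case " $2 " in *" --tlog-upload=false "*) return 0 ;; esac ;;
        verify)
            case " $2 " in *" --insecure-ignore-tlog=true "*) return 0 ;; esac ;;
    esac
    return 1
}

# keyless_flag_present FLAGS -> 0 if a flag that pulls in Fulcio/OIDC or
# certificate verification (and therefore TUF) is present.
keyless_flag_present() {
    case " $1 " in
        *" --oidc-issuer"*|*" --fulcio-url"*|*" --certificate"*) return 0 ;;
    esac
    return 1
}

# Generate cosign.key / cosign.pub once; COSIGN_PASSWORD avoids the prompt.
ensure_keypair() {
    [ -f cosign.key ] && [ -f cosign.pub ] && return 0
    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" cosign generate-key-pair
}

sign_image() {
    offline_safe sign "$SIGN_FLAGS" || { echo "refusing: sign flags would contact Rekor" >&2; return 1; }
    keyless_flag_present "$SIGN_FLAGS" && { echo "refusing: keyless flags need Fulcio/TUF" >&2; return 1; }
    # shellcheck disable=SC2086  # word splitting of the flag string is intended
    cosign sign $SIGN_FLAGS "$1"
}

verify_image() {
    offline_safe verify "$VERIFY_FLAGS" || { echo "refusing: verify flags would query Rekor" >&2; return 1; }
    keyless_flag_present "$VERIFY_FLAGS" && { echo "refusing: keyless flags need Fulcio/TUF" >&2; return 1; }
    # shellcheck disable=SC2086
    cosign verify $VERIFY_FLAGS "$1"
}

main() {
    command -v cosign >/dev/null 2>&1 || { echo "cosign not on PATH" >&2; exit 1; }
    ensure_keypair
    sign_image "$IMAGE"
    verify_image "$IMAGE"
}

# Run the workflow only when executed as offline_sign.sh; sourcing the file
# exposes the functions without touching the registry.
case "${0##*/}" in offline_sign.sh) main ;; esac
```

Save it as `offline_sign.sh` and run `IMAGE=<nexus-host>/<repo>:<tag> sh offline_sign.sh` on the build agent; the preflight functions can also be sourced into a pipeline to reject any sign or verify invocation that has lost its offline flags.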