Cosign Bundle Air-Gapped Verification Prompt
Design offline Sigstore verification using cosign bundles and a mirrored trust root so signed images verify in air-gapped clusters with no outbound calls to Rekor or Fulcio.
- Target user: Platform engineers running disconnected or regulated environments that still need keyless-style signature verification
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a supply-chain security engineer who has deployed Sigstore verification in air-gapped and egress-restricted environments where the cluster cannot reach Fulcio, Rekor, or the public Sigstore TUF root at verify time.

I will provide:
- Build environment and whether it has outbound internet — [BUILD ENV]
- Runtime environment and its network constraints — [RUNTIME ENV]
- Registry topology (internet build registry, mirrored internal registry) — [REGISTRY TOPOLOGY]
- Trust requirements and the identities/issuers we sign with — [TRUST REQUIREMENTS]

Your job, step by step:
1. **Bundle at signing time** — explain how to capture the signature, certificate, and Rekor inclusion proof into a self-contained cosign bundle at build time, so verification later needs no live transparency-log lookup. Give the exact `cosign sign` / `cosign attest` invocations and how to store the bundle alongside the image.
2. **Mirror the trust root** — describe pinning and mirroring the Sigstore TUF trust root and any custom CA, and how to distribute it into the disconnected environment without trusting the public network at verify time.
3. **Offline verify** — provide the `cosign verify --offline` (or equivalent bundle-based) command set, including `--certificate-identity` / `--certificate-oidc-issuer` constraints, that runs with zero outbound calls.
4. **Admission in the cluster** — write a policy-controller / Kyverno / sigstore policy that performs the offline verification at admission and fails closed, configured against the mirrored trust root.
5. **Trust-root rotation** — design how the mirrored root and bundle expectations are refreshed and re-distributed when Sigstore rotates, and the break-glass path if a refresh is late.
6. **Failure modes** — enumerate what happens when a bundle is missing, the inclusion proof does not match, or the mirrored root is stale, and which of these must fail closed.

Output as: (a) the signing + bundle-capture pipeline snippet, (b) the offline verify command set, (c) the admission policy, (d) the trust-root mirror/rotation runbook, (e) a manual offline verification an auditor can run. Present this as a plan for review and pilot before enforcement — do not enable fail-closed admission until every pipeline emits bundles and the mirrored root is confirmed current.
Why this prompt works
Keyless Sigstore signing is built around live services — Fulcio issues short-lived certificates and Rekor records an inclusion proof in a public transparency log — which is exactly what an air-gapped or egress-restricted runtime cannot reach at verify time. Teams often discover this only after standing up keyless signing, then either punch a hole in the network or abandon verification entirely. This prompt makes the offline path the design goal from the start: capture everything needed for verification into a cosign bundle at signing time, then verify with no outbound calls.
The prompt is opinionated about the two things that actually break offline verification: missing bundle material and a stale mirrored trust root. By forcing the model to address bundle capture, trust-root mirroring, and rotation as first-class steps — and to enumerate failure modes with explicit fail-closed decisions — it produces a design that survives contact with a disconnected production cluster rather than a happy-path demo.
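A pre-flight check for the two failure modes named above, as an added example that is not part of the original page or of cosign. It assumes the legacy cosign bundle JSON layout and a TUF `root.json` carrying `signed.expires`; the name `preflight` and all sample values are hypothetical. It checks only completeness and expiry, so signature and log verification stay with cosign.

```python
import json
from datetime import datetime, timezone

# Assumed layout: legacy cosign bundle JSON, as written by `cosign sign-blob --bundle`.
SIG_FIELDS = ("base64Signature", "cert")
REKOR_FIELDS = ("body", "integratedTime", "logIndex", "logID")

def _obj(value):
    """Treat anything that is not a JSON object as empty."""
    return value if isinstance(value, dict) else {}

def preflight(bundle_text, root_text, now):
    """Return failure reasons; an empty list means 'hand over to cosign'."""
    failures = []
    try:
        bundle = json.loads(bundle_text)
    except (TypeError, ValueError):  # None, wrong type, or invalid JSON
        bundle = None
    if not isinstance(bundle, dict):
        failures.append("bundle missing or unparseable")
    else:
        failures += [f"bundle lacks {k}" for k in SIG_FIELDS if not bundle.get(k)]
        rekor = _obj(bundle.get("rekorBundle"))
        if not rekor.get("SignedEntryTimestamp"):
            failures.append("bundle lacks Rekor SignedEntryTimestamp")
        payload = _obj(rekor.get("Payload"))
        failures += [f"Rekor payload lacks {k}" for k in REKOR_FIELDS if k not in payload]
    try:
        # TUF metadata stores its expiry as an RFC 3339 timestamp under signed.expires.
        expires = json.loads(root_text)["signed"]["expires"]
        if datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
            failures.append(f"mirrored root expired {expires}")
    except (TypeError, KeyError, ValueError, AttributeError):
        failures.append("mirrored root missing or unparseable")
    return failures

# Constructed samples: placeholder values, not real signatures or a real root.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
GOOD_BUNDLE = json.dumps({
    "base64Signature": "PLACEHOLDER", "cert": "PLACEHOLDER",
    "rekorBundle": {"SignedEntryTimestamp": "PLACEHOLDER",
                    "Payload": {"body": "PLACEHOLDER", "integratedTime": 1700000000,
                                "logIndex": 1, "logID": "PLACEHOLDER"}}})
NO_REKOR = json.dumps({"base64Signature": "PLACEHOLDER", "cert": "PLACEHOLDER"})
FRESH_ROOT = json.dumps({"signed": {"_type": "root", "expires": "2026-01-01T00:00:00Z"}})
STALE_ROOT = json.dumps({"signed": {"_type": "root", "expires": "2024-06-01T00:00:00Z"}})

if __name__ == "__main__":
    for name, b, r in [("ok", GOOD_BUNDLE, FRESH_ROOT), ("no bundle", None, FRESH_ROOT),
                       ("no rekor", NO_REKOR, FRESH_ROOT), ("stale", GOOD_BUNDLE, STALE_ROOT)]:
        print(name, "->", preflight(b, r, NOW) or "proceed to cosign verify")
```

Any non-empty result is treated as a rejection, which matches the fail-closed decisions the prompt asks the model to make explicit.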
Framing the model as an engineer who has shipped this in regulated environments steers it toward the operational realities auditors care about: a manual verification command, a documented rotation runbook, and a phased rollout that does not flip enforcement on before coverage exists. The result is reviewable and pilotable, which is the only responsible way to introduce admission controls that can block deploys.