Deprecate offline flag #4457
Merged
Deprecate offline flag #4457
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4457 +/- ##
==========================================
- Coverage 40.10% 35.36% -4.74%
==========================================
Files 155 220 +65
Lines 10044 15160 +5116
==========================================
+ Hits 4028 5362 +1334
- Misses 5530 9110 +3580
- Partials 486 688 +202 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
haydentherapper
force-pushed
the
deprecate-offline
branch
from
8f82ee3 to
41b620a
Compare
cmurphy
previously approved these changes
Oct 13, 2025
cmd/cosign/cli/options/verify.go
Outdated
| func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) { | ||
| cmd.Flags().BoolVar(&o.Offline, "offline", false, | ||
| "only allow offline verification") | ||
| "[deprecated] only verify an artifact's inclusion in a transparency log using a provided proof, rather than querying the log. May still include network requests to retrieve service keys from a TUF repository") |
There was a problem hiding this comment.
FYI it looks like using MarkDeprecated hides the flag from the --help output so I'm not sure it matters what's in this help text.
If it does appear somewhere, it might be better to change [deprecated] to DEPRECATED to match the deprecation format of the --attachment flag.
There was a problem hiding this comment.
Good point, I've removed [deprecated] since the flag help text is no longer used. Looking around, we also have [DEPRECATED] for --sig-only - I'll look at standardizing as we deprecate more flags.
haydentherapper
force-pushed
the
deprecate-offline
branch
from
41b620a to
63b6df3
Compare
The offline flag is misleading and is a no-op with the new Cosign v3 defaults. The flag's purpose was to prevent a client from falling back to verifying an artifact's inclusion in Rekor when a proof failed to verify. Most users thought offline verification forced the client to not make any network requests - a very reasonable assumption, but with TUF, network requests are a part of verification if the local TUF metadata has expired. I've updated the README as well, though we need to make a far more comprehensive pass over the documentation since it's out of date given our new trusted-root/bundle flags. Fixes sigstore#4454 Signed-off-by: Hayden <[email protected]>
haydentherapper
force-pushed
the
deprecate-offline
branch
from
63b6df3 to
716a659
Compare
cmurphy
approved these changes
Oct 13, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The offline flag is misleading and is a no-op with the new Cosign v3 defaults. The flag's purpose was to prevent a client from falling back to verifying an artifact's inclusion in Rekor when a proof failed to verify. Most users thought offline verification forced the client to not make any network requests - a very reasonable assumption, but with TUF, network requests are a part of verification if the local TUF metadata has expired.
I've updated the README as well, though we need to make a far more comprehensive pass over the documentation since it's out of date given our new trusted-root/bundle flags.
Fixes #4454
Summary
Release Note
Documentation