Problem in an air-gapped environment #4647

@rseleven

From the Helm repository https://sigstore.github.io/helm-charts, the following have been deployed in the closed environment:

sigstore/ctlog, sigstore/fulcio, sigstore/rekor, sigstore/trillian,

and sigstore/tuf has also been deployed.

I’m trying to run the command:

cosign initialize \
  --mirror="https://sigstore-tuf.local.stage" \
  --root="https://sigstore-tuf.local.stage/root.json" \
  --root-checksum="d85c9c0b5da2d046f65de181379addc38d9ca585c03573981fe943a44f5d30b5"

and I get an error:

$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: v3.0.4
GitCommit: 6832fba4928c1ad69400235bbc41212de5006176
GitTreeState: clean
BuildDate: 2026-01-09T21:17:16Z
GoVersion: go1.25.5
Compiler: gc
Platform: linux/amd64
$ cosign initialize \
  --mirror="https://sigstore-tuf.local.stage" \
  --root="https://sigstore-tuf.local.stage/root.json" \
  --root-checksum="d85c9c0b5da2d046f65de181379addc38d9ca585c03573981fe943a44f5d30b5"
WARNING: Could not fetch signing_config.json from the TUF mirror (encountered error: failed to load metadata: tuf refresh failed: Get "https://tuf-repo-cdn.sigstore.dev/14.root.json": dial tcp 34.117.62.14:443: i/o timeout). It is recommended to use a signing config file rather than provide service URLs when signing.
WARNING: Could not fetch trusted_root.json from the TUF mirror (encountered error: failed to create TUF client failed to load metadata: tuf refresh failed: Get "https://tuf-repo-cdn.sigstore.dev/14.root.json": dial tcp 34.117.62.14:443: i/o timeout), falling back to individual targets. It is recommended to update your TUF metadata repository to include trusted_root.json.
Error: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 13.root.json: Get "https://tuf-repo-cdn.sigstore.dev/13.root.json": dial tcp 34.117.62.14:443: i/o timeout
error during command execution: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 13.root.json: Get "https://tuf-repo-cdn.sigstore.dev/13.root.json": dial tcp 34.117.62.14:443: i/o timeout

I don’t quite understand why the cosign tool needs access to https://tuf-repo-cdn.sigstore.dev/. I specified the local https://sigstore-tuf.local.stage/; why is Internet access required?
