feat(bundle): air-gapped signing with --tlog-upload=false for restricted networks #409

Description

@mchmarny

Problem

Fully disconnected (air-gapped) environments cannot upload to any transparency log—public or private. Currently there is no way to sign bundles without network connectivity to a Rekor instance.

Proposal

Add a --tlog-upload flag (default true) to aicr bundle that disables transparency log uploads when set to false. Combined with KMS-backed signing (#407), this enables fully offline bundle attestation.

New Flag

| Flag | Type | Default |
|---|---|---|
| `--tlog-upload` | bool | true |

Behavior

  • When --tlog-upload=false, AICR skips the Rekor transparency log upload during signing
  • Must be combined with --signing-key <kms-uri> (keyless signing requires Fulcio, which requires network)
  • No operational metadata leaves the network perimeter
  • The resulting bundle is still a valid cosign bundle, verifiable with --insecure-ignore-tlog or offline verification

Validation Combinations

| Signing Method | tlog-upload | Valid? | Use Case |
|---|---|---|---|
| Keyless (OIDC) | true | Yes | Default public Sigstore |
| Keyless (OIDC) | false | No | Keyless requires Fulcio network access |
| KMS key | true | Yes | KMS + public/private transparency log |
| KMS key | false | Yes | Air-gapped: fully offline signing |

AICR should reject the invalid combination (keyless + no tlog) at flag validation time with a clear error message.

Verification in Air-Gapped Environments

Verification uses the KMS public key and skips tlog verification:

```
cosign verify --key <kms-uri> --insecure-ignore-tlog <bundle>
```

Implementation Notes

Updated 2026-06-02: confirmed accurate against the current signing path; added the concrete code location.

  • Today, SignStatement in pkg/bundler/attestation/signing.go unconditionally wires sign.NewRekor into the bundle options. The flag needs to make that Rekor step conditional on --tlog-upload.
  • Pass the toggle through bundleCmdOptions → attestation.ResolveOptions → SignOptions alongside the --signing-key plumbing from #407 (feat(bundle): KMS-backed signing for CI/CD environments without OIDC).
  • There is no aicr bundle-sign subcommand; signing is folded into aicr bundle --attest.

Dependencies

Success Criteria

  • aicr bundle --signing-key gcpkms://... --tlog-upload=false produces a valid signed bundle with no network calls to Rekor
  • Invalid combination --tlog-upload=false without --signing-key is rejected with a clear error
  • Bundle is verifiable offline with the KMS public key
  • make test and make lint pass with no regressions
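The flag validation and the conditional Rekor step described in the proposal, as an added Go example that is not code from the aicr project. The names `SignConfig`, `ParseArgs`, `Validate`, `BuildSteps` and the `Step` constants are hypothetical stand-ins; in the real code path the Rekor step would be the `sign.NewRekor` option mentioned in the implementation notes, and `StepFulcio` / `StepKMSKey` stand in for the keyless and `--signing-key` signer choices.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"strings"
)

// SignConfig mirrors the two flags the issue discusses (hypothetical struct name).
type SignConfig struct {
	SigningKey string // --signing-key <kms-uri>; empty means keyless (OIDC) signing
	TlogUpload bool   // --tlog-upload, default true
}

// ErrKeylessNeedsTlog is returned for the one invalid combination in the table:
// keyless signing with transparency log upload disabled.
var ErrKeylessNeedsTlog = errors.New(
	"--tlog-upload=false requires --signing-key: keyless signing needs Fulcio and Rekor network access")

// ParseArgs parses the flags as a CLI would; Go's flag package accepts both
// "--tlog-upload=false" and "-tlog-upload=false".
func ParseArgs(args []string) (SignConfig, error) {
	fs := flag.NewFlagSet("aicr bundle", flag.ContinueOnError)
	var cfg SignConfig
	fs.StringVar(&cfg.SigningKey, "signing-key", "", "KMS URI of the signing key")
	fs.BoolVar(&cfg.TlogUpload, "tlog-upload", true, "upload signature to the Rekor transparency log")
	if err := fs.Parse(args); err != nil {
		return SignConfig{}, err
	}
	return cfg, nil
}

// Validate rejects keyless + no tlog at flag-validation time with a clear error.
func Validate(c SignConfig) error {
	if !c.TlogUpload && strings.TrimSpace(c.SigningKey) == "" {
		return ErrKeylessNeedsTlog
	}
	return nil
}

// Step stands in for one signing option wired into the bundle (e.g. a Rekor upload).
type Step string

const (
	StepFulcio Step = "fulcio" // keyless certificate issuance (network)
	StepKMSKey Step = "kms-key" // sign with the --signing-key KMS key
	StepRekor  Step = "rekor"   // transparency log upload (network)
)

// BuildSteps returns the signing plan. The Rekor step is appended only when
// TlogUpload is true, which is the change the implementation notes ask for.
func BuildSteps(c SignConfig) ([]Step, error) {
	if err := Validate(c); err != nil {
		return nil, err
	}
	var steps []Step
	if c.SigningKey == "" {
		steps = append(steps, StepFulcio)
	} else {
		steps = append(steps, StepKMSKey)
	}
	if c.TlogUpload {
		steps = append(steps, StepRekor)
	}
	return steps, nil
}

// RemoteServices lists the Sigstore services the plan would contact. An
// air-gapped run must return an empty list, which is the first success criterion.
func RemoteServices(steps []Step) []string {
	var remote []string
	for _, s := range steps {
		switch s {
		case StepFulcio:
			remote = append(remote, "fulcio")
		case StepRekor:
			remote = append(remote, "rekor")
		}
	}
	return remote
}

func main() {
	// Constructed example invocation mirroring the success criteria.
	cfg, err := ParseArgs([]string{"--signing-key", "gcpkms://example-key", "--tlog-upload=false"})
	if err != nil {
		panic(err)
	}
	steps, err := BuildSteps(cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println("steps:", steps, "remote services:", RemoteServices(steps))
}
```

`RemoteServices` is the hook a test for the "no network calls to Rekor" criterion would assert on: with `--signing-key` set and `--tlog-upload=false` the plan contains only the KMS signing step, while the keyless default still contacts both Fulcio and Rekor.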
