Fixes sigstore#3236, disable SCT checking for a cosign verification w…

…hen using a public key
jkjell · Sep 12, 2023 · 3fd8da6 · 3fd8da6
1 parent 86252aa
commit 3fd8da6
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -202,7 +202,8 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 	keyRef := c.KeyRef
 	certRef := c.CertRef
 
-	if !c.IgnoreSCT {
+	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
+	if !c.IgnoreSCT || keyRef != "" {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 		if err != nil {
 			return fmt.Errorf("getting ctlog public keys: %w", err)