cosign does not seem to honor --tlog-upload=false

[rams3sh]

Description

Cosign does not seem to honor --tlog-upload=false. Below is the command I executed

cosign sign --tlog-upload=false --key awskms:///arn:aws:kms:us-west-2:0123456789123:key/mrk-dummy --verbose=true ttl.sh/<redacted>@sha256:<redacted>

I get the below snippet in the debug logs :-

2025/10/28 09:37:51 --> PATCH https://ttl.sh/v2/<redacted>?_state=<redacted>
2025/10/28 09:37:51 PATCH /v2/<redacted>/blobs/uploads/<redacted>?_state=<redacted> HTTP/1.1
Host: ttl.sh
User-Agent: cosign/v3.0.2 (darwin; arm64) go-containerregistry/v0.20.6
Content-Length: 4361
Content-Type: application/octet-stream
Accept-Encoding: gzip

{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial":{"publicKey":{"hint":"<redacted>"}, "tlogEntries":[{"logIndex":"647594071", "logId":{"keyId":"<redacted>"}, "kindVersion":{"kind":"dsse", "version":"0.0.1"}, "integratedTime":"1761624467", "inclusionPromise": .......

I checked the transparency logs in the below link :-
https://search.sigstore.dev/?logIndex=647594071

And it seems like the entry has been created.

I am not sure if I am doing anything wrong in the above command execution.

Version

  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v3.0.2
GitCommit:     84449696f0658a5ef5f2abba87fdd3f8b17ca1be
GitTreeState:  "clean"
BuildDate:     2025-10-10T18:17:56Z
GoVersion:     go1.25.2
Compiler:      gc
Platform:      darwin/arm64

[rams3sh]

UPDATE:

When I use --use-signing-config=false along with previously provided command , then the entries are not updated in the rekor transparency logs.

It would be better if this argument is explained and then updated as part of the docs, else users would assume that just adding the --tlog-upload=false would result in transparency log not getting updated just like previous versions (i.e. until v2.6.1)

[rabajaj0509]

For me when I use the --use-signing-config=false flag, the logs are not sent to transparency log, however, at the time of verification, I do get an error.

$ ./cosign-darwin-arm64\ \(1\) verify --key <publc-key> <artifactory-url>/<image>:<tag>  

Error: no matching attestations: failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1
error during command execution: no matching attestations: failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1

[haydentherapper]

Working on fixing this - #4458

In the meantime, you can either use Cosign v2.6 or provide --use-signing-config=false --new-bundle-format=false when using Cosign v3, which defaults to the older behavior.

[rams3sh]

@rabajaj0509 You should add --insecure-ignore-tlog=true argument during verification, to ignore the transparency log.

@haydentherapper Sure, thanks for the quick response.