Allow signing local image without registry access

[bkabrda]

Description

Hi 👋
I want to sign a local image that hasn't yet been uploaded to a registry (or the registry is not reachable right now) with --upload=false --output-signature=signature.sig --output-certificate=certificate.crt. Right now this fails with:

$ cosign sign -y --upload=false --output-signature=disconnected-fulcio.sig --output-certificate=disconnected-fulcio.crt foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2
Generating ephemeral keys...
Retrieving signed certificate...

<snip>

Successfully verified SCT...
Error: signing [foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2]: accessing image: Get "https://foobarasd.com/v2/": dial tcp: lookup foobarasd.com on 192.168.1.20:53: no such host
main.go:74: error during command execution: signing [foobarasd.com/myimage@sha256:2bbea7758536b170efcb168dc7cea3379908c2649af3e75ebac10161ddd513c2]: accessing image: Get "https://foobarasd.com/v2/": dial tcp: lookup foobarasd.com on 192.168.1.20:53: no such host

I think this should work, because to generate these artifacts locally we don't need to access the registry.

I have a simple change that I tested locally that I could submit as a PR if you folks think that this makes sense - please let me know. Thank you!

[slimm609]

This would be very useful with cosign save to be able to sign and save a bundle, which then becomes portable to offline registries.

right now the workflow is

• push
• sign
• download (save)

which requires a temporary registry to get a offline bundle which is a lot of network activity and extra time.