
Signature verification changes: Cosign v3, mirror registries, and authentication improvements #893

@c2ndev


Summary

This issue documents recent changes to signature verification in falcoctl and provides guidance for users who may be affected, particularly those using mirror/cache registries.

What changed

Cosign v3 signatures (OCI Referrers)

Starting from October 23, 2025 (falcosecurity/plugins#1033), Falco plugins are signed using Cosign v3, which stores signatures as OCI Referrers instead of the legacy .sig tag format. This is the new standard adopted by the Sigstore ecosystem.

Signature verification for all artifacts (PR #869)

PR #869 fixed a bug where signature verification was not being performed for:

  • Artifacts specified with a full registry reference (e.g., myregistry.com/falcosecurity/plugins/...)
  • Resolved dependencies

This was unintended behavior: signatures should always have been verified. The fix ensures that all artifacts are now properly verified, regardless of how they are referenced.

Authentication for private registries (PR #891)

We also fixed an issue where signature verification failed on authenticated registries because credentials were not being passed to the verification component. Signature verification now correctly uses the same authentication methods already available in falcoctl for artifact pulls (basic auth, OAuth2, GCP Workload Identity).

Impact on mirror/cache registry users

Users pulling artifacts through a mirror or cache registry may encounter signature verification failures. This happens because:

  1. Not all registries support pull-through for OCI Referrers (Cosign v3 signatures)
  2. Some registries only support pull-through for Cosign v2 (.sig tag) signatures
  3. Some registries don't support signature pull-through at all

This is not a falcoctl issue—it depends on whether your registry is compliant with the OCI Referrers API specification.
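The three mirror scenarios above come down to which of two locations a signature can be fetched from: the OCI Referrers API response for the artifact digest (Cosign v3) or the legacy `sha256-<digest>.sig` tag (Cosign v2). The following script is an added example, not falcoctl code, that builds both locations for a digest and classifies a registry from the HTTP status codes it returns. The fetch function is injected, so it runs offline here against constructed replies; the Cosign artifactType constant and the sample mirror responses are assumptions.

```python
"""Check how a registry or mirror exposes Cosign signatures for an artifact.

Added example (not falcoctl code). It builds the two places a signature can
live, the OCI Referrers API listing and the legacy Cosign '.sig' tag, and
classifies a registry from the HTTP status codes it returns. The fetch
function is injected, so the check runs offline against constructed replies.
"""
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

# artifactType Cosign sets on referrers-mode signature manifests
# (assumed constant; confirm against the Cosign documentation).
COSIGN_SIG_ARTIFACT_TYPE = "application/vnd.dev.cosign.artifact.sig.v1+json"

# A fetch returns (HTTP status, decoded JSON body or {}) for a URL.
Fetch = Callable[[str], Tuple[int, Dict]]


def split_digest(digest: str) -> Tuple[str, str]:
    """Validate 'sha256:<64 hex>' and return (algorithm, hex)."""
    algo, sep, hexdigest = digest.partition(":")
    if (sep != ":" or algo != "sha256" or len(hexdigest) != 64
            or any(c not in "0123456789abcdef" for c in hexdigest)):
        raise ValueError(f"unexpected digest: {digest!r}")
    return algo, hexdigest


def referrers_url(registry: str, repository: str, digest: str) -> str:
    """OCI Distribution 1.1 referrers endpoint, filtered to Cosign signatures."""
    split_digest(digest)
    return (f"https://{registry}/v2/{repository}/referrers/{digest}"
            f"?artifactType={quote(COSIGN_SIG_ARTIFACT_TYPE, safe='')}")


def legacy_sig_tag(digest: str) -> str:
    """Legacy Cosign tag for a digest: 'sha256:abc...' -> 'sha256-abc....sig'."""
    algo, hexdigest = split_digest(digest)
    return f"{algo}-{hexdigest}.sig"


def legacy_sig_url(registry: str, repository: str, digest: str) -> str:
    """Manifest URL of the legacy '.sig' tag for the same artifact."""
    return f"https://{registry}/v2/{repository}/manifests/{legacy_sig_tag(digest)}"


def classify_signature_support(registry: str, repository: str,
                               digest: str, fetch: Fetch) -> str:
    """Return 'referrers', 'legacy-tag' or 'none' for this registry/artifact."""
    status, body = fetch(referrers_url(registry, repository, digest))
    # 200 with entries: the signature is reachable via referrers.  200 with
    # an empty list is ambiguous (unsigned, or the mirror did not pull the
    # referrers through); 404 means the API is not implemented.  Both fall
    # back to the legacy tag.
    if status == 200 and body.get("manifests"):
        return "referrers"
    status, _ = fetch(legacy_sig_url(registry, repository, digest))
    if status == 200:
        return "legacy-tag"
    return "none"


# Constructed sample: three mirrors serving the same artifact digest.
REPO = "falcosecurity/plugins/plugin/k8saudit"
DIGEST = "sha256:" + "ab" * 32


def fake_registry(referrers_status: int, referrers_manifests: List[Dict],
                  tag_status: int) -> Fetch:
    """Build an offline fetch that answers like one kind of mirror."""
    def fetch(url: str) -> Tuple[int, Dict]:
        if "/referrers/" in url:
            return referrers_status, {"manifests": referrers_manifests}
        return tag_status, {}
    return fetch


SAMPLE_MIRRORS: Dict[str, Fetch] = {
    "full-referrers": fake_registry(200, [{"artifactType": COSIGN_SIG_ARTIFACT_TYPE}], 200),
    "v2-tag-only": fake_registry(404, [], 200),
    "no-pull-through": fake_registry(200, [], 404),
}


def survey(mirrors: Dict[str, Fetch]) -> Dict[str, str]:
    """Classify every sample mirror for the constructed artifact."""
    return {name: classify_signature_support(f"{name}.example.com", REPO, DIGEST, fetch)
            for name, fetch in mirrors.items()}


if __name__ == "__main__":
    for name, kind in survey(SAMPLE_MIRRORS).items():
        print(f"{name:16s} -> {kind}")
```

Against a real mirror, swap `fake_registry` for a fetch that performs an authenticated GET and decodes the JSON body; a result of `legacy-tag` means only Cosign v2 signatures are reachable through that mirror, and `none` means signatures are not pulled through at all.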

Recommended actions

If you're affected

If you were using a previous version of falcoctl with full refs or a mirror registry, signatures were not being verified anyway, due to the bug mentioned above. You can restore the previous behavior by explicitly using:

falcoctl artifact install --no-verify ...

Or in your configuration:

artifact:
  install:
    noVerify: true

This maintains the same security posture you had before.

If you want signature verification with a mirror

Currently, signature verification requires that your mirror registry supports OCI Referrers pull-through. Check with your registry vendor for compatibility.

Next steps

Dual signature format support

To support the community and provide maximum compatibility, we will:

  1. Maintain both Cosign v2 and v3 signatures for an indefinite period
  2. Retroactively publish Cosign v2 signatures for recent artifacts that were only signed with v3 (from October 23, 2025)

This ensures that registries supporting only v2 pull-through can still verify signatures.

Out-of-band signature verification (under evaluation)

We are evaluating the implementation of a new field in the falcoctl index.yaml that allows specifying an alternative registry for signature retrieval. This would enable scenarios like:

  • Pull artifact from: myregistry.example.com/...
  • Verify signature from: ghcr.io/falcosecurity/...

This would allow users to benefit from signature verification even when their mirror registry doesn't support signature pull-through.
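To make the out-of-band scheme concrete, here is an added example (not falcoctl code, and the feature itself is still under evaluation) that maps a pull from a mirror to the reference a verifier would use for the signature. The index.yaml keys `registry` and `repository` exist today; the `signatureRegistry` key is an assumed name for the proposed field. The security-relevant detail is that the signature is looked up by the digest of the content actually received from the mirror, never by its tag.

```python
"""Map a mirror pull to an out-of-band signature lookup.

Added example illustrating the scheme under evaluation; it is not falcoctl
code, and the index key 'signatureRegistry' is an assumed name for the
proposed field.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Ref:
    registry: str
    repository: str
    tag: Optional[str] = None
    digest: Optional[str] = None


def parse_ref(ref: str) -> Ref:
    """Split 'registry/repo[:tag][@digest]'.

    The first path element is the registry when it looks like a host
    (contains '.', contains ':' for a port, or is 'localhost').
    """
    registry, sep, rest = ref.partition("/")
    if not sep or not ("." in registry or ":" in registry or registry == "localhost"):
        raise ValueError(f"reference has no registry host: {ref!r}")
    digest = None
    if "@" in rest:
        rest, digest = rest.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"bad digest in reference: {digest!r}")
    tag = None
    if ":" in rest.rsplit("/", 1)[-1]:
        rest, tag = rest.rsplit(":", 1)
    if not rest:
        raise ValueError(f"reference has no repository: {ref!r}")
    return Ref(registry, rest, tag, digest)


def signature_lookup_ref(pulled: str, pulled_digest: str, entry: Dict[str, str]) -> str:
    """Return '<signatureRegistry>/<repository>@<digest>' for an artifact
    pulled from the registry named in the index entry.

    `pulled` is the reference the artifact was fetched by, `pulled_digest`
    the digest of the manifest actually received, and `entry` an index.yaml
    entry with 'registry', 'repository' and (optionally) 'signatureRegistry'.
    """
    if not DIGEST_RE.match(pulled_digest):
        raise ValueError(f"bad digest: {pulled_digest!r}")
    ref = parse_ref(pulled)
    # Only the registry and repository the index points at are accepted as
    # a source; a reference to anything else is refused rather than mapped.
    if ref.registry != entry["registry"] or ref.repository != entry["repository"]:
        raise ValueError("pulled reference does not match the index entry")
    # If the pull was digest-pinned, the received content must match it.
    if ref.digest is not None and ref.digest != pulled_digest:
        raise ValueError("received content differs from the requested digest")
    sig_registry = entry.get("signatureRegistry", entry["registry"])
    # The tag is dropped on purpose: a mirror tag can move, the digest cannot.
    return f"{sig_registry}/{entry['repository']}@{pulled_digest}"


# Constructed sample index entry: pull from a mirror, verify against ghcr.io.
SAMPLE_ENTRY = {
    "name": "k8saudit",
    "type": "plugin",
    "registry": "myregistry.example.com",
    "repository": "falcosecurity/plugins/plugin/k8saudit",
    "signatureRegistry": "ghcr.io",  # assumed field name
}
SAMPLE_DIGEST = "sha256:" + "cd" * 32


if __name__ == "__main__":
    pulled = "myregistry.example.com/falcosecurity/plugins/plugin/k8saudit:0.5.0"
    print(signature_lookup_ref(pulled, SAMPLE_DIGEST, SAMPLE_ENTRY))
```

In this layout the mirror only has to serve the artifact; the verifier fetches the signature for that exact digest from the origin registry, so a mirror that drops or rewrites tags cannot substitute a differently signed artifact without the digest check failing.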


We appreciate the community's patience as we improve signature verification in falcoctl. Please comment below if you have questions or are experiencing issues related to these changes.
