tuf: failed to download 8.root.json

[monkeysandy]

I'm using Cosign v1.13.6 now and running cosign verify --key <key> <image url>, meeting this error when verifying. I found some reviews mentioning upgrade to the latest version will fix, but I tried and didn't work for me, when using Cosign v2.4.1 the error become request for 10.root.json.

Error: no matching signatures:
unable to verify bundle: retrieving rekor public key: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get "[https://tuf-repo-cdn.sigstore.dev/8.root.json"](https://tuf-repo-cdn.sigstore.dev/8.root.json%22): EOF
remote status:{
	"mirror": "https://tuf-repo-cdn.sigstore.dev",/
	"metadata": {}
}
main.go:62: error during command execution: no matching signatures:
unable to verify bundle: retrieving rekor public key: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get "[https://tuf-repo-cdn.sigstore.dev/8.root.json"](https://tuf-repo-cdn.sigstore.dev/8.root.json%22): EOF
remote status:{
	"mirror": "https://tuf-repo-cdn.sigstore.dev",/
	"metadata": {}
}

I think there might be some network isolation in my code environment, is there any flag or env to set so I can bypass this by providing this root.json file from local side?

I know there is --insecure-ignore-tlog but I don't want to skip for this validation.

Thanks!