diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index d9d611348cf..dcb1f006fa4 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -33,10 +33,13 @@ jobs:
 matrix: k8s-version: - v1.24.x + tuf-root: + - remote + - air-gap env: KO_DOCKER_REPO: "registry.local:5000/policy-controller" - SCAFFOLDING_RELEASE_VERSION: "v0.4.12" + SCAFFOLDING_RELEASE_VERSION: "v0.4.13" GO111MODULE: on GOFLAGS: -ldflags=-s -ldflags=-w KOCACHE: ~/ko
@@ -83,11 +86,23 @@ jobs:
 echo Created image $demoimage popd - - name: Initialize with our custom TUF root + - name: Initialize with our custom TUF root pointing to remote root + if: ${{ matrix.tuf-root == 'remote' }} run: | TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') ./cosign initialize --mirror $TUF_MIRROR --root ./root.json + - name: Initialize with custom TUF root pointing to local filesystem + if: ${{ matrix.tuf-root == 'air-gap' }} + run: | + # Grab the compressed repository for airgap testing. + kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz + tar -zxvf ./repository.tar.gz + PWD=$(pwd) + ROOT=${PWD}/repository/1.root.json + REPOSITORY=${PWD}/repository + ./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY} + - name: Sign demoimage with cosign run: | ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --yes --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
diff --git a/cmd/cosign/cli/options/initialize.go b/cmd/cosign/cli/options/initialize.go
index 0929f530e58..ab91955ee7c 100644
--- a/cmd/cosign/cli/options/initialize.go
+++ b/cmd/cosign/cli/options/initialize.go
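Review bot: `PWD=$(pwd)` in the new air-gap step reassigns the shell's own `PWD` variable, which bash maintains itself; it works here, but a reader of the later `${PWD}` references cannot tell whether the builtin or the override is meant, so prefer `REPO_DIR=$(pwd)` with `ROOT=${REPO_DIR}/repository/1.root.json` and `REPOSITORY=${REPO_DIR}/repository`. The step also takes its trust anchor `1.root.json` out of the same archive it then verifies against, which is only acceptable because the archive comes from the `tuf-root` secret that this job's own scaffolding presumably produced; a comment such as `# 1.root.json is trusted here only because this job created the tuf-root secret; real air-gap users must obtain the root out of band.` would keep the step from being copied as a template. Unless the job sets `shell: bash` outside this hunk, the `kubectl ... | base64 -d > ./repository.tar.gz` pipeline runs without `pipefail`, so a kubectl failure only surfaces indirectly when `tar` fails on the empty file.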
@@ -31,7 +31,7 @@ var _ Interface = (*InitializeOptions)(nil)
 // AddFlags implements Interface func (o *InitializeOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Mirror, "mirror", tuf.DefaultRemoteRoot, - "GCS bucket to a SigStore TUF repository or HTTP(S) base URL") + "GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap)") cmd.Flags().StringVar(&o.Root, "root", "", "path to trusted initial root. defaults to embedded root")
diff --git a/doc/cosign_initialize.md b/doc/cosign_initialize.md
index 5cd8f294312..73dfbe8e84a 100644
--- a/doc/cosign_initialize.md
+++ b/doc/cosign_initialize.md
@@ -41,7 +41,7 @@ cosign initialize -mirror -root
 ``` -h, --help help for initialize - --mirror string GCS bucket to a SigStore TUF repository or HTTP(S) base URL (default "https://sigstore-tuf-root.storage.googleapis.com") + --mirror string GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (default "https://sigstore-tuf-root.storage.googleapis.com") --root string path to trusted initial root. defaults to embedded root ```
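Review bot: The new `--mirror` help text `file:/// for local filestore remote (air-gap)` is hard to read as a flag description: "filestore remote" is not a term used anywhere else on the page and the triple slash reads like the start of a path rather than a scheme; `"GCS bucket to a SigStore TUF repository, HTTP(S) base URL, or file:// URL of a local TUF repository directory (air-gap)"` says the same thing more plainly. Because `--mirror` can now be a local directory, the `--root` help on the following `StringVar` is where an offline user will look for how trust is bootstrapped, so appending `; for file:// mirrors this must be a trusted out-of-band copy` to `"path to trusted initial root. defaults to embedded root"` makes the pairing explicit. The doc/cosign_initialize.md hunk repeats this string verbatim, so if that file is generated from the flag help it should be regenerated after any wording change rather than edited in both places. AddFlags continues past the end of the hunk.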