diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go
index f1110d10294..a23cd2474c6 100644
--- a/pkg/cosign/tlog.go
+++ b/pkg/cosign/tlog.go
@@ -78,6 +78,15 @@ func getLogID(pub crypto.PublicKey) (string, error) {
 // GetRekorPubs retrieves trusted Rekor public keys from the embedded or cached
 // TUF root. If expired, makes a network call to retrieve the updated targets.
 func GetRekorPubs(ctx context.Context) (map[string]RekorPubKey, error) {
+ tufClient, err := tuf.NewFromEnv(ctx)
+ if err != nil {
+ return nil, err
+ }
+ defer tufClient.Close()
+ targets, err := tufClient.GetTargetsByMeta(tuf.Rekor, []string{rekorTargetStr})
+ if err != nil {
+ return nil, err
+ }
 publicKeys := make(map[string]RekorPubKey)
 altRekorPub := os.Getenv(altRekorPublicKey)
 if altRekorPub != "" {
@@ -96,15 +105,6 @@ func GetRekorPubs(ctx context.Context) (map[string]RekorPubKey, error) {
 }
 publicKeys[keyID] = RekorPubKey{PubKey: extra, Status: tuf.Active}
 } else {
- tufClient, err := tuf.NewFromEnv(ctx)
- if err != nil {
- return nil, err
- }
- defer tufClient.Close()
- targets, err := tufClient.GetTargetsByMeta(tuf.Rekor, []string{rekorTargetStr})
- if err != nil {
- return nil, err
- }
 for _, t := range targets {
 rekorPubKey, err := PemToECDSAKey(t.Target)
 if err != nil {
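Review bot: The hoisted `tuf.NewFromEnv` / `GetTargetsByMeta` calls at the top of GetRekorPubs now run before the `altRekorPublicKey` check, so a TUF initialisation or fetch error returns early even when the operator has supplied a key through the environment, while `targets` is only ranged over in the `else` branch shown in the second hunk. If that is intended, the doc comment should say so, e.g. `// The TUF root is loaded even when the alternate key is set; a TUF error fails the call before the override is read.`; if it is not, the fetch could stay under the `else`. The comment also still describes only TUF-sourced keys, although the override branch appears to take the trusted key from a file named by an environment variable, which is worth stating because it replaces the TUF-rooted trust for that call. The body of the `if altRekorPub != ""` branch lies between the two hunks and is not visible here.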