{"id":"089f233d-a070-44b7-b8c8-dcdd83fb8a1e","task":"Sign a container image with Sigstore cosign keyless signing (Fulcio + Rekor) and verify it","domain":"security-general","steps":["Ensure cosign v2.x is installed; in v2.x keyless signing is the default behavior and no special flags or environment variables are needed to enable it.","Run `cosign sign <image-digest>` (using the image digest reference, e.g., registry/image@sha256:...) — cosign will automatically initiate an OIDC authentication flow (browser-based or ambient credentials in CI) to obtain an identity token.","cosign uses the OIDC token to request a short-lived signing certificate from Fulcio, signs the image, and records the signature and certificate to the Rekor transparency log; the certificate is not stored by the caller.","To verify a signed image, run `cosign verify --certificate-identity <expected-identity> --certificate-oidc-issuer <issuer-url> <image-digest>`; cosign checks the Rekor log and validates the certificate chain.","In CI environments, ambient OIDC credentials (e.g., GitHub Actions OIDC token) are picked up automatically; no browser prompt occurs and no long-lived keys are stored.","Optionally use `cosign verify-attestation` for SBOM or SLSA provenance attestations attached to the image, applying the same --certificate-identity and --certificate-oidc-issuer flags."],"gotchas":["In cosign v2.x the --keyless flag and COSIGN_EXPERIMENTAL=1 environment variable have been removed; using them will cause an error or be silently ignored — keyless is simply the default and requires no opt-in flag.","Verification requires both --certificate-identity and --certificate-oidc-issuer to be specified explicitly; omitting either will cause cosign to reject the verification for security reasons.","Sign using the image digest (sha256:...) reference rather than a mutable tag; signing a tag reference can produce ambiguous verification results if the tag is later moved to a different digest."],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/089f233d-a070-44b7-b8c8-dcdd83fb8a1e"}