1. Install Cosign 2.x (e.g., via `brew install cosign` or the GitHub releases binary).
2. In a CI environment with OIDC support (GitHub Actions, GitLab CI, Google Cloud Build), run `cosign sign <image-ref>` with no additional flags; keyless signing is the default behavior in Cosign 2.x.
3. Cosign automatically obtains a short-lived Fulcio certificate using the CI job's OIDC token; the signature and certificate are uploaded to the Rekor transparency log.
4. To suppress transparency log upload (e.g., for private images), add `--tlog-upload=false`; the signature is still stored in the OCI registry. Note that `cosign verify` expects a Rekor entry for keyless signatures, so signatures made this way verify only with `--insecure-ignore-tlog=true` (or a signed timestamp).
5. Verify the signature with `cosign verify --certificate-identity <CI-job-identity> --certificate-oidc-issuer <oidc-issuer-url> <image-ref>`.
Known gotchas
- `COSIGN_EXPERIMENTAL=1` was **removed in Cosign 2.0**: keyless signing is now the default and this environment variable is no longer recognized or needed.
- In Cosign 2.x, signatures are uploaded to Rekor by default for both key-based and keyless signing; opt out explicitly with `--tlog-upload=false` if your policy prohibits transparency log entries.
- Keyless signing ties the signature to the CI job's OIDC identity (e.g., `https://github.com/org/repo/.github/workflows/build.yml@refs/heads/main`); verification must supply the exact identity and issuer used at sign time.
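As an added example (not part of the original page), the sign/verify procedure above wired into a bash script for a GitHub Actions job, including the exact-identity gotcha: it derives the expected certificate identity from the runner's `GITHUB_WORKFLOW_REF` and uses the GitHub Actions issuer `https://token.actions.githubusercontent.com`. The helper names `expected_identity`, `verify_args` and `sign_and_verify` are hypothetical, and the job is assumed to have `permissions: id-token: write`.

```bash
#!/usr/bin/env bash
# Added example: keyless sign + verify from inside a GitHub Actions job.
# Assumes the job has `permissions: id-token: write` (needed for the OIDC token)
# and that GITHUB_WORKFLOW_REF is set by the runner (it is on GitHub Actions).
set -eu

GITHUB_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# The identity Fulcio embeds in the certificate for a GitHub Actions job is
# "<server-url>/<GITHUB_WORKFLOW_REF>", e.g.
# https://github.com/org/repo/.github/workflows/build.yml@refs/heads/main
# Caveat: for a reusable workflow the identity is the *called* workflow's ref,
# not the caller's, so derive it from the workflow that actually runs cosign.
expected_identity() {
  local server="${GITHUB_SERVER_URL:-https://github.com}"
  local ref="${GITHUB_WORKFLOW_REF:?not set; not running in GitHub Actions?}"
  printf '%s/%s\n' "$server" "$ref"
}

# Build the argument list for `cosign verify`. When the signature was made with
# --tlog-upload=false there is no Rekor entry, so verification must opt out of
# the transparency log check or it fails with "no valid tlog entries found".
verify_args() {
  local image="$1" tlog="${2:-true}"
  local args="--certificate-identity $(expected_identity)"
  args="$args --certificate-oidc-issuer $GITHUB_OIDC_ISSUER"
  if [ "$tlog" = "false" ]; then
    args="$args --insecure-ignore-tlog=true"
  fi
  printf '%s %s\n' "$args" "$image"
}

# Sign, then immediately verify with the identity this job is expected to have.
# Prefer an immutable digest reference (image@sha256:...) over a mutable tag.
# --yes skips the interactive consent prompt that keyless signing shows.
sign_and_verify() {
  local image="$1" tlog="${2:-true}"
  cosign sign --yes --tlog-upload="$tlog" "$image"
  # shellcheck disable=SC2046  # word splitting of the argument list is intended
  cosign verify $(verify_args "$image" "$tlog") >/dev/null
}
```

Call `sign_and_verify ghcr.io/org/app@sha256:<digest>` from the workflow step; pass `false` as the second argument to mirror a `--tlog-upload=false` policy.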