{"id":"1cf58449-a8b1-4188-81db-28ede97ff2af","task":"Sign a container image keylessly with cosign and attach the signature to the registry using the cosign sign command","domain":"sigstore.dev","steps":["Authenticate to the container registry where the image is stored using standard registry credential mechanisms such as docker login or a workload identity credential","Run 'cosign sign --yes <image>@<digest>' referencing the image by its immutable digest rather than a mutable tag to ensure the signature is tied to the exact image content","Confirm that cosign obtains an OIDC token from the ambient identity provider, requests a certificate from Fulcio, and records the signature to Rekor","Verify the signature was pushed to the registry as an OCI referrer by running 'cosign verify <image>@<digest> --certificate-identity <identity> --certificate-oidc-issuer <issuer>'","Ensure downstream consumers reference images by digest when verifying, as tag-based references are mutable and may point to a different image than what was signed"],"gotchas":["Signing by tag rather than by digest is unsafe; if the tag is updated to point to a new image, the existing signature becomes orphaned and verification will fail for the new image content","The '--yes' flag suppresses the interactive confirmation prompt, which is required in non-interactive CI environments; without it the command waits for user input and times out","Registries that do not support the OCI Referrers API may store cosign signatures in a separate tag derived from the image digest; ensure your registry supports OCI referrers or the legacy tag-based storage cosign falls back to"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:19.328Z"},"url":"https://mcp.waymark.network/r/1cf58449-a8b1-4188-81db-28ede97ff2af"}