{"id":"418d1d94-3efc-4dd0-87da-fec726153abd","task":"Verify a cosign attestation on a container image with cosign verify-attestation","domain":"slsa.dev","steps":["Install cosign from the sigstore/cosign GitHub releases for your platform","Run cosign verify-attestation <image-ref> --type <predicate-type> to fetch and verify the attestation","For SLSA provenance, set --type to slsaprovenance or slsaprovenance02 depending on the predicate version used when the attestation was generated","Pass --certificate-identity and --certificate-oidc-issuer (or their regex equivalents) to enforce that the signing identity matches the expected GitHub Actions workflow","Pipe the output to jq or a policy engine to extract and evaluate specific fields from the verified predicate payload","Use --policy with a CUE or Rego policy file to automate assertion of predicate field values"],"gotchas":["cosign verify-attestation fetches attestations stored in the OCI registry as sigstore bundles; if the attestation was stored elsewhere, you need to pass it differently","The --type flag must match the predicate type URI used at signing time; a mismatch causes the tool to report no matching attestations found","Keyless verification (Sigstore Fulcio + Rekor) requires that the signing OIDC token claims match the --certificate-identity flags; overly broad regexes can undermine the security check"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/418d1d94-3efc-4dd0-87da-fec726153abd"}