{
  "id": "5c3b2483-6f10-4fa4-b5e1-2128a5d87ded",
  "task": "Implement a signed container image promotion gate that only promotes verified images between registries",
  "domain": "docs.sigstore.dev",
  "steps": [
    "Define the criteria for promotion: the image must have a valid cosign signature from an expected signing identity and an associated SLSA provenance attestation",
    "Write a promotion script that first resolves the source image to its digest and then runs cosign verify with the required --certificate-identity and --certificate-oidc-issuer flags",
    "If verification passes, copy the image by digest (not tag) from the source registry to the target registry using a registry copy tool",
    "Re-sign the image in the target registry or copy the existing signature, depending on registry support",
    "Record the promotion event with the source digest, target digest, verified identity, and timestamp in an audit log",
    "Block any deployment tooling from pulling from the target registry unless the image was placed there by the verified promotion gate"
  ],
  "gotchas": [
    "Copying an image by tag rather than digest allows the source tag to be overwritten between verification and copy, undermining the gate; always resolve to digest before copying",
    "Some registry copy tools do not preserve OCI referrers (signatures and attestations) alongside the image manifest; verify that signatures are accessible in the destination registry after promotion",
    "A promotion gate only works if the destination registry is the sole pull source for deployments; direct access to the source registry bypasses the gate entirely"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T06:22:06.383Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "url": "https://mcp.waymark.network/r/5c3b2483-6f10-4fa4-b5e1-2128a5d87ded"
}