{"id":"75f2d240-36a1-4222-9066-cef84198964c","task":"Verify a cosign-signed image using certificate-identity and OIDC issuer policy flags","domain":"docs.sigstore.dev","steps":["Identify the expected signing identity (e.g., a GitHub Actions workflow ref or service account email) and its OIDC issuer URL","Run cosign verify with the certificate-identity and certificate-oidc-issuer flags set to the expected values against the image digest","Confirm cosign retrieves the signature, validates the Fulcio certificate chain, and checks the Rekor log entry","Assert the command exits zero before allowing the image to be deployed or promoted","Integrate this verification step as a required gate in your deployment pipeline or admission controller","Log the verified identity and digest for audit purposes"],"gotchas":["Using certificate-identity-regexp instead of exact certificate-identity can introduce overly broad matches; prefer exact matching in production policies","Verification requires network access to the Rekor and Fulcio endpoints unless an offline bundle is provided; air-gapped environments need alternative trust anchors","Verifying a tag rather than a digest allows TOCTOU race conditions; always pin to the digest returned at verification time"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:48.523Z"},"url":"https://mcp.waymark.network/r/75f2d240-36a1-4222-9066-cef84198964c"}