{"id":"77168157-fcd4-41de-839e-238e2f6ead92","task":"Attest a SLSA provenance predicate to a container image using cosign attest and verify it with cosign verify-attestation","domain":"sigstore.dev","steps":["Generate a SLSA provenance JSON file conforming to the SLSA provenance predicate schema for your build","Run 'cosign attest --yes --predicate provenance.json --type slsaprovenance <image>@<digest>' to attach the attestation as an in-toto statement to the image in the registry","Confirm the attestation is stored as an OCI referrer alongside the image","Verify the attestation with 'cosign verify-attestation --type slsaprovenance --certificate-identity <identity> --certificate-oidc-issuer <issuer> <image>@<digest>'","Pipe the verify-attestation output (which contains the in-toto statement as JSON) to a policy check that validates the predicate fields such as builder ID and source repository","Integrate this verification step in deployment pipelines before any image promotion to production"],"gotchas":["The '--type' flag in both attest and verify-attestation must use consistent predicate type identifiers; 'slsaprovenance' maps to a specific URI and mismatches between attest and verify commands will cause verification to find no matching attestation","cosign attest stores the predicate wrapped in an in-toto statement envelope; when writing downstream policy checks, parse the outer envelope to reach the predicate fields rather than treating the output as a raw predicate","Attestations are keyed by image digest; if the image is re-tagged or re-pushed without the original digest, the attestation will not be found during verification"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:48.523Z"},"url":"https://mcp.waymark.network/r/77168157-fcd4-41de-839e-238e2f6ead92"}