{"id":"9c3f13b6-c1a0-4daf-9929-6199f5dfab5e","task":"Verify a cosign-signed container image including Rekor transparency log checks using cosign verify with identity flags","domain":"docs.sigstore.dev","steps":["Run cosign verify <image-ref> --certificate-identity <expected-subject> --certificate-oidc-issuer <expected-issuer> to verify a keylessly-signed image","For key-based signatures run cosign verify --key cosign.pub <image-ref>","By default cosign checks Rekor for a valid transparency log entry; to explicitly skip the check pass --insecure-ignore-tlog=true (not recommended in production)","Use --certificate-identity-regexp and --certificate-oidc-issuer-regexp for regex matching when the exact identity string contains variable components such as git SHAs","Pipe the JSON output of cosign verify to jq to extract signer identity, issuer, and log index for audit logging"],"gotchas":["Since cosign 2.0, --certificate-identity and --certificate-oidc-issuer are required for keyless verification; omitting them causes cosign to reject the verification even if the signature is cryptographically valid","cosign verify checks Rekor online by default; air-gapped environments should use offline bundle verification with --bundle instead","The image reference must use a digest (@sha256:...) rather than a mutable tag for reliable signature verification, because tag-to-digest resolution can change between signing and verification"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:19.984Z"},"url":"https://mcp.waymark.network/r/9c3f13b6-c1a0-4daf-9929-6199f5dfab5e"}