Locate the cosign public key (cosign.pub) whose private half signed the images; if only the private key is at hand, cosign public-key --key cosign.key regenerates the PEM public key from it
In the ClusterImagePolicy spec.authorities add an authority with a key block
To embed the public key inline, set key.data to the PEM-encoded public key content
Alternatively, store the key in a Kubernetes Secret and reference it via key.secretRef with the Secret name; the Secret has to live in the policy-controller's own namespace (cosign-system by default), not in the namespace of the workloads being admitted
Set key.hashAlgorithm only if the signatures were produced with a digest other than the default sha256; for standard cosign sign output, leave it unset
Apply the ClusterImagePolicy, label a test namespace with policy.sigstore.dev/include=true so the webhook enforces there, then confirm that an image signed with the matching private key is admitted while an unsigned image, or one signed with a different key, is rejected
Known gotchas
The key.data field expects a PEM-encoded public key (a -----BEGIN PUBLIC KEY----- block), not the bare base64 of the DER bytes and not the cosign.key private key; wrong content causes verification failures with error messages that do not name the encoding problem, so check the file before pasting it and keep the PEM lines uniformly indented under a YAML literal block (data: |)
When using key.secretRef, the Secret must exist in the same namespace as the policy-controller webhook, typically cosign-system; a missing Secret causes every admission matched by the policy to fail, not just the ones that would have used that authority
Key-based authorities do not require or validate Rekor transparency log entries by default; add a ctlog block under the authority, with ctlog.url pointing at the Rekor instance, to require log inclusion, and do so only if the signatures were actually uploaded to that log (cosign sign uploads unless run with --tlog-upload=false)
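The steps above and the PEM-encoding gotcha, worked through as a shell script. This is an added example, not code from this page or from the sigstore policy-controller project: it checks that a key file is really a PEM public-key block (rejecting bare base64, a certificate, or a pasted private key), then renders the ClusterImagePolicy either with the key inlined under key.data or with a key.secretRef. The sample key body, the policy name release-images, the authority name release-key and the glob ghcr.io/example/** are constructed for the demonstration; the field names (spec.images[].glob, spec.authorities[].key.data, key.secretRef.name, key.hashAlgorithm, ctlog.url) are the policy-controller's.

```shell
#!/bin/sh
# Added example, not from the page or the sigstore policy-controller project.
# Checks a cosign.pub file's encoding and renders a ClusterImagePolicy for it.
set -eu

# check_pem_pubkey FILE
# Returns 0 when FILE is a PEM "PUBLIC KEY" block, 1 otherwise, naming the
# common mistakes: bare base64, a certificate, or a private key pasted by accident.
check_pem_pubkey() {
  file="$1"
  first=$(head -n 1 "$file")
  last=$(tail -n 1 "$file")
  case "$first" in
    '-----BEGIN PUBLIC KEY-----') ;;
    '-----BEGIN '*'PRIVATE KEY-----')
      echo "refusing $file: this is a private key, key.data needs cosign.pub" >&2; return 1 ;;
    '-----BEGIN CERTIFICATE-----')
      echo "refusing $file: this is a certificate, key.data needs the public key" >&2; return 1 ;;
    *)
      echo "refusing $file: no PEM header; key.data needs PEM, not raw base64" >&2; return 1 ;;
  esac
  [ "$last" = '-----END PUBLIC KEY-----' ] || {
    echo "refusing $file: PEM footer missing or truncated" >&2; return 1; }
  # Every body line must be base64 only; anything else is a paste error.
  if sed '1d;$d' "$file" | grep -qv '^[A-Za-z0-9+/=]*$'; then
    echo "refusing $file: non-base64 characters inside the PEM body" >&2; return 1
  fi
  return 0
}

# render_policy NAME GLOB MODE SRC
# MODE "inline": SRC is the cosign.pub path, embedded under key.data.
# MODE "secret": SRC is the name of a Secret in the policy-controller namespace.
# The ctlog block requires the signature to be present in the named Rekor log;
# drop it if images were signed with --tlog-upload=false.
render_policy() {
  name="$1"; glob="$2"; mode="$3"; src="$4"
  cat <<EOF
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: $name
spec:
  images:
  - glob: "$glob"
  authorities:
  - name: release-key
    key:
EOF
  case "$mode" in
    inline)
      check_pem_pubkey "$src"
      echo '      data: |'
      sed 's/^/        /' "$src" ;;   # keep the PEM uniformly indented under data: |
    secret)
      echo '      secretRef:'
      echo "        name: $src" ;;
    *) echo "unknown mode: $mode (use inline or secret)" >&2; return 1 ;;
  esac
  cat <<EOF
      hashAlgorithm: sha256
    ctlog:
      url: https://rekor.sigstore.dev
EOF
}

# Constructed sample key: PEM-shaped but not a real key, for demonstration only.
SAMPLE_PUB='-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcONSTRUCTEDsampleNOTaREALkey000000000000
000000000000000000000000000000000000000000==
-----END PUBLIC KEY-----'

# Demo: write the sample key to a temp file and print the inline-key policy.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUB" > "$demo_dir/cosign.pub"
render_policy release-images 'ghcr.io/example/**' inline "$demo_dir/cosign.pub"
rm -rf "$demo_dir"
```

With a real cosign.pub, pipe the inline output straight into kubectl apply -f -. For the secret variant, create the Secret in the webhook's namespace first (kubectl create secret generic release-key -n cosign-system --from-file=cosign.pub) and render with mode secret and the Secret name; then label a namespace with policy.sigstore.dev/include=true and try kubectl run with an unsigned image to see the rejection.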