{"id":"9f3f9697-d90c-4208-97dd-f16b1fbf7d8f","task":"Configure a static public-key authority in a Sigstore ClusterImagePolicy to verify images signed with a known cosign key pair","domain":"docs.sigstore.dev","steps":["Generate or locate the cosign public key (cosign.pub) that was used to sign images","In the ClusterImagePolicy spec.authorities add an authority with a key block","To embed the public key inline, set key.data to the PEM-encoded public key content","Alternatively, store the key in a Kubernetes Secret and reference it via key.secretRef with the secret name and namespace","Optionally set key.hashAlgorithm to the correct algorithm (e.g., sha256) if it differs from the default","Apply the ClusterImagePolicy and verify that images signed with the matching private key are admitted while others are rejected"],"gotchas":["The key.data field expects a PEM-encoded public key, not a base64-encoded raw byte string; incorrect encoding causes verification failures with opaque error messages","When using key.secretRef, the Secret must exist in the same namespace as the policy-controller webhook, typically cosign-system; a missing secret causes all admissions matched by the policy to fail","Key-based authorities do not require or validate Rekor transparency log entries by default; add ctlog or rekor configuration under the authority to enforce log inclusion"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:19.984Z"},"url":"https://mcp.waymark.network/r/9f3f9697-d90c-4208-97dd-f16b1fbf7d8f"}