Prepare a JSON predicate file following the in-toto attestation v0.1 schema with a `predicateType` URI and a `predicate` object
Run `cosign attest --yes --predicate predicate.json --type <predicateType-URI> <image>@<digest>` — cosign wraps the predicate in a DSSE envelope and signs it
Verify the attestation is retrievable with `cosign verify-attestation --type <predicateType-URI> --certificate-identity-regexp ... <image>@<digest>`
Inspect the attached attestation through the OCI registry's referrers API to confirm it appears alongside other attestations
Document the `predicateType` URI in your internal schema registry so consumers can resolve the predicate format
Known gotchas
Custom `predicateType` URIs must be stable and resolvable URLs if consumers need to fetch the schema; using opaque internal URIs requires out-of-band schema sharing
Cosign stores attestations as OCI image manifests with `application/vnd.dsse.envelope.v1+json` media type; registries that do not support OCI 1.1 referrers will store them as tagged sibling images instead
The DSSE payload is base64url-encoded inside the envelope; debugging requires decoding two layers (envelope → in-toto statement → predicate)
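The two decoding layers named in the last gotcha, as an added example that is not part of the original page or of cosign's own code: it takes one DSSE envelope as JSON, checks `payloadType`, `predicateType` and the subject digest, and returns the predicate. The sample envelope, type URI, image name and digest are constructed placeholders, and the decoder accepts both base64 alphabets.

```python
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def b64_decode_any(data: str) -> bytes:
    """Decode standard or URL-safe base64, with or without padding."""
    normalized = data.replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)
    return base64.b64decode(normalized, validate=True)


def unwrap_attestation(envelope_json: str, expected_type: str, expected_sha256: str) -> dict:
    """Decode envelope -> in-toto statement -> predicate, checking each layer.

    This only decodes; checking the signature is cosign verify-attestation's job.
    """
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    statement = json.loads(b64_decode_any(envelope["payload"]))
    if statement.get("predicateType") != expected_type:
        raise ValueError(f"unexpected predicateType: {statement.get('predicateType')!r}")
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if expected_sha256 not in digests:
        raise ValueError("statement subject does not match the image digest")
    return statement["predicate"]


# Constructed sample (not real cosign output): placeholder type URI and digest.
SAMPLE_TYPE = "https://example.com/attestations/review/v1"
SAMPLE_DIGEST = "a" * 64
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SAMPLE_TYPE,
    "subject": [{"name": "registry.example.com/app", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {"reviewer": "alice", "approved": True},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.urlsafe_b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "constructed-placeholder"}],
})

if __name__ == "__main__":
    print(unwrap_attestation(SAMPLE_ENVELOPE, SAMPLE_TYPE, SAMPLE_DIGEST))
```

Each line that `cosign verify-attestation` prints on stdout is one such envelope, so the function can be applied per line after verification succeeds.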