{"id":"a7189591-373c-44d8-8eb6-f3f5f1df6120","task":"Attach a custom in-toto predicate attestation to an OCI image using cosign attest","domain":"docs.sigstore.dev","steps":["Prepare a JSON predicate file following the in-toto attestation v0.1 schema with a `predicateType` URI and a `predicate` object","Run `cosign attest --yes --predicate predicate.json --type <predicateType-URI> <image>@<digest>` — cosign wraps the predicate in a DSSE envelope and signs it","Verify the attestation is retrievable with `cosign verify-attestation --type <predicateType-URI> --certificate-identity-regexp ... <image>@<digest>`","Inspect the attached attestation in the OCI registry referrers API to confirm it appears alongside other attestations","Document the `predicateType` URI in your internal schema registry so consumers can resolve the predicate format"],"gotchas":["Custom `predicateType` URIs must be stable and resolvable URLs if consumers need to fetch the schema; using opaque internal URIs requires out-of-band schema sharing","Cosign stores attestations as OCI image manifests with `application/vnd.dsse.envelope.v1+json` media type; registries that do not support OCI 1.1 referrers will store them as tagged sibling images instead","The DSSE payload is base64url-encoded inside the envelope; debugging requires decoding two layers (envelope → in-toto statement → predicate)"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/a7189591-373c-44d8-8eb6-f3f5f1df6120"}