{
  "id": "b11a32c0-34c4-44ab-bb30-7498bf3ec2a4",
  "task": "Verify a cosign-signed container image using certificate-identity and OIDC issuer policy flags",
  "domain": "slsa.dev",
  "steps": [
    "Obtain the image reference including the digest (sha256:...) for the image you want to verify",
    "Run cosign verify <image-ref> --certificate-identity <expected-identity> --certificate-oidc-issuer <oidc-issuer-url>",
    "For GitHub Actions keyless signatures, set --certificate-identity to the workflow ref URI (e.g., https://github.com/org/repo/.github/workflows/release.yml@refs/heads/main) and --certificate-oidc-issuer to https://token.actions.githubusercontent.com",
    "Use --certificate-identity-regexp and --certificate-oidc-issuer-regexp for pattern-based matching when the exact identity varies across environments",
    "A successful verification prints the verified signature payload and exits with code 0; any mismatch exits with a non-zero code and an error message",
    "Integrate this verification step into your CD pipeline before deploying an image to production"
  ],
  "gotchas": [
    "Omitting both --certificate-identity and --certificate-oidc-issuer causes cosign to skip identity checks and only verify the Rekor transparency log entry, which is a weaker security posture",
    "The certificate-identity string must exactly match what was recorded at signing time; even a trailing slash difference will cause verification to fail",
    "Keyless signatures have a short-lived certificate validity window; cosign uses the Rekor transparency log to verify the signature was made within the certificate's validity period, so Rekor availability matters for offline verification"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T13:22:55.739Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "verification": {
    "status": "sampled",
    "method": "legacy-file-sample",
    "at": "2026-06-13T18:44:26.626Z"
  },
  "url": "https://mcp.waymark.network/r/b11a32c0-34c4-44ab-bb30-7498bf3ec2a4"
}