At signing time, produce a bundle file: cosign sign --bundle <output.sigstore.json> <image-ref> or cosign sign-blob --bundle <output.sigstore.json> <file>; the bundle carries the signature, the Fulcio signing certificate, and the Rekor transparency log entry (canonicalized body plus inclusion proof, and a signed entry timestamp where the log issued one) in a single file, so nothing has to be fetched later
Transfer the bundle file alongside the artifact to the verification environment and verify there with cosign verify-blob --bundle <output.sigstore.json> together with --certificate-identity and --certificate-oidc-issuer (cosign verify for images takes the same identity flags); no network access to Rekor or Fulcio is required at verify time, because the certificate and the log entry are read from the bundle
When verifying artifacts signed before the new bundle format was available (a legacy cosign bundle, or separate signature and certificate files), pass --new-bundle-format=false so that cosign falls back to the legacy verification path instead of expecting a .sigstore.json bundle
Known gotchas
The .sigstore.json format (the sigstore-protobuf-specs Bundle encoded as JSON) was added to cosign v2 behind --new-bundle-format and became the default in cosign v3; the older --bundle output from cosign v1 and early v2 is a cosign-specific legacy bundle, and images signed with older cosign versions may carry no bundle at all and need an online Rekor lookup for full verification
Offline verification checks the inclusion proof embedded in the bundle against the Rekor log key from the trusted root (legacy bundles carry a signed entry timestamp instead, checked the same way) without contacting Rekor; a bundle whose log entry has neither, or no log entry at all, fails verification unless the log requirement is explicitly disabled with --insecure-ignore-tlog, which should be reserved for deployments that rely on a signed timestamp instead
The --trusted-root flag supplies a trusted_root.json (the trust root format Sigstore distributes over TUF) holding the Fulcio, Rekor and timestamp authority keys to verify against, instead of the public-good root embedded in cosign; for a private Sigstore deployment in an air-gapped environment this is required, since the embedded root will not validate certificates or log entries issued by your own instance
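The steps above ship a bundle into an environment with no Rekor access, and the inclusion-proof gotcha says that offline verification stands or falls on what is inside that file. The following script, an added example and not part of cosign or of the original page, is a pre-flight check to run on a bundle before it is handed over: it confirms the artifact's SHA-256 matches the bundle's messageDigest and that the embedded Rekor inclusion proof is internally consistent by recomputing the RFC 6962 Merkle audit path to the bundle's rootHash, which is exactly the part of the work that needs no Rekor round trip. It does not replace cosign verify-blob, which additionally verifies the certificate chain, the signature, and the checkpoint and signed entry timestamp against the keys in the trusted root; those checks need key material and are deliberately left to cosign. The sample bundle is constructed in code with placeholder certificate, signature and checkpoint fields; the field names follow the sigstore-protobuf-specs Bundle JSON encoding, and the check uses inclusionProof.logIndex (the index within the tree) rather than the entry's global logIndex.

```python
"""Pre-flight check of a Sigstore bundle (.sigstore.json) before offline
cosign verification. Added example, not cosign's own code. Verifies the
artifact digest against messageSignature.messageDigest and recomputes the
RFC 6962 inclusion proof embedded in verificationMaterial.tlogEntries.
The sample bundle is constructed below with placeholder cert/signature."""
import base64
import hashlib
import json


def leaf_hash(leaf: bytes) -> bytes:
    # RFC 6962 leaf hash; Rekor hashes the canonicalized entry body this way.
    return hashlib.sha256(b"\x00" + leaf).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def root_from_path(leaf: bytes, index: int, tree_size: int, path: list) -> bytes:
    """RFC 6962 / RFC 9162 inclusion-proof verification: fold the audit path
    into the leaf hash and return the computed root for the caller to compare."""
    if index >= tree_size:
        raise ValueError("leaf index outside tree")
    fn, sn, r = index, tree_size - 1, leaf_hash(leaf)
    for p in path:
        if sn == 0:
            raise ValueError("audit path longer than tree height")
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1 or fn == 0):
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    if sn != 0:
        raise ValueError("audit path shorter than tree height")
    return r


def check_bundle(bundle: dict, artifact: bytes) -> dict:
    """Report which offline checks the bundle supports and whether they pass.
    inclusion_proof_ok stays None when no inclusionProof is present: cosign's
    offline check cannot succeed on such a bundle. Checkpoint and SET signature
    verification against the Rekor key is left to cosign (needs trusted root)."""
    vm = bundle["verificationMaterial"]
    result = {"digest_ok": None, "inclusion_proof_ok": None,
              "has_set": False, "has_rfc3161": False}
    sig = bundle.get("messageSignature")
    if sig:  # DSSE bundles carry the digest inside the in-toto statement instead
        want = base64.b64decode(sig["messageDigest"]["digest"])
        result["digest_ok"] = want == hashlib.sha256(artifact).digest()
    result["has_rfc3161"] = bool(
        vm.get("timestampVerificationData", {}).get("rfc3161Timestamps"))
    for entry in vm.get("tlogEntries", []):
        if "inclusionPromise" in entry:
            result["has_set"] = True
        proof = entry.get("inclusionProof")
        if not proof:
            continue
        body = base64.b64decode(entry["canonicalizedBody"])
        hashes = [base64.b64decode(h) for h in proof["hashes"]]
        try:
            # proof.logIndex is the index inside this tree; entry.logIndex is
            # the global index across Rekor shards and must not be used here.
            root = root_from_path(body, int(proof["logIndex"]),
                                  int(proof["treeSize"]), hashes)
            result["inclusion_proof_ok"] = root == base64.b64decode(proof["rootHash"])
        except ValueError:
            result["inclusion_proof_ok"] = False
    return result


def build_sample_bundle(artifact: bytes, bodies: list, m: int) -> dict:
    """Constructed test bundle (not a real Rekor entry): leaf m of the given
    canonicalized bodies gets a correct RFC 6962 audit path to the tree root."""
    def mth(ls):  # Merkle tree hash over a list of leaves (RFC 6962 MTH)
        if len(ls) == 1:
            return leaf_hash(ls[0])
        k = 1 << ((len(ls) - 1).bit_length() - 1)  # largest power of two < n
        return node_hash(mth(ls[:k]), mth(ls[k:]))

    def path(i, ls):  # audit path for leaf i (RFC 6962 PATH)
        if len(ls) == 1:
            return []
        k = 1 << ((len(ls) - 1).bit_length() - 1)
        return (path(i, ls[:k]) + [mth(ls[k:])] if i < k
                else path(i - k, ls[k:]) + [mth(ls[:k])])

    b64 = lambda b: base64.b64encode(b).decode()
    return {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {
            "certificate": {"rawBytes": b64(b"placeholder-cert")},
            "tlogEntries": [{
                "logIndex": str(1000 + m),  # global index, placeholder value
                "logId": {"keyId": b64(b"placeholder-key-id")},
                "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"},
                "integratedTime": "1700000000",
                "inclusionPromise": {"signedEntryTimestamp": b64(b"placeholder-set")},
                "inclusionProof": {
                    "logIndex": str(m),
                    "rootHash": b64(mth(bodies)),
                    "treeSize": str(len(bodies)),
                    "hashes": [b64(h) for h in path(m, bodies)],
                    "checkpoint": {"envelope": "placeholder checkpoint"},
                },
                "canonicalizedBody": b64(bodies[m]),
            }],
        },
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256",
                              "digest": b64(hashlib.sha256(artifact).digest())},
            "signature": b64(b"placeholder-signature"),
        },
    }


if __name__ == "__main__":
    artifact = b"release-1.2.3.tar.gz contents (constructed)"
    bodies = [json.dumps({"entry": i}).encode() for i in range(5)]
    bundle = build_sample_bundle(artifact, bodies, 3)
    print(json.dumps(check_bundle(bundle, artifact)))
    # Swap in another leaf's body: the audit path no longer reaches rootHash.
    other = build_sample_bundle(artifact, bodies, 1)
    bundle["verificationMaterial"]["tlogEntries"][0]["canonicalizedBody"] = \
        other["verificationMaterial"]["tlogEntries"][0]["canonicalizedBody"]
    print(json.dumps(check_bundle(bundle, artifact)))
```

To run it against a real bundle, load the file with json.load and pass the artifact bytes to check_bundle; a result with inclusion_proof_ok of None tells you the bundle has no inclusion proof and will not pass cosign's offline check, while has_set and has_rfc3161 show which fallback material (signed entry timestamp, RFC 3161 timestamp) the bundle carries for cosign to verify against the trusted root.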