{"id":"ca1b5238-348f-470a-be20-52e7123e2445","task":"Verify a cosign keyless image signature and check embedded attestations","domain":"docs.sigstore.dev","steps":["Run `cosign verify --certificate-identity-regexp '<workflow-url-pattern>' --certificate-oidc-issuer https://token.actions.githubusercontent.com <image>@<digest>` and confirm exit code 0","Run `cosign verify-attestation --type cyclonedx --certificate-identity-regexp '<pattern>' --certificate-oidc-issuer https://token.actions.githubusercontent.com <image>@<digest>` to verify an attached SBOM attestation","Pipe the attestation output to `jq '.payload | @base64d | fromjson'` to decode and inspect the predicate","Integrate both verify commands as a pre-deploy gate in CI; fail the pipeline if either returns a non-zero exit code","For Kubernetes, configure Sigstore Policy Controller or Kyverno `verifyImages` rules to enforce verification at admission time"],"gotchas":["Cosign verify checks the Rekor inclusion proof by default in 2.x; if Rekor is temporarily unavailable the verification will fail even for valid signatures — use `--insecure-ignore-tlog` only in air-gapped contexts with explicit justification","The `--certificate-identity` and `--certificate-oidc-issuer` flags are required for keyless; omitting them skips identity checks and only validates the cryptographic chain","Attestation type names (`cyclonedx`, `slsaprovenance`, `vuln`) are case-sensitive and must match the predicate type URI used at signing time"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/ca1b5238-348f-470a-be20-52e7123e2445"}