Obtain the existing unencrypted PEM-encoded EC or RSA private key you want to import into cosign's key format (a password-protected PEM must be decrypted with openssl first)
Run 'cosign import-key-pair --key <path-to-pem-file>'; cosign prompts twice for a password, encrypts the key with it, and writes import-cosign.key and import-cosign.pub to the current directory
Store the resulting cosign key file and its password securely, using a secrets manager or encrypted storage
Sign an artifact with the imported key by running 'cosign sign --key import-cosign.key <image>@<digest>', entering the key password at the prompt or supplying it via the COSIGN_PASSWORD environment variable; sign the digest rather than a tag, since a tag can be re-pointed after signing
Verify the signature with 'cosign verify --key import-cosign.pub <image>@<digest>', where import-cosign.pub is the public key written alongside the import; distribute that file to verifiers, never the .key file
Known gotchas
cosign import-key-pair accepts only a limited set of key types and encodings: the file must contain an unencrypted private key in PKCS#1 ('RSA PRIVATE KEY'), SEC1 ('EC PRIVATE KEY') or PKCS#8 ('PRIVATE KEY') form. Encrypted PEM blocks, public keys, certificates and unsupported curves fail at import; check the cosign documentation for the exact key types (RSA, ECDSA and, in newer releases, Ed25519) and curves supported by your version
Key-based signing never contacts Fulcio (no short-lived certificate is issued), but cosign v2 still uploads the signature to Rekor by default ('--tlog-upload' defaults to true) and prompts for confirmation because the image reference and public key become visible in a public log. Pass '--yes' to confirm non-interactively, '--rekor-url' to use a private Rekor instance, or '--tlog-upload=false' to skip the log; if you skip it, 'cosign verify' must be run with '--insecure-ignore-tlog=true' or it fails for lack of a log entry
The COSIGN_PASSWORD environment variable avoids interactive prompts in CI, but it must be handled carefully: never pass the password on a command line (argv is visible in process listings), keep shell tracing off so the assignment is not echoed into build logs, and source it from the CI secret store or a file readable only by the build user rather than hard-coding it
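The following wrapper is an added example for the procedure and the gotchas above; it is not code from the cosign project. It assumes cosign v2 on PATH, the default output names import-cosign.key / import-cosign.pub, and a password file created by your secrets manager with mode 0600. The PEM, digest and password-file checks run without cosign or a registry; only import_key, sign_image and verify_image need them.

```shell
#!/bin/sh
# Added example: pre-flight checks plus a non-interactive wrapper around
# cosign import-key-pair / sign / verify. Assumptions (not from the cosign docs):
# cosign v2 on PATH, default output names import-cosign.key / import-cosign.pub,
# and a 0600 password file written by the secrets manager.
set -eu

# First BEGIN line of a PEM file, e.g. "EC PRIVATE KEY"; empty if there is none.
pem_block_type() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# cosign import-key-pair reads an unencrypted PKCS#1 (RSA), SEC1 (EC) or PKCS#8 key.
# Reject encrypted or non-key PEM files before cosign sees them.
precheck_pem() {
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
    echo "refusing $1: legacy password-protected PEM, decrypt it with openssl first" >&2
    return 1
  fi
  case "$(pem_block_type "$1")" in
    "RSA PRIVATE KEY"|"EC PRIVATE KEY"|"PRIVATE KEY") return 0 ;;
    "ENCRYPTED PRIVATE KEY")
      echo "refusing $1: encrypted PKCS#8, decrypt it with openssl first" >&2; return 1 ;;
    *) echo "refusing $1: not an unencrypted private key PEM" >&2; return 1 ;;
  esac
}

# Only sign immutable digest references; a tag can be re-pointed after signing.
require_digest_ref() {
  if printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
    return 0
  fi
  echo "refusing '$1': not a digest reference" >&2
  return 1
}

# The password file must be readable only by the build user.
check_password_file() {
  mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
  if [ "$mode" != "600" ]; then
    echo "refusing $1: mode $mode, want 600" >&2
    return 1
  fi
}

# Run cosign with COSIGN_PASSWORD set only in that process's environment, never on argv.
# Shell tracing stays off (no set -x) so the assignment is not echoed into CI logs.
cosign_with_password() {
  pwfile="$1"; shift
  check_password_file "$pwfile"
  COSIGN_PASSWORD="$(cat "$pwfile")" cosign "$@"
}

import_key() {            # import_key key.pem cosign.pass
  precheck_pem "$1"
  cosign_with_password "$2" import-key-pair --key "$1"
  # writes import-cosign.key (encrypted with the password) and import-cosign.pub
}

sign_image() {            # sign_image registry/app@sha256:<digest> cosign.pass
  require_digest_ref "$1"
  # --yes acknowledges cosign v2's prompt about uploading the signature to Rekor
  cosign_with_password "$2" sign --yes --key import-cosign.key "$1"
}

verify_image() {          # verify_image registry/app@sha256:<digest>
  require_digest_ref "$1"
  cosign verify --key import-cosign.pub "$1" >/dev/null
}

main() {                  # main key.pem cosign.pass registry/app@sha256:<digest>
  import_key "$1" "$2"
  sign_image "$3" "$2"
  verify_image "$3"
  echo "signed and verified $3"
}
# Invoke as: main ./key.pem ./cosign.pass ghcr.io/org/app@sha256:<digest>
```

The password never appears in argv: the `VAR=value cmd` form places it only in the child's environment, and the mode check catches a secrets-manager misconfiguration that leaves the file world-readable. The digest check enforces the <image>@<digest> convention from the steps above, so a CI job cannot accidentally sign a mutable tag.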