{"id":"d48a7b77-ccc4-40b5-81fa-8b7123004c49","task":"Use cosign import-key to import an existing PEM-encoded private key for use with cosign sign","domain":"sigstore.dev","steps":["Obtain the existing PEM-encoded EC or RSA private key you want to import into cosign's key format","Run 'cosign import-key --key <path-to-pem-file>' to produce a cosign-formatted key file; cosign will prompt for a password to encrypt the resulting key","Store the resulting cosign key file and its password securely, using a secrets manager or encrypted storage","Sign an artifact using the imported key by running 'cosign sign --key cosign.key <image>@<digest>' and entering the key password when prompted or via the COSIGN_PASSWORD environment variable","Verify the signature using 'cosign verify --key cosign.pub <image>@<digest>' where cosign.pub is the corresponding public key exported alongside the import"],"gotchas":["cosign import-key supports specific key types and curve formats; unsupported key types or encoding formats will cause an import error — check cosign documentation for the list of supported key formats for your cosign version","Key-based signing does not use Fulcio or Rekor by default; transparency log recording must be explicitly enabled with '--rekor-url' or '--tlog-upload=true' if you want the signature recorded for auditability","The COSIGN_PASSWORD environment variable is used to avoid interactive prompts in CI but must be handled carefully to avoid leaking the password in logs or process listings"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:33.807Z"},"url":"https://mcp.waymark.network/r/d48a7b77-ccc4-40b5-81fa-8b7123004c49"}