Obtain the artifact and the bundle file that cosign sign-blob produced for it
Identify the expected certificate identity (typically the email or workflow subject URI embedded in the certificate) and the OIDC issuer URL used during signing
Run 'cosign verify-blob --bundle <bundle-file> --certificate-identity <identity> --certificate-oidc-issuer <issuer> <artifact-file>'
Observe that cosign validates the signature against the certificate, confirms the certificate was issued by Fulcio from the specified issuer, and checks the Rekor inclusion proof
Treat verification failure as a hard error; ensure scripts check the verify-blob exit code and do not proceed with a failed verification
For CI automation, use '--certificate-identity-regexp' to match identity patterns such as workflow refs instead of exact subjects when using GitHub Actions OIDC
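A small wrapper that applies the steps above in CI (added example, not from the original page or the cosign project): it calls cosign verify-blob with the bundle, an identity regexp and the issuer, and turns any non-zero exit code into a hard failure. The workflow-ref regexp and the GitHub Actions issuer URL in the commented invocation are assumed example values.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around cosign verify-blob for keyless bundles.
set -eu

# verify_blob ARTIFACT BUNDLE IDENTITY_REGEXP ISSUER
#   returns 0  - cosign verified signature, certificate, identity and Rekor proof
#   returns 1  - cosign reported a verification failure
#   returns 2  - bad input (missing file, or empty identity regexp / issuer)
verify_blob() {
  artifact=$1; bundle=$2; identity_re=$3; issuer=$4

  # Never run with identity enforcement effectively disabled.
  if [ -z "$identity_re" ] || [ -z "$issuer" ]; then
    echo "verify_blob: identity regexp and OIDC issuer are required" >&2
    return 2
  fi
  if [ ! -f "$artifact" ] || [ ! -f "$bundle" ]; then
    echo "verify_blob: artifact or bundle file not found" >&2
    return 2
  fi

  # cosign exits non-zero on any signature, certificate, identity or Rekor failure;
  # the regexp form avoids exact-subject mismatches on each new branch or tag.
  if ! cosign verify-blob \
        --bundle "$bundle" \
        --certificate-identity-regexp "$identity_re" \
        --certificate-oidc-issuer "$issuer" \
        "$artifact"; then
    echo "verify_blob: verification FAILED for $artifact" >&2
    return 1
  fi
  echo "verify_blob: verification OK for $artifact"
  return 0
}

# Example invocation with assumed values (repo, workflow file and issuer are placeholders):
# verify_blob release.tar.gz release.tar.gz.bundle \
#   '^https://github\.com/example-org/example-repo/\.github/workflows/release\.yml@refs/tags/v[0-9.]+$' \
#   'https://token.actions.githubusercontent.com'
```

Because the function returns rather than exiting, a calling script can use it under `set -e` and still log which artifact failed before aborting.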
Known gotchas
The '--certificate-identity' flag performs an exact string match against the SAN in the certificate by default; workflow OIDC subjects include the full ref path, so mismatches on branch or tag name cause verification to fail
Omitting both '--certificate-identity' and '--certificate-identity-regexp' when verifying keyless signatures causes cosign to skip identity enforcement, which defeats the purpose of keyless signing; always specify at least one
The OIDC issuer URL must exactly match the issuer recorded in the certificate; the GitHub Actions issuer differs between environments, so confirm the correct issuer for your environment before automating verification