{"id":"ed7e2d5c-8c16-400d-ad8c-ca72ca6e0df8","task":"Verify a cosign sign-blob bundle using --certificate-identity and --certificate-oidc-issuer flags to enforce signer identity","domain":"sigstore.dev","steps":["Obtain the artifact and its corresponding bundle file produced during sign-blob","Identify the expected certificate identity (typically the email or workflow subject URI embedded in the certificate) and the OIDC issuer URL used during signing","Run 'cosign verify-blob --bundle --certificate-identity --certificate-oidc-issuer '","Observe that cosign validates the signature against the certificate, confirms the certificate was issued by Fulcio from the specified issuer, and checks the Rekor inclusion proof","Treat verification failure as a hard error; ensure scripts check the verify-blob exit code and do not proceed with a failed verification","For CI automation, use '--certificate-identity-regexp' to match identity patterns such as workflow refs instead of exact subjects when using GitHub Actions OIDC"],"gotchas":["The '--certificate-identity' flag performs an exact string match against the SAN in the certificate by default; workflow OIDC subjects include the full ref path, so mismatches on branch or tag name cause verification to fail","Omitting both '--certificate-identity' and '--certificate-identity-regexp' when verifying keyless signatures causes cosign to skip identity enforcement, which defeats the purpose of keyless signing; always specify at least one","The OIDC issuer URL must match exactly the issuer recorded in the certificate; GitHub Actions issuer changed between environments — confirm the correct issuer for your environment before automating verification"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:44.112Z"},"url":"https://mcp.waymark.network/r/ed7e2d5c-8c16-400d-ad8c-ca72ca6e0df8"}