Ensure cosign 2.x is installed and the environment has a valid OIDC token from a supported provider such as GitHub Actions or Google Cloud
Run 'cosign sign-blob --bundle output.bundle <artifact-file>' to sign the artifact; cosign will use the ambient OIDC token to obtain a signing certificate from Fulcio and record the signature in the Rekor transparency log
Confirm the bundle file is written, containing the certificate, signature, and Rekor transparency log entry in a single JSON structure
Store the bundle file alongside the artifact or in an attestation storage system for later verification
Run 'cosign verify-blob --bundle output.bundle --certificate-identity <expected-email-or-subject> --certificate-oidc-issuer <issuer-url> <artifact-file>' to verify offline using the bundle
Confirm verification succeeds and that the certificate identity matches the expected signer identity
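Before handing the bundle to 'cosign verify-blob', it is useful to confirm that the bundle you stored actually describes the artifact you are about to verify: that it carries all three components (certificate, signature, Rekor entry) and that the digest recorded in both the signature material and the Rekor entry equals the artifact's SHA-256. The example below is added here and is not cosign's or Sigstore's code; it assumes the new bundle format's JSON field layout (verificationMaterial, tlogEntries, messageSignature, hashedrekord body) as described in the Sigstore bundle spec, and the certificate, signature and log-key bytes it builds are constructed placeholders. It is a structural cross-check only; signature, certificate-chain and inclusion-proof verification remain cosign's job.

```python
import base64
import hashlib
import json

# Field names below follow the Sigstore bundle JSON encoding as I understand it
# (assumption). Certificate, signature and log key bytes are constructed
# placeholders, not real Fulcio or Rekor output.


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def build_sample_bundle(artifact: bytes, signature: bytes = b"\x30\x45fake-signature") -> dict:
    """Construct a structurally complete new-format bundle for ARTIFACT (sample only)."""
    digest = hashlib.sha256(artifact).digest()
    # The Rekor hashedrekord entry records the blob hash and the submitted
    # signature, so a consumer can cross-check both against the bundle.
    rekor_body = {
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256", "value": digest.hex()}},
            "signature": {
                "content": _b64(signature),
                "publicKey": {"content": _b64(b"PLACEHOLDER-PEM-CERT")},
            },
        },
    }
    return {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {
            "certificate": {"rawBytes": _b64(b"PLACEHOLDER-DER-CERT")},
            "tlogEntries": [{
                "logIndex": "0",
                "logId": {"keyId": _b64(b"PLACEHOLDER-LOG-KEY-ID")},
                "integratedTime": "0",
                "canonicalizedBody": _b64(json.dumps(rekor_body, separators=(",", ":")).encode()),
            }],
        },
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256", "digest": _b64(digest)},
            "signature": _b64(signature),
        },
    }


def check_bundle(bundle: dict, artifact: bytes) -> dict:
    """Confirm BUNDLE carries cert, signature and Rekor entry for ARTIFACT.

    Raises ValueError on any inconsistency. This is a structural cross-check;
    the cryptographic checks are done by 'cosign verify-blob'.
    """
    vm = bundle["verificationMaterial"]
    cert_b64 = vm.get("certificate", {}).get("rawBytes")
    entries = vm.get("tlogEntries") or []
    if not cert_b64 or not entries:
        raise ValueError("bundle lacks certificate or Rekor log entry")
    sig = base64.b64decode(bundle["messageSignature"]["signature"])
    md = bundle["messageSignature"]["messageDigest"]
    if md["algorithm"] != "SHA2_256":
        raise ValueError(f"unexpected digest algorithm {md['algorithm']}")
    actual = hashlib.sha256(artifact).digest()
    if base64.b64decode(md["digest"]) != actual:
        raise ValueError("bundle messageDigest does not match artifact")
    # The Rekor body must describe the same blob and the same signature.
    body = json.loads(base64.b64decode(entries[0]["canonicalizedBody"]))
    if body.get("kind") != "hashedrekord":
        raise ValueError(f"unexpected Rekor entry kind {body.get('kind')}")
    spec = body["spec"]
    if spec["data"]["hash"]["value"] != actual.hex():
        raise ValueError("Rekor entry hash does not match artifact")
    if base64.b64decode(spec["signature"]["content"]) != sig:
        raise ValueError("Rekor entry signature differs from bundle signature")
    return {"log_index": entries[0]["logIndex"], "digest": actual.hex(), "signature_len": len(sig)}


def check_bundle_file(bundle_path: str, artifact_path: str) -> dict:
    """File-based wrapper: check_bundle_file('output.bundle', 'artifact.tar.gz')."""
    with open(bundle_path) as f, open(artifact_path, "rb") as a:
        return check_bundle(json.load(f), a.read())


if __name__ == "__main__":
    sample = b"constructed artifact bytes"
    print(check_bundle(build_sample_bundle(sample), sample))
```

A mismatch here usually means the bundle was stored next to the wrong artifact or the artifact was rebuilt after signing; catching it before 'cosign verify-blob' gives a clearer error than a generic signature failure.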
Known gotchas
The '--new-bundle-format' flag produces a bundle format compatible with cosign 2.x verification; older cosign versions cannot verify bundles produced with the new format, so coordinate with consumers on version compatibility
Keyless signing requires a valid OIDC token at signing time; in CI environments this is provided automatically, but local signing requires an interactive browser flow or a preconfigured identity provider
The certificate issued by Fulcio is short-lived (typically 10 minutes); the bundle captures the Rekor inclusion proof so that verification remains possible long after the certificate expires