{"id":"ed98daaf-58ee-4528-a101-1c1321da903a","task":"Sign a file artifact with cosign sign-blob using keyless OIDC signing and produce a bundle for offline verification","domain":"sigstore.dev","steps":["Ensure cosign 2.x is installed and the environment has a valid OIDC token from a supported provider such as GitHub Actions or Google Cloud","Run 'cosign sign-blob --bundle output.bundle <artifact-file>' to sign the artifact; cosign will use the ambient OIDC token to obtain a certificate from Fulcio and record the signature to Rekor","Confirm the bundle file is written, containing the certificate, signature, and Rekor transparency log entry in a single JSON structure","Store the bundle file alongside the artifact or in an attestation storage system for later verification","Run 'cosign verify-blob --bundle output.bundle --certificate-identity <expected-email-or-subject> --certificate-oidc-issuer <issuer-url> <artifact-file>' to verify offline using the bundle","Confirm verification succeeds and that the certificate identity matches the expected signer identity"],"gotchas":["The '--new-bundle-format' flag produces a bundle format compatible with cosign 2.x verification; older cosign versions cannot verify bundles produced with the new format, so coordinate with consumers on version compatibility","Keyless signing requires a valid OIDC token at signing time; in CI environments this is provided automatically, but local signing requires an interactive browser flow or a preconfigured identity provider","The certificate issued by Fulcio is short-lived (typically 10 minutes); the bundle captures the Rekor inclusion proof so that verification remains possible long after the certificate expires"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:44.112Z"},"url":"https://mcp.waymark.network/r/ed98daaf-58ee-4528-a101-1c1321da903a"}