Identify the expected signing identity (the OIDC subject, such as a GitHub Actions workflow path) and the OIDC issuer URL used during signing.
Run cosign verify IMAGE_REF --certificate-identity=EXPECTED_SUBJECT --certificate-oidc-issuer=EXPECTED_ISSUER to verify the signature and confirm the certificate was bound to the expected identity.
For images signed with an explicit key pair instead of keyless, run cosign verify --key cosign.pub IMAGE_REF.
In Kubernetes admission workflows, use the Sigstore Policy Controller to enforce signature verification at deploy time: annotate namespaces and define ClusterImagePolicy resources specifying allowed identities.
Verify a multi-platform index by specifying the index digest; cosign will verify the index manifest signature, not individual platform manifests.
Use the --output-signature and --output-certificate flags to save artifacts for audit evidence.
Known gotchas
Verification fails if either --certificate-identity or --certificate-oidc-issuer is omitted for keyless signatures; both are required to prevent accepting signatures from unintended identities.
Cosign verifies the Rekor inclusion proof by default; air-gapped environments must configure a local Rekor mirror or disable inclusion proof verification explicitly.
Registry rate limits can cause transient cosign verify failures when the signature artifact layer fetch is throttled; add retry logic in automated pipelines.
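Putting the verification steps above together with the gotchas on the required identity flags and on registry throttling, the following is an added example wrapper for pipelines (not code from this page, from Sigstore or from cosign itself). COSIGN_BIN, MAX_ATTEMPTS and EVIDENCE_DIR are the example's own assumptions; the evidence it keeps is the JSON that cosign verify prints for each verified signature.

```bash
#!/usr/bin/env bash
# Added example, not from the page or the Sigstore project: a CI wrapper around
# `cosign verify` that fails closed when the keyless identity constraints are
# incomplete, retries transient registry failures, and keeps cosign's JSON
# verification output as audit evidence. COSIGN_BIN, MAX_ATTEMPTS and
# EVIDENCE_DIR are this example's own assumptions, not cosign settings.
set -u
COSIGN_BIN="${COSIGN_BIN:-cosign}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"
EVIDENCE_DIR="${EVIDENCE_DIR:-./cosign-evidence}"

# True only when BOTH keyless constraints are set (known gotcha: cosign rejects
# the call if either is missing, so check before spending registry retries).
keyless_inputs_ok() {
  [ -n "$1" ] && [ -n "$2" ]
}

# Maps an image reference to a file-name-safe evidence prefix.
evidence_prefix() {
  printf '%s' "$1" | sed 's/[^A-Za-z0-9._-]/_/g'
}

# cosign_verify_retry EVIDENCE_FILE COSIGN_ARGS...
# Retries a failed `cosign verify` up to MAX_ATTEMPTS times with linear back-off
# and stores the JSON cosign prints on success. A genuine rejection simply fails
# every attempt; only throttled signature-layer fetches benefit from the retry.
cosign_verify_retry() {
  local evidence="$1" attempt=1; shift
  mkdir -p "$(dirname "$evidence")"
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    if "$COSIGN_BIN" verify "$@" > "$evidence"; then
      return 0
    fi
    echo "cosign verify failed (attempt $attempt/$MAX_ATTEMPTS)" >&2
    sleep "$attempt"
    attempt=$((attempt + 1))
  done
  rm -f "$evidence"   # never leave a truncated file that looks like evidence
  return 1
}

# verify_keyless IMAGE_REF EXPECTED_SUBJECT EXPECTED_ISSUER
verify_keyless() {
  if ! keyless_inputs_ok "$2" "$3"; then
    echo "refusing keyless verify of $1: identity and issuer are both required" >&2
    return 2
  fi
  cosign_verify_retry "$EVIDENCE_DIR/$(evidence_prefix "$1").verify.json" "$1" \
    --certificate-identity="$2" --certificate-oidc-issuer="$3"
}
```

For images signed with an explicit key pair, the same helper can be called with `--key cosign.pub` in place of the two identity flags.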