Open-Source Wikis

/

Cosign

/

CLI

/

Verification commands

sigstore/cosign

Verification commands

Four commands consume the artifacts produced by the signing commands and answer the question "did the right person/system sign this?":

Command Verifies Notable input
cosign verify Cosign signature attached to an OCI image image digest, expected identity
cosign verify-attestation DSSE-wrapped in-toto attestation attached to an OCI image image digest, predicate type, optional CUE/Rego policy
cosign verify-blob A signature alongside a local blob blob path, signature, cert/bundle
cosign verify-blob-attestation A DSSE attestation alongside a local blob blob path, attestation envelope

All four share cmd/cosign/cli/verify/common.go (~475 lines) which holds the cross-command helpers: identity checking, TUF/trusted-root resolution, Rekor entry checking, etc.

cosign verify

cosign verify [--key path|pub-uri | --certificate cert.pem]
              --certificate-identity[-regexp] <ident>
              --certificate-oidc-issuer[-regexp] <issuer>
              [--ca-roots roots.pem] [--ca-intermediates inters.pem]
              [--annotations key=value]...
              [--offline] [--local-image dir] [--new-bundle-format=true|false]
              <image-digest>...

Implementation: cmd/cosign/cli/verify.go (Cobra) + cmd/cosign/cli/verify/verify.go (~290 lines orchestrator) → pkg/cosign/verify.go (legacy path) or cmd/cosign/cli/verify/verify_bundle.gosigstore-go (new bundle path).

Flow:

sequenceDiagram
    participant U as User
    participant V as cosign verify
    participant R as Registry
    participant S as Verifier (sigstore-go / pkg/cosign)
    participant T as TUF
    U->>V: cosign verify $IMAGE --certificate-identity ...
    V->>R: pull manifest, find sha256-<digest>.sig (or attached bundle)
    V->>T: resolve trusted_root.json (CA, Rekor key, CT key, TSA chain)
    V->>S: verify signature against payload + cert
    S->>S: chain validation (cert vs Fulcio CA)
    S->>S: SCT verification (CT log key)
    S->>S: Rekor inclusion proof + SET
    S->>S: optional TSA timestamp
    S->>V: ok or error
    V->>V: enforce --certificate-identity / --certificate-oidc-issuer match
    V->>U: claims printed to stdout

If verification succeeds, cosign prints the simple-signing payload as JSON on stdout (and a human summary to stderr). If you ask for --output text, only the human summary is emitted.

--offline skips the live Rekor lookup and trusts the inclusion proof embedded in the bundle (or in the legacy BundleAnnotationKey annotation). Required for air-gapped verification.

--local-image <dir> verifies a saved image written by cosign save instead of fetching from a registry. pkg/cosign/verifiers.go has the local layout reader.

cosign verify-attestation

cosign verify-attestation [--key|--certificate-identity ...]
                          --type slsaprovenance|vuln|... [--policy policy.cue|policy.rego]
                          <image-digest>

Implementation: cmd/cosign/cli/verify_attestation.go + cmd/cosign/cli/verify/verify_attestation.go.

Steps beyond plain verify:

  1. After the cryptographic check, parse the DSSE payload as an in-toto Statement.
  2. Filter to attestations of the requested --type.
  3. If --policy is supplied, hand the predicate to pkg/cosign/cue/ or pkg/cosign/rego/ and require the policy to evaluate to true.
  4. Print the matching Statement on stdout.

cosign verify-blob

cosign verify-blob [--key|--certificate cert.pem|--bundle bundle.sigstore.json]
                   --signature sig.txt
                   --certificate-identity[-regexp] <ident>
                   --certificate-oidc-issuer[-regexp] <issuer>
                   [--offline] <file>

Implementation: cmd/cosign/cli/verify_blob.go + cmd/cosign/cli/verify/verify_blob.go (12 KB) and a giant verify_blob_test.go (57 KB) covering legacy/new-bundle, online/offline, and various certificate combinations.

The function accepts every shape signatures take in the wild:

  • raw base64 in --signature plus a --certificate PEM,
  • a Rekor bundle JSON,
  • a Sigstore protobuf bundle.

It picks the appropriate verifier based on what's present, then enforces the identity assertions.

cosign verify-blob-attestation

cosign verify-blob-attestation --bundle bundle.sigstore.json
                               --certificate-identity ... --certificate-oidc-issuer ...
                               [--type ...] [--policy ...] <file>

Implementation: cmd/cosign/cli/verify_blob_attestation.go + cmd/cosign/cli/verify/verify_blob_attestation.go (~12 KB) — the equivalent of verify-attestation for non-OCI inputs. Shares the policy plumbing with the OCI flavour.

Identity matching

Across all four, identity is asserted via:

  • --certificate-identity and --certificate-oidc-issuer (exact match against the cert SAN), or
  • --certificate-identity-regexp and --certificate-oidc-issuer-regexp (regex match).

These are required for any keyless verification. The check happens after cryptographic validation, so a wrong identity always fails after the chain has already been validated.

cmd/cosign/cli/verify/common.go houses the Identities extraction and matching logic.

TLog and TSA verification

  • By default, the verifier requires a Rekor entry. Set --insecure-ignore-tlog to bypass (cosign prints a Skipping tlog verification is an insecure practice… warning, see ignoreTLogMessage in cmd/cosign/cli/verify.go).
  • --use-signed-timestamps checks an embedded RFC3161 TSA timestamp in addition to the Rekor SET.
  • --certificate-chain / --ca-roots / --ca-intermediates swap in custom roots for BYO PKI.

Key source files

File Purpose
cmd/cosign/cli/verify.go Cobra command for verify
cmd/cosign/cli/verify/verify.go Orchestrator (legacy + bundle paths)
cmd/cosign/cli/verify/verify_bundle.go New protobuf-bundle verification path
cmd/cosign/cli/verify/common.go Identity matching, trusted-root resolution
pkg/cosign/verify.go Legacy verification primitives (~2,000 lines)
pkg/cosign/verify_sct.go SCT verification
pkg/cosign/tlog.go Rekor inclusion proof + SET checks
cmd/cosign/cli/verify/verify_attestation.go Attestation flow
cmd/cosign/cli/verify/verify_blob.go Blob signature verification
cmd/cosign/cli/verify/verify_blob_attestation.go Blob attestation verification

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Verification commands – Cosign wiki | Factory