Skip to content
Latchkey

What Is cosign verify?

cosign verify is the verification operation of Cosign, the Sigstore signing tool, used to confirm that a container image or artifact carries a valid signature from an expected identity. It checks the signature, the certificate identity, and optionally the transparency-log entry before allowing the artifact to proceed. A failed verification stops a deploy.

Why it matters

Signing only adds value if something actually verifies before trusting the artifact. Running cosign verify as a gate in CI or at admission time ensures only images from the expected workflow identity are deployed. Pinning the expected identity is essential; verifying that any signature exists is not the same as verifying the right signer.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →