Skip to content
Latchkey

How to Verify a Cosign Signature Before Deploy

cosign verify fails the build unless the signature matches the exact issuer and identity you expect.

Run cosign verify with --certificate-identity-regexp and --certificate-oidc-issuer so a valid Sigstore signature is not enough: it must be signed by your workflow. This is the verify-before-trust gate that belongs before any deploy step.

Steps

  • Install Cosign in the verifying job.
  • Pin --certificate-oidc-issuer to https://token.actions.githubusercontent.com.
  • Pin --certificate-identity(-regexp) to your workflow ref.
  • Fail the job if verification returns non-zero.

Workflow

.github/workflows/ci.yml
steps:
  - uses: sigstore/cosign-installer@v3
  - run: |
      cosign verify \
        --certificate-oidc-issuer https://token.actions.githubusercontent.com \
        --certificate-identity-regexp '^https://github.com/OWNER/REPO/.github/workflows/.+' \
        ghcr.io/OWNER/REPO@${{ steps.build.outputs.digest }}

Gotchas

  • Omitting the identity flags accepts any Sigstore signature, which defeats the purpose.
  • Verify the digest you are about to deploy, not a tag that could resolve to a different image.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →