How to Verify a Cosign Signature Before Deploy
cosign verify fails the build unless the signature matches the exact issuer and identity you expect.
Run cosign verify with --certificate-identity-regexp and --certificate-oidc-issuer so a valid Sigstore signature is not enough: it must be signed by your workflow. This is the verify-before-trust gate that belongs before any deploy step.
Steps
- Install Cosign in the verifying job.
- Pin
--certificate-oidc-issuertohttps://token.actions.githubusercontent.com. - Pin
--certificate-identity(-regexp)to your workflow ref. - Fail the job if verification returns non-zero.
Workflow
.github/workflows/ci.yml
steps:
- uses: sigstore/cosign-installer@v3
- run: |
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/OWNER/REPO/.github/workflows/.+' \
ghcr.io/OWNER/REPO@${{ steps.build.outputs.digest }}Gotchas
- Omitting the identity flags accepts any Sigstore signature, which defeats the purpose.
- Verify the digest you are about to deploy, not a tag that could resolve to a different image.
Related guides
How to Sign Artifacts With Cosign Keyless in GitHub ActionsSign container images and artifacts in CI using Cosign keyless signing backed by the workflow OIDC token, so…
How to Enforce a Verify-Before-Deploy Policy GateAdd a policy gate job that verifies signatures and provenance before any deploy job runs in GitHub Actions, s…