Skip to content
Latchkey

cosign verify: Verify an Image Signature

cosign verify confirms that a container image carries a valid signature, either from a known key or a trusted keyless identity.

Verification is the point of signing. cosign verify is what a deploy gate or admission controller runs to ensure an image was signed by who you expect before it ships.

What it does

cosign verify resolves the image digest, fetches the associated signatures, and checks them. With --key it verifies against a public key; keyless, it checks the Fulcio certificate identity and OIDC issuer and the Rekor inclusion proof. It exits non-zero if no signature satisfies the criteria.

Common usage

Terminal
# key-based
cosign verify --key cosign.pub ghcr.io/org/app@${DIGEST}
# keyless: pin the expected identity and issuer
cosign verify \
  --certificate-identity-regexp 'https://github.com/org/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/org/app@${DIGEST}

Options

FlagWhat it does
--key <ref>Public key (file, env://, kms://) to verify against
--certificate-identity[-regexp]Required signer identity (keyless)
--certificate-oidc-issuerRequired OIDC issuer (keyless)
-a key=valueRequire a matching signature annotation
--output text|jsonVerification output format

In CI

Run cosign verify in the deploy job before promoting an image, and fail the deploy on a non-zero exit. For keyless verification you must pin both --certificate-identity and --certificate-oidc-issuer, otherwise any valid Sigstore signature passes and the gate is meaningless.

Common errors in CI

"no matching signatures" means the image was not signed, was re-pushed after signing, or you verified a tag that moved; verify by digest. "none of the expected identities matched the certificate" means the identity or issuer flag is wrong. "error: no signatures found" can also mean the signature lives in a different repo (set COSIGN_REPOSITORY).

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →