cosign verify: Verify an Image Signature
cosign verify confirms that a container image carries a valid signature, either from a known key or a trusted keyless identity.
Verification is the point of signing. cosign verify is what a deploy gate or admission controller runs to ensure an image was signed by who you expect before it ships.
What it does
cosign verify resolves the image digest, fetches the associated signatures, and checks them. With --key it verifies against a public key; keyless, it checks the Fulcio certificate identity and OIDC issuer and the Rekor inclusion proof. It exits non-zero if no signature satisfies the criteria.
Common usage
# key-based
cosign verify --key cosign.pub ghcr.io/org/app@${DIGEST}
# keyless: pin the expected identity and issuer
cosign verify \
--certificate-identity-regexp 'https://github.com/org/.+' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/org/app@${DIGEST}Options
| Flag | What it does |
|---|---|
| --key <ref> | Public key (file, env://, kms://) to verify against |
| --certificate-identity[-regexp] | Required signer identity (keyless) |
| --certificate-oidc-issuer | Required OIDC issuer (keyless) |
| -a key=value | Require a matching signature annotation |
| --output text|json | Verification output format |
In CI
Run cosign verify in the deploy job before promoting an image, and fail the deploy on a non-zero exit. For keyless verification you must pin both --certificate-identity and --certificate-oidc-issuer, otherwise any valid Sigstore signature passes and the gate is meaningless.
Common errors in CI
"no matching signatures" means the image was not signed, was re-pushed after signing, or you verified a tag that moved; verify by digest. "none of the expected identities matched the certificate" means the identity or issuer flag is wrong. "error: no signatures found" can also mean the signature lives in a different repo (set COSIGN_REPOSITORY).