{"id":"2d94f96a-3fc3-461c-aeec-dfec9c8f7a8c","shortId":"UVKVM9","kind":"skill","title":"Sigstore Cosign Verification Pipeline","tagline":"Verifies container image signatures and SBOMs using Sigstore Cosign and Rekor transparency log. Enforces supply chain security policies by validating keyless signatures against Fulcio certificate authorities.","description":"# Sigstore Cosign Verification Pipeline\n\nVerifies container image signatures and SBOMs using Sigstore Cosign and Rekor transparency log. Enforces supply chain security policies by validating keyless signatures against Fulcio certificate authorities.\n\n## Installation\n\nUse the upstream install or setup path that matches your environment:\n- $ git clone https://github.com/sigstore/cosign\n- $ go install ./cmd/cosign\n- $ docker push $IMAGE_URI\n\nRequirements and caveats from upstream:\n- {\"Critical\":{\"Identity\":{\"docker-reference\":\"\"},\"Image\":{\"Docker-manifest-digest\":\"sha256:87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8\"},\"Type\":\"cosign container image signature\"},\"Optional\":null}\n- **Note:** Most verification workflows require periodically requesting service keys from a TUF repository.\n- Verification fails with failed to verify timestamps: threshold not met for verified log entry integrated timestamps: 0 < 1: You may be verifying a signature that requires RFC3161 timestamp support\n\nBasic usage or getting-started notes:\n- For Homebrew, Arch, Nix, GitHub Action, and Kubernetes installs see the [installation docs](https://docs.sigstore.dev/cosign/system_config/installation/).\n- For Linux and macOS binaries see the [GitHub release assets](https://github.com/sigstore/cosign/releases/latest).\n- :rotating_light: If you are downloading releases of cosign from our GCS bucket - please see more information on the July 31, 2023 [deprecation notice](https://blog.sigstore.dev/cosign-releases-bucket-deprecation/) :ro...\n\n- Source: https://github.com/sigstore/cosign\n- 
Extracted from upstream docs: https://raw.githubusercontent.com/sigstore/cosign/HEAD/README.md\n\n## Source\n\n- [Agent Skill Exchange](https://agentskillexchange.com/skills/sigstore-cosign-verification-pipeline/)","tags":["sigstore","cosign","verification","pipeline","skills","agentskillexchange","agent-skills","ai-agents","ai-tools","awesome-list","claude-code","codex"],"capabilities":["skill","source-agentskillexchange","skill-sigstore-cosign-verification-pipeline","topic-agent-skills","topic-ai-agents","topic-ai-tools","topic-awesome-list","topic-claude-code","topic-codex","topic-cursor","topic-llm","topic-mcp","topic-npx-skills","topic-openclaw","topic-skills-catalog"],"categories":["skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/agentskillexchange/skills/sigstore-cosign-verification-pipeline","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add agentskillexchange/skills","source_repo":"https://github.com/agentskillexchange/skills","install_from":"skills.sh"}},"qualityScore":"0.454","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 8 github stars · SKILL.md body (1,801 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:12:29.652Z","embedding":null,"createdAt":"2026-05-18T13:19:25.962Z","updatedAt":"2026-05-18T19:12:29.652Z","lastSeenAt":"2026-05-18T19:12:29.652Z","prices":[{"id":"48be5162-346c-4d8f-bb5b-236f37c50287","listingId":"2d94f96a-3fc3-461c-aeec-dfec9c8f7a8c","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"agentskillexchange","category":"skills","install_from":"skills.sh"},"createdAt":"2026-05-18T13:19:25.962Z"}],"sources":[{"listingId":"2d94f96a-3fc3-461c-aeec-dfec9c8f7a8c","source":"github","sourceId":"agentskillexchange/skills/sigstore-cosign-verification-pipeline","sourceUrl":"https://github.com/agentskillexchange/skills/tree/main/skills/sigstore-cosign-verification-pipeline","isPrimary":false,"firstSeenAt":"2026-05-18T13:19:25.962Z","lastSeenAt":"2026-05-18T19:12:29.652Z"}],"details":{"listingId":"2d94f96a-3fc3-461c-aeec-dfec9c8f7a8c","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"agentskillexchange","slug":"sigstore-cosign-verification-pipeline","github":{"repo":"agentskillexchange/skills","stars":8,"topics":["agent-skills","ai-agents","ai-tools","awesome-list","claude-code","codex","cursor","llm","mcp","npx-skills","openclaw","skills-catalog"],"license":"mit","html_url":"https://github.com/agentskillexchange/skills","pushed_at":"2026-05-18T19:02:17Z","description":"The open catalog of AI agent skills — 2,000+ security-scanned skills for Claude Code, Cursor, Codex, and 
more.","skill_md_sha":"ac11512ebcb37113e70645c4d34df41e86870c54","skill_md_path":"skills/sigstore-cosign-verification-pipeline/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/agentskillexchange/skills/tree/main/skills/sigstore-cosign-verification-pipeline"},"layout":"multi","source":"github","category":"skills","frontmatter":{"name":"Sigstore Cosign Verification Pipeline","description":"Verifies container image signatures and SBOMs using Sigstore Cosign and Rekor transparency log. Enforces supply chain security policies by validating keyless signatures against Fulcio certificate authorities."},"skills_sh_url":"https://skills.sh/agentskillexchange/skills/sigstore-cosign-verification-pipeline"},"updatedAt":"2026-05-18T19:12:29.652Z"}}