{"id":"7c9d04e8-6212-4e30-abb1-cb5e8c666d9f","shortId":"XNWmgk","kind":"skill","title":"Cosign Artifact Signature Verifier","tagline":"Validates container image and artifact signatures using Sigstore Cosign with keyless verification via Fulcio and Rekor transparency logs. Enforces supply chain integrity policies with OPA/Rego.","description":"# Cosign Artifact Signature Verifier\n\nValidates container image and artifact signatures using Sigstore Cosign with keyless verification via Fulcio and Rekor transparency logs. Enforces supply chain integrity policies with OPA/Rego.\n\n## Installation\n\nUse the upstream install or setup path that matches your environment:\n- $ git clone https://github.com/sigstore/cosign\n- $ go install ./cmd/cosign\n- $ docker push $IMAGE_URI\n\nRequirements and caveats from upstream:\n- {\"Critical\":{\"Identity\":{\"docker-reference\":\"\"},\"Image\":{\"Docker-manifest-digest\":\"sha256:87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8\"},\"Type\":\"cosign container image signature\"},\"Optional\":null}\n- **Note:** Most verification workflows require periodically requesting service keys from a TUF repository.\n- Verification fails with failed to verify timestamps: threshold not met for verified log entry integrated timestamps: 0 < 1: You may be verifying a signature that requires RFC3161 timestamp support\n\nBasic usage or getting-started notes:\n- For Homebrew, Arch, Nix, GitHub Action, and Kubernetes installs see the [installation docs](https://docs.sigstore.dev/cosign/system_config/installation/).\n- For Linux and macOS binaries see the [GitHub release assets](https://github.com/sigstore/cosign/releases/latest).\n- :rotating_light: If you are downloading releases of cosign from our GCS bucket - please see more information on the July 31, 2023 [deprecation notice](https://blog.sigstore.dev/cosign-releases-bucket-deprecation/) :ro...\n\n- Source: https://github.com/sigstore/cosign\n- Extracted from upstream docs: https://raw.githubusercontent.com/sigstore/cosign/HEAD/README.md\n\n## Documentation\n\n- https://docs.sigstore.dev/cosign/overview/\n\n## Source\n\n- [Agent Skill Exchange](https://agentskillexchange.com/skills/cosign-artifact-signature-verifier/)","tags":["cosign","artifact","signature","verifier","skills","agentskillexchange","agent-skills","ai-agents","ai-tools","awesome-list","claude-code","codex"],"capabilities":["skill","source-agentskillexchange","skill-cosign-artifact-signature-verifier","topic-agent-skills","topic-ai-agents","topic-ai-tools","topic-awesome-list","topic-claude-code","topic-codex","topic-cursor","topic-llm","topic-mcp","topic-npx-skills","topic-openclaw","topic-skills-catalog"],"categories":["skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/agentskillexchange/skills/cosign-artifact-signature-verifier","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add agentskillexchange/skills","source_repo":"https://github.com/agentskillexchange/skills","install_from":"skills.sh"}},"qualityScore":"0.454","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 8 github stars · SKILL.md body (1,844 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:09:58.856Z","embedding":null,"createdAt":"2026-05-18T13:15:54.531Z","updatedAt":"2026-05-18T19:09:58.856Z","lastSeenAt":"2026-05-18T19:09:58.856Z","tsv":"'/cmd/cosign':78 '/cosign-releases-bucket-deprecation/)':211 '/cosign/overview/':227 '/cosign/system_config/installation/).':171 '/sigstore/cosign':75,216 '/sigstore/cosign/head/readme.md':223 '/sigstore/cosign/releases/latest).':184 '/skills/cosign-artifact-signature-verifier/)':234 '0':136 '1':137 '2023':206 '31':205 '87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8':99 'action':161 'agent':229 'agentskillexchange.com':233 'agentskillexchange.com/skills/cosign-artifact-signature-verifier/)':232 'arch':158 'artifact':2,9,31,38 'asset':181 'basic':149 'binari':176 'blog.sigstore.dev':210 'blog.sigstore.dev/cosign-releases-bucket-deprecation/)':209 'bucket':197 'caveat':85 'chain':25,54 'clone':72 'contain':6,35,102 'cosign':1,13,30,42,101,193 'critic':88 'deprec':207 'digest':97 'doc':168,220 'docker':79,91,95 'docker-manifest-digest':94 'docker-refer':90 'docs.sigstore.dev':170,226 'docs.sigstore.dev/cosign/overview/':225 'docs.sigstore.dev/cosign/system_config/installation/).':169 'document':224 'download':190 'enforc':23,52 'entri':133 'environ':70 'exchang':231 'extract':217 'fail':121,123 'fulcio':18,47 'gcs':196 'get':153 'getting-start':152 'git':71 'github':160,179 'github.com':74,183,215 'github.com/sigstore/cosign':73,214 'github.com/sigstore/cosign/releases/latest).':182 'go':76 'homebrew':157 'ident':89 'imag':7,36,81,93,103 'inform':201 'instal':59,63,77,164,167 'integr':26,55,134 'juli':204 'key':115 'keyless':15,44 'kubernet':163 'light':186 'linux':173 'log':22,51,132 'maco':175 'manifest':96 'match':68 'may':139 'met':129 'nix':159 'note':107,155 'notic':208 'null':106 'opa/rego':29,58 'option':105 'path':66 'period':112 'pleas':198 'polici':27,56 'push':80 'raw.githubusercontent.com':222 'raw.githubusercontent.com/sigstore/cosign/head/readme.md':221 'refer':92 'rekor':20,49 'releas':180,191 'repositori':119 'request':113 'requir':83,111,145 'rfc3161':146 'ro':212 'rotat':185 'see':165,177,199 'servic':114 'setup':65 'sha256':98 'signatur':3,10,32,39,104,143 'sigstor':12,41 'skill':230 'skill-cosign-artifact-signature-verifier' 'sourc':213,228 'source-agentskillexchange' 'start':154 'suppli':24,53 'support':148 'threshold':127 'timestamp':126,135,147 'topic-agent-skills' 'topic-ai-agents' 'topic-ai-tools' 'topic-awesome-list' 'topic-claude-code' 'topic-codex' 'topic-cursor' 'topic-llm' 'topic-mcp' 'topic-npx-skills' 'topic-openclaw' 'topic-skills-catalog' 'transpar':21,50 'tuf':118 'type':100 'upstream':62,87,219 'uri':82 'usag':150 'use':11,40,60 'valid':5,34 'verif':16,45,109,120 'verifi':4,33,125,131,141 'via':17,46 'workflow':110","prices":[{"id":"cae988f3-a431-472e-bdcb-4ee0b84326f2","listingId":"7c9d04e8-6212-4e30-abb1-cb5e8c666d9f","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"agentskillexchange","category":"skills","install_from":"skills.sh"},"createdAt":"2026-05-18T13:15:54.531Z"}],"sources":[{"listingId":"7c9d04e8-6212-4e30-abb1-cb5e8c666d9f","source":"github","sourceId":"agentskillexchange/skills/cosign-artifact-signature-verifier","sourceUrl":"https://github.com/agentskillexchange/skills/tree/main/skills/cosign-artifact-signature-verifier","isPrimary":false,"firstSeenAt":"2026-05-18T13:15:54.531Z","lastSeenAt":"2026-05-18T19:09:58.856Z"}],"details":{"listingId":"7c9d04e8-6212-4e30-abb1-cb5e8c666d9f","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"agentskillexchange","slug":"cosign-artifact-signature-verifier","github":{"repo":"agentskillexchange/skills","stars":8,"topics":["agent-skills","ai-agents","ai-tools","awesome-list","claude-code","codex","cursor","llm","mcp","npx-skills","openclaw","skills-catalog"],"license":"mit","html_url":"https://github.com/agentskillexchange/skills","pushed_at":"2026-05-18T19:02:17Z","description":"The open catalog of AI agent skills — 2,000+ security-scanned skills for Claude Code, Cursor, Codex, and more.","skill_md_sha":"d0dce0a018c5217ec2352ec150af9183067614ba","skill_md_path":"skills/cosign-artifact-signature-verifier/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/agentskillexchange/skills/tree/main/skills/cosign-artifact-signature-verifier"},"layout":"multi","source":"github","category":"skills","frontmatter":{"name":"Cosign Artifact Signature Verifier","description":"Validates container image and artifact signatures using Sigstore Cosign with keyless verification via Fulcio and Rekor transparency logs. Enforces supply chain integrity policies with OPA/Rego."},"skills_sh_url":"https://skills.sh/agentskillexchange/skills/cosign-artifact-signature-verifier"},"updatedAt":"2026-05-18T19:09:58.856Z"}}