The defaults are finally correct. Your CI pipeline has no excuse.
cosign's current release gets signing, verification, and transparency log integration right out of the box. The remaining friction is organisational — you need to write your verify-in-CI step exactly once.
§1 · Context
cosign is now a default tool in the provenance-signing pipeline for
container images, blobs, and arbitrary build artefacts. Earlier releases
had sharp edges around key handling and OIDC-based identity flows that
did not match stated defaults. The current release has resolved those.
§2 · Findings
Two medium findings: (1) the CLI's --certificate-identity-regexp flag
accepts a subset of Go's regexp syntax in a way that's under-documented
— we found one deployment that thought it was enforcing a stricter match
than it actually was; (2) the fallback timestamp-authority logic is
correct but hard to audit from the code alone. Both are in open PRs.
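Finding (1) made concrete, as an added example that is not cosign's own code: it assumes the identity pattern is applied the way Go's unanchored `regexp.MatchString` works, so the pattern only has to occur somewhere inside the certificate identity, and that a literal `.` in the pattern is the regexp wildcard. The identities are constructed in the shape GitHub Actions puts into the certificate (workflow path `@` ref); `identityMatches` and `strictPatternFor` are illustrative helpers, not cosign functions.

```go
package main

import (
	"fmt"
	"regexp"
)

// identityMatches reports whether a certificate identity satisfies an
// operator-supplied pattern. Assumption (not from the page): the match
// behaves like Go's regexp.MatchString, i.e. it is unanchored unless the
// pattern itself carries ^ and $.
func identityMatches(pattern, identity string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(identity), nil
}

// strictPatternFor turns an exact identity into a pattern that accepts
// only that identity: every metacharacter (notably ".") is escaped and
// both ends are anchored.
func strictPatternFor(identity string) string {
	return "^" + regexp.QuoteMeta(identity) + "$"
}

// Constructed sample identities (not real deployments).
const (
	// The workflow and ref the operator intends to trust.
	intendedIdentity = "https://github.com/acme/app/.github/workflows/release.yml@refs/heads/main"
	// A different branch whose name merely starts with "main".
	lookalikeBranch = "https://github.com/acme/app/.github/workflows/release.yml@refs/heads/maintenance"
)

// loosePattern is what an operator gets by pasting the identity verbatim
// into --certificate-identity-regexp: no anchors, dots left as wildcards.
const loosePattern = "https://github.com/acme/app/.github/workflows/release.yml@refs/heads/main"

// strictPattern is the anchored, escaped form of the same identity.
const strictPattern = `^https://github\.com/acme/app/\.github/workflows/release\.yml@refs/heads/main$`

func main() {
	for _, c := range []struct{ name, pattern, identity string }{
		{"loose / intended", loosePattern, intendedIdentity},
		{"loose / lookalike", loosePattern, lookalikeBranch},
		{"strict / intended", strictPattern, intendedIdentity},
		{"strict / lookalike", strictPattern, lookalikeBranch},
	} {
		ok, err := identityMatches(c.pattern, c.identity)
		if err != nil {
			fmt.Printf("%-20s compile error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-20s accepted=%v\n", c.name, ok)
	}
	fmt.Println("generated strict pattern:", strictPatternFor(intendedIdentity))
}
```

The loose pattern accepts the `maintenance` branch because nothing forbids trailing characters; the strict pattern rejects it. When the identity is fully known, `--certificate-identity` (exact match) avoids the regexp entirely; when a regexp is unavoidable, generate it with `strictPatternFor` rather than by hand.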
§3 · Bottom line
Use it. Pin the binary to a release, verify it with its own signature,
then bake verification into your CI.