# Cosign interoperability

StellaOps can verify Cosign DSSE attestations, extract SBOMs, and ingest them for scanning in both online and air-gapped environments.

## Capabilities

- Verify Cosign-signed SBOM attestations.
- Extract SPDX or CycloneDX payloads from DSSE envelopes.
- Verify signatures offline using bundled trust roots and checkpoints.

## Supported predicate types

- SPDX (3.0.1 and 2.3)
- CycloneDX (1.4 to 1.7)
- SLSA provenance (metadata only)

## Common flows

- Keyless signing via Fulcio for public registries.
- Key-based signing for private or air-gapped environments.
- Verify then extract; do not extract without verification.

## Offline trust

- Use local trust roots and Rekor checkpoints.
- Refresh checkpoints on a schedule appropriate to risk.

## Related references

- docs/interop/cosign-integration.md
- docs/24_OFFLINE_KIT.md
- docs/modules/attestor/architecture.md
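
The "verify then extract" rule under Common flows, sketched in Go as an added example (not StellaOps or Cosign code): the DSSE signature is checked over the pre-authentication encoding before the in-toto payload is parsed, and only the SPDX and CycloneDX predicate types are returned. `VerifyThenExtract`, `SampleEnvelope` and the sample statement are constructed for illustration, and Ed25519 stands in for the ECDSA P-256 keys that `cosign generate-key-pair` produces.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the DSSE wrapper (encoding/json base64-decodes strings into []byte); Statement is its payload.
type Envelope struct{ PayloadType string; Payload []byte; Signatures []struct{ Sig []byte } }
type Statement struct{ PredicateType string; Predicate json.RawMessage }

// pae is DSSE's pre-authentication encoding: the exact bytes the signature covers.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// VerifyThenExtract (illustrative name) checks a signature over the PAE before parsing, then allow-lists SBOM types.
func VerifyThenExtract(raw []byte, pub ed25519.PublicKey) (*Statement, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, err
	}
	st, ok := new(Statement), false
	for _, s := range env.Signatures {
		ok = ok || ed25519.Verify(pub, pae(env.PayloadType, env.Payload), s.Sig)
	}
	if !ok || json.Unmarshal(env.Payload, st) != nil { // short-circuit: unverified bytes are never parsed
		return nil, errors.New("signature invalid or payload is not a statement; nothing extracted")
	}
	if t := st.PredicateType; t != "https://spdx.dev/Document" && t != "https://cyclonedx.org/bom" {
		return nil, errors.New("unsupported predicate type: " + t)
	}
	return st, nil
}

// SampleEnvelope signs a constructed statement with a throwaway Ed25519 key (assumption: Cosign keys are usually ECDSA).
func SampleEnvelope(predicateType string) ([]byte, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	typ, body := "application/vnd.in-toto+json", []byte(`{"predicateType":"`+predicateType+`","predicate":{"bomFormat":"CycloneDX"}}`)
	raw, _ := json.Marshal(map[string]interface{}{"payloadType": typ, "payload": body,
		"signatures": []map[string][]byte{{"sig": ed25519.Sign(priv, pae(typ, body))}}})
	return raw, pub
}

func main() {
	st, err := VerifyThenExtract(SampleEnvelope("https://cyclonedx.org/bom"))
	fmt.Println(st != nil, err)
}
```

A validly signed envelope with any other predicate type, SLSA provenance included, is rejected by this extractor because it carries no SBOM payload to ingest.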