docker · crazy-max · Jan 14, 2026 · Jan 14, 2026
diff --git a/__tests__/sigstore/sigstore.test.itg.ts b/__tests__/sigstore/sigstore.test.itg.ts
@@ -23,6 +23,7 @@ import {Build} from '../../src/buildx/build';
 import {Install as CosignInstall} from '../../src/cosign/install';
 import {Docker} from '../../src/docker/docker';
 import {Exec} from '../../src/exec';
+import {OCI} from '../../src/oci/oci';
 import {Sigstore} from '../../src/sigstore/sigstore';
 
 const fixturesDir = path.join(__dirname, '..', '.fixtures');
@@ -114,6 +115,20 @@ maybe('verifyImageAttestations', () => {
     },
     60000
   );
+
+  it('default platform', async () => {
+    const sigstore = new Sigstore();
+    const verifyResults = await sigstore.verifyImageAttestations('moby/buildkit:master@sha256:84014da3581b2ff2c14cb4f60029cf9caa272b79e58f2e89c651ea6966d7a505', {
+      certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml.*$`,
+      platform: OCI.defaultPlatform()
+    });
+    expect(Object.keys(verifyResults).length).toEqual(1);
+    for (const [attestationRef, res] of Object.entries(verifyResults)) {
+      expect(attestationRef).toBeDefined();
+      expect(res.cosignArgs).toBeDefined();
+      expect(res.signatureManifestDigest).toBeDefined();
+    }
+  });
 });
 
 maybeIdToken('signProvenanceBlobs', () => {

diff --git a/src/sigstore/sigstore.ts b/src/sigstore/sigstore.ts
@@ -133,8 +133,8 @@ export class Sigstore {
     for (const [attestationRef, signedRes] of Object.entries(signedManifestsResult)) {
       await core.group(`Verifying signature of ${attestationRef}`, async () => {
         const verifyResult = await this.verifyImageAttestation(attestationRef, {
-          noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
           certificateIdentityRegexp: opts.certificateIdentityRegexp,
+          noTransparencyLog: opts.noTransparencyLog || !signedRes.tlogID,
           retryOnManifestUnknown: opts.retryOnManifestUnknown
         });
         core.info(`Signature manifest verified: https://oci.dag.dev/?image=${signedRes.imageName}@${verifyResult.signatureManifestDigest}`);
@@ -147,7 +147,7 @@ export class Sigstore {
   public async verifyImageAttestations(image: string, opts: VerifySignedManifestsOpts): Promise<Record<string, VerifySignedManifestsResult>> {
     const result: Record<string, VerifySignedManifestsResult> = {};
 
-    const attestationDigests = await this.imageTools.attestationDigests(image);
+    const attestationDigests = await this.imageTools.attestationDigests(image, opts.platform);
     if (attestationDigests.length === 0) {
       throw new Error(`No attestation manifests found for ${image}`);
     }

diff --git a/src/types/sigstore/sigstore.ts b/src/types/sigstore/sigstore.ts
@@ -17,6 +17,7 @@
 import type {SerializedBundle} from '@sigstore/bundle';
 
 import {Subject} from '../intoto/intoto';
+import {Platform} from '../oci/descriptor';
 
 export const FULCIO_URL = 'https://fulcio.sigstore.dev';
 export const REKOR_URL = 'https://rekor.sigstore.dev';
@@ -47,6 +48,7 @@ export interface SignAttestationManifestsResult extends ParsedBundle {
 
 export interface VerifySignedManifestsOpts {
   certificateIdentityRegexp: string;
+  platform?: Platform;
   noTransparencyLog?: boolean;
   retryOnManifestUnknown?: boolean;
 }