cosign "MANIFEST_UNKNOWN" verifying a signature in CI
cosign stores signatures under a derived tag (sha256-<digest>.sig) next to the image. MANIFEST_UNKNOWN means the registry has no manifest at that location, so either nothing was signed or the image was overwritten.
What this error means
cosign verify fails with "MANIFEST_UNKNOWN" from the registry when it tries to fetch the signature manifest for the image digest.
Error: recursively getting attestations: GET
https://ghcr.io/v2/acme/app/manifests/sha256-abcd....sig: MANIFEST_UNKNOWN: manifest unknownCommon causes
The image was re-pushed to a new digest after signing
A rebuild changed the digest; the old signature tag no longer corresponds to the manifest under verification.
A registry that garbage-collected or never received the signature
Some registries prune untagged manifests, or the signature push targeted a different repository, leaving no .sig manifest.
How to fix it
Sign the exact digest you deploy
- Sign immediately after push using the digest that push returned.
- Do not rebuild the image between signing and verifying.
- Verify the same digest so the derived signature tag exists.
cosign sign --yes ghcr.io/acme/app@${{ steps.build.outputs.digest }}Use a registry that keeps referrers
Prefer a registry with OCI referrers/1.1 support (or keep the signature tags), so signature manifests are not pruned before verification.
How to prevent it
- Sign the digest right after push, before any rebuild.
- Use a registry that supports OCI referrers and retains signature artifacts.
- Avoid mutating or re-pushing the image between sign and verify.