Skip to content
Latchkey

cosign "MANIFEST_UNKNOWN" verifying a signature in CI

cosign stores signatures under a derived tag (sha256-<digest>.sig) next to the image. MANIFEST_UNKNOWN means the registry has no manifest at that location, so either nothing was signed or the image was overwritten.

What this error means

cosign verify fails with "MANIFEST_UNKNOWN" from the registry when it tries to fetch the signature manifest for the image digest.

cosign
Error: recursively getting attestations: GET
https://ghcr.io/v2/acme/app/manifests/sha256-abcd....sig: MANIFEST_UNKNOWN: manifest unknown

Common causes

The image was re-pushed to a new digest after signing

A rebuild changed the digest; the old signature tag no longer corresponds to the manifest under verification.

A registry that garbage-collected or never received the signature

Some registries prune untagged manifests, or the signature push targeted a different repository, leaving no .sig manifest.

How to fix it

Sign the exact digest you deploy

  1. Sign immediately after push using the digest that push returned.
  2. Do not rebuild the image between signing and verifying.
  3. Verify the same digest so the derived signature tag exists.
.github/workflows/ci.yml
cosign sign --yes ghcr.io/acme/app@${{ steps.build.outputs.digest }}

Use a registry that keeps referrers

Prefer a registry with OCI referrers/1.1 support (or keep the signature tags), so signature manifests are not pruned before verification.

How to prevent it

  • Sign the digest right after push, before any rebuild.
  • Use a registry that supports OCI referrers and retains signature artifacts.
  • Avoid mutating or re-pushing the image between sign and verify.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →