cosign verify-attestation "no matching attestations" in CI
cosign verify-attestation filters attached attestations by predicate type and signer identity. "no matching attestations" means an attestation exists but not one that matches your --type, or none was attached at all.
What this error means
cosign verify-attestation fails with "no matching attestations" even after a cosign attest step, often because the --type on verify does not match the type used at attest time.
cosign verify-attestation --type slsaprovenance ghcr.io/acme/app@sha256:...
Error: no matching attestations: none of the attestations matched the predicate typeCommon causes
Predicate type mismatch between attest and verify
You attested --type cyclonedx but verify with --type slsaprovenance (or a custom type). The types must be identical.
Identity filters exclude the real signer
The --certificate-identity / --certificate-oidc-issuer you pass do not match the identity that signed the attestation, so no attestation qualifies.
How to fix it
Match the predicate type and identity
- Use the same
--typevalue on verify that you used on attest. - Set
--certificate-oidc-issuerand--certificate-identity(-regexp)to the signer. - Re-run verify-attestation against the image digest.
cosign verify-attestation \
--type cyclonedx \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/acme/' \
ghcr.io/acme/app@sha256:...Confirm the attestation was attached
List what is attached to the digest to confirm the attestation exists and see its predicate type.
cosign tree ghcr.io/acme/app@sha256:...How to prevent it
- Keep the
--typeidentical between attest and verify-attestation. - Pin the exact signer identity and issuer on verify.
- Use
cosign treeto confirm attestations are attached before gating on them.