cosign verify "no signatures found" in CI
cosign verify resolves the image, computes its digest, and looks for a signature stored alongside it. "no signatures found" means nothing was signed for that exact digest, or you verified a different reference than you signed.
What this error means
cosign verify fails with "no signatures found" or "no matching signatures", even though a signing step ran earlier in the pipeline.
Error: no signatures found for image ghcr.io/acme/app:latest
Error: no matching signaturesCommon causes
Signed one digest, verified a different tag
A mutable tag like latest moved after signing, so verifying the tag resolves to a digest that was never signed.
The signing step did not actually push a signature
Signing was skipped, failed silently, or pushed to a registry the verify step cannot read.
How to fix it
Sign and verify the same immutable digest
- Capture the digest from the build/push step.
- Sign that
@sha256:...digest, not the tag. - Verify the exact same digest reference.
DIGEST=ghcr.io/acme/app@${{ steps.build.outputs.digest }}
cosign sign --yes "$DIGEST"
cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/acme/' "$DIGEST"Confirm registry read access for verify
Ensure the verify job can pull the image and its signature tag from the same registry the signing job wrote to.
permissions:
packages: readHow to prevent it
- Always sign and verify the immutable digest, never a mutable tag.
- Fail the pipeline if the signing step is skipped.
- Give the verify job read access to the registry that holds signatures.