Skip to content
Latchkey

cosign verify "no signatures found" in CI

cosign verify resolves the image, computes its digest, and looks for a signature stored alongside it. "no signatures found" means nothing was signed for that exact digest, or you verified a different reference than you signed.

What this error means

cosign verify fails with "no signatures found" or "no matching signatures", even though a signing step ran earlier in the pipeline.

cosign
Error: no signatures found for image ghcr.io/acme/app:latest
Error: no matching signatures

Common causes

Signed one digest, verified a different tag

A mutable tag like latest moved after signing, so verifying the tag resolves to a digest that was never signed.

The signing step did not actually push a signature

Signing was skipped, failed silently, or pushed to a registry the verify step cannot read.

How to fix it

Sign and verify the same immutable digest

  1. Capture the digest from the build/push step.
  2. Sign that @sha256:... digest, not the tag.
  3. Verify the exact same digest reference.
Terminal
DIGEST=ghcr.io/acme/app@${{ steps.build.outputs.digest }}
cosign sign --yes "$DIGEST"
cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/acme/' "$DIGEST"

Confirm registry read access for verify

Ensure the verify job can pull the image and its signature tag from the same registry the signing job wrote to.

.github/workflows/ci.yml
permissions:
  packages: read

How to prevent it

  • Always sign and verify the immutable digest, never a mutable tag.
  • Fail the pipeline if the signing step is skipped.
  • Give the verify job read access to the registry that holds signatures.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →