Skip to content
Latchkey

Provenance "unverified" blocking a policy gate in CI

A release gate that requires verified SLSA provenance blocks the deploy when the artifact has no provenance, or its provenance does not verify against the expected builder and source. The gate is doing its job; the provenance chain is the gap.

What this error means

A deploy or admission step reports the artifact provenance as "unverified" or "provenance verification failed" and refuses to promote the image.

policy
policy check: provenance for ghcr.io/acme/app@sha256:... is UNVERIFIED
(no provenance from expected builder github.com/acme/app)

Common causes

The build never produced provenance

The attest or SLSA generator step was skipped or failed, so there is nothing for the gate to verify.

The provenance does not match the expected builder/source

Provenance exists but was produced by a different builder or references a different source, so it fails the policy expectations.

How to fix it

Produce provenance and verify it before the gate

  1. Add the attest/provenance step to the build so every image ships provenance.
  2. Verify provenance in CI with the same builder and source the gate expects.
  3. Only promote images that pass verification.
Terminal
slsa-verifier verify-image ghcr.io/acme/app@sha256:... \
  --source-uri github.com/acme/app \
  --builder-id https://github.com/acme/app/.github/workflows/release.yml@refs/tags/v1.2.3

Align the gate expectations with the real builder

Set the policy expected builder-id and source to match what actually produces provenance, so legitimate builds are not rejected.

How to prevent it

  • Attach provenance to every release artifact.
  • Verify provenance in CI before the promotion gate runs.
  • Keep the policy expected builder and source in sync with the pipeline.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →